SEC Issues Final Whistleblower Rules

Final rules allow whistleblowers to bypass company compliance procedures

On May 25, the SEC issued final rules implementing the whistleblower provisions of the Dodd-Frank Act (which are codified at Section 21F of the Exchange Act). Under the rules, the SEC will pay a “bounty” to whistleblowers who voluntarily provide the SEC with original information about a possible securities law violation that leads to a successful enforcement action resulting in monetary sanctions of over $1 million. The amount of the award can range from 10% to 30% of the monetary sanctions, as determined by the SEC in its discretion, based on factors listed in the rules.

In response to criticisms that the rules as initially proposed would undermine companies’ internal compliance programs, the final rules create limited incentives for employees to report suspected wrongdoing to corporate compliance programs. However, the rules do not require whistleblowers to report internally before submitting information to the SEC.

Eligibility for Whistleblower Bounty

To be eligible to be paid a bounty, a whistleblower must voluntarily provide the SEC with original information about a possible securities law violation that leads to a successful enforcement action resulting in monetary sanctions of over $1 million.

Whistleblower. Eligibility for the bounty program is limited to individuals. A whistleblower must provide information to the SEC that relates to a “possible” violation of the securities laws that has occurred, is ongoing, or is about to occur. The SEC chose not to require a higher standard — such as that the violation is “probable,” “likely,” or “material” — as a condition to whistleblower eligibility.

The rules exclude certain people from eligibility to receive an award under the whistleblower program, including those who acquired knowledge of a possible securities law violation in their capacity as attorneys, auditors, or persons involved in a company’s internal compliance process. However, these exclusions do not apply if the person has a reasonable basis to believe that disclosure to the SEC is necessary to prevent substantial injury to the company or investors or that the company is engaging in conduct that will impede an investigation of the misconduct, or if at least 120 days have elapsed since the whistleblower provided the information through the company’s internal reporting system.

Voluntary. The whistleblower must submit the information to the SEC before he/she (or his/her representative) receives a request, inquiry, or demand that relates to the submitted information from the SEC (or, in specified circumstances, other regulatory authority), even if such request, inquiry, or demand is not a formal subpoena. A submission is not voluntary if the whistleblower has a pre-existing legal duty to provide the information (for example, under a cooperation agreement).

An employee’s submission of information after a request for information was made by the SEC to his/her employer (but not specifically directed to the employee) will be treated as voluntary. However the employee will not be eligible for a bounty unless the information he/she provided “significantly contributed” to the SEC enforcement action; this standard may be difficult to meet where the information is provided only after the SEC has begun its own investigation. A submission to the SEC will qualify as voluntary even if made after the employee has been asked for information in the course of a company’s internal investigation. However if the employee is found to have acted to undermine the internal compliance process, this would be a factor that could decrease the amount of his/her whistleblower award.

Original Information. The information submitted by the whistleblower must be derived from the whistleblower’s independent knowledge or analysis and not already known to the SEC. In addition, the information cannot be exclusively derived from allegations made in a judicial or administrative hearing, governmental report, audit or investigation, or from the news media (unless the whistleblower is a source of the information), and it cannot have been obtained in a manner that violates federal or state criminal law.

Independent knowledge is defined as any factual information in the whistleblower’s possession that is not derived from publicly available sources, and can include second-hand information derived from communications with others. Independent analysis means the whistleblower’s personal evaluation, assessment or insight with respect to information that may be publicly available, but that reveals information that is not generally known or publicly available.

Even if the SEC already has some information regarding a violation, a whistleblower will be seen as providing original information if the information provided “materially adds” to the information already in the SEC’s possession.

To encourage whistleblowers to utilize their company’s internal compliance program, the rules provide that a whistleblower will be deemed to have provided original information if he/she first provided the information to the company’s internal compliance program and that company subsequently provided the information (or the results of an investigation initiated based on that information) to the SEC. Moreover, such a whistleblower will be deemed to have submitted the information to the SEC on the date it was provided to the internal compliance program if the submission to the SEC is made within 120 days of the submission to the company compliance program. As a result, the whistleblower who used the internal process will be treated as the first person to provide the information even if in the 120-day interim a second whistleblower provided the same information directly to the SEC.

Leading to Successful Enforcement. Original information provided by a whistleblower will be considered to have led to a successful enforcement action in any of the following circumstances:

• The information was sufficiently specific, credible, and timely to cause the SEC to begin an examination or investigation (or reopen a closed investigation) or to expand an ongoing investigation to cover different conduct, and the SEC brings a successful enforcement action based on the conduct identified by the whistleblower. In applying this standard, the SEC will consider the extent to which the whistleblower’s information included facts and allegations used by the SEC in its enforcement action.
• The information was about conduct that was already under investigation, and the information “significantly contributed” to the success of the enforcement action. In applying this standard, the SEC will consider whether the whistleblower’s information enabled the SEC to bring its enforcement action in less time or using fewer resources, as well as whether the information led to additional claims and/or additional defendants in the enforcement action.
• The whistleblower reported the information through a company’s internal compliance procedures, the company subsequently provided the information (or the results of an investigation initiated based on that information) to the SEC, and the information provided by the company satisfied either of the above requirements. In this case, the whistleblower will get credit for having provided all of the information provided by the company.

Factors in Determining Amount of Whistleblower Award

The total whistleblower bounty is determined in the SEC’s discretion within the range of 10% to 30% of the total monetary sanctions collected in one or more successful SEC actions or related actions brought by other enforcement bodies, provided that the total monetary sanctions recovered in the action(s) exceeds $1 million. For this purpose, monetary sanctions means all amounts that are ordered to be paid in the applicable action, including penalties, disgorgement, and interest. The SEC may aggregate proceedings arising from the same nucleus of operative facts in order to reach the $1 million sanction threshold required for payment of a bounty.

A whistleblower’s bounty will be based on the total monetary sanctions recovered in the applicable proceeding(s), even if the information provided by the whistleblower relates to only some of the counts in the enforcement action. The bounty related to an action may be split among multiple whistleblowers whose tips contributed to the successful actions, but the total amount paid cannot exceed 30% of the recovery.

In determining the percentage of the recovery to be paid to a whistleblower, the SEC will consider the following factors:

Factors that may increase the amount of the award:

• Significance of the information provided by the whistleblower to the success of the action, including its reliability and completeness.
• Degree of assistance provided by the whistleblower, including timeliness of the initial report, and whether he/she encouraged others to assist the SEC.
• SEC’s law enforcement interest, including the severity of the violation. The SEC may use this factor to increase an award where potential monetary sanctions were reduced because a company selfreported after the whistleblower’s internal report.
• Whether the whistleblower reported the violation through the company’s internal compliance system, and the extent to which the whistleblower assisted any internal investigation.

Factors that may decrease the amount of the award:

• The whistleblower’s culpability or involvement in the misconduct.
• Unreasonable delay in reporting the violation.
• Whether the whistleblower interfered with or undermined the company’s internal compliance systems.

Anti-retaliation Provisions

The rules prohibit retaliation against a person who provides a whistleblower tip — through the company’s internal compliance process or to the SEC — even if that person does not satisfy all of the requirements to receive a bounty. This protection is afforded as long as the tipper has a “reasonable belief” that there is a possible violation of the securities laws. The “reasonable belief” standard has both subjective and objective components — the whistleblower must have a genuine belief that the information provided demonstrates a possible violation, and this belief must be one that a similarly situated employee would reasonably have. The anti-retaliation protection extends not only to reports of violations of securities law, but also to reports of certain criminal violations specified in the Sarbanes-Oxley Act. The rules make clear that the SEC has authority to enforce the anti-retaliation provisions.

Implications for Companies

The number of whistleblower tips to the SEC is likely to increase as a result of the Dodd-Frank Act whistleblower provisions. The SEC has been receiving an increased number of tips since adoption of the Act, and expects to receive about 30,000 tips annually based on its experience to date. To the extent employees report possible securities law violations directly to the SEC without utilizing the company’s internal reporting procedures, the company may lose the ability to make voluntary disclosure of the violations, and thus may be subject to greater sanctions.

As a result, companies should review their compliance programs and assess whether any changes should be made. The following are among the actions companies should consider:

• Establish a culture of compliance. The goal is to prevent wrongdoing from occurring and to encourage employees to promptly report misconduct internally when it occurs. Senior management should make clear throughout the company that compliance is important and should be taken seriously. Employee training regarding applicable legal requirements and the company’s internal compliance reporting procedures should be provided regularly. Similarly, supervisors should be trained to respond appropriately to employee reports of possible violations.
• Review the company’s internal reporting procedures. A company should make sure that its procedures are easy to use and widely accessible. In evaluating the efficacy of its procedures, a company may want to consider the number of employee reports it receives compared to the number received by peer companies. Receipt of noticeably fewer employee reports may be a signal that employees are not sufficiently aware of the reporting procedures or are not using them out of fear of retaliation.
• Enhance employee communication regarding the company’s internal reporting procedures. Employees should be periodically reminded of the company’s internal reporting procedures and of the importance of using them. A company may wish to make an example by rewarding employees who demonstrate a commitment to internal compliance.
• Review the company’s existing whistleblower protections. A company should review its procedures for dealing with whistleblowers to be sure they don’t violate the anti-retaliation provisions. Supervisors and human resources personnel should be trained to appropriately deal with whistleblowers. Any disciplinary action taken against a whistleblower should be carefully reviewed to be sure it is not motivated by retaliation. To the extent the company determines that there is a legitimate basis for discipline, it should be documented.
• Review the company’s procedures for investigating whistleblower reports. A company should have in place procedures that will enable it to promptly investigate any report of misconduct. The new rules put a premium on being able to substantially complete an investigation within 120 days of receiving a whistleblower tip. As a result, a company may want to give thought to how it would address various types of whistleblower reports even before any reports are received — for example, determining who in the company would undertake the investigation and types of complaints for which outside counsel would be involved. A company may also want to consider the extent to which the tipper should be kept apprised of the status of an investigation consistent with company needs for confidentiality.