The Dodd-Frank Whistleblower Provisions: Considerations for Effectively Preparing for and Responding to Whistleblowers

May 26, 2011

As part of the Dodd-Frank Act (“Dodd-Frank” or the “Act”), Congress created powerful incentives to encourage persons to report (i) potential violations of the federal securities laws to the Securities and Exchange Commission (“SEC”)1 and (ii) potential violations of the Commodity Exchange Act (the “CEA”) to the Commodity Futures Trading Commission (the “CFTC”).2  While the Sarbanes-Oxley Act (“SOX”) encouraged up-the-ladder reporting by employees and allowed for self-policing and self-reporting by companies of potential violations, the Dodd-Frank Act’s whistleblower provisions will incentivize external reporting to the regulators that may hamper a company’s ability to self-police and self-report. The SEC’s rules to implement those provisions of the Act within the SEC’s authority, approved yesterday on May 25, 2011,3 raise serious challenges for public corporations, broker-dealers, investment advisers, hedge funds, credit rating agencies, and other companies that are subject to the federal securities laws.

Companies may expect an increase in the number of complaints that circumvent internal reporting mechanisms and instead go directly, or through plaintiffs’ lawyers, to the government.  Indeed, “[t]he Commission estimates that it will receive approximately 30,000 tips, complaints and referrals submissions each year” pursuant to the Dodd-Frank whistleblower provisions.4  Put bluntly, there is now a material risk that individuals will disdain internal reporting in favor of a potential bounty from the government.  Accordingly, affected companies are faced with increased regulatory and law enforcement scrutiny and a threat of more and more rapid derivative and private securities class actions as plaintiffs’ firms offer enticing promises to whistleblowers.  Tellingly, typing in the phrase “whistleblower” into an internet search engine results in a number of law firms trying to recruit corporate employees to profit by becoming whistleblowers.  An examination of these profit-oriented sites shows that they are in the business of selling to employees the notion of making money by becoming whistleblowers.    

Without a critical evaluation and modification of internal policies, procedures, and training, a company may lose the benefit of itself conducting a considered examination of the validity of claims, addressing and correcting any problems, and, where appropriate, self-reporting the conduct to the appropriate governmental authorities. 

With these new rules, there is little doubt that whistleblowers who elect to go to the government, rather than attempt to prevent or correct problems internally, will cause companies considerable expense, even where their allegations are unfounded or relate to immaterial violations.  That said, the manner in which a company responds to a whistleblower will ultimately have a tremendous impact on the company’s legal and financial exposure.  Although a company is prohibited from retaliating against a whistleblower, companies can and should take steps to encourage internal reporting, prevent the unauthorized flow of information to non-parties, and reduce the likelihood that other employees and non-parties become external whistleblowers.  When a complaint is received, companies now must decide even more promptly whether to investigate, self-report, and cooperate with the government.  Obtaining “credit” from the government for cooperating becomes more challenging, although not impossible, when there is a whistleblower.

This memorandum describes the mechanics of the whistleblower rules and discusses some of the proactive steps companies should consider to encourage individuals to use internal reporting systems before, or instead of, contacting the SEC.  It also highlights some of the issues companies should consider in order to reduce potential financial and legal liability once whistleblowers have gone to the government.

Dodd-Frank Whistleblower Provisions Explained

Numerous websites, including those sponsored by plaintiffs’ lawyers, are designed to entice employees to become whistleblowers and to turn against their companies in the hope of big bounties.  When faced with such ubiquitous marketing, there is no doubt that employees may misunderstand exactly what is required under the Dodd-Frank whistleblower provisions and related SEC rules.  Educating employees concerning a company’s established compliance programs as well as on the SEC whistleblower provisions may be the best way to encourage employees to report any problems internally and allow a company to self-correct any real problems. 

The Dodd-Frank Act adds Section 21F to the Securities Exchange Act of 1934.  Section 21F requires the SEC to award eligible whistleblowers a bounty of 10 to 30% of the monetary sanctions recovered in eligible SEC or related actions stemming from the whistleblower’s information.  The Dodd-Frank whistleblower provisions were immediately effective as of June 22, 2010, and arguably cover misconduct reported on or after that date, even if the conduct itself occurred prior to the passage of Dodd-Frank.  Even though the provisions became effective on adoption of Dodd-Frank, Congress dictated that the SEC pass rules regulating how those provisions would be implemented in practice.  Those rules, proposed on November 3, 2010,5 were finalized yesterday, May 25, 2011.

The SEC rules state that eligible individuals who voluntarily provide the SEC “original information” (as defined in the rules) about any violation of the federal securities laws, that leads to a successful SEC enforcement action of $1 million or more, are entitled to a sizeable percentage of the aggregate recovery by the government in that or any related action.  Importantly, the SEC rules do not require an employee-whistleblower to report complaints internally first or at all.  However, the rules are intended to provide certain incentives for individuals to utilize internal compliance resources.  As explained below, however, the whistleblower rules still pose a significant threat to the efficacy of internal compliance programs by incentivizing individuals, including even those employees with compliance responsibilities, to bypass internal compliance measures.

Who Can Be A Whistleblower?  Except for legal entities and the other exclusions discussed below, almost any individual may be eligible to receive a whistleblower bounty.  Employees, former employees, vendors, agents, contractors, clients, customers, and competitors are all potential sources of tips and complaints that could justify a whistleblower award.  Perhaps somewhat remarkably, even individuals involved in securities violations may be eligible whistleblowers under Dodd-Frank.   

Exclusions. With some significant exceptions, the following categories of individuals are generally excluded from obtaining a whistleblower award under Dodd-Frank. 

  • Officers, directors, trustees, or partners of an entity, who are informed of allegations of misconduct.6
  • Individuals with compliance or audit responsibilities at an entity, who receive information about potential violations.
  • Attorneys cannot be whistleblowers on their own behalf in connection with information they obtained in the course of their representation of a client.  This prohibition applies both to in-house lawyers and outside counsel representing a company.7   
  • Accountants are ineligible for awards when providing information about a client or its directors or officers if obtained in the context of providing outside auditing services to that company.
  • Foreign government officials.
  • Individuals with a pre-existing legal obligation to report information about potential violations to the SEC or to other authorities (e.g., government contracting officers).

Significant Exceptions to the Excluded Persons.  Notwithstanding these limitations, officers, directors, trustees, partners, and individuals responsible for, or involved in, internal compliance or audit at an entity, may take advantage of potentially broad exceptions and be eligible as whistleblowers.  First, these individuals may report directly to the SEC as whistleblowers to the extent they have a “reasonable basis to believe that disclosure of the information to the Commission is necessary to prevent . . . conduct that is likely to cause substantial injury to the financial interest or property of the entity or investors.”8  Second, these individuals may report directly to the SEC 120 days after the individual has reported the information internally to appropriate internal resources (such as, for example, a supervisor, the chief legal officer, or the audit committee).9  These exceptions alone threaten to swallow the rule. 

Culpable Individuals Not Excluded.  The SEC rules do not exclude individuals who may be responsible or complicit in a violation from receiving a whistleblower award unless and until they are convicted of a crime related to the information reported.10  The SEC, however, will consider the conduct of a whistleblower in determining the amount of any eligible award, and will subtract the amount of a fine paid by the whistleblower, or attributable to the whistleblower’s conduct, in assessing whether the $1 million recovery threshold has been reached.

“Original Information” Must Be Derived from “Independent Knowledge.”  Under the SEC rules, “original information” is information that is (1) not already known to the SEC, (2) derived from an individual’s independent knowledge or analysis, and (3) not exclusively derived from an allegation in a judicial or administrative hearing, or similar action.  “Independent knowledge,” meanwhile, is defined as information that is not obtained from public sources,11 although a whistleblower need not have direct, first-hand knowledge of potential violations.  Independent knowledge can include information from experience, observation, or even communications with other employees, clients, vendors or non-parties.

Submission Must Be Voluntary.  An individual is eligible for a whistleblower award if he or she provides information to the SEC prior to the SEC (or any other enumerated regulator)12 making any formal or informal request, inquiry or demand directly to the whistleblower for that information.13

Information Must “Lead to” a Successful Enforcement Action.  The SEC has made clear that it will not award a whistleblower bounty for every tip and complaint.  Rather, a bounty only will be awarded to a whistleblower who provides information that “leads to” a successful SEC enforcement action.  The SEC rules contemplate that only information of high quality, reliability, and specificity will merit an award.  The SEC will look to both the significance of the information provided in opening an investigation as well as the role the information plays in the success of a related enforcement action. 

With respect to situations where the SEC is not already looking into the precise conduct raised by the potential whistleblower, information will be considered to have led to successful enforcement when it is “sufficiently specific, credible, and timely to cause the staff to commence an examination, open an investigation, reopen an investigation that the Commission had closed, or to inquire concerning different conduct as part of a current examination or investigation, and the Commission brings a successful judicial or administrative action based in whole or in part on the conduct identified in [the] original information.”14  A whistleblower award should be rare in connection with conduct that is already under investigation.  In those situations, only information that has “significantly contributed” to the success of an SEC enforcement action, will be considered eligible to merit a whistleblower award. 

Internal Reporting Still Permitted But Not Required.  In an attempt to recognize the importance of a company’s internal compliance function, the SEC rules are intended to provide some incentive to whistleblowers to first report the possible violation through internal company channels.  First, the SEC rules provide that an internal whistleblower may be eligible for an award in those circumstances where the company reports to the SEC information received from the whistleblower, or the results of an investigation initiated in response to the whistleblower’s information.  In those circumstances, all the information reported by the company will be deemed attributable to the internal whistleblower.  Second, the rules grant a 120-day grace period to an internal whistleblower.  An individual would be deemed to have reported directly to the SEC at the same time they have reported internally, so long as he or she voluntarily reports original, independent information to the SEC within 120 days of having first reported the information internally to the company.  Finally, when considering the amount of an award to grant a whistleblower, the SEC will consider whether and to what extent an individual made use of (or, alternatively, interfered with) internal compliance procedures.

Recovery and Rewards.  Dodd-Frank and the SEC rules provide that where the SEC recovers at least $1 million, a reward to eligible whistleblowers must be between 10 and 30% of the aggregate monetary sanctions obtained by the SEC and other U.S. governmental entities in any related actions.  The calculation of the monetary sanctions includes penalties, civil and criminal fines, and disgorgement, in addition to interest.  The SEC retains broad discretion to determine the precise amount awarded to an eligible whistleblower, vetted through a new Claims Review Staff.15  The SEC will consider the following factors in determining the amount of an award: the significance of the information provided; the degree of assistance provided; the SEC’s “programmatic interest”; and various other factors, including, as observed above, whether the whistleblower made use of (or alternatively impeded) a company’s internal compliance function, whether the individual put himself or herself in danger, whether the whistleblower encouraged others to assist the SEC, and the culpability of the whistleblower. 

Reward and Anonymity Is Not Guaranteed.  Although the whistleblower provisions are designed specifically to encourage individuals to come forward, there are important substantive and procedural steps that the SEC requires before issuing an award.  In addition to the eligibility requirements described above, potential whistleblowers must: (i) submit information, under the penalty of perjury, on a designated federal form; (ii) agree to provide testimony if requested; (iii) enter into a confidentiality agreement with the government if requested; and/or (iv) provide other assistance and cooperation with the Commission’s investigation or related actions.  As a result, whistleblowers may be faced with years of ongoing cooperation obligations, including the time, difficulty and out-of-pocket expense associated with such cooperation.  And, at the end of the process, if the SEC has not recovered over $1 million from the alleged violation, or if the SEC determines that the individual is ineligible, the whistleblower will not receive any bounty.

Even assuming there is an eligible recovery from a final judgment, a whistleblower also must file a claim for award, which is reviewed and evaluated by the SEC staff.  If history guides, the time from initiation of investigation to the SEC’s recovery of a monetary sanction could run anywhere from two to eight years, and a whistleblower’s bounty will be paid only after the SEC actually collects eligible funds.16  Moreover, although initial whistleblower reports can be filed anonymously via an attorney, a whistleblower must identify himself or herself to the SEC prior to collecting any reward.

Potential whistleblowers will have no control over the scope or length of an SEC investigation they instigate through a whistleblower complaint.  Once a formal order of investigation is opened by the SEC, the SEC Enforcement staff may decide to investigate whether the whistleblower had a role in the alleged violation or should have done more to prevent any wrongdoing, and could pursue any potential violations, even those involving the whistleblower.17

Expanded Protection for Whistleblowers.  The Dodd-Frank Act enhances existing protections for employees who report possible violations of the securities laws either internally or to the SEC or other federal authorities.  As a result, companies must have strict anti-retaliation policies and procedures and must be prepared to clearly document those practices in order to limit exposure to employment-related claims that could add further liability beyond the reported offense.

Dodd-Frank makes it unlawful for any employer to “discharge, demote, suspend, threaten, harass, directly or indirectly, or in any other manner discriminate against, a whistleblower in the terms and conditions of employment because of any lawful act done by the whistleblower.”18  Protected conduct includes (1) providing information under the whistleblower provisions, (2) participating in an investigation or action of the SEC relating to information provided under the provisions, or (3) otherwise making disclosure required or protected under any law or regulation within the SEC’s purview.  Employee-whistleblowers under Dodd-Frank can sue their employers civilly for up to six years after any alleged retaliatory conduct, and can recover up to twice their back pay, with interest.  They need not seek administrative relief first, unlike whistleblower protections under the Sarbanes-Oxley Act (“SOX”).  In addition, the SEC has indicated that it has “enforcement authority” against employers who violate the Dodd-Frank whistleblower protections.19

Dodd-Frank also extends protections under the pre-existing SOX whistleblower protections that have been in place since 2003.  Pursuant to SOX Section 806, employee-whistleblowers may continue to file discrimination claims if they face adverse employment actions on the basis of providing information regarding potential violations of the federal mail, wire, bank or securities fraud statutes (or for assisting in related investigations), either internally within a company, or externally to a federal law enforcement or regulatory agency.  Dodd-Frank expands those protections in four significant respects. 

First, Dodd-Frank extends the time period for employee-whistleblowers to file SOX discrimination claims with OSHA from 90 days to 180 days.  Second, the Act expressly provides for jury trials for discrimination claims brought under SOX.  Third,  the Act prohibits the use of predispute arbitration agreements for SOX discrimination claims.  Fourth and finally, the Act expands SOX coverage to include not only employees of issuers, but also to all employees (including those abroad) of subsidiaries of publicly traded companies whose financial information is included in the consolidated financial statements of the publicly traded company and financial service employees and employees of nationally recognized statistical rating organizations.

Proactively Reassessing Compliance Controls, Training, and Response Plans

The new whistleblower provisions create a host of concerns even for careful companies.  Entities with exposure to federal securities laws should consider a critical assessment of their company’s existing compliance regime and response plans as a step in preparing for the new world of Dodd-Frank whistleblowers.

Encouraging Internal Reporting Procedures. Even without a whistleblower bounty, entities should not expect internal reporting procedures to be used unless the company has established a clear tone of compliance, published unambiguous policies and procedures, and trained adequately employees regarding those internal rules.  The internal rules must be clear and easy for employees to understand, and enforcement of the rules must be consistent. Companies should consider implementing an overall risk system that integrates compliance, legal, internal audit, and external audit to create a risk-based approach to preventing, detecting, and responding promptly to potential violations.  As part of such a system, user-friendly internal reporting mechanisms are essential to encourage employees, agents, and others to bring any potential wrongdoing to the attention of the company. 

Moreover, an effective compliance program, which delineates clear guidelines for the detection and reporting of corporate misconduct, is critically important to how Department of Justice prosecutors evaluate an organization’s compliance controls.  The Principles of Federal Prosecution for Organizations, which govern how prosecutors investigate and present charges against corporations, emphasize the existence of a meaningful compliance program in determining the just resolution of corporate investigation.20  The principles instruct prosecutors to consider the comprehensiveness of the compliance program and to specifically evaluate whether the corporation has established corporate governance mechanisms that can effectively detect and prevent misconduct. The critical factors in evaluating any program are whether the program is adequately designed for maximum effectiveness in preventing and detecting wrongdoing by employees and whether corporate management is enforcing the program or is tacitly encouraging or pressuring employees to engage in misconduct to achieve business objectives. Accordingly, companies should consider steps to encourage internal reporting, while alerting employees to the reality of the SEC’s whistleblower bounty program.  For example, companies should consider:

  • Hotlines.  Anonymous hotlines for employees, contractors, vendors and clients to report potential securities law violations, and a process that prioritizes such tips and complaints based on risk factors.
  • Audit.  An independent internal audit function with designees in the business lines, and an audit committee with active oversight and involvement in the audit function.
  • Prioritization.  Processes and procedures that ensure that internal complaints are prioritized and evaluated quickly and thoroughly, and that results and trends from complaints are integrated into the company’s assessment of its compliance risks and financial reporting controls.
  • Internal Reporting Requirements.  Employing or strengthening internal rules that require employees to report any suspected wrongdoing to legal or compliance personnel, and that expressly prohibit employees from sharing information with certain non-government entities, such as the media.
  • Internal Reporting Incentives.  Whether to provide rewards or other incentives – either financial or otherwise – for reporting potential violations internally.  For example, prompt reporting of potential violations could form the basis of positive employment evaluations or promotion considerations. 
    • Such a program, however, may raise its own problems of fair and effective administration. 
    • In addition, companies should consider how internal incentives may affect employees’ views of their existing obligations to prevent, detect, and report potential violations.
  • Training.  Establishing training programs that credibly reiterate an institutional commitment to integrity and fair dealing and clearly set out internal complaint procedures. 
    • Effective training programs may incorporate a discussion of the SEC’s whistleblower provision, including the burdens individuals face when they become whistleblowers and the ramifications for reporting false information.
    • Training should highlight for employees their obligation to report suspected wrongdoing to appropriate channels within the company, and, where applicable, remind relevant employees of their periodic certification and sub-certification responsibilities, and of potential adverse employment consequences of non-compliance.21
    • Employees also should understand that the company will not restrict their ability to report matters directly to the SEC.  On the other hand, employees should be reminded of their confidentiality obligations to the company and the ramifications of disclosing information to non-parties with whom they lack an attorney-client relationship.
    • Companies should explain to employees that they will not forgo their opportunity to receive a bounty from the SEC if they report the allegations first to the company, and in fact, stand to receive a greater award if they utilize internal reporting channels.22
  • Exit Interviews.  Establishing a comprehensive exit-interview process designed to identify both potential substantive issues and potential disgruntled employees, before a former employee becomes a future whistleblower.   

Responding to Internal Complaints.  The best way to effectively encourage internal complaint reporting is to foster trust in the internal system.  This is best accomplished by effectively responding in a timely fashion to any credible tips or complaints.  Employees who believe that the company is unresponsive to complaints are more likely to go outside when they perceive problems.  Moreover, because of the incentives for both whistleblowers and companies to be the first to report a violation to the SEC, the whistleblower provisions greatly increase the importance for a company to quickly, yet sufficiently, assess complaints in order to be in a position to self-report a violation to the SEC.23

A key element in the successful defense or mitigation of any federal investigation is the company’s ability to stay ahead of the investigation.  A company’s ability to reduce the breadth, depth, and length of governmental investigations by proactively self-investigating potential violations, remedying problems, and ultimately receiving credit for cooperation, can provide substantial benefit to a company, including reducing fines and penalties, preventing debarment, and avoiding some or all civil and criminal charges.  But a company must act promptly to receive cooperation credit after a whistleblower’s tip or complaint has been received.

Under the SEC’s Seaboard 21(a) Report, the SEC adopted a policy of crediting companies for “self-report[ing]” violations.  The SEC release relating to the whistleblower provisions makes clear that the SEC’s cooperation policy is not altered by the whistleblower rules:

[W]hen considering whether and to what extent to grant leniency to entities for cooperating in our investigations and related enforcement actions, the promptness with which entities voluntarily self-report their misconduct to the public, to regulatory agencies, and to self-regulatory organizations is an important factor.  At the same time, it is important to note that this rule is not intended to, and does not, create any new or special duties of disclosure on entities to report violations or possible violations of law to the Commission or to other authorities.24

Even well-prepared companies may find it difficult to conduct a thorough review of an internal complaint in a timeframe that permits the company to get to the SEC before a whistleblower does.  Companies may decide to self-report certain allegations received through internal reporting channels before the company has had an opportunity to fully investigate if the allegation is serious and has some indicia of credibility.  However, the SEC appears to acknowledge these potential issues and invites companies to conduct internal investigations and self-report findings, in lieu of merely responding to an SEC-driven investigation.   

Nor do we intend to suggest that an internal investigation should in all cases be completed before an entity elects to self-report violations, or that 120 days is intended as an implicit “deadline” for such an investigation.  Companies frequently elect to contact the staff in the early stages of an internal investigation in order to self-report violations that have been identified.  Depending on the facts and circumstances of the particular case, and in the exercise of its discretion, the staff may receive such information and agree to await further results of the internal investigation before deciding its own investigative course. This rule is not intended to alter this practice in the future.25 

Companies, particularly large and multi-national companies, should consider reassessing their response plans related to internal complaints.  Companies should be able to identify quickly serious complaints, make appropriate internal reports and assessments, investigate, and determine whether and when to self-report to the authorities.  In order to do so, companies should consider the following factors, among others:

  • The initial indicia of credibility associated with the complaint, including where applicable, the source of the complaint, the persons alleged to have been involved in the violation, the nature of the violation, and the likelihood that a violation may have occurred.
  • The reasonable prospect that the whistleblower will (or has already) contacted the authorities.
  • The initial assessment of the size and relative importance of the alleged violation (i.e., materiality, including but not limited to SAB 99 criteria).
  • Whether the violation is ongoing and/or relates to a current period.
  • The possible legal ramifications if the allegations prove to be credible.

Companies also should consider identifying, in advance, a pool of potential outside counsel who could later be selected on short notice to conduct investigations with the speed and thoroughness required, so that critical time is not wasted vetting external counsel candidates after a significant complaint is received.

Self-Reporting When Dealing with a Whistleblower.  The consideration of whether and when to self-report an actual or potential violation will not be new for corporations with U.S. legal exposure.  The whistleblower rules add a new dynamic in those decisions.  Where it is clear that the internal whistleblower intends to report allegations to the SEC, a company should carefully consider whether to make a pre-emptive report to the SEC of the existence of a complaint, even where the company believes the complaint is untrue, immaterial, or otherwise defensible.  A company’s reporting of those allegations to the SEC first, or at least reporting them voluntarily, and explaining why those allegations are unfounded or unimportant, may avoid or truncate what otherwise could be a long and expensive government investigation.  Self-reporting to the SEC may avoid or delay the institution of an SEC investigation.

There may be times when a whistleblower complaint to the SEC reveals such potentially serious misconduct that a company also must consider reporting the whistleblower complaint to the Department of Justice as well.  This is necessary because the Department of Justice has its own criteria for rewarding cooperation and mitigating penalties for companies whose compliance polices comport with the principles enunciated in Chapter 8 of the United States Sentencing Guidelines.  If a company is aware of a complaint regarding potential criminal misconduct, it must self-report in the face of a potential whistleblower complaint in order to obtain leniency from the Department of Justice in any potential criminal action the Department may bring.  In particular, in order for a company to obtain the most leniency in a criminal prosecution, the Sentencing Guidelines and related commentary provides that a company must have, “(A) prior to an imminent threat of disclosure or government investigation; and (B) within a reasonably prompt time after becoming aware of the offense, reported the offense to appropriate governmental authorities, fully cooperated in the investigation, and clearly demonstrated recognition and affirmative acceptance of responsibility for its criminal conduct.”26

Reducing the Likelihood that an Employee Notifies the SEC after a Company Receives an Internal Complaint.  Once a complaint is received internally, a company will have a particularly keen interest in minimizing the chance that a whistleblower will also report that information to the SEC.  By doing so, a company will remain better positioned to control the scope and length of the investigation, remediate, and, where necessary, self-report misconduct to receive cooperation credit.  Companies can take several steps to reduce the likelihood that an internal whistleblower will turn also to the SEC.

First, if the whistleblower’s identity is known, the company should consider providing comfort to the whistleblower that the company is taking adequate steps to respond.  A swift, objective investigation conducted by outside legal counsel will demonstrate to the whistleblower that the company is serious and responsible.  While the company should not usually involve a whistleblower in the actual internal investigation, the company should consider providing procedural updates to the whistleblower, including face-to-face meetings with in-house and/or external legal counsel, in order to address any concerns with the investigation.  In some instances, the company may want to share limited substantive information with the whistleblower and may want to inform the whistleblower, where applicable and as appropriate,27 that the conduct has been reported to the SEC in order to dissuade the employee from going separately to the SEC. 

Second, the company should take immediate remedial actions where necessary. Where there are legitimate problems, the company should act immediately to rectify them, including, where local law permits, suspending potential wrongdoers during the pendency of an investigation and ultimately disciplining responsible parties.28  Remediation is an important step towards earning cooperation credit from the government and fulfilling officers’ and directors’ fiduciary duties, in addition to reducing the likelihood that the whistleblower will go directly to the SEC. 

Finally, by the same token, where the company concludes that there has been no violation, or that any breaches are immaterial, the company should consider explaining its findings to the whistleblower.  While it is not always possible or advisable to inform an individual employee of the specific results or conclusions of an internal investigation, where appropriate the whistleblower should be provided with information sufficient to convince him or her of the thoroughness of the company’s response and the reasonableness of the company’s ultimate decisions.

Responding Once a Whistleblower Has Gone to the SEC.  Even despite best practices, some companies can expect that they will have an employee, former employee, vendor, client, or customer who will become an SEC whistleblower.  When a company learns that an individual has gone to the SEC to report potential wrongdoing, the company must take appropriate steps to reduce subsequent liability by aggressively investigating the substantive issues and affirmatively interacting with the SEC.

Companies should recognize the process by which the SEC evaluates whistleblower complaints.  The SEC’s Whistleblower Office, in conjunction with the Office of Market Intelligence in the Division of Enforcement, is responsible for prioritizing tips and complaints.  The SEC’s priority system looks to the seriousness of the allegation, the quality of the information, the level of persons involved in the alleged wrongdoing (e.g., CFO), and whether harm to investors is ongoing or expected.  From there, the Division of Enforcement will determine, on a case-by-case basis, whether and to what extent to devote resources to further investigative steps.  This is not unlike what companies themselves must do, and it will pose the same time and resources constraints for the SEC.

In the year prior to the whistleblower regulations, the SEC’s Division of Enforcement, which has 1,100 employees, received hundreds of thousands of tips and complaints.  The number of complaints is expected to rise with the advent of Dodd-Frank; the Commission estimates it will receive at least 30,000 tips and complaints annually under the Dodd-Frank whistleblower provisions alone.  Given this volume, the SEC’s own budgetary restrictions, and the necessary lag between the receipt and investigation of those tips and complaints, the SEC may find it challenging to investigate all the tips and complaints from whistleblowers.  Consequently, the SEC has made clear that, under appropriate circumstances, the Enforcement staff will allow (and in some instances may prefer) companies to conduct their own internal investigations of whistleblower complaints received by the SEC using outside counsel, prior to instituting or pursuing an SEC investigation. 

[W]e expect that in appropriate cases . . . our staff will, upon receiving a whistleblower complaint, contact a company, describe the nature of the allegations, and give the company an opportunity to investigate the matter and report back. The company’s actions in these circumstances will be considered in accordance with [the Seaboard 21(a) Report] and Commission Statement on the Relationship of Cooperation to Agency Enforcement Decisions. This has been the approach of the Enforcement staff in the past, and the Commission expects that it will continue in the future. Thus, in this respect, we do not expect our receipt of whistleblower complaints to minimize the importance of effective company processes for addressing allegations of wrongful conduct.29

Companies have found that the opportunity to conduct a proactive internal investigation with experienced outside counsel is preferred over merely reacting to an SEC investigation.  Companies that do so may be able to negotiate the scope of the investigation, reduce intrusion on employees and interference with day-to-day business, and resolve potential issues more favorably with the regulator by receiving credit for cooperation.

Handling an SEC Whistleblower. Once a company is aware of an SEC whistleblower, the company not only needs to handle the substance of the complaint itself, as described above, but also needs to evaluate how to deal with the individual source of the complaint. 

First, in light of the enhanced protections and private rights of action available to employees under Dodd-Frank and SOX Section 806, companies should consider proactively reassessing their employment policies and procedures, rather than attempting to adapt only after a whistleblower has appeared.  To limit exposure to future employment-related claims, companies must have well-defined policies and procedures that appropriately protect individuals from whistleblower discrimination, and must train employees to follow them.

Second, where the identity of the whistleblower is unknown, the company in consultation with outside counsel should carefully consider legitimate, non-discriminatory ways to quickly identify the source of the complaint.  Understanding the source is an important part of evaluating the veracity of the complaint and appropriately focusing resources on how to investigate allegations.  Moreover, identifying the source of the complaint gives the company the opportunity to protect itself from future employment claims.  The company can ensure that a current employee identified as a whistleblower is treated appropriately, rather than risk the chance of an otherwise normal and justifiable employment action being misperceived or alleged as discriminatory.  Identifying the source of a complaint also can be invaluable in successfully limiting and defending against exposure of the underlying allegations.  Even before the Dodd-Frank whistleblower rules, experienced practitioners in both government and private practice realized that some whistleblowers may have less than altruistic objectives and less than perfect information.  Understanding those limitations may provide tremendous assistance to a company in its dealings with regulators by permitting complaints from such individuals to be placed in the correct context.

Nevertheless, companies must be careful not to allow the appropriate identification of a whistleblower to become, or be perceived as, a witch hunt designed to pressure the individual who made the complaint or to have a chilling effect over potential future whistleblowers or cooperators.  Mere allegations of such pressure could be devastating to a company’s credibility before a regulator, and in the worst cases could give rise to stand-alone claims and criminal charges of obstruction of justice.  The risks and rewards regarding the steps taken to identify a whistleblower must be weighed carefully and such steps must be executed with discretion and skill.

Finally, in those instances where an individual is identified as a whistleblower, the company should reevaluate whether and to what extent to share information about the company’s internal investigative steps or conclusions with that individual.30  In those circumstances, there will no longer be a need to mitigate the risk of an individual reporting directly to the SEC, but there still may be compelling reasons to ensure a whistleblower believes the company is responding appropriately.  Companies may find that establishing and maintaining an open line of communication with the whistleblower provides the best opportunity to limit future additional complaints from the same individual, become aware of what information the whistleblower is continuing to share with regulators or others, and enhance and positively project the company’s commitment to compliance.  With that said, companies must assume that a whistleblower will continue to act as a direct conduit of information to the SEC and perhaps to plaintiffs’ attorneys.

On the other hand, companies also may want to carefully consider whether to discipline a current employee who failed to adequately report potential fraud internally, despite having gone to the SEC directly.  Companies should protect the integrity of their own internal compliance regime and internal control over financial reporting, by expecting employees to do their job to detect, prevent, and report potential fraud or other violations.  Companies are not required to ignore a whistleblower’s own transgressions of internal policies and procedures.  As with steps taken to identify whistleblowers, however, disciplining a known whistleblower is likely to result in severe criticism, and may garner claims of discrimination or obstruction.  Those potential results should be weighed carefully in consultation with experienced counsel. 

Interplay of Whistleblower Reporting to SEC and Impact on Criminal Cases.  The regulations published today do not address directly the consequences of a whistleblower reporting to the SEC in a case that warrants criminal, rather than only civil or administrative, enforcement.  While the rules under Dodd-Frank may require significant proactive cooperation, including testimony, before a bounty is paid, it is not clear whether the whistleblower is similarly obligated to cooperate in a criminal prosecution with the Department of Justice.  Moreover, while the rules contemplate the payment of a bounty in the case of “related actions” such as an investigation conducted by the Attorney General or his designees, it is usually anathema to federal prosecutors to rely on cooperating witnesses with a huge financial stake in the outcome of a case – particularly those who might have participated in the misconduct.  It thus remains to be seen whether the Department of Justice will rely on the SEC’s paid whistleblowers to the extent contemplated by Dodd-Frank, and consequently whether there will be a large number of million dollar plus recoveries in these types of cases.


The Dodd-Frank whistleblower provisions have the potential to alter the landscape of internal compliance for issuers, financial institutions, and other organizations with exposure to the federal securities laws.  Companies can reduce their liability by taking proactive steps now to reevaluate their policies, procedures, and controls relating to internal reporting and whistleblowers.  When whistleblowers emerge, companies must act promptly to investigate the allegations and determine the appropriate response. 

1   Dodd Frank Act, § 922, et seq.

2   Dodd-Frank Act § 748 et seq.  Although the CFTC’s proposed rules have not been finalized, these proposed rules tracked the SEC’s originally proposed rules.  Companies that have exposure to both securities and commodities regulations should be aware of the overlap of, and potential interaction between, the SEC and CFTC whistleblower rules.  This article is not intended as an analysis of the CFTC whistleblower rules.

3   “Implementation of the Whistleblower Provisions of Section 21F of the Securities Exchange Act of 1934,” SEC Release No. 34-64545 (May 25, 2011) (“SEC Rules Release”).  See

4   SEC Rules Release at 209.

5   “Proposed Rules for Implementing the Whistleblower Provisions of Section 21F of the Securities Exchange Act of 1934,” SEC Release No. 34-63237 (Nov. 3, 2010).

6   Officers, directors, trustees, and partners still may be eligible whistleblowers relating to possible violations that the individual observes or discovers.

7   Other laws and regulations may impose distinct obligations on individuals relating to the reporting of potential violations.  For example, SOX Section 307 requires, in most cases, attorneys appearing and practicing before the SEC to report credible evidence of potential violations of the securities laws “up the chain” within a company.

8   SEC Rule  21F-4(b)(4)(v)(A).

9   SEC Rule 21F-4(b)(4)(v)(C).  Where an officer, director, partner, trustee, or compliance or audit personnel have received information under circumstances indicating that appropriate internal resources are already aware of the information, the 120 days begins running immediately, without any further internal reporting by the individual.  Those same otherwise excluded individuals also may report directly to the SEC and be eligible as an SEC whistleblower if they “have a reasonable basis to believe that the relevant entity is engaging in conduct that will impede an investigation of the misconduct.”  Id. at 21-F-4(b)(4)(v)(B).

10 Thus, an individual who enters into a non-prosecution or deferred prosecution agreement with the Department of Justice or another criminal authority would not be precluded from receiving a whistleblower award.

11 According to the comments in the SEC rules release, “publicly available sources may include both sources that are widely disseminated (such as corporate press releases and filings, media reports, and information on the internet), and sources that, though not widely disseminated, are generally available to the public (such as court filings and documents obtained through Freedom of Information Act requests).”

12 Information provided subsequent to a request from “[the SEC], Congress, any other federal, state, or local authority, any self-regulatory organization, or the Public Company Accounting Oversight Board,” would not be deemed voluntary.

13 The commentary to the SEC rules notes that “individuals who wait to make their submission until after a request is directed to their employer will not face an easy path to an award.  We expect to scrutinize all of the attendant circumstances carefully in determining whether such submissions ‘significantly contributed’ to a successful enforcement action under Rule 21F-4(c)(2) in view of the previous request to the employer on the same or related subject matter.”  SEC Rules Release at 31 n. 73.

14 SEC Rule 21F-4(c)(1).

15 As noted below, the SEC rules provide a purported whistleblower with the right to appeal the denial of an award, but no right to appeal the amount of an award that is within the statutory range.

16 An individual has a right to appeal an SEC decision as to whether he or she is an eligible whistleblower.  However, there is no right to appeal the SEC’s determination of the amount of a whistleblower award that is within the statutory range of 10-30% of the aggregate monetary recovery.  Nor is there any obvious right for a whistleblower to challenge the amount of an SEC (or other regulatory) settlement, even though the amount of any settlement will dictate their eligibility to receive an award and the amount of any such reward.  Nevertheless, it is not far-fetched to imagine instances where an aggressive whistleblower (or a whistleblower with aggressive legal counsel) could seek to intervene as an interested party during the federal court review of an SEC settlement of a federal court action.

17 An individual’s status as a whistleblower will not provide amnesty from SEC charges or criminal prosecution.  SEC Rule 21F-15.  For this reason, a whistleblower that has potential legal exposure also may seek to enter into a cooperation agreement with the SEC (and other authorities), to best ensure leniency.  SEC cooperation agreements are relatively new (first announced in January 2010), and it remains to be seen how the SEC’s new cooperation agreements and the new whistleblower provisions will interact.

18 Dodd-Frank Act, § 922(h)(1)(A).

19 SEC Rules Release at 18.  A judge in the Southern District of New York already has interpreted the Dodd-Frank whistleblower protections.  In Egan v. TradingScreen, 10 Civ. 8202 (LBS) (S.D.N.Y. May 4, 2011), the district court ruled that an employee must do more than report a complaint internally at a privately held company to state a retaliation claim under Dodd-Frank’s SEC whistleblower protections.

20 See U.S. Attorney’s Manual available at

21 Although Dodd-Frank prohibits a company from stopping an employee from reporting to the SEC, nothing prohibits a company from establishing and enforcing its own internal reporting requirements.  Indeed, the Securities and Exchange Act’s internal control provisions arguably require public companies to rigorously enforce employees’ duties to report suspected wrongdoing within the company.  Securities Exchange Act of 1934, § 13(b)(2)(B) (requiring issuers to “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances” that transactions and assets are recorded appropriately).

22 As discussed above, an employee who makes use of internal compliance reporting mechanisms may be eligible for an increased award in the SEC’s discretion, and, to the extent the company reports to the SEC the whistleblower’s information or the results of an investigation initiated based on that information, may receive an award as if they reported the information directly to the SEC.

23 Entities subject to FINRA regulations may have regulatory obligations to report violations pursuant to FINRA Rule 4530. 

24 SEC Rules Release at 76 (internal footnotes omitted).  See also, infra discussing a company’s response to a known SEC whistleblower.

25 SEC Rules Release at 77.

26 See U.S. Sentencing Guidelines, 8C2.5(g).

27 External and in-house legal counsel should remain cognizant of applicable local ethics rules that may restrict direct contact with whistleblowers who have legal representation.

28 Multi-national companies may face substantial hurdles in effectively disciplining employees in light of local labor laws, but those hurdles should not impede the ability of the company to draw credible conclusions about individuals based on its internal review and taking appropriate and justified employment actions permitted by law.

29 SEC Rules Release at 92.

30 As noted above, local ethics rules may restrict company counsel’s direct access to whistleblowers who are represented by counsel.