United States: SEC Adopts Final Rules Implementing Dodd-Frank Whistleblower Program—Explanation And Practical Implementation Considerations

Last Updated: August 10 2011
Article by Colin Diamond

On May 25, 2011, the US Securities and Exchange Commission (the "SEC"), in a 3 to 2 vote along party lines, adopted rules implementing Section 922 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (the "Dodd-Frank Act" or the "Act"), which requires the SEC to establish a program to pay awards to eligible whistleblowers reporting federal securities law violations. The rules were initially proposed by the SEC on November 3, 2010, and were subject to significant comment—the SEC received over 240 comment letters and approximately 1,300 form letters. Under the final rules, which will be administered by the newly created Office of the Whistleblower, persons who voluntarily provide original information to the SEC about potential violations of federal securities law that leads to successful enforcement actions in which monetary sanctions exceed US$1 million, are entitled to an award of between 10 and 30 percent of all such sanctions collected.

The final rules are largely consistent with those originally proposed. Most changes refine and clarify the original proposal. In an effort to keep the lure of an award from undermining companies' compliance programs, the most significant changes to the final rules seek to encourage whistleblowers to report internally before turning to the SEC. In particular, the final rules (i) extend from 90 to 120 days the period whistleblowers have to submit information to the SEC in order to remain eligible for an award after having reported information internally, (ii) clarify that voluntary internal reporting can increase the amount of an award, and (iii) allow employees who report internally to receive awards if their company subsequently discloses to the SEC the information reported by the employee.

Despite the changes described above, the final rules fall short of requiring mandatory internal reporting. As a result, the final rules still have the potential to undermine corporations' efforts to monitor their own compliance with applicable laws and regulations, investigate potential instances of non-compliance, and take appropriate remedial measures to protect stockholders from the consequences of ongoing non-compliance or other malfeasance.

This Client Alert summarizes key aspects of the final whistleblower rules, noting differences with the originally proposed rules, and outlining certain practical considerations for public companies.

When Will the New Provisions Be Effective?

The final rules will become effective 60 days after publication in the Federal Register, but the statutory provisions of Section 922 of the Dodd-Frank Act apply to any original information provided to the SEC after July 21, 2010. Potential whistleblowers are already entitled to the general rights provided by the Act's whistleblower provisions and are taking advantage of the new program, as the number and quality of tips received by the SEC has reportedly increased since the enactment of the Dodd-Frank Act.1

Whistleblower Eligibility Requirements

A whistleblower is an individual who provides the SEC with information relating to a possible violation of the US federal securities laws that has occurred, is ongoing or is about to occur. In order to be eligible for an award, a whistleblower must (i) voluntarily provide the SEC (ii) with original information (iii) that leads to the successful enforcement by the SEC of a federal court or administrative action, (iv) in which monetary sanctions totaling more than US$1 million are obtained. Each of these four requirements is discussed in more detail below.

Voluntary Submission Requirement

Whistleblowers are eligible for awards only when they "voluntarily" provide original information to the SEC. This covers situations where an individual comes forward before his or her representative is subject to a request, inquiry or demand by any governmental authority or self-regulatory organization, including the SEC and the Public Company Accounting Oversight Board (PCAOB). Under the proposed rules, a submission was not considered "voluntary" if made by an employee after his or her employer had already received an inquiry on the matter; however, the final rules contain no such limitation. Submissions will not be considered "voluntary" if made by an individual who has a pre-existing legal duty to report securities violations to the SEC (but not to some other agency) or has a pre-existing contractual duty to report securities violations to the SEC or certain enumerated agencies (i.e., pursuant to a cooperation agreement). The final rules establish mandatory procedures for an individual to mail, fax or electrically submit, under penalty of perjury, information related to a possible securities law violation. Such submissions may be made anonymously as long as an attorney can certify to the would-be whistleblower's identity.

Original Information Requirement

Information is "original" if it is derived from a whistleblower's independent knowledge or analysis, not already known to the SEC, and not exclusively derived from public sources. Independent knowledge does not require first-hand knowledge—information gained from experience, communications and observations in the whistleblower's business or social interactions qualifies.

Although the definition of original information is broad, information is not considered "original" when it falls into the following categories:

  1. information that is subject to attorney-client privilege (whether obtained by outside or in-house counsel) unless disclosure of the information would otherwise be permitted by an attorney under the SEC's rules implementing Section 307 of the Sarbanes-Oxley Act ("SOX"),2 applicable state attorney conduct rules or otherwise;
  2. information learned by directors or officers from another person or in connection with the company's internal procedures to identify possible violations of law;
  3. information learned by employees whose responsibilities relate to compliance or internal audit or information learned by external employees engaged for similar purposes; or
  4. information learned by an employee of an accounting firm performing an engagement required under federal securities laws (i.e., an annual audit or quarterly review of financial statements).

Notably, however, in contrast to the proposed rules, under the final rules, an individual in possession of information in classes (ii) through (iv) above can become eligible for whistleblower awards when:

  1. the individual reasonably believes disclosure may prevent substantial injury to the financial interests of investors;
  2. the individual reasonably believes the company on which they would report is engaging in conduct that will impede an investigation; or
  3. at least 120 days have elapsed since the individual reported the information to the company's audit committee or appropriate officer, or if it was clear to the individual that such committee or officer was already aware of the information.

While Chairman Schapiro explained these changes were made because the proposed rules may have "sought to exclude too many important, potential whistleblowers," Commissioner Paredes voiced concerns that "these exceptions will swallow the general rule that compliance and internal audit personnel are not eligible to receive bounties."

Successful Enforcement by the SEC Requirement

Information is considered to have led to a successful enforcement action when a whistleblower:

  1. provided information that was "sufficiently specific, credible and timely" to lead to the opening or reopening of an investigation or caused the SEC to inquire regarding different conduct as part of an existing investigation;
  2. provided information about conduct already under investigation that "significantly contributed" to the government prevailing; or
  3. submitted a complaint through his or her internal reporting mechanism, which prompted the company to conduct an internal investigation and ultimately disclose information to the SEC that is covered by (i) or (ii).

The third situation was not part of the proposed rules and is intended to incentivize whistleblowers to avail themselves of their company's internal compliance program. Chairman Schapiro noted that this addition "could create an opportunity for a whistleblower to obtain an award through internal reporting where the whistleblower might not otherwise have qualified for an award because the information was not sufficiently specific and credible." To be eligible for an award in this manner, the individual must still report the same information to the SEC within 120 days of reporting it internally.

Sanctions in Excess of US$1 Million

The US$1 million requirement will be met if the SEC obtains monetary sanctions in that amount from more than one action based on the same information. In addition, subject to the SEC obtaining monetary sanctions in excess of the US$1 million amount, the SEC will aggregate amounts obtained in "related actions," which are federal or state criminal proceedings or certain regulatory and self-regulatory proceedings based on the same original information that enabled the successful SEC enforcement. To prevent wrongdoers from benefitting by blowing the whistle on themselves, the amount on which awards are based will exclude any sanctions arising from the whistleblower's own misconduct.

Determination of the Amount of an Award

As mentioned above, the SEC will grant an eligible whistleblower a discretionary award of between 10 and 30 percent of the monetary sanctions recovered in an SEC action or related action. Under the proposed rules, the SEC would make a fact-specific determination of the amount of an award based on four general criteria. While fact-specific inquiries remain at the heart of determining the amount of the award, the final rules offer more guidance to the SEC by enumerating specific factors that may either increase or decrease the whistleblower's award percentage, rather than only providing general criteria to be considered.

The following factors may increase a whistleblower's award percentage:

  1. The significance of the information provided by the whistleblower to the success of the action.
  2. The degree of assistance provided by the whistleblower in the action.
  3. The SEC's programmatic interest in deterring securities laws violations by making awards to whistleblowers who provide information that leads to successful enforcement actions.
  4. Whether, and the extent to which, the whistleblower participated in internal compliance systems.

The following factors may decrease a whistleblower's award percentage:

  1. The whistleblower's culpability or involvement in misconduct related to the action.
  2. Whether the whistleblower unreasonably delayed reporting the securities laws violations.
  3. Whether the whistleblower undermined the integrity of internal reporting systems.

Within each of these factors, the SEC lists further guidelines for consideration. However, the final rules neither specify the relative weight of the factors nor the extent to which they will change an award percentage.

What Should Public Companies Do Next?

In light of the increased protections afforded to whistleblowers under the Dodd-Frank Act whistleblower program, companies should reexamine and heighten the visibility of their internal compliance programs, and position themselves to respond effectively and efficiently to internal reports of potential wrongdoing. The following are steps companies should consider in preparing for the new whistleblower regime:

  • Effective Internal Reporting Mechanisms. Companies should evaluate, update and educate their employees about their internal compliance programs to ensure they provide effective reporting mechanisms. For example, a hotline program permitting employees, or even relevant third parties, to provide information anonymously and in real time promotes efficient reporting and signals a commitment to compliance and good corporate citizenship. Companies should further ensure that any reports received through internal mechanisms remain confidential and, where appropriate, lead to prompt investigation and appropriate disciplinary action.
  • Internal Reporting Incentives. Some companies have reportedly considered whether revising their compliance programs to provide for monetary awards or similar incentives may be appropriate to encourage employees to first report internally. Such awards are likely to be insignificant compared to the prospect of at least US$100,000 potentially recoverable under the SEC's bounty program. Companies whose programs incentivize internal reporting should be careful not to create incentives for false or overstated allegations.
  • Training Programs. Managers and human resources personnel should be trained to recognize and correctly handle reports of any improper conduct. Employees should be made aware of internal reporting mechanisms and must clearly understand the purposes for which such mechanisms are set up. Regular training of all employees, including management, regarding the scope of the federal securities laws may reduce the likelihood of employees reporting unfounded or mistaken claims to the SEC in the hopes of receiving a financial award.
  • Anti-Retaliation Policies. The Dodd-Frank Act provides for substantial sanctions for employer retaliation. The final rules clarify that as long as an employee "possess[es] a reasonable belief" that a possible securities law violation is ongoing, has occurred or is about to occur, anti-retaliation protection applies—neither an actual violation of the securities laws nor a successful enforcement action is a prerequisite. In an SEC retaliation investigation, the burden is on the employer to justify its actions. Therefore, companies should develop comprehensive anti-retaliation policies that provide strong protections for employees who use internal reporting mechanisms. This should encourage employees to come forward internally and may help identify and address potential issues prior to commencement of any costly and burdensome SEC investigation.
  • Procedures to Address Reports to the SEC. Companies should develop formal procedures for senior managers to rapidly respond to the SEC in the event of a whistleblower complaint. Such procedures should outline specific steps to be taken when faced with an SEC inquiry and provide for independent internal investigations following external disclosure by a whistleblower.
  • More Thorough Self-Reporting. In many corporate investigations, it can be difficult to determine when actual wrongdoing has been found such that it is time to self-report. The 120-day reporting period contained in the final rules further complicates this determination and will likely encourage many companies to self-report as comprehensively as possible even before an internal investigation is complete. Companies will also wish to be as comprehensive as possible when self-reporting to avoid missing any issues that may have already been reported to the SEC by a whistleblower and avoid creating an impression of inadequate or partial self-reporting.
  • Tighten the Information Flow. Because the final rules do not preclude employees from bringing whistleblower claims on matters in relation to which their employer has received an inquiry, companies will need to closely monitor the transfer of information so that employees do not use information available to them and preempt the internal compliance system by contacting the SEC directly.


1. Edward Wyatt, "S.E.C. Adopts Its Revised Rules for Whistle-Blowers", N.Y. Times, May 25, 2011, http://dealbook.nytimes.com/2011/05/25/s-e-c-adopts-final-rules-for-whistle-blowers/ (last visited May 31, 2011).

2. Under 17 C.F.R. 205.3(d)(2), which is one of the provisions implementing Section 307 of SOX, attorneys are permitted, although not required, to disregard the attorney-client privilege when representing a company if necessary to (i) prevent the company from committing a material violation of the securities laws likely to cause substantial injury to the company or to its investors, (ii) prevent the company from committing perjury or a fraud upon SEC, or (iii) rectify the consequences of a material violation of the securities laws by the company for which the attorney's services were used.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

In association with
Related Topics
Related Articles
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.


The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.


Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions