United States: Securities/Corporate Compliance & Internal Investigations Alert: SEC Adopts Final Whistleblower Bounty Rules Under Dodd-Frank

On May 25, 2011, the Securities and Exchange Commission (SEC) adopted final rules¹ implementing the whistleblower provisions of new Section 21F of the Securities Exchange Act of 1934, as amended (the "Exchange Act"), which was added to the Exchange Act by Section 922 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (the "Dodd-Frank Act"). The SEC proposed these rules on November 3, 2010² and adopted the rules with certain modifications and clarifications. Section 21F of the Exchange Act directs the SEC to pay awards, subject to certain limitations and conditions, to eligible whistleblowers who voluntarily provide the SEC with original information about a possible violation of the federal securities laws that leads to the successful enforcement of an action brought by the SEC resulting in monetary sanctions exceeding $1 million.

These rules are among the most controversial of the SEC's rulemaking to date under the Dodd-Frank Act, in part because many in the business community anticipated that the rules will prompt would-be whistleblowers to circumvent companies' internal whistleblowing procedures and send reports of potential violations directly to the SEC in the hopes of obtaining a "bounty." In response to these concerns, the SEC made a few adjustments in the final rules, as described below, that are designed to encourage whistleblowers to report their concerns through internal company procedures first. The SEC was limited in its ability to make any fundamental changes to the proposed rules as part of the rulemaking process, given the requirements of Section 922 of the Dodd-Frank Act, which did not give the SEC discretion to eliminate the fundamental concept that payments will be made to whistleblowers in exchange for providing information to the SEC, if the requirements of the section are satisfied.³

The whistleblower program will be administered by the SEC's Office of the Whistleblower, and the final rules will become effective on August 12, 2011. A summary of the final rules is provided below.

Who qualifies as a "whistleblower"?

Consistent with Section 21F of the Exchange Act, the final rules define a whistleblower to be a natural person who, alone or jointly with others, voluntarily provides "original information" (as defined below) to the SEC relating to a possible violation of the federal securities laws that has occurred, is ongoing, or is about to occur. A company or other entity cannot qualify as a whistleblower. In addition, the violation must relate to a provision of the federal securities laws or a rule or regulation promulgated by the SEC. As such, reporting a violation of a state or foreign law would not qualify a whistleblower to receive an award under these rules.

What kinds of persons are ineligible for awards under these rules?

The final rules provide that certain persons will not be eligible to receive whistleblower awards due to special client relationships with the individuals or entities involved in possible violations of the securities laws, or due to pre-existing legal duties of such persons to report information to the SEC. Generally, the following categories of potential would-be whistleblowers would not be eligible to receive awards under the final rules:

• members, officers, or employees of the SEC, the Department of Justice, an appropriate regulatory agency (as defined in the final rules), a self-regulatory organization, the Public Company Accounting Oversight Board (PCAOB), or any law enforcement organization;
• any person who is a spouse, parent, child, or sibling of or resides in the same household as an employee of the SEC;
• foreign government officials;
• attorneys (including in-house counsel) and non-attorneys who obtain information through a communication which is subject to the attorney-client privilege or in the course of representing a whistleblower or whistleblower's employer, unless disclosure is allowed under applicable state attorney conduct rules;
• certain personnel with compliance-related responsibilities. Specifically:
• • officers, directors, trustees or partners of a company who (1) obtained information regarding allegations of misconduct from another person (e.g., via the company's compliance or whistleblower hotline) or (2) learned such information through the company's internal processes for identifying, reporting and addressing possible violations of law (e.g., via an auditor's report);
  • employees whose principal duties involve compliance or internal audit responsibilities (e.g., compliance officers); or
  • employees of firms that are retained to conduct an internal investigation or inquiry into possible violations of law (e.g., engagements for annual audits of broker-dealer firms);
• public accountants working on engagements required under the federal securities laws if the information relates to violations by the client or the client's directors, officers or other employees;
• persons who obtain information as a result of an audit of a company's financial statements (including quarterly reviews), if submission of such information to the SEC would be contrary to the reporting requirements of Section 10A of the Exchange Act⁴
• persons who obtain information in a way that is determined by a domestic court to violate applicable federal or state criminal law; and
• anyone who obtains information from persons subject to the above exclusions, subject to certain exceptions.

The final rules do contain an exception that allows public accountants and company personnel with compliance-related responsibilities (including officers and directors) to receive awards as whistleblowers in certain situations. Such whistleblowers may be eligible for an award if they have a "reasonable basis" to believe that (1) disclosure is necessary to prevent the company from engaging in conduct "likely to cause substantial injury to the financial interest or property of the entity or investors,"⁵(2) the company is engaging in conduct that will impede an investigation of the misconduct, or (3) at least 120 days have passed since the information was provided to the company's audit committee, chief legal officer, chief compliance officer, or the whistleblower's supervisor, or since the whistleblower learned that the information had already been reported internally.

What qualifies as a "voluntary" submission of information?

A submission of information by a whistleblower is "voluntary" if he or she provides the SEC with the information before the whistleblower or his or her representative receives (1) any request from the SEC, (2) a request in connection with an investigation, inspection or examination by the PCAOB or any self-regulatory organization, or (3) an investigative request by the U.S. Congress, any other authority of the federal government, a state Attorney General or securities regulatory authority related to the same subject matter. A submission to the SEC is also considered "voluntary" if the same information is provided to one of the above-listed authorities prior to the whistleblower receiving a request from the SEC.

A submission of information will generally not be considered "voluntary" if the whistleblower is required under a pre-existing legal or contractual duty owed to the SEC or one of the above-listed authorities to report such information to the SEC. However, the adopting release clarifies that companies cannot simply disqualify all employees from award eligibility by generally requiring all employees to sign an agreement to report securities violations to the SEC.

What qualifies as "original information"?

"Original information" means information provided for the first time to the SEC after July 21, 2010 (which was the date on which the Dodd-Frank Act was enacted) that is (1) derived from the whistleblower's "independent knowledge" or "independent analysis," (2) not already known to the SEC from any other source, unless the whistleblower is the original source of the information, and (3) not exclusively derived from an allegation made in a judicial or administrative hearing, in a governmental report, hearing, audit, or investigation, or from the news media, unless the whistleblower is the source of the information.

To be considered "independent knowledge," the information submitted cannot be derived from publicly available sources. A whistleblower's independent knowledge may be obtained through his or her own experiences, communications or observations, though he or she is not required to have been involved in the possible violation at issue. Also, while a whistleblower's "independent analysis" can come from his or her own examination and evaluation of publicly available information, such analysis must reveal information not generally known or available to the public.

What will qualify as a "successful enforcement action"?

Under the final rules, original information voluntarily submitted by a whistleblower must lead to the successful enforcement of an SEC action as a pre-requisite for a whistleblower's eligibility for an award.

If the SEC is not already reviewing the conduct in question, the information provided by a whistleblower must have been "sufficiently specific, credible, and timely" to cause the SEC staff to commence an examination, open/reopen an investigation, or inquire about different conduct as part of a current examination or investigation, and the SEC must bring a successful action based in whole or in part on the conduct that was the subject of the whistleblower's original information.

A higher standard applies to situations in which a whistleblower provides original information about conduct that is already under examination or investigation by the SEC. In such situations, information will be considered to have led to a successful enforcement of a judicial or administrative action if the information provided by the whistleblower "significantly contributed" to the success of the action.

How much could a whistleblower be eligible to receive under these rules?

As mandated by the Dodd-Frank Act, the final rules require a whistleblower (or whistleblowers in the aggregate) who qualify for an award to be paid between 10 and 30 percent of the monetary sanctions collected by the SEC based upon the information provided by the whistleblower, in an amount that exceeds $1 million. A whistleblower may also collect an award based on monetary sanctions that are collected from a "related action" (generally, a judicial or administrative action brought by the Attorney General of the United States, an appropriate regulatory authority, a self-regulatory organization, or a state Attorney General in a criminal case) if the whistleblower's original information led the SEC to obtain monetary sanctions exceeding $1 million. In calculating whether the monetary sanctions meet the $1 million threshold, the SEC may aggregate multiple actions that arise from the "same nucleus of operative facts."

The SEC will not make an award in a related action if an award has already been granted to the whistleblower by the Commodity Futures Trading Commission for the same action pursuant to its whistleblower award program established by the Dodd-Frank Act.

The final rules give the SEC discretion in determining the appropriate award amount within the 10–30 percentage range and, in situations where there are multiple whistleblowers, the appropriate allocation of the award among the whistleblowers. In exercising its discretion, the SEC may take into consideration the following factors:

Factors that may increase the award amount:

• the significance of the information provided by a whistleblower to the success of the SEC's action or related action, including the reliability and completeness of the information;
• the degree of assistance provided by the whistleblower and any legal representative of the whistleblower in the SEC's action or related action, including the amount of cooperation, timeliness of the report and the amount of resources conserved;
• the SEC's law enforcement interest in deterring violations of the securities laws by making awards to whistleblowers who provide information that leads to successful enforcement actions, including the degree to which an award improves the SEC's ability to enforce the federal securities laws, protects investors and encourages the submission of high-quality information; and
• whether, and the extent to which, the whistleblower participated in the company's internal compliance system, including timing of the internal report and amount of assistance provided to the internal investigation.

Factors that may decrease the award amount:

• the culpability of the whistleblower, including the whistleblower's role, education, experience, intent and the amount of financial benefit from the violations;
• whether the whistleblower unreasonably delayed reporting the securities violations; and
• whether the whistleblower interfered with his or her company's internal compliance or reporting system, such as by delaying detection or providing false information.

Can a whistleblower who was involved in the wrongdoing receive an award?

Culpable whistleblowers are not automatically ineligible for an award under these rules since oftentimes, in the SEC's view, only those involved in the possible violation have relevant information regarding such violations. The SEC will consider any culpability of the whistleblower in a securities violation as one of the factors in determining the amount of an award. Also, in determining whether the required $1 million threshold has been satisfied for purposes of making an award to the culpable whistleblower, the SEC will not count any monetary sanctions that the whistleblower him- or herself is ordered to pay, or that are ordered against any entity whose liability is based substantially on conduct that the whistleblower directed, planned, or initiated. The SEC will also not count these amounts towards the total monetary sanctions collected in the action for purposes of calculating any payments to the culpable whistleblower.

Can a whistleblower submit reports anonymously?

The final rules allow a whistleblower to submit information to the SEC anonymously only under certain specified conditions. Any whistleblower may choose to be represented by counsel, but an anonymous whistleblower must retain an attorney who will, among other things, certify to the SEC that he or she has verified the whistleblower's identity. However, the whistleblower will be required to reveal his or her identity to the SEC before the SEC will pay such person any award.

What do the rules provide regarding retaliation protection for whistleblowers?

The final rules provide that anti-retaliation protection for persons who submit reports under these rules is not limited to whistleblowers who are ultimately determined to be eligible for an award. Rather, the anti-retaliation protections apply to all whistleblowers who had a "reasonable belief" that the information provided relates to a possible securities law violation that has occurred, is ongoing, or is about to occur. To incentivize the submission of high-quality tips and to discourage the abuse of the anti-retaliation provisions, the "reasonable belief" standard requires (1) the whistleblower to hold a subjectively genuine belief that the information demonstrates a possible violation and (2) such belief to be one that a similarly situated employee might reasonably possess.

Can the SEC communicate directly with the whistleblower about a possible violation?

Yes. If the whistleblower is a director, officer, member, agent or employee of a company that is represented by counsel, the final rules authorize the SEC to communicate directly with the whistleblower about a possible securities law violation without seeking consent of the company's counsel and without regard to any confidentiality agreements to which the whistleblower may be a party.

What do the rules provide regarding the use of internal compliance programs?

As noted above, one of the main concerns surrounding the proposed rules was the impact the whistleblower program would have on a company's internal compliance program. In the adopting release, the SEC emphasized its goal of "encouraging the submission of high-quality information to facilitate the effectiveness and efficiency of the [SEC's] enforcement program." As such, the final rules do not require a whistleblower to report information through a company's internal compliance process in order to be eligible for an award. However, the SEC did not want to undermine the importance of effective internal compliance, legal, audit and similar processes for investigating and responding to possible violations of the federal securities laws. Therefore, several provisions in the final rules have been designed to encourage the use of internal compliance processes by whistleblowers and to promote the continued development of effective compliance programs, including:

• If a whistleblower reports information through a company's compliance procedure and the company then reports the same and additional information to the SEC within 120 days, the whistleblower would be deemed to have reported such information to the SEC on the date when he or she originally reported the violation internally, and the whistleblower would be given credit for both the original and additional information self-reported by the company to the SEC.
• In determining the amount of an award, the SEC has the discretion to increase the award amount if a whistleblower voluntarily reports to and cooperates with internal compliance systems, and to decrease the award amount if a whistleblower delays reporting or interferes with internal compliance systems.
• In appropriate cases, upon receiving a whistleblower complaint, the SEC staff will "contact a company, describe the nature of the allegations, and give the company an opportunity to investigate the matter and report back." In determining whether to allow a company time to internally investigate a matter, the SEC may consider factors such as the nature of the alleged conduct, the level at which the conduct allegedly occurred, the company's corporate governance culture and its internal compliance programs.

Steps to Be Taken Now

The whistleblower provisions of the Dodd-Frank Act and the final SEC rules implementing these provisions highlight the importance of establishing and maintaining robust corporate compliance procedures. Companies should consider taking the following steps to ensure that their compliance programs provide a means of detecting, investigating and responding to possible violations of the federal securities and other applicable laws:

• regularly review, evaluate and update compliance programs and procedures—including internal complaint mechanisms such as employee hotlines—to ensure they are widely publicized to, and understood by, employees (and vendors or other third parties, if appropriate), are easy for potential whistleblowers to use, and are effective in their tracking and prompt resolution of complaints of alleged non-compliance;
• create separation of duties such that the personnel who receive and review information from whistleblowers—ideally a standalone compliance officer or department—are not the same people who might have incentives to ignore, condone or participate in unlawful conduct;
• regularly emphasize to employees, in communications from the senior management level, the importance of compliance, thus setting a "tone at the top" that ethical business conduct is paramount in the organization;
• consistently and evenhandedly apply disciplinary action against management or other employees who have engaged in, or condoned, wrongdoing—and by no means allow lawbreakers or other unethical individuals to continue to serve in positions with decision-making authority;
• regularly provide trainings on common regulatory and enforcement pitfalls in your industry as well as on how to utilize the company's established compliance procedures (employees are more likely to report internally if they believe that their companies have effective internal compliance programs that take reports seriously and do not retaliate);
• educate management regarding the importance of recognition of and timely response to internal whistleblower complaints and non-retaliation policies; and
• develop mechanisms to evaluate quickly, in consultation with legal counsel, whether a possible violation of the federal securities laws has occurred that should be reported to the SEC.

Footnotes

^{1 See Release No. 34-64545 available on the SEC's website at http://www.sec.gov/rules/final/2011/34-64545.pdf .}

^{2 See Release No. 34-63237 available on the SEC's website at http://sec.gov/rules/proposed/2010/34-63237.pdf .}

^{3 Section 922 of the Dodd-Frank Act provides in part: "In any covered judicial or administrative action, or related action, the Commission, under regulations prescribed by the Commission... shall pay an award or awards to 1 or more whistleblowers who voluntarily provided original information to the Commission that led to the successful enforcement of the covered judicial or administrative action, or related action, in an aggregate amount equal to (A) not less than 10 percent, in total, of what has been collected of the monetary sanctions imposed in the action or related actions; and (B) not more than 30 percent, in total, of what has been collected of the monetary sanctions imposed in the action or related actions."}

^{4 Section 10A of the Exchange Act, among other things, requires public accountants to promptly notify the SEC if the public accountants had informed the appropriate people at the company of material illegal acts that had come to their attention during the audit but the company failed to take appropriate action.}

^{5 The SEC noted in the adopting release that it expects that "in most cases the whistleblower will need to demonstrate that responsible management or governance personnel at the entity were aware of the imminent violation and were not taking steps to prevent it."}

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.