No magic policy or state-of-the-art compliance system will fully prevent federal enforcement actions, but companies can take measures to help minimize risk and promote a healthy relationship among companies, whistleblowers, and Securities and Exchange Commission regulators.
Securities law violations can be costly for companies in numerous ways, but in recent years they also have been particularly lucrative for whistleblowers. The SEC Whistleblower Program, launched at the start of the decade, created potential financial windfalls for employees who report potential securities violations to SEC regulators that lead to successful enforcement actions.
The increasing use of the SEC’s Whistleblower Program raises a host of questions about how companies should respond to whistleblowers and minimize their associated risks.
The stakes reached new heights this year, when the SEC announced a groundbreaking $50 million payment to a pair of whistleblowers who provided the SEC with information that helped secure a 2015 settlement from JPMorgan Chase & Co. Under the terms of the agreement, JPMorgan paid regulators $300 million to resolve allegations that the bank failed to disclose conflicts of interest in its wealth management divisions.
SEC enforcement actions against large financial institutions are nothing new, but payments of this magnitude directly from regulators to witnesses is a new chapter in securities law enforcement.
Federal Statutes and Whistleblower Protections
The federal government administers whistleblower protections under two statutes: the Sarbanes-Oxley Act of 2002 and the Dodd-Frank Act of 2010. Congress passed both laws in the wake of intense political pressure following market tumults—Sarbanes-Oxley after the Enron and WorldCom scandals, and Dodd-Frank after the financial crisis. This article focuses on the newer Dodd-Frank regime, but our principles are broadly transferable to whistleblower situations governed by either statute.
Both statutes contain provisions protecting whistleblowers from retaliation. Whereas Sarbanes-Oxley bars retaliation against internal whistleblowers (that is, employees who report misconduct to superiors within the company), Dodd-Frank protects whistleblowers who provide information to the SEC.
The U.S. Supreme Court formally recognized the SEC reporting requirement in Digital Realty Trust Inc. v. Somers, a unanimous 2018 opinion finding that Dodd-Frank whistleblower provisions extend only to employees who provide information to the SEC. The decision invalidated an SEC rule encompassing internal whistleblowers within the statute’s anti-retaliation protections and resolved a circuit split on the issue.
Dodd-Frank and New SEC Incentives for Whistleblowers
Under Dodd-Frank, the SEC offered financial incentives to whistleblowers who provide information about possible violations of federal securities laws. Eligible whistleblowers can qualify for an award of between 10% and 30% of the monetary sanctions collected by the SEC if their original information leads to a successful enforcement action and penalties are more than $1 million.
Additionally, the SEC implemented Regulation 21F to enhance protections against retaliation for whistleblowers who report new information about possible securities violations to the SEC. The law bolstered enforcement of these provisions by creating a private cause of action, allowing whistleblowers to litigate retaliation claims in federal court.
As of June, the SEC has awarded $384 million to 64 individuals since the start of the program, including $168 million in fiscal year 2018. Such unprecedented financial incentives encourage whistleblowers to provide the SEC with information, often bypassing internal reporting mechanisms.
Moreover, courts continue to protect whistleblowers against retaliation, including in a case in February 2019 where the Ninth Circuit upheld a jury verdict awarding $8 million in compensatory and punitive damages to a company’s former general counsel who claimed he was fired for reporting compliance violations.
Companies therefore need to understand how to minimize risk and promote best practices to insulate themselves against potential liability.
1. Don’t Retaliate or Cut Off Contact With the Whistleblower
First and foremost, companies should never retaliate against whistleblowers for raising concerns to the company or to regulators. That rule is not limited to firing a whistleblower, but also includes qualitative changes in the whistleblower’s employment, such as decreased responsibilities, exclusion from meetings or transfer to a new office or department. Retaliation is not only a problem for culture and ethics, but it can also be a costly mistake triggering litigation.
Whistleblowers are resources to be heard, not contagions to be quarantined. Positive contact with the whistleblower can support them while alerting the company to potential risks. Through this communication, companies can learn whether anyone in the company has discouraged the whistleblower or threatened retaliation and take appropriate remedial action.
Conversely, company employees should not ask whistleblowers whether they have reported to the SEC or other outside regulators.
2. Encourage Internal Reporting
Corporations need to know more about their internal affairs than the SEC. Regulators expect that companies will support and facilitate whistleblowers, and companies can demonstrate good faith compliance efforts by encouraging employees to report potential bad acts. Companies need to establish hotlines and processes for reporting tips anonymously. Regardless of the specific reporting mechanism, any internal reporting system should maintain the whistleblower’s confidentiality to protect against potential retaliation.
3. Get Ahead of the Investigation
A company should not be a passive spectator to an SEC whistleblower investigation. They must collaborate with counsel to gather all facts relevant to the whistleblower’s allegations, and consider proactively disclosing information to the SEC. Even if the government already has the relevant information, a forthcoming approach to regulators could foster a more cooperative relationship and pay dividends in any final settlement or enforcement action.
4. Keep a Paper Record
Every conversation, process, and response to whistleblowers should be credibly documented and preserved. Entities sophisticated enough to file SEC reports are sophisticated enough to avoid relying on verbal accounts and faulty memories to determine how the company responded to whistleblowers.
Instead of relying on informal conversations, companies should record notes of all conversations with a whistleblower, and consider having a human resources representative present for the discussion. Similarly, they should use memoranda or emails to document all steps the company takes in response to a whistleblower’s allegations. In the event of agency enforcement action or litigation, these records can prove critical.
5. Remember: The Task is Never Over
Companies cannot afford to forget these best compliance practices when they do not face an imminent whistleblower allegation. Compliance policies and procedures, including rules for addressing whistleblowers, warrant regular review and evaluation.
An independent third party can offer a valuable outside perspective in periodic audits of company policy, ideally every few years.
Companies also should collaborate with counsel to monitor developments in the law, which can change significantly, as the Supreme Court demonstrated in last year’s Digital Realty decision.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Kyle DeYoung is a partner in Cadwalader’s White Collar Defense and Investigations Practice as well as the firm’s Corporate and Financial Services Litigation and Regulation Practice. Based in the Washington, D.C., office, he focuses on representing corporations, investment funds, and individuals in regulatory investigations and providing clients with strategic counseling when facing corporate crises, potential enforcement action and other complex regulatory issues.
Lex Urban is a special counsel in Cadwalader’s White Collar Defense and Investigations Practice and is based in the firm’s Washington, D.C., office. His practice focuses on representing companies and financial institutions, as well as their directors and officers in criminal and civil investigations.
Will Simpson is a litigation associate in Cadwalader’s White Collar Defense and Investigations Practice and is based in the firm’s New York office.