New SEC rules result in whistleblowing in the wind

By Stephen M. Honig The Daily Record Newswire "You know how to whistle, don't you, Steve? You just put your lips together and blow." -- Lauren Bacall in "To Have and Have Not" Humphrey Bogart might have known how to whistle, at least at Lauren Bacall, but the United States government doesn't think your employees know how to whistle well enough. Hence, we have Section 922 of the Dodd-Frank Act, requiring the Securities and Exchange Commission to establish a bounty system rewarding whistleblowers of public company securities-law violations when recoveries exceed $1 million. The SEC has adopted final whistleblower "rules" ("Release" 34-64545), which went into effect on Aug. 12. It did so in the face of strong industry opposition, including that of the National Association of Corporate Directors. Many commentators foresaw the death of SOX-driven internal reporting systems if the SEC did not require a whistleblower first report to the company, a requirement nonetheless absent from the final rules. How should a public company position itself with respect to these rules? Legal commentators generally seem to be saying, "Wow, we have new and stringent whistleblower rules. We better comply and make sure we don't punish anyone by retaliation." Such generalities are not helpful. Law firm "alerts" make two obvious points: Paying a federal bounty is liable to encourage bypassing internal company reporting, and anti-retaliation rules will make it hard to fire complainants who otherwise deserve to be discharged. The difficulty is how exactly should you update company policies. We are admonished to: * make sure we maintain an anonymous hotline for complaints (already required by SOX); * Have a code of conduct; * Provide basic employee training; * Establish a compliant tone; * Educate HR against retaliation; * Recognize that it violates law to discourage use of the bounty system (without specifics as to what constitutes discouragement); * Reward internal reporters (without suggestions as to implementing such rewards); * Establish strong mechanisms to record and investigate all complaints, with no "materiality" screen; and * Designate a chief compliance officer (reporting to the board). Those suggestions either break no new ground or are too vague to be useful. The July issue of Compliance Week identified the risk of an onslaught of internal investigations, many of which an overworked SEC will bounce back to the company. These company investigations will be characterized by a loss of control, timing, scope and corrective measures, and strain legal departments with increased volume and need to report to the SEC. So what does Compliance Week recommend? The same emphasis on internal reporting and reassurance against retaliation; some undefined reward system to encourage internal reporting; and periodic progress reports to whistleblowers, assuring that a report will be made to the SEC even if it is beyond the 120-day time period that the rules give employees (after providing information under internal reporting systems) to file with the SEC to protect the bounty. Identify your goal The starting point is to identify goals. Is it simply to comply with a minimum standard and make sure you don't violate the rules? That may be enough for some companies, provided there is a true understanding of risks. The minimum involves adopting the standard suggestions described above. I suggest elements of a bolder strategy. A company's goals might be to clarify that the company is working cooperatively with the SEC and does not view the rules as adverse or upsetting; rather, the rules will in the long run benefit the company by creating stronger ethics and internal policing and a collaborative atmosphere. Such an approach would demand enhanced communication with employees, strongly encourage use of internal systems, explain how a compliant whistleblower is economically benefitted by working with the company, and emphasize how the SEC program can increase bounties through internal reporting. The art to such an approach is to achieve those goals without illegally "discouraging" direct SEC reports. To communicate to employees their economic benefit in first utilizing the company's internal reporting systems, you must articulate the manner in which the company will conduct an examination so as to inspire confidence that things will not be swept under the rug, along with any hope of a bounty. How to make this credible? One of the incentives built into the rules is that if an employee gives the company information that itself would be insufficient to support a bounty (if given directly to the SEC), and if the company investigates and enhances that information, then the employee will be given credit for the full amount of information (provided by the employee plus that gathered by the company). Hence, if someone has an "inkling," rather than waiting around to see if a problem grows larger, an employee will be helping obtain the bounty by prompt internal reporting. I suggest a plain-English discussion of: how examinations will be undertaken, with reporting to the whistleblower (assuming the whistleblower is not anonymous); an invitation to anonymous whistleblowers to come forward so that they can receive reports (although such proposal might in some circumstances be viewed as discouraging the bounty process); the 120-day period (after the reporting by the whistleblower to the company and before the whistleblower must advise the SEC to protect bounty); referring employees to outside counsel to assure they don't forfeit bounty (although such a suggestion has some obvious risks); and how (according to the rules) the SEC will increase bounties for whistleblowers utilizing company reporting and decrease bounties for those who have not. Companies should consider establishing a clear roadmap, with diagrams, showing how a collaborative approach (starting with internal reporting and ending with the company contacting the SEC) might work. Can a company provide a direct incentive, an immediate company bounty to an employee who first approaches the company? Would that run afoul of the SEC's policy? You need some trigger in terms of credibility and importance, and cash distribution may be problematical, but what about soft perks such as enhanced vacation or other benefits? There is a balance between actually going fishing for internal complaints, on the one hand, and providing internal reward to forestall a rush to initial SEC reporting, on the other. Companies should make clear those parties who are not entitled to a bounty. That might prevent individuals from going to the SEC and setting off an investigation, which could just as well be done internally, based on a mistaken belief that a bounty would be available. Subject to certain exceptions, the rules describe persons prohibited either globally or as a practical matter from sharing bounties. In-house and outside lawyers, auditors, directors, officers and individuals with a function of identifying and evaluating whistleblower complaints will not qualify for bounty save in exceptional circumstances. ---------- Stephen M. Honig is a partner in the Boston office of Duane Morris. Published: Mon, Jan 16, 2012