And at the Whistle, They're Off

Dodd-Frank amends the Securities Exchange Act of 1934 to add ' 21.F, “Securities Whistleblower Incentives and Protection,” which includes a new edict: The Commission shall pay awards to whistleblowers “who voluntarily provided original information to the Commission that led to the successful enforcement of the covered judicial or administrative action, or related action.” (Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub. L. No. 111-203, 124 Stat. 1376, ' 922(b)(1), available at http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=111_cong_bills&docid=f:h4173enr.txt.pdf.)

The amount to be paid is 10% to 30% of the “monetary sanctions” (defined broadly as “any monies, including penalties, disgorgement and interest, ordered to be paid,”
' 922(a)(4)(A), in matters exceeding $1 million). This provision also applies to the Foreign Corrupt Practices Act (FCPA), which since 2004 has led to many large corporate settlements; in fact, since 2007, the SEC has settled 50 FCPA cases, and only 11 have settled for amounts under $1 million. The amount of the payment to whistleblowers is at “the discretion of the Commission.”

The Disclosure Process

As corporate FCPA settlements skyrocket into the tens and even hundreds of millions, even 10% is enough to change the incentives of the most altruistic employee. This is likely to alter how the disclosure process works:

• Companies will disclose more and sooner without the benefit of a thorough internal investigation.
• The SEC will receive many more tips, and concerning much more insignificant conduct.
• Plaintiffs' lawyers will become more involved in the process.
• Foreign entities will be even less likely to list their stocks in the U.S.

To understand the potential effect of Dodd-Frank on issuers, the regulated community must look to where Congress delegated the discretion ' the SEC. It has set aside nearly $452 million for potential whistleblower awards. On Nov. 3, 2010, it issued the first proposed rules for ' 21F, with a deadline for comments of Dec. 17.

Although the SEC recognized a “possible tension” between the Act and the existing policy of encouraging internal reporting and compliance, it stopped short of requiring that internal compliance mechanisms be exhausted, or utilized at all, prior to reporting. Rather, the SEC intends merely not to discourage whistleblowers “who work for companies that have robust compliance programs to first report the violation to appropriate company personnel, while at the same time preserving the whistleblower's status as an original source of the information and eligibility for an award.” Employees who report a violation internally would have 90 days to apply as Dodd-Frank whistleblowers by filing papers with the SEC. (See Proposed Rule 21F-4(b)(7), available at http://www.sec.gov/rules/proposed/2010/34-63237.pdf.)

And why doesn't the SEC require whistleblowers to use internal programs? “While many employers have compliance processes that are well-documented, thorough, and robust, and offer whistleblowers appropriate assurances of confidentiality, others lack such established procedures and protections.” (Proposed Rules at 34.)

'Independent Knowledge'

While the SEC notes an attempt to exclude attorneys, independent auditors and compliance personnel from awards in its proposed definition of “independent knowledge,” the SEC also states that the “rules would not prohibit a whistleblower in a compliance function from reporting information to the Commission where the company did not provide the information to the Commission within a reasonable time or acted in bad faith.” (Proposed Rules, at 4)

In terms of defining a “reasonable time,” the proposed rules note that “the Commission preliminarily believes that the proposed rule should not define one fixed period that would represent a 'reasonable time' in all cases.” Rather, it depends on “all of the facts and circumstances.” (Proposed Rules, at 26-27.) The one example provided suggests that “almost immediate” disclosure is what is “reasonable” if there is “ongoing fraud that poses substantial risk of harm to investors.” (Proposed Rules, at 26.) While the Commission promises that “we will review all the circumstances of the case after the fact in order to determine whether the company disclosed the misconduct to the Commission within a reasonable time or proceeded in bad faith,” Proposed Rules at 27, issuers are left to assume that this judgment will be made by an SEC staff enforcement attorney with the benefit of 20/20 hindsight and faced with pressure from a whistleblower's lawyers.

Under the proposed SEC rules, even company attorneys and compliance personnel may be able to get paid for reporting misconduct to the government if their employer does not do so “within a reasonable time.” This will force companies to assume that the very employees who are trusted with cleaning up misconduct will be making personal for-profit decisions to tell the government about perceived misdeeds even if doing so is not in their employer's interest. In that circumstance, a company has no choice but to get to the government first.

'Potential Violations'

Unlike the statute itself, Proposed Rule 21F-2 (Definition of a Whistleblower) uses the term “potential violation.” Does this effectively require the company to disclose to the SEC any “potential violation” within a “reasonable time” (which could be “almost immediately”) ' before someone in the audit, compliance or legal department runs to the SEC, wrapping themselves in anti-retaliation protections? Is such disclosure really “voluntary”? Would it strip Audit Committees of the oversight and judgment regarding corporate compliance that SOX intended to give them?

Even if the company itself is the first to disclose a “potential violation,” the whistleblower risk has not gone away. Under paragraph six of Proposed Rule 21F-4(b), the whistleblower will be considered the “original source” of any information that is “derived from his independent knowledge or independent analysis and that materially adds to the information the Commission already possesses.” As the SEC notes, this is modeled after the recent False Claims Act amendments. It may create the three-way game that government contractors have been playing in qui tam suits for years: The company discloses and/or rebuts allegations, the government returns to the plaintiff's counsel and reports the company's positions, and the plaintiff returns to work (under anti-retaliation protections) hunting for another piece of information to take to the SEC to counter the company's positions or disclosures, and the cycle continues.

All this is likely to increase the quantity and decrease the quality of tips to the SEC, because companies will be disclosing far sooner than is currently the case under the assumption that employees will report even the smallest misdeeds in the hope of a bounty payment.

In addition, the disclosure process probably will soon include a plaintiff's lawyer. Because the minimum award for whistleblowers is $100,000 (10% of a $1 million case), there will be plenty of money to be made on contingency fees. Of course, the bounty gets paid only if enforcement action is taken. Now, in addition to the SEC itself, a second team of lawyers will be seeking enforcement action, perhaps going public with accusations of insufficiently vigorous enforcement. Decisions to decline enforcement action will become more contentious and difficult.

Finally, the law adds yet another set of regulations that discourage companies from issuing securities in the U.S. Foreign companies already seem perplexed by the severe FCPA enforcement atmosphere and frustrated with the increasing costs of dealing with U.S. regulators. Now potential issuers will be asked to place their faith in a system in which plaintiffs' attorneys, fueled by contingency fees, lobby the SEC to take more and harsher action against their companies.

Conclusion

All in all, the Dodd-Frank whistleblower provisions promise a sea change in how listed companies deal with the SEC for FCPA and other securities law violations. Instead of conducting thorough internal investigations and then deciding how and whether to disclose them, companies will be forced to disclose more conduct sooner. If a whistleblower is involved, the company then faces the prospect of trying to negotiate with the SEC while the whistleblower's attorney eggs the SEC on to as high a penalty as possible.

The SEC says it wants to “implement Section 21F in a way that encourages strong company compliance programs” and requests comments and recommendations. For companies that wish to pursue some vestige of a compliance program based on thorough internal investigations and truly voluntary disclosure, it's time to evaluate the proposed rules' effects on your company's compliance program. Get your pen out and comment before the whistle sounds, sending everyone off to the races!

Laurence A. Urgenson ([email protected]), chairman of this newsletter's Board of Editors, is a Partner at Kirkland & Ellis LLP. Audrey Harris ([email protected]) and Samuel Williamson ([email protected]) are partners at the firm specializing in white-collar representations.

Sarbanes-Oxley (“SOX”) jump-started a worldwide industry of corporate-compliance vendors as companies sought to establish hotlines and meet other SOX requirements that placed the onus of policing employees' behavior squarely on the companies themselves. (See Sarbanes-Oxley Act of 2002, Pub.L. No. 107-204, 116 Stat. 745, available at http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_bills&docid=f:h3763enr.tst.pdf.)

Now, however, it seems that Congress has changed its mind: Instead of relying on companies to examine their own behavior with the help of anonymous employee submissions, the new Dodd-Frank Wall Street Reform and Consumer Protection Act establishes a system of whistleblower bounties and mandatory disclosures. Not only does the Act alter the manner in which companies will handle their own compliance and disclosure obligations; it radically changes the incentives for employees to report directly to the government, and along with the new proposed SEC rules, may dramatically change the way issuers conduct internal investigations. Dodd-Frank also introduces an important new player into the game ' the plaintiff's attorney. The likely result is an increase in the number ' but not necessarily the quality ' of reports to the SEC and a decrease in company-driven internal investigations and voluntary disclosures.

Dodd-Frank Details

Dodd-Frank amends the Securities Exchange Act of 1934 to add ' 21.F, “Securities Whistleblower Incentives and Protection,” which includes a new edict: The Commission shall pay awards to whistleblowers “who voluntarily provided original information to the Commission that led to the successful enforcement of the covered judicial or administrative action, or related action.” (Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub. L. No. 111-203, 124 Stat. 1376, ' 922(b)(1), available at http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=111_cong_bills&docid=f:h4173enr.txt.pdf.)

The amount to be paid is 10% to 30% of the “monetary sanctions” (defined broadly as “any monies, including penalties, disgorgement and interest, ordered to be paid,”
' 922(a)(4)(A), in matters exceeding $1 million). This provision also applies to the Foreign Corrupt Practices Act (FCPA), which since 2004 has led to many large corporate settlements; in fact, since 2007, the SEC has settled 50 FCPA cases, and only 11 have settled for amounts under $1 million. The amount of the payment to whistleblowers is at “the discretion of the Commission.”

The Disclosure Process

As corporate FCPA settlements skyrocket into the tens and even hundreds of millions, even 10% is enough to change the incentives of the most altruistic employee. This is likely to alter how the disclosure process works:

• Companies will disclose more and sooner without the benefit of a thorough internal investigation.
• The SEC will receive many more tips, and concerning much more insignificant conduct.
• Plaintiffs' lawyers will become more involved in the process.
• Foreign entities will be even less likely to list their stocks in the U.S.

To understand the potential effect of Dodd-Frank on issuers, the regulated community must look to where Congress delegated the discretion ' the SEC. It has set aside nearly $452 million for potential whistleblower awards. On Nov. 3, 2010, it issued the first proposed rules for ' 21F, with a deadline for comments of Dec. 17.

Although the SEC recognized a “possible tension” between the Act and the existing policy of encouraging internal reporting and compliance, it stopped short of requiring that internal compliance mechanisms be exhausted, or utilized at all, prior to reporting. Rather, the SEC intends merely not to discourage whistleblowers “who work for companies that have robust compliance programs to first report the violation to appropriate company personnel, while at the same time preserving the whistleblower's status as an original source of the information and eligibility for an award.” Employees who report a violation internally would have 90 days to apply as Dodd-Frank whistleblowers by filing papers with the SEC. (See Proposed Rule 21F-4(b)(7), available at http://www.sec.gov/rules/proposed/2010/34-63237.pdf.)

And why doesn't the SEC require whistleblowers to use internal programs? “While many employers have compliance processes that are well-documented, thorough, and robust, and offer whistleblowers appropriate assurances of confidentiality, others lack such established procedures and protections.” (Proposed Rules at 34.)

'Independent Knowledge'

While the SEC notes an attempt to exclude attorneys, independent auditors and compliance personnel from awards in its proposed definition of “independent knowledge,” the SEC also states that the “rules would not prohibit a whistleblower in a compliance function from reporting information to the Commission where the company did not provide the information to the Commission within a reasonable time or acted in bad faith.” (Proposed Rules, at 4)

In terms of defining a “reasonable time,” the proposed rules note that “the Commission preliminarily believes that the proposed rule should not define one fixed period that would represent a 'reasonable time' in all cases.” Rather, it depends on “all of the facts and circumstances.” (Proposed Rules, at 26-27.) The one example provided suggests that “almost immediate” disclosure is what is “reasonable” if there is “ongoing fraud that poses substantial risk of harm to investors.” (Proposed Rules, at 26.) While the Commission promises that “we will review all the circumstances of the case after the fact in order to determine whether the company disclosed the misconduct to the Commission within a reasonable time or proceeded in bad faith,” Proposed Rules at 27, issuers are left to assume that this judgment will be made by an SEC staff enforcement attorney with the benefit of 20/20 hindsight and faced with pressure from a whistleblower's lawyers.

Under the proposed SEC rules, even company attorneys and compliance personnel may be able to get paid for reporting misconduct to the government if their employer does not do so “within a reasonable time.” This will force companies to assume that the very employees who are trusted with cleaning up misconduct will be making personal for-profit decisions to tell the government about perceived misdeeds even if doing so is not in their employer's interest. In that circumstance, a company has no choice but to get to the government first.

'Potential Violations'

Unlike the statute itself, Proposed Rule 21F-2 (Definition of a Whistleblower) uses the term “potential violation.” Does this effectively require the company to disclose to the SEC any “potential violation” within a “reasonable time” (which could be “almost immediately”) ' before someone in the audit, compliance or legal department runs to the SEC, wrapping themselves in anti-retaliation protections? Is such disclosure really “voluntary”? Would it strip Audit Committees of the oversight and judgment regarding corporate compliance that SOX intended to give them?

Even if the company itself is the first to disclose a “potential violation,” the whistleblower risk has not gone away. Under paragraph six of Proposed Rule 21F-4(b), the whistleblower will be considered the “original source” of any information that is “derived from his independent knowledge or independent analysis and that materially adds to the information the Commission already possesses.” As the SEC notes, this is modeled after the recent False Claims Act amendments. It may create the three-way game that government contractors have been playing in qui tam suits for years: The company discloses and/or rebuts allegations, the government returns to the plaintiff's counsel and reports the company's positions, and the plaintiff returns to work (under anti-retaliation protections) hunting for another piece of information to take to the SEC to counter the company's positions or disclosures, and the cycle continues.

All this is likely to increase the quantity and decrease the quality of tips to the SEC, because companies will be disclosing far sooner than is currently the case under the assumption that employees will report even the smallest misdeeds in the hope of a bounty payment.

In addition, the disclosure process probably will soon include a plaintiff's lawyer. Because the minimum award for whistleblowers is $100,000 (10% of a $1 million case), there will be plenty of money to be made on contingency fees. Of course, the bounty gets paid only if enforcement action is taken. Now, in addition to the SEC itself, a second team of lawyers will be seeking enforcement action, perhaps going public with accusations of insufficiently vigorous enforcement. Decisions to decline enforcement action will become more contentious and difficult.

Finally, the law adds yet another set of regulations that discourage companies from issuing securities in the U.S. Foreign companies already seem perplexed by the severe FCPA enforcement atmosphere and frustrated with the increasing costs of dealing with U.S. regulators. Now potential issuers will be asked to place their faith in a system in which plaintiffs' attorneys, fueled by contingency fees, lobby the SEC to take more and harsher action against their companies.

Conclusion

All in all, the Dodd-Frank whistleblower provisions promise a sea change in how listed companies deal with the SEC for FCPA and other securities law violations. Instead of conducting thorough internal investigations and then deciding how and whether to disclose them, companies will be forced to disclose more conduct sooner. If a whistleblower is involved, the company then faces the prospect of trying to negotiate with the SEC while the whistleblower's attorney eggs the SEC on to as high a penalty as possible.

The SEC says it wants to “implement Section 21F in a way that encourages strong company compliance programs” and requests comments and recommendations. For companies that wish to pursue some vestige of a compliance program based on thorough internal investigations and truly voluntary disclosure, it's time to evaluate the proposed rules' effects on your company's compliance program. Get your pen out and comment before the whistle sounds, sending everyone off to the races!

Laurence A. Urgenson ([email protected]), chairman of this newsletter's Board of Editors, is a Partner at Kirkland & Ellis LLP. Audrey Harris ([email protected]) and Samuel Williamson ([email protected]) are partners at the firm specializing in white-collar representations.