The Securities and Exchange Commission is expected to publish its final rules for whistleblower bounties and other expanded protections any time now, and the corporate compliance community is anxiously wondering how current programs will meet the challenge ahead.

If comments on the proposed whistleblower rules, published in November, are any indication, companies are not terribly keen on what's to come. They are afraid of more whistleblowing, more lawsuits, and increased compliance costs, as a result of the new rules.

Most unpopular is the proposed bounty program, designed to reward people who report alleged securities laws violations. Whistleblowers who provide “original information” could receive as much as 30 percent of the proceeds if the SEC successfully settles with a company for at least $1 million. A 90-day window allows employees to report allegations internally and still remain eligible for the reward by giving the tip to the SEC within that timeframe.

Companies have several concerns about the whistleblower rules, according to Obiamaka Madubuko, a partner in the law firm of McDermott Will & Emery. The biggest is that the rules will interfere with corporate internal compliance efforts. “The fear is that by offering a large financial reward without having certain caveats, like encouraging employees to go through their internal channels first, it may actually make the jobs of corporate compliance officers and departments a lot harder,” she says.

Another worry is that the enhanced anti-retaliation provisions would embolden whistleblowers to file lawsuits against their companies, if they feel that they went through the right channels and weren't treated appropriately. Or an employee might have another grievance with his employer, and use whistleblower litigation as a means to some other purpose, Madubuko says.

Then there's that 90-day overlap period, where employees can report something internally and still bring the complaint to a government agency; the tip will still be considered new information, and tipsters will still be eligible for the whistleblower reward. That's going to pressure compliance departments to investigate and disclose possible misconduct sooner, so the company can be the first one to alert the SEC rather than the whistleblower.

“There's a lot of pressure in an economy where companies are trying to do more with sometimes less resources, to overburden their compliance staff, now having to come up with even faster responses in light of perhaps more complaints that might be coming in, either internally or externally,” Madubuko says. “Sometimes, if the person doesn't even report it, then they are completely blindsided and they have to respond to intrusive governmental actions, as well as try to figure out what happened.”

Another possible risk for companies in the new rules is the anonymity: Yes, whistleblowers ultimately do have to identify themselves, but that can be stalled until late in the process, Madubuko says. “So a company can be faced with a claim made by an unknown person, where they have no idea how to start going about finding out what happened,” she says.

Comment letters the SEC has received about the whistleblower rules have no shortage of criticism. Some say the 90-day window for a company to respond to allegations should be expanded to 180 days. Others want tighter restrictions on which employees would be considered ineligible for the SEC bounty.

Jonathan Sulds, co-chair of the employment practice at law firm Greenberg Traurig, notes that the proposals do prohibit rewards for anyone criminally convicted of the misconduct in question; commenters, however, want that expanded to anyone involved in the misconduct at all. “[The] comments talked about how anybody who was involved in that underlying activity shouldn't be able to benefit from their own wrongdoing,” he says.

Others pondered the circumstances where it would be appropriate for legal, compliance, or audit employees to report claims to the SEC—if at all. “In the proposed regulations, both legal and audit have an initial obligation to report to internal resources, and then if the company investigates in bad faith or takes an unreasonable time to self-report the violation, they're able to go to the regulators and become whistleblowers themselves,” Sulds explains.

Companies also worried about the scope of retaliatory action, and whether a company might run afoul of whistleblower rules for punishing an employee over something unrelated to his whistleblower status. The scenario that troubles Sulds: “What if an internal investigation is proceeding without knowledge, for example, of one of the whistleblowers going to regulators; it uncovers wrongdoing in which the whistleblower is involved or in which the whistleblower had knowledge, and discipline is imposed on that individual?”

WHISTLEBLOWER COMMENTS

The following excerpt is from a joint comment letter from public companies to the SEC regarding the whistleblower provisions.

If employee whistleblowers bypass their companies' compliance and reporting programs because they are incentivized to go directly to the SEC, then the value and effectiveness of these programs will be significantly diluted—leading to a “less effective” system of securities regulation. We recognize that the proposed rules include certain provisions that are intended to address these concerns, and we appreciate the Commission's efforts in that regard, but they do not go far enough. Specifically, Proposed Rule 21F-4(b)(7) provides that a whistleblower's report to the SEC will relate back to the date of the whistleblower's internal report to a corporate legal, compliance, audit, or similar function, provided that the whistleblower contacts the SEC within a certain amount of time of having reported internally. However, while this measure would allow for internal reporting, it provides no requirement or incentive for employees to report internally. Moreover, whether employees first report an alleged violation through their company's compliance program is not a consideration that the Commission is required to take into account in determining the amount of the award; it is, instead, only one of 11 “permissible considerations.”

A whistleblower program that encourages employees to circumvent internal processes, and report alleged violations directly to the SEC, would deprive companies of the ability to promptly identify and investigate instances of potential misconduct, and to determine the depth and breadth of wrongdoing. Moreover, it would be inconsistent with the provision in many companies' codes of conduct that requires employees to report internally any potential or actual violations of law or company policy. A program that does not require internal reporting also would deprive companies of the ability to act promptly in order to prevent misconduct. For example, given the $1,000,000.01 threshold to trigger the possibility of receiving a bounty payment, employees who otherwise would internally report conduct that may involve monetary amounts that they consider de minimis might instead hold on to the information, perhaps indefinitely (in which case the company would never learn of the information) or until the potential misconduct and investor harm escalate by several orders of magnitude. Additionally, we are concerned that the proposed rules would discourage employees from going to their supervisors or other company resources with questions as to possible conduct that might or might not be a violation of law or company policy.

The unintended, adverse consequences likely would not end there. Of particular significance to the Commission, the current version of the whistleblower program could impair the Commission's goal of encouraging whistleblowers to provide high quality tips. According to David Rosenfeld, associate director of the SEC's New York Regional Office, “the SEC is being ‘inundated' with tips and complaints because of the pending whistleblower bounty program. ... We expect tons of these whistleblower complaints.” Mr. Rosenfeld further stated, “Some will be excellent, and some will be out there. It will take ‘considerable resources and time' to sort out the viable tips.” Mr. Rosenfeld's observation that “some will be out there” is consistent with the empirical data, which confirm that most whistleblower complaints are not related to securities law violations but, rather, HR issues ... Driven by the pursuit of bounty payments from the SEC—and possibly coupled with a lack of familiarity with the securities laws—employees may send the full gamut of whistleblower complaints to the Commission.

This result would be contrary to the Commission's intent as reflected in the Proposing Release, which recognizes the need to “provide a mechanism by which some of those erroneous cases may be eliminated before reaching the Commission, without otherwise adversely affecting the incentives on the part of potential whistleblowers ...”

Source: Joint Letter From Executives at Alcoa, Celanese, Citigroup, Ingersoll-Rand, Intel, Johnson & Johnson, JP Morgan Chase, Kraft Foods, Pfizer, Prudential Insurance, and Tyco; Dec. 17, 2010.

Even before the final rules are adopted, companies have begun making structural changes to accommodate the whistleblower provisions. “The important thing for the well-advised company is to integrate its compliance program with an overall HR program, so that the environment at the company is not one that resembles a policing operation, but one in which employees are motivated to say, ‘There's something wrong here, let's fix it for the good of the company,'” Sulds says.

End-Run on Compliance

Still, the recurring theme for many comment letters was how the whistleblower rewards might undermine compliance programs that many companies have spent years building up.

“If the final regulation requires whistleblowers to report both to the company and to the SEC at the same time, most of the corporate comment letters seem to support that approach,” says Sara Shanahan, a partner at the law firm Sherin and Lodgen. “If that provision isn't included in the rules, then we'll have to wait and see … about compliance programs being cut out of the process.”

Another question: how the SEC itself will handle whistleblower tips, and how it will fund and staff the whistleblower office required by the Dodd-Frank Act, says Luis Ramos, chief executive officer at The Network, which manages internal hotlines for corporate customers.

“Nobody knows how many allegations are going to be coming in, nobody knows how many whistleblower office numbers are going to be there, nobody knows how the SEC is going to interact with companies,” he says. “So there's a lot of uncertainty that creates risk for companies around this.”

Now is a good time for companies to shore up their internal compliance and reporting programs and to reach out to employees, Ramos says. “Companies need to reach out to their employee population and ask them whether they're aware of anything—and if they're not, they should get that in writing and certify that information.”

Some advisers are already contemplating ways around the law so companies can stay informed about what employees know. Ramos, for example, recommends that companies now put “simultaneous disclosure” clauses in employment contracts, so that employees must report issues internally, even if they also go to the SEC. The solution isn't perfect, but at least the compliance officer will know what people are saying.