The Securities and Exchange Commission ("SEC") has recently adopted rules implementing the whistleblower provisions of the Dodd-Frank Act. The new rules direct the SEC to pay awards to whistleblowers who voluntarily provide original information leading to the recovery of monetary sanctions exceeding $1 million.
The most contentious part of the rules is their likely impact on internal compliance programs. The business community has expressed concern that the rules will undercut the reporting requirements of corporate compliance programs. Notwithstanding this concern, the SEC has decided against requiring whistleblowers to report internally. Instead, it has determined whistleblowers are in the best position to know which reporting avenue to pursue.
As a result of the newly established bounty program, companies should be prepared for a flood of complaints. Below is a summary of key concepts under the new rules.
Defining a Whistleblower
The rules define a whistleblower as a person who provides to the SEC information relating to a possible violation of the securities laws that has occurred, is ongoing or is about to occur. A whistleblower must be an individual; companies are not eligible.
To be considered for an award, the rules require a whistleblower to do the following:
(a) Act voluntarily
(b) Provide original information
(c) Provide sufficient information leading to a successful enforcement action
(d) Facilitate a recovery totaling more than $1 million
Whistleblower Protection from Retaliation
Under the rules, it is unlawful for anyone to interfere with a whistleblower's efforts to communicate with the SEC, including threatening to enforce a confidentiality agreement. In addition, the rules do not require an actual violation or the successful receipt of an award for the anti-retaliation protections of the Dodd-Frank Act to apply. In an attempt to deter both bad-faith and frivolous reports, the SEC has imposed a "reasonable belief" standard that requires an employee to hold a subjectively genuine belief that the information demonstrates a possible violation and that this belief is one a similarly situated employee might reasonably possess.
No Internal Reporting Required
The new rules present challenges to established internal compliance programs because they do not require whistleblowers to first report internally before turning to the SEC. However, the SEC has attempted to incentivize utilization of internal compliance programs in three ways:
Companies need to recognize that compliance risks are not caused by whistleblowers. Instead, they are generated by weak compliance programs that fail to identify, assess and control risks before violations are discovered by whistleblowers or regulators. Therefore, companies must make compliance risk assessments an integral part of compliance programs.
Further, an essential part of an effective compliance program is a process that encourages employees to report possible compliance violations without fear of retaliation. In fact, companies should find creative ways to reward employees who come forward with a good-faith belief that compliance violations are occurring. In the end, the quality of internal programs will impact a whistleblower's decision to report to the company as opposed to the SEC first.
For more information about how to appropriately respond to the whistleblower rules, please contact our director, Compliance Risk Services, Jim Bowers, at (860) 275 0339 or firstname.lastname@example.org, or any of the individuals listed above.
On April 9, Jed Davis was one of the presenters on a webinar, "Cybersecurity Regulation: Navigating the New DFS Cybersecurity Regulation," distributed through Thomson Reuters.
Jed Davis spoke on "Cybersecurity: Surveying Current State and Federal Regulatory Activity By The SEC and NYDFS," a webinar presented by Bloomberg and moderated by cybersecurity expert Daniel Garrie.
Jed Davis authored an article, "Six Common Misconceptions About Cybersecurity," which appears in the March 5, 2018 issue of New York Law Journal as part of a special section on cybersecurity.
Dan Wenner authored an article, "Inside the 1st Muni Bond Criminal Case," published by Law360.
Jed Davis will be a featured panelist in a CLE program titled, "Implementing the New DFS Cybersecurity Regulation," (click on title to register), sponsored by the Data Law Initiative at Cardozo Law School.
Adam Grant was quoted in an article, "Content Requirements in Angola Cost Halliburton More Than $29 Million in SEC Disgorgement and Penalties," published in The Anti-Corruption Report.
Jed Davis was quoted in an article, "5 Ways To Keep Cybersecurity Woes From Derailing A Deal," published in Law360.
On January 5, Day Pitney hosted a speech by Robert L. Capers, the U.S. Attorney for the Eastern District of New York, to the White Collar Crime Committee of the American Bar Association's Business Law Section (WCCC) at the firm's New York City office.
Eliza Fromberg was quoted in an article, "Equity Crowdfunding Tops $10M Since SEC Rules Took Effect," in Law360.
Eliza Fromberg was quoted in an article, "SEC Boosts Intrastate Crowdfunding, But Hurdles Remain," in Law360. In the article, Fromberg discusses the U.S. Securities and Exchange Commission’s adoption of amendments to the intrastate offering exemption.