Whistle-blower law creates incentives and risks

WASHINGTON—Employers should make sure their internal compliance procedures are strong and effective in light of a rule that is expected to encourage whistle-blower tips to the Securities and Exchange Commission.

The whistle-blower provision of the Dodd-Frank Wall Street Reform and Consumer Protection Act offers workers bounties for reporting securities violations. The final rule permits them to go first to the SEC rather than their own firms, thus putting their firms at risk of falling under SEC scrutiny.

Under the provision, a whistle-blower who provides “original information” to the SEC that results in a sanction of at least $1 million could receive 10% to 30% of the penalty levied.

The SEC's Office of the Whistleblower lists dozens of cases where sanctions exceeded $1 million, although it does not specify whether a whistle-blower award will be paid in connection with any of the cases.

An SEC spokesman said while he has no data to indicate whether the number of whistle-blower tips have increased since its rule implementing the act went into effect Aug. 12, there has been a “significant increase in the number of quality tips.” The SEC has estimated it will receive about 30,000 whistle-blower complaints a year.

Companies lobbied vigorously but unsuccessfully for a requirement that employees first go to their own companies with any whistle-blower complaints before the go to the SEC. Lloyd B. Chinn, a partner with Proskauer Rose L.L.P. in New York, said many companies already have regulatory compliance programs in place in response to various legislation, including the Sarbanes-Oxley Act.

“Employers feel that this bounty program is going to potentially undermine significantly their internal compliance efforts by offering such dramatic incentives to go outside the internal process,” Mr. Chinn said.

Companies assume there will be more whistle-blower claims and “that people might be more inclined to go to the SEC first, as opposed to following internal compliance guidelines,” said Paul R. Monsees, a partner with Foley & Lardner L.L.P. in Washington.

“Particularly if the whistle-blower is a disaffected employee who may not have a bona fide complaint, that whistle-blower could wreak some level of havoc in the company,” forcing it to defend itself in an investigation and “prolonging employment because of federal whistle-blower employment protections,” said Jacob S. Frenkel, an attorney with Shulman Rogers Gandal Pordy & Ecker in Potomac, Md., and a former SEC enforcement attorney.

The provision “will result in an explosion of people reaching out to the SEC, reporting just about any kind of incident they feel might potentially violate” the law, said John Reed Stark, managing director and deputy general counsel at Stroz Friedberg L.L.C. in Washington and a former chief of the SEC's Office of Internet Enforcement.

Zachary T. Fardon, a partner with Latham & Watkins L.L.P. in Chicago, said the whistle-blower provision “creates a new venue and opportunity for employees of companies to profit, to get a bounty, in essence, from internal whistle-blower information.”

Renee B. Phillips, a senior associate with Orrick, Herrington & Sutcliffe in New York, said, however, “It's unclear at this point what effect” the provision is having “because a lot of times the SEC will start an investigation but not say it derives from whistle-blower tips. So companies may be getting these inquiries, but are not sure of their origin.”

Observers note the rule makes an attempt to encourage employees to go to their own companies before approaching the SEC.

It provides a 120-day grace period during which companies that learn of problems through their internal compliance programs can go to the SEC and self-report, and the whistle-blower still could collect their share of a sanction.

If a company reports more issues than reported by an employee, the whistle-blower would receive a bounty for those as well, even if the revelations go beyond what the employee knew.

Elizabeth P. Papez, a partner with Winston & Strawn L.L.P. in Washington, said companies do not yet know whether the incentives that were included in the final rule are “strong enough to keep employees reporting internally first before they go to the agency.”

“We're not really going to know how this is going to play out for a number of years, but certainly it's important for companies to ensure that they have strong governance and compliance programs in place, and adequate communication and response and training mechanism to address this significant change,” Mr. Frenkel said.

“The challenge for companies today is to really look at their hotlines and reporting mechanisms to ensure that they're getting the information early enough in the process, that employees are encouraged to use internal mechanisms, so the company has a chance to respond and do an internal investigation if it is required,” said Richard H. Girgenti, New York-based national forensic service line leader at KPMG L.L.P. Then a company can disclose the issue to the SEC to “mitigate its own exposure and risk,” he said.

But a 2009 KPMG survey indicates this may be a challenge for employers. The survey found that only 57% of employees “were comfortable reporting misconduct” on internal company hotlines, Mr. Girgenti said.

Only 34% of workers thought their employer would take appropriate action, and 47% said they were not confident they would be protected from retaliation after filing such reports, he said.

“There's a huge gap between what a company would like to see happen and what in fact might happen,” said Mr. Girgenti.

He said companies should examine their internal reporting procedures. “Do you need to advertise your hotline program better? Perhaps more training and orientation with employees is needed to educate them not only about the access to the hotline, but that the organization takes nonretaliation very seriously,” he said.

Mr. Girgenti also suggested that companies reward employees making an internal whistle-blower complaint “the same way you would reward employees who have good business results,” because managing risk should be as important as managing earnings.

Experts recommend these 10 best practices for minimizing whistle-blower risks.

Mr. Stark said companies should consider establishing an ombudsman program that, although costly, “might encourage employees to take a healthy look at what they can do internally rather than running to the SEC.”

In addition, “Companies need to consider using an independent third party to help them manage the complaints, and help them investigate the complaints” and then study the digital evidence that is often involved, Mr. Stark said.

Mr. Frenkel recommends that companies also “exercise greater diligence” in investigating whom they hire, because “an employer saddled with a whistle-blower now has fewer options.”