The SEC’s whistleblower program is under heat from Congress over an allegation that it allegedly disclosed the identity of an SEC whistleblower. The allegations are making political headway on Capitol Hill but that may be all that happens – a closer look at the claim shows that it has little merit.
But the recent flap over the SEC Whistleblower program is an important reminder that compliance programs need to have whistleblower triage programs.
What do I mean by a triage program? A quick and dirty team structure to review, evaluate and recommend action or no action on a complaint where there is a potential SEC whistleblower. The reasons for such a program are very clear.
Assuming that a whistleblower makes a complaint to a company and does not go directly to the SEC, the company has an opportunity to protect itself or at least hedge its bets a little bit. If the company reviews the matter quickly, it can decide how great a risk the complaint is to the company. If it is not a great risk or the complaint has little credibility, the company can try and deal with the complaint internally without a pre-emptive move to the SEC to beat the whistleblower in reporting the matter. On the other hand, if the complaint creates significant risk, the company should take immediate and active steps to investigate, interact with the whistleblower to gain time to investigate and gather facts, and possibly go to the SEC before the whistleblower in order to gain an advantage for early reporting and cooperation.
The triage team must consist of a representative from legal, compliance and auditing. It must have procedures in place to evaluate a claim quickly and make recommendations. The triage team needs to have clear reporting requirements to senior management and the Audit Committee, so that any steps it takes are done with proper consultation and approval. A specific protocol for handling whistleblowers and making sure that every effort is made to coordinate and consult with the whistleblower.
The triage team has to evaluate the credibility of the whistleblower complaint by testing the allegations for accuracy, consistency with other sources of information and an overall judgment of credibility. A report of the triage team’s actions has to be made in writing and reviewed by senior management and the Audit Committee.
Under the SEC’s rules, a whistleblower has an incentive (not a requirement) to report the complaint internally before going to the SEC. Specifically, one of many factors to consider in making an award is whether the whistleblower gave the company 120 days to review and respond to the complaint before reporting to the SEC. It is not a mandate but it is an incentive.
Companies need to respond, if given the chance, and need to do so quickly. They do not have much time to do so and the stakes are very high. A company is in a much different position if it is responding to the SEC after a whistleblower has made the complaint to the SEC, rather than initiating a self-disclosure to the SEC before the whistleblower contacts the SEC.
In the face of these significant risks, and before the whistleblower program is fully implemented, companies would be wise to design and implement a specific whistleblower triage program.