As the year gets underway, the Securities and Exchange Commission (SEC or Commission) is continuing its ongoing enforcement efforts to target anti-whistleblower practices by pursuing a broader range of entities and substantive agreements, including the terms of agreements between financial institutions and their retail clients. The most recent settlement with a financial firm signifies that the SEC is imposing increasingly steep penalties to settle these matters while focusing on confidentiality provisions that do not affirmatively permit voluntary disclosures to regulators. We discuss below the latest SEC enforcement actions in the name of whistleblower protection and offer some practical tips for what firms and companies may do to proactively mitigate exposure.

On 16 January 2024, the SEC announced a record US$18 million civil penalty against a dual registered investment adviser and broker-dealer (the Firm), asserting that the use of release agreements with retail clients impeded the clients from reporting securities law violations to the SEC in violation of Rule 21F-17(a) of the Securities Exchange Act of 1934 (Exchange Act).¹

The SEC found that from March 2020 through July 2023, the Firm regularly required its retail clients to sign confidential release agreements in order to receive a credit or settlement of more than US$1,000. Under the terms of these releases, clients were required to keep confidential the existence of the credits or settlements, all related underlying facts, and all information relating to the accounts at issue, or risk legal action for breach of the agreement. The agreements “neither prohibited nor restricted” the clients from responding to any inquiries from the SEC, the Financial Industry Regulatory Authority (FINRA), other regulators or “as required by law.” However, the agreements did not expressly allow the clients to initiate voluntary reporting of potential securities law violations to the regulators. The SEC found that this violated Rule 21F-17(a) “which is intended to ‘encourag[e] individuals to report to the Commission.’”² While the Firm did report a number of the underlying client disputes to FINRA, the SEC found this insufficient to mitigate the lack of language in the release agreements that expressly permitted the clients to report potential securities law violations to the SEC.

The SEC initiated a settled administrative proceeding against the Firm, which neither admitted nor denied the SEC’s findings. In addition to the US$18 million civil monetary penalty, the settlement requires that the Firm cease and desist from further violations of Rule 21F-17(a). Notably, the SEC credited certain remedial measures promptly undertaken by the Firm, including revising the at-issue release language and affirmatively alerting affected clients that they are not prohibited from communicating with governmental and regulatory authorities.

This enforcement action is significant for several reasons. First, it signals a broader enforcement focus by the SEC with respect to Rule 21F-17(a) in that this is the first action involving the terms of agreements between a financial institution and its retail clients, which are prevalent throughout the financial services industry. Previously, enforcement had focused squarely on restrictive confidentiality provisions involving employees, such as those found in employment or severance agreements or in connection with internal investigation interviews.

Second, the unprecedented magnitude of the penalty in a standalone Rule 21F-17(a) case underscores the SEC’s emphasis on preventing practices that it views as obstructions of whistleblower rights. SEC Enforcement Director Gurbir Grewal’s statement announcing the settlement reflects this position, “Whether it’s in your employment contracts, settlement agreements or elsewhere, you simply cannot include provisions that prevent individuals from contacting the SEC with evidence of wrongdoing.” Companies (public and private), broker-dealers, investment advisers, and other market participants should expect to see continued enforcement investigations in connection with the SEC’s ongoing attention toward compliance with Rule 21F-17(a), as discussed further below.

The SEC’s Whistleblower Protection Program

Established in 2011 pursuant to the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, the SEC Whistleblower Program provides monetary awards to individuals who “tip” the SEC with original information that leads to an enforcement action resulting in monetary sanctions that exceed US$1 million. Through the end of the SEC’s FY2023, the SEC has awarded almost US$2 billion to 385 whistleblowers.³ In FY2023 alone, the SEC received over 18,000 whistleblower tips and awarded more than US$600 million in whistleblower awards to 68 individuals.⁴

In furtherance of the Whistleblower Program, the SEC also issued Exchange Act Rule 21F-17(a), which provides that “no person may take any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement . . . with respect to such communications.”⁵

SEC Struck Several Blows in 2023 Against Companies that Failed to Carve Out Whistleblower Protections in Their Confidentiality Agreements

The SEC has been aggressively enforcing Rule 21F-17(a) since its first enforcement action in 2015 with respect to that Rule,⁶ through several waves of enforcement actions. During 2023, the SEC was especially active with a number of settled enforcement actions asserting violations of Rule 21F-17(a) in which the respondents neither admitted nor denied the SEC’s findings:

• In February 2023, the SEC fined a video game development and publishing company US$35 million for violating federal securities laws through its inadequate disclosure controls and procedures. The settled action also included a finding that the company had violated Rule 21F-17(a) by executing separation agreements in the ordinary course of its business that required former employees to provide notice to the company if they received a request for information from the SEC’s staff.⁷
• In May 2023, the SEC imposed a US$2 million fine on an internet streaming company for: (i) retaliating against an employee who reported misconduct to the company’s management prior to and after filing a complaint with the SEC; and, (ii) impeding the reporting of potential securities law violations, by including provisions in employee severance agreements requiring that departing employees waive any potential right to receive a whistleblower award, in violation Rule 21F-17(a).⁸
• In September 2023, in another standalone enforcement action for violations of Rule 21F-17(a), the SEC imposed a US$10 million civil monetary penalty on a registered investment adviser (RIA) for requiring that its new employees sign employment agreements that prohibited the disclosure of “Confidential Information” to anyone outside of the company, without an exception for voluntary communications with the SEC concerning possible securities laws violations.⁹ Further, the RIA required many departing employees to sign a release in exchange for the receipt of certain deferred compensation and other benefits affirming that, among other things, the employee had not filed any complaints with any governmental agency. Although the RIA later revised its policies and issued clarifications to employees that they were not prevented from communicating with the SEC and other regulators, the RIA failed to amend its employment and release agreements to provide the carve out.
• Also in September 2023, the SEC charged two additional firms with violations of Rule 21F-17(a). In one case imposing a US$375,000 civil penalty, the SEC found that a commercial real estate services and investment firm impeded whistleblowers by requiring its employees, as a condition of receiving separation pay, to represent that they had not filed a complaint against the firm with any federal agency.¹⁰ In another case, the SEC imposed a US$225,000 civil penalty against a privately-held energy and technology company for requiring certain departing employees to waive their rights to monetary whistleblower awards.¹¹ This particular action underscores that Rule 21F-17 applies to all entities, and not only to public companies.

Mr. Grewal, in an October 2023 speech before the New York City Bar Association Compliance Institute, emphasized that potential impediments to the SEC’s Whistleblower Program would be a continued focus of the agency’s enforcement efforts, stating, “we take compliance with Rule 21F-17 very seriously, and so should each of you who work in a compliance function or advise companies. You need to look at these orders and the violative language cited by the Commission and think about how those actions may impact your firms. And if they do, then take the steps necessary to effect compliance.”¹²

Key Take-Aways

The SEC’s recent enforcement actions demonstrate that violations of Rule 21F-17(a) can carry significant fines and reach virtually any confidentiality agreement that does not carve out communications between a firm’s current or former employees or customers and the SEC or other regulators about potential securities violations. Moreover, although many of the enforcement actions relate to language in agreements, Rule 21F-17 is not so limited and can also apply to language in internal policies, procedures, guidance, manuals, or training materials. The message from the SEC is clear: it will continue to enforce Rule 21F-17 with respect to public companies, private companies, broker-dealers, investment advisers, and other financial services entities.

The SEC in its recent orders has provided credit to companies for cooperation as well as for instituting remedial actions.¹³ Being proactive in identifying and correcting potential violations in advance of any investigation by the SEC can result in mitigation of any action or penalties.

Legal and compliance officers may want to consider the following steps in order to evaluate and potentially mitigate any potential exposure to an enforcement action:

• Conduct a review of all employee-facing and client-facing documents or contracts with confidentiality provisions and remove or revise any content that may be viewed as impeding (even unintentionally) a person’s ability to report potential securities law violations to the SEC. Depending on the circumstances, this may involve including a reference expressly permitting communications with the SEC and other government or regulatory entities without advance notice or disclosure to the company.
• Remove any language from the templates that could be interpreted as hindering an employee’s or client’s ability to communicate with the SEC concerning potential securities law violations, including language threatening disciplinary action against employees for disclosing confidential information in their communications with government agencies when reporting potential violations.
• Prepare addenda or updates to current employee- and client-facing agreements that reflect the revised confidentiality clauses.
• Include reference in written anti-retaliation policies that employees’ communications and cooperation with the SEC and other government agencies will not result in retaliation from the company.
• Conduct trainings for company managers and supervisors regarding appropriate communications to employees regarding their interactions with the government.
• Implement policies that prevent any company personnel from taking steps to block or interfere with an employee’s use of company platforms or systems to communicate with the SEC and other government agencies.¹⁴

¹ In the Matter of JP Morgan Securities LLC, Admin. Proc. No. 3-21829 (Jan. 16, 2024), https://www.sec.gov/files/litigation/admin/2024/34-99344.pdf.

² Id. (quoting Securities Whistleblower Incentives and Protections Adopting Release, Release No. 34-63434 (June 13, 2011)).

³ SEC Office of the Whistleblower Annual Report to Congress for Fiscal Year 2023 (Nov. 14, 2023), https://www.sec.gov/files/2023_ow_ar.pdf; SEC Whistleblower Office Announces Results for FY 2022 (Nov. 15, 2022), https://www.sec.gov/files/2022_ow_ar.pdf; 2021 Annual Report to Congress Whistleblower Program (Nov. 15, 2021), https://www.sec.gov/files/owb-2021-annual-report.pdf; 2020 Annual Report to Congress Whistleblower Program (Nov. 16, 2020), https://www.sec.gov/files/2020_owb_annual_report.pdf.

⁴ SEC Office of the Whistleblower Annual Report to Congress for Fiscal Year 2023 (Nov. 14, 2023), https://www.sec.gov/files/2023_ow_ar.pdf.

⁵ 17 C.F.R. § 240.21F-17.

⁶ In the Matter of KBR, Inc., Admin. Proc. No. 3-16466 (Apr. 1 2015), https://www.sec.gov/files/litigation/admin/2015/34-74619.pdf (imposing a US$130,000 fine on a company in a settled enforcement action for requiring that witnesses in certain internal investigations sign confidentiality agreements warning that they could be subject to discipline if they discussed the matters at issue outside the company without prior approval of the company’s legal department).

⁷ In the Matter of Activision Blizzard, Inc. Admin. Proc. No. 3-21294 (Feb. 3, 2023), https://www.sec.gov/files/litigation/admin/2023/34-96796.pdf.

⁸ In the Matter of Gaia, Inc. et. al., Admin. Proc. No. 3-21438 (May 23, 2023), https://www.sec.gov/files/litigation/admin/2023/33-11196.pdf.

⁹ In the Matter of D.E. Shaw & Co., L.P., Admin. Proc. No. 3-21775 (Sep. 29, 2023), https://www.sec.gov/files/litigation/admin/2023/34-98641.pdf.

¹⁰ In the Matter of CBRE Inc., Admin. Proc. No. 3-21675 (Sept. 19, 2023), https://www.sec.gov/files/litigation/admin/2023/34-98429.pdf.

¹¹ In the Matter of Monolith Res., LLC, Admin. Proc. No. 3-21629 (Sept. 8, 2023), https://www.sec.gov/files/litigation/admin/2023/34-98322.pdf.

¹² Gurbir S. Grewal, Remarks at New York City Bar Association Compliance Institute (Oct. 24, 2023), https://www.sec.gov/news/speech/grewal-remarks-nyc-bar-association-compliance-institute-102423.

¹³ See, e.g., In the Matter of CBRE Inc., Admin. Proc. No. 3-21675 (Sept. 19, 2023), https://www.sec.gov/files/litigation/admin/2023/34-98429.pdf (crediting respondent’s remediation program, which included, among other measures, an audit of relevant agreements, updates to policies with respect to Rule 21F-17, and mandatory trainings); In the Matter of Monolith Res., LLC, Admin. Proc. No. 3-21629 (Sept. 8, 2023), https://www.sec.gov/files/litigation/admin/2023/34-98322.pdf (crediting respondent’s prompt remedial acts including revisions to the at-issue release language and affirmatively alerting affected clients that they are not prohibited from communicating with governmental and regulatory authorities.)

¹⁴ Cf. In the Matter of David Hansen, Admin Proc. 3-20820 (Apr. 12, 2022), https://www.sec.gov/enforce/34-94703-s (settled SEC enforcement action against former Chief Information Officer of a technology company for violating Rule 21F-17(a) by, among other things, removing an employee’s access to the company’s computer systems after the employee raised concerns regarding misrepresentations contained in the company’s public disclosures).