"Record breaking" is how the U.S. Securities and Exchange Commission (SEC) described its whistleblower program results in FY 2021, and it's not hard to see why. The agency continued to receive tips from all corners of the market, and with increasing frequency. According to the SEC Office of Whistleblower statistics, the agency received a 76 percent increase in whistleblower tips over FY 2020, with the most prevalent involving alleged market manipulation, corporate disclosure and financial statement misconduct, and purported offering frauds. Not surprisingly, as the SEC's whistleblower program has matured, the agency's overall awards have continued to increase. But it is the magnitude of the increase that is noteworthy. In FY 2021, the agency issued more whistleblower awards than in the prior 10 years combined, including its two largest awards to date. In total, the SEC awarded approximately $564 million to 108 whistleblowers during the last fiscal year. On the heels of the SEC issuing awards totaling more than $40 million to four whistleblowers last week, we'll unpack certain aspects of whistleblower eligibility and protections, and offer some practical considerations for 2022.
Whistleblower Eligibility and Protections
SEC Chair Gary Gensler has been vocal about the critical role whistleblowers play in the SEC's enforcement of federal securities laws. Gensler "believe[s] deeply in whistleblower programs," and he indicated at the National Whistleblower Day Celebration on July 30, 2021, that the SEC is committed to strengthening its whistleblower program, as it helps the agency "to be better cops on the beat, execute [its] mission, and protect investors from misconduct." Gensler further stated that the agency "must ensure that whistleblowers are empowered to come forward when they see misbehavior; that they are appropriately compensated … ; and that those who report wrongdoing are protected from retaliation."
Section 21F of the Securities and Exchange Act of 1934 authorizes the SEC to pay awards to eligible whistleblowers who voluntarily provide the agency "original information" that leads to a successful enforcement action resulting in monetary sanctions exceeding $1 million. Original information means information derived from a whistleblower's independent knowledge, such as experiences and observations, or a whistleblower's independent analysis of publicly available information. The SEC has clarified that "independent analysis" requires more than directing the agency to publicly available information that facially suggests a violation of federal securities laws. Instead, the whistleblower must, through the application of specialized knowledge or expertise, provide the agency valuable insights that it would likely be unable to infer on its own. Eight awards – one of which was the second-largest award to a single individual – were made by the SEC in FY 2021 based partly on independent analysis.1
Enforcement actions brought against employers who retaliate against whistleblowers and anyone who takes action to impede reporting are the SEC's primary means to protect whistleblowers. The agency considers whistleblower protection a high priority, as reflected by two FY 2021 enforcement actions based on alleged retaliatory conduct in violation of Exchange Act Rule 21F-17.
The SEC further protects purported whistleblowers, and empowers them to report suspected wrongdoing, by protecting their identity, regardless of whether they report to the agency anonymously. With few exceptions (most notably, during civil discovery after a filed enforcement action), the SEC is prohibited from disclosing any information that could reasonably be expected to reveal the whistleblower's identity. Moreover, at Gensler's direction, this fiscal year the agency is expected to propose revisions to two rules that took effect in FY 2021 to address concerns that they discourage whistleblowers from reporting. Simply put: Whistleblower protection will undoubtedly remain top of mind for the SEC going forward.
Practical Considerations for FY 2022
The stakes have never been higher for companies to invest significant resources in compliance-related programs, policies and procedures. All the talk about whistleblower awards omits the logical conclusion of the assessment: For a whistleblower to receive an award, there must be an underlying SEC enforcement action that resulted in monetary sanctions exceeding $1 million. Put another way, the unspoken byproduct of the SEC's bounty program is that issuers are paying significant penalties for alleged misconduct originally identified to the agency by whistleblowers, often company insiders.
As such, any discussion about whistleblowers cannot be divorced from a consideration of an entity's compliance programs, policies and procedures. U.S. Deputy Attorney General Lisa Monaco, in prepared remarks that presaged her Nov. 3, 2021, memo, highlighted that "companies serve their shareholders when they proactively put in place compliance functions and spend resources anticipating problems." For its part, as the SEC increasingly brings enforcement actions based on violations of controls provisions without any fraud component, the agency is surely operating with a similar expectation.
"That's all well and good, but what's a company actually supposed to do?" you may be asking yourself. In the coming weeks, the SECond Opinions Blog will unpack more on SEC compliance-related topics for issuers and regulated entities. For now, at a high level, there are several actions it seems clear the government expects to see every company undertake with respect to its compliance program: 1) specific written policies and procedures; 2) tailored policies to address specific risks, threats and vulnerabilities associated with the enterprise; 3) periodic assessment and testing of such policies and procedures; 4) policies and procedures in place to communicate incidents to management; 5) the implementation of an incident response plan to quickly address incidents and red flags; and 6) periodic compliance training of its employees.
Until our next post on this topic, we want to highlight two specific areas at the intersection of whistleblowers and compliance.
Create a Culture That Encourages Internal Reporting: Current or former insiders – many of whom reported their concerns internally to the company multiple times before going to the SEC – received most of the whistleblower awards made in FY 2021. However, amendments to the SEC whistleblower rules that took effect in December 2020 could incentivize a whistleblower to report to the SEC first. The relevant rule amendments aligned the agency's whistleblower requirements with the U.S. Supreme Court's 2018 opinion in Digital Realty Trust, Inc. v. Somers, where the court held that whistleblowers must report possible securities law violations directly to the SEC to receive anti-retaliation protection under the Dodd-Frank Act.2
Companies typically benefit from receiving internal complaints before possible misconduct is reported to the SEC. For instance, functioning ethics hotlines and compliance programs that encourage reporting position a company to quickly act on complaints that warrant internal or independent investigation. Those benefits will take on heightened significance in the current enforcement climate given the emphasis on more aggressive enforcement and heightened standards for individuals and companies receiving cooperation credit. Employees should be able to report anonymously and feel confident that the company will take whistleblower complaints seriously and fiercely protects against retaliation.
Respond Thoughtfully to Whistleblower Complaints: Gensler announced at the SEC Enforcement Forum on Nov. 4, 2021, that his approach to handling corporate enforcement is "broadly consistent" with Monaco's changes to related U.S. Department of Justice policies regarding, among other things, cooperation.
To receive cooperation credit from the SEC, companies should expect to take additional steps beyond merely complying with their legal obligations and conducting self-serving internal investigations. Instead, companies need to invest financial and staffing resources in their internal compliance programs, empower and support the compliance program within the organization, and ensure appropriate objectivity or independence when investigation is warranted. Further, as Gensler noted, companies need to be prepared to provide the SEC "with all relevant facts relating to the individuals responsible for the misconduct." Thus, in connection with responding to a whistleblower complaint, companies should anticipate, and thoroughly investigate, the aspects of the complaint about which the SEC may inquire – for instance, concerns about the accuracy of a company's financial reporting or the accuracy of statements made to investors and other key stakeholders.3
Notably, companies must tread carefully in how they respond to individual employees raising complaints. The anti-retaliation provisions of the Dodd-Frank Act will apply to a given employee if the employee reported to the SEC whether or not the company is aware about the employee's complaint to the agency. As a result, a culture that sufficiently addresses complaints and separates personnel decisions about complainants from complaint assessment is a key factor of a robust compliance program.
1 In assessing the appropriate award amount, Exchange Act Rule 21F-6 provides that the Commission consider: (1) the significance of information provided to the Commission; (2) the assistance provided in the Commission action; (3) law enforcement interest in deterring violations by granting awards; (4) participation in internal compliance systems; (5) culpability; (6) unreasonable reporting delay; and (7) interference with internal compliance and reporting systems. 17 C.F.R. § 240.21F-6
2 There are separate anti-retaliation protections afforded to employees in certain circumstances under the Sarbanes-Oxley Act of 2002 (18 U.S.C. §1514A).
3 The SEC's Division of Enforcement has long relied on the four "pillars" of the Division's Oct. 23, 2001, Seaboard Report – self-reporting, self-policing, remediation and cooperation – to assess not only charging decisions against entities, but also whether to impose penalties and, if so, the amount. Each of these factors has direct ties to not only how companies proactively root out potential issues, but also how they respond when issues are identified.