John H. Walsh
This is the second article in a series presenting post Dodd-Frank best practices for in-house counsel and compliance professionals.
Two and a half years after its passage and more than a year after key rules went into effect, the Dodd-Frank Act’s whistleblower program has generated more than 3,000 tips, complaints, and referrals, and yielded its first announced Securities and Exchange Commission enforcement action this year.
The program’s first reward was made in August 2012, reportedly to a whistleblower who helped the SEC stop a multimillion-dollar fraud scheme. Further, the SEC’s annual report on the whistleblower provisions says judgments and orders issued during the 2012 fiscal year exceeded the program’s statutory threshold of $1 million in 143 cases.
Though the full scope of the program continues to unfold, the fact that 3,000-plus individuals believe they have stories of malfeasance to tell indicates the program is gaining traction—and sends a clear signal that regulated entities had better be ready to react if and when a whistleblower investigation arises. Corporate counsel and compliance officers must anticipate areas of risk, actively monitor practices, and prepare appropriate responses in advance. And when it comes to anticipating risk, the primary concern is not just how to respond to a whistleblower allegation, but how quickly to respond.
That can be a particularly vexing issue as large or complex companies may fall subject to multiple self-reporting mechanisms with different time requirements. These include the SEC’s zero-grace period as set out in the adopting release for the whistleblower rules, the Financial Industry Regulatory Authority’s (FINRA) 30-day filing requirement as set out in Rule 4530, and the SEC’s annual review requirement as set out in the adviser and fund compliance rules.
When the SEC designed its whistleblower rules, the agency made participating in internal compliance systems a factor that could increase the amount of a whistleblower’s ultimate bounty award. When whistleblowers contact an internal compliance officer, they are given 120 days to report to the SEC. This look-back period gives whistleblowers time to decide whether or not to report the issue to the SEC
At the same time, however, the SEC also said that how quickly an entity self-reports its misconduct to the public, to regulatory agencies, and to self-regulatory organizations would be an important factor when considering whether and to what extent to grant leniency for cooperating in its investigations and related enforcement actions. Moreover, while the SEC gives the whistleblower 120 days after making an internal report to decide whether or not to report to the agency, no extra time was extended to the companies receiving the reports.
The SEC emphasized that the 120 days given whistleblowers is not a grace period for companies to determine their response to the allegations. Indeed, it said, companies “frequently elect to contact the staff in the early stages of an internal investigation in order to self-report violations that have been identified.” In other words, the 120-day grace period applies only to the whistleblower. It does not and should not affect how quickly an entity self-reports to the SEC.
That’s not the only area where the reporting distinctions are subtle. In 2003 and 2004, the SEC adopted rules that require investment companies and advisers to designate a chief compliance officer and adopt written policies and procedures; and that require investment advisers to create a written code of ethics for their supervised persons. The rules also require CCOs to provide a report annually to the fund’s board that addresses each material compliance matter that has occurred since the date of the last report.
Importantly, these reports are meant to be made available to the SEC and its staff and are not subject to the attorney-client privilege, the work product protection, or other similar protections. Thus, the results of the annual reviews and, specifically, funds’ reports of material compliance matters are open to review by regulators.
Subscribe to Corporate Counsel
