Corporate Counsel
ALM Properties, Inc.
Page printed from: Corporate Counsel

Back to Article

Select 'Print' in your browser menu to print this document.

The Sensitive Question of When to Self-Report a Possible SEC Violation

John H. Walsh

Corporate Counsel

02-01-2013


This is the latest in a series presenting post-Dodd-Frank best practices for in-house counsel and compliance professionals.

Deciding whether and when to self-report a possible SEC violation is among the most difficult issues a company can face. It must be supported by thorough internal inquiry and must always be approved at the highest levels of the company’s management. With the Securities and Exchange Commission now paying bounties to whistleblowers—even anonymous whistleblowers—for information, the stakes associated with even a single internal misstep are higher than ever.

Take, for example, the now-classic case against John H. Gutfreund, perhaps the most significant failure-to-supervise case ever brought by the SEC. In that case, several senior executives at a major securities firm met, discussed a serious compliance problem, left the meeting, and then took no action, each placing responsibility for further action on someone else. In that particular event, the SEC brought public proceedings against all of them.

To avoid such an outcome, a number of key issues must be addressed beforehand. If and when a whistleblower crisis emerges, a specific person must be chosen to decide exactly what will be done. Others may serve as advisors, but a formally designated “decider” should be established either before a crisis hits or at the outset. That may seem like common sense, but as the Gutfreund case demonstrates, failure to do so can have enormous repercussions.

Formally designating a decider in advance ensures clarity in the decision-making process and avoids the time-consuming, after-the-fact disputes over authority and responsibility that clouded the Gutfreund case. If someone will be held accountable for making a decision, they should know it at the time. If someone is merely an advisor, that also should be known—especially legal and compliance staff who may play a role in responding to a problem, even though someone else is ultimately responsible for the decision.

If needed, helpful guidance can be found in the Financial Industry Regulatory Authority’s 2010 self-reporting rule, regardless of whether a firm is a FINRA member. FINRA states that a member’s reporting procedures should clearly identify the person responsible for determining whether a violation has occurred—and whether it is of a nature that requires reporting to FINRA—as well as the person’s level of seniority (general counsel, chief compliance officer, or a senior staff committee).

Next, the legal department will have to create a “zone of privacy” where privileged communications can be protected. Admittedly, this may seem contrary to the spirit of self-reporting, and at one point in time that’s how it was viewed. The SEC’s 2001 Cooperation Release, for example, suggested the agency expected companies to waive attorney-client privilege or work-product protection as a way to provide relevant information to its staff. Over the next few years, the Department of Justice and the U.S. Sentencing Commission followed suit. But after their policies triggered serious controversy, each agency, to one degree or another, retracted its views.

The director of the SEC’s Division of Enforcement clarified the agency’s view by saying, in effect, waiving privilege or protection is not a prerequisite to obtaining credit in an SEC investigation. The credit is based on, among other things, the quality of the information given and how quickly it’s provided. More recently, the current director has complained about some practices companies use when asserting privileges, such as long delays in production, but not about the assertion of privilege itself. The lesson, therefore, is that core attorney-client communications and opinion work product should not only be protected, but regulators expect companies to do so, even when self-reporting.

As a result, every manager in the organization must understand that the legal department is to be notified the moment an allegation is made. Doing so allows the department to create a “zone of privacy” by identifying and controlling the communications and opinions it will need to protect. If the company must self-report, these controls may be all that stand between some degree of privacy and complete exposure of its innermost thoughts and motives.

Processes must also be in place to “report up” internally. An organization may need, for example, to determine whether the problem is under the jurisdiction of the audit committee or the company’s code of ethics. In each case, an appropriate report must be made. Or, if applicable, the company must determine how the allegation will be reflected in its annual compliance review. Moreover, timely internal reporting to the highest levels of the organization must also be considered, especially for organizations with independent directors, such as mutual funds, because of their role in assuring the fund’s internal compliance. This, of course, is a judgment call that depends on a variety of factors, including the type of company, its regulatory requirements, and the scope of the whistleblower’s allegation.

Next, in a serious crisis, companies will have to remedy the problem immediately, or at least initiate a serious and adequately funded response. Few problems are the result of isolated personal failures. Rather, it is the underlying systematic failures that require remedial action: lack of resources, mixed supervisory signals, and misguided compensation or evaluation systems. Firing individuals, in and of itself, rarely constitutes a remedy. Companies should be able to demonstrate that they have identified and are addressing the underlying problems.

The final step is to self-report. However, the organization must first decide at what level a report should be made. In a borderline case, where a company decides to self-report even though it is probably not necessary, the report should be made at an appropriately junior level. In a serious case, where the credibility and integrity of the company is at stake—such as in the Gutfreund case—the report should be made at the highest levels. Overreacting in the first situation would communicate an unwarranted gravity; underreacting in the second would communicate an inappropriate lack of executive attention.

Once the reporting level is determined, move quickly because time is of the essence. Speed is essential in making inquiries, engaging in fact-finding, and reaching conclusions. A company must be ready to deploy substantial resources and do so on an expedited basis.

John. H. Walsh is a partner at Sutherland Asbill & Brennan. He previously served for 23 years at the Securities and Exchange Commission, where he was instrumental in creating the Office of Compliance Inspections and Examinations.