Jeffrey S. Klein and Nicholas J. Pappas
From 2008 to 2013, the federal government collected nearly $17 billion in judgments from actions brought under the False Claims Act (FCA), collecting a staggering $3.8 billion this past year alone.[1] Most FCA actions are filed under the FCA’s qui tam provision, which allows private citizens, referred to as “relators,” to file lawsuits on behalf of the government alleging fraud. If the relator pursues the action alone and prevails, the relator receives up to 30 percent of the recovery. If the government intervenes and prevails in the action, the relator receives up to 25 percent of the recovery. See 31 U.S.C. §3730(d). In its report, the U.S. Department of Justice disclosed that $2.9 billion of the $3.8 billion recovered last year emanated from lawsuits filed under the qui tam provision of the act, with whistleblowers recovering $345 million.
Imagine you are a manager at ABC Company and you learn from a fellow manager that your subordinate has voiced concerns to other employees that the company is promoting its new product for uses not approved by the federal regulatory authorities. In addition, your subordinate is concerned that the lavish dinners your company hosts for customer representatives may be designed to induce the customer’s vendors to sell more of ABC Company’s products. Your subordinate is concerned that these actions may violate federal laws and is considering reporting the concern to an outside agency. What do you do?
You will likely find the answer to this question in ABC Company’s code of conduct. A code of conduct is a company policy which, inter alia, provides guidelines for making ethical decisions, complying with relevant laws and regulations, and communicating concerns to management. A company’s code of conduct should describe clearly the procedures for reporting complaints or concerns regarding ethical and legal violations and encourage employees to report their concerns to the company. A company’s code of conduct is frequently a standalone document, separate from a traditional employee handbook, as the code generally applies not only to employees, but to officers, directors and sometimes contractors, vendors and consultants. Codes of conduct typically contain provisions outlining specific laws that are relevant to the company’s industry, conflict of interest policies, and whistleblower and anti-retaliation provisions. Codes may also include sections on insider trading, anti-bribery, competition and fair dealing, and preserving confidentiality.
Given the recent increase in “whistleblower” actions, we reviewed a selection of codes of conduct from 20 public companies of different sizes and across various industries, in order to assess the varied approaches and strategic judgments made by companies in crafting their codes of conduct. In this article we will outline the important legal bases for adopting a code of conduct, analyze some of the differences we observed in these selected codes of conduct, and raise practical considerations for companies in evaluating and implementing their codes of conduct.
Legal Basis for Adopting Code
Pursuant to the Sarbanes-Oxley Act of 2002 (SOX), the New York Stock Exchange (NYSE) and National Association of Securities Dealers Automated Quotations (NASDAQ) compliance standards, all public companies must have a code of conduct. Specifically, SOX requires procedures for complaints regarding accounting issues and disclosure of a code of ethics for certain senior officers. See 15 U.S.C. §§78j-1; 7264. The NYSE requires the adoption and disclosure of a code covering directors, officers, and employees, regarding the following topics: conflicts of interest, corporate opportunities, confidentiality, fair dealing, protection and proper use of listed company assets, compliance with laws, and encouraging the reporting of illegal or unethical behavior. See NYSE Listed Company Manual, §303A.10.
The NASDAQ contains similar requirements to the NYSE, and adds that each code must “contain an enforcement mechanism that ensures prompt and consistent enforcement of the code, protection for persons reporting questionable behavior, clear and objective standards for complaints, and a fair process by which to determine violations.” NASDAQ Equity Rule 5610, IM-5610.
Beyond these legal obligations which govern public companies, both public and private companies have many incentives for adopting codes of conduct. First, according to the Justice Department “Filip Memo” from 2008, the department considers an effective compliance program as a factor in deciding whether to indict a company in the event of misconduct. Second, the federal Sentencing Guidelines provide that an effective compliance program is a significant factor in determining the sentence imposed on corporations convicted of criminal conduct. Third, numerous statutes impose requirements with respect to compliance programs. For example, the Affordable Care Act requires that a broad range of providers, medical suppliers, and physicians adopt compliance and ethics programs. Fourth, an anti-harassment provision in a code of conduct may help to limit employer liability for supervisors’ discriminatory actions.[2]
In addition to legal requirements and other incentives, a code of conduct is a tool for companies to communicate their commitment to a prohibition on retaliation against employees who voice complaints in good faith. Various federal and state statutes (including SOX and the FCA) contain anti-retaliation provisions which prohibit companies from taking adverse actions against employees who report their employer’s violations of such statutes. Accordingly, a code of conduct is an effective way for companies to clearly express their commitment to a prohibition on retaliation.
A code of conduct is not a “one-size-fits-all” document. Rather, the contents of companies’ codes will differ based on variations such as company culture, size, structure, and key areas of risk. Below we analyze some of the different approaches companies have taken and the judgments they have made in crafting their codes of conduct.
Reportable Conduct. Codes vary in scope as to the types of conduct that employees are required to report. For example, some codes broadly require employees to report any issues that may lead to a code violation or regulatory breach. Other codes instead more narrowly list a finite set of mandatory reporting events, such as actual or potential code violations, unethical behavior, or exposure to legal or reputational risks.
A company may consider broadly defining reportable conduct to encourage employees to come forward with information. However, a company may instead consider describing reportable conduct in more defined terms, in light of factors such as company size and/or structures for receiving and evaluating reports.
Recipients of Reports. Some codes provide employees with many options with respect to reporting applicable conduct. For example, some codes instruct employees that they may report violations to any of the following: their manager, human resources department, legal department, internal audit department, finance department, or business conduct hotline. Alternatively, other codes provide employees with only one outlet for reporting—for example, an ethics compliance hotline.
The multi-source approach may help encourage reporting, as it allows employees to report to the resource of their choice. However, this approach increases the number of potential report recipients, all of whom should receive training as to how to properly receive and direct reports, as necessary. Potential advantages of the single-source approach are that all reports are centralized in one location, there is greater consistency in approach, and the company can track the content and volume of reports with comparative ease and certainty.
‘Good Faith’ Limitation. Protection against retaliation is an essential provision advanced in codes of conduct. Most codes, however, limit protection against retaliation to those employees who report in “good faith.” In other words, if an employee knowingly makes a false report, he or she may be subject to discipline consistent with a company’s general anti-retaliation policy. As some codes correctly point out, reporting in “good faith” does not mean the employee has to be right about the violation, but rather, that he must have been reporting information he believed to be true. A “good faith” limitation may discourage employees from reporting applicable conduct for fear that they may be accused of reporting in bad faith. However, in the absence of such a limitation, a code may fail to alert employees of the potential consequences for knowingly lodging a false report.
Educating Employees. Some codes of conduct merely instruct employees to comply with the law, while other companies use their codes as a platform to inform and educate employees about the company’s key legal obligations. For example, one multinational company uses its code of conduct to explain legal obligations with respect to privacy, business courtesies, competition and antitrust, social media, prohibitions against human trafficking, entertaining for union officials, bribery, trade embargos, anti-harassment, and corporate opportunities, among others. Instead of merely instructing employees to comply with the law, this approach names key areas of legal compliance, explains what they require, and in some instances, provides examples of hypothetical violations.
A benefit of this latter approach is that employees are more informed of the company’s particular legal obligations. However, some companies may prefer a simple instruction regarding compliance with law, in part to avoid omitting any particular legal obligation and to avoid overly complicating the code of conduct with legalese.
Confidentiality or Anonymity. In certain circumstances, a company may be legally required to share information internally or externally. For example, certain reports of misconduct regarding accounting, finance, or auditing must be shared with a company’s audit committee (although, pursuant to SOX §301(4), 15 U.S.C. §78j-1, audit committees must establish procedures for confidential, anonymous submissions). Additionally, if a company needs to issue a legal hold notice or investigate facts alleged in a report, it may need to reveal some of the contents of the allegation. Accordingly, many codes of conduct offer confidentiality to reporting employees or an option to report anonymously through a company hotline, but only to the extent possible while ensuring that the company has the necessary latitude to meet its legal obligations. Promises of confidentiality and anonymity may encourage reporting, but promises of complete confidentiality and anonymity may not be possible given applicable legal obligations.
Given the importance of a company’s code of conduct, below are practical considerations for employers in crafting and implementing an effective code:
• Identify and periodically assess the company’s key legal obligations. Consider using the code of conduct as an instructional tool for employees regarding their legal obligations through an honest evaluation of the company’s key areas of risk.
• Consider the extent to which particular categories of employees (e.g. managers, human resources, compliance department) should receive specific training, including for receiving complaints.
• Consider the extent and frequency of any monitoring of company procedures for handling reports from employees, including with respect to documentation, evaluation, direction, and/or elevation of the report where appropriate.
• Consider a periodic assessment of the extent to which a particular region, division or manager is the subject of repeated reports, even if unsubstantiated. The frequency of such reports may suggest the need for additional training or further investigation as appropriate.
• Consider whether the company would benefit from direct involvement by senior managers in the design and execution of the code of conduct. “Buy in” from the company’s top levels may assist the company in effectively communicating the importance of the code to employees in all levels of the organization. Consider requiring employees to certify receipt, reading and compliance with the code on a periodic basis.
The specifics of these practical considerations will differ across companies as variations such as size, areas of legal risk, and structure will inform the content of any code of conduct and the appropriate reporting procedures. Given the sharp increase in “whistleblower” actions, companies would be wise to review their codes of conduct and applicable procedures to maximize their effect in promoting compliance with legal obligations.
Jeffrey S. Klein and Nicholas J. Pappas are partners at Weil, Gotshal & Manges. Valerie Wicks and Kendra Okposo, associates at the firm, assisted with the preparation of this article.
1. Department of Justice, Office of Public Affairs, Justice Department Recovers $3.8 Billion from False Claims Act Cases in Fiscal Year 2013, U.S. DEP’T OF JUSTICE, JUSTICE NEWS (Dec. 20, 2013), http://www.justice.gov/opa/pr/2013/December/13-civ-1352.html.
2. Pursuant to Faragher v. City of Boca Raton, 524 U.S. 774 (1998), Burlington Indus. v. Ellerth, 524 U.S. 742 (1998) and their progeny, employers may avoid liability for discriminatory actions of supervisors that do not result in tangible adverse employment actions where the employer has exercised reasonable care to prevent discriminatory behavior and has taken proper remedial action where inappropriate behavior has occurred. According to the Equal Employment Opportunity Commission’s (EEOC) enforcement guidance on vicarious employer liability for unlawful harassment by supervisors, an employer’s demonstration of reasonable care will generally require the existence, dissemination, and enforcement of an anti-harassment policy and complaint procedure, as well as other reasonable steps that may be required to prevent and correct harassment.