Digital Realty Trust, Inc., a San Francisco, California-based REIT, terminated Paul Somers, vice president, portfolio management, Asia-Pacific and Europe, circa June 2014. Somers claimed that just before he was terminated, he had reported internally several times that his supervisor apparently eliminated certain internal controls mandated by the Sarbanes-Oxley Act of 2002, and concealed approximately $7 million in cost overruns. However, Somers never alerted the SEC to the suspected securities law violations. Instead, circa seven months later, Somers filed suit against Digital Realty Trust, seeking protection under the Dodd-Frank Act. Digital Realty moved to dismiss the claim on the ground that Somers was technically not a whistleblower, because he did not alert the SEC to the suspected violations prior to his termination. This case eventually made its way to the U.S. Supreme Court.
Supreme Court Decision
On Feb. 21, Justice Ruth Bader Ginsburg delivered the unanimous opinion of the court, which held that the anti-retaliation provisions of the 2010 Dodd-Frank Wall Street Reform and Consumer Protection Act do not extend to employees who have reported internally but extend only to employees who have reported suspected securities law violations to the Securities and Exchange Commission. The decision reversed the U.S. Court of Appeals for the Ninth Circuit.
Prior to the Supreme Court’s decision, the Fifth Circuit held that employees must provide information to the SEC, while the Ninth and Second circuits held that reporting internally is enough for employees to qualify for the Dodd-Frank Act’s anti-retaliation protections.
Employees who report violations only internally may still benefit from the significant protections afforded by the Sarbanes-Oxley Act of 2002. The Dodd-Frank Act, however, provides employees with a greater level of protection. Dodd-Frank permits a whistleblower to sue a current or former employer directly in federal district court for up to six years after the date of the alleged violation, whereas Sarbanes-Oxley procedures contain an administrative exhaustion requirement and a 180-day administrative complaint filing deadline, which had already expired. Additionally, Sarbanes-Oxley limits a whistleblower’s recovery to back pay with interest while Dodd-Frank permits an award of double back pay with interest. Before doing anything, it is wise to seek the advice of an attorney who specializes in this area.
Raising the Bar
It appears corporate governance and anti-fraud measures must now be looked at again—especially in light of the recent Supreme Court decision that seems to change the relationship between the company and the whistleblower. Now the employee, in order to be protected under Dodd-Frank’s prohibition on whistleblower retaliation, must report suspected securities law violations to the SEC. Thus, the company may no longer have the opportunity to investigate alleged wrongdoing before the SEC gets involved. This changes the game and means the bar is raised again as it relates to uncovering or detecting and investigating alleged wrongdoing in a thorough and timely manner.
The Association of Certified Fraud Examiners (ACFE) has reported for some time that most fraud is uncovered by tip, followed by internal audit, management review, and then by accident. I have said for many years that businesses, including internal audit and compliance, need to do a much better job of identifying alleged wrongdoing by properly assessing and then focusing on those fraud risks that are likely to negatively impact the company. I continue to be perplexed by the number of fraud (including bribery and corruption) risk assessments that in my opinion miss the mark and provide a false sense of security. In addition, fraud controls are often non-existent or not properly designed to prevent, deter, and detect misbehavior. I also know in practice that many internal audit departments struggle with implementing procedures or tests designed to flush out possible wrongdoing.
The Board and Audit Committee
Boards and audit committees should consider at a minimum the following:
- Review your governance framework and the substance behind each element.
- Obtain an unbiased view of tone and conduct from the top.
- Ask management to explain how they assess, monitor, and communicate fraud risk.
- Review the fraud risk assessment and ensure it’s consistent with expectations, it’s current, and it has been harmonized with other risks identified.
- Assess whether internal audit and compliance have the skills and capabilities necessary to deal with fraud-related matters.
- Ask whether technology is being used to better understand transactions on an ongoing or continuous basis.
- Ensure training includes the communication of “red flags.”
- Understand the risk of management override!
- Assess whether anti-retaliation and prevention are a proactive rather than a defensive aspect of the company.
- Monitor the impact on the overall compliance program, especially the ethics hotline.
- Revisit your crisis management program.
It seems the SEC had interpreted the whistleblower protections in the Dodd-Frank Act more broadly, an interpretation the Supreme Court obviously rejected. So the stage is now set for Congress, if they believe broader protection is warranted, to amend the statute so that employees who report violations or suspected violations only to their employers or internally are protected. Until that time, it’s possible this recent decision might encourage employees to bypass ethics hotlines and go directly to the SEC.
When I discussed the Digital Realty decision with Tom Sporkin from Buckley Sandler, he reiterated what was stated in their client alert: “… this may be a hollow victory for corporate America. To qualify as a ‘whistleblower’ under Dodd-Frank, individuals now have a clear incentive to report all sorts of observations to the SEC before reporting those observations through their company’s internal reporting infrastructure. While ‘approximately 80 percent of the whistleblowers who received awards in 2016 reported internally before reporting to the Commission,’ that trend is likely to be reversed.”
The Supreme Court’s opinion, as stated herein, does change the SEC’s interpretation and narrows the whistleblower protections under Dodd-Frank. It will probably negatively impact attempts to create a best practices compliance program, because a part of any best practices compliance program is an internal reporting mechanism. It also has consequences for auditors, attorneys, and other professionals who are first required to report misconduct internally before making external disclosures.
Now might be a good time to have your CEO send a strong message assuring your employees that retaliation will not be tolerated for those who report internally. It might also be time to consider offering rewards and incentives for those who report internally.
As a take-off on a “Berra-ism”: Don’t make too many wrong mistakes.
Jonathan T. Marks, CPA, CFF, CFE, is a partner in Marcum’s Philadelphia office and a member of the firm’s advisory services division.