Corporate compliance programs need to be reevaluated in light of the whistleblower provisions of the recently enacted Dodd-Frank financial reform bill and its powerful incentives for employees to bypass internal systems and report potential problems directly to the Securities and Exchange Commission.
Dodd-Frank mandates that the SEC offer rewards or "bounties" to whistleblowers who provide information about securities fraud and securities law violations (including violations of the Foreign Corrupt Practices Act). The SEC is expected to adopt final rules implementing the provision in April, 2011.
With required monetary rewards between 10 and 30 percent of fines and settlements in excess of $1 million, employees presumably will be more likely to report potential violations directly to the SEC rather than use existing internal compliance and reporting systems. However, companies need employees to report internally in order to have the opportunity to investigate and take remedial action where appropriate.
The SEC's proposed rules attempt to encourage internal reporting by providing that if an employee chooses to first report the potential violation internally and thereafter submits the same information to the SEC within 90 days, the SEC will treat the disclosure to the SEC as if it were made on the day of the initial disclosure. However, this provides the company with, at maximum, a 90-day period to complete its internal investigation and self-report in advance of the whistleblower's report.
Dozens of companies have formally expressed concerns to the SEC that the final rules should require employees to first use existing internal compliance and reporting systems and then allow companies a reasonable opportunity to respond in order to be eligible to collect a "bounty." Regardless of the outcome of the rulemaking process, companies need to prepare for the fact that employees will have powerful financial incentives to report information about potential securities law violations to the SEC. Specifically, companies should focus on three areas:
- Strengthening internal audit process
- Promoting a culture of compliance
- Developing procedures for prompt self-reporting to the SEC
Strengthening internal audit procedures means reviewing existing compliance policies to ensure that they are geared to catch problems before whistleblowers do and before potential problems escalate to the point where they satisfy the SEC "bounty hunter" threshold. Additionally, internal audit procedures should be regularly reviewed to identify areas for improvement, taking into consideration problems identified during the prior year.
Companies should try to develop a culture of compliance in which employees will want to report issues internally rather than to the SEC. This means implementing genuine "open door" policies which provide employees with access to executives who take the time to listen and, when appropriate, respond to complaints. The human resources department should make employees aware of the policies and procedures and should assure employees that their concerns will be treated confidentially and that they will be protected from retaliation. Investigations should be conducted promptly and informants should be given a timely response. Companies also may consider monetary awards to employees or other efforts to promote internal reporting.
Finally, prompt disclosure to the SEC may be desirable in order to get ahead of potential whistleblowers and to secure so-called "cooperation credit" for self-reporting. Internal investigations must proceed quickly. Every effort should be made to eliminate the argument that the company did not disclose information about a compliant in a reasonable timeframe or otherwise acted in bad faith. Senior management and board members should be made aware of internal investigations and involved in decisions relating to potential self-reporting.
This column is the third in a series of articles on the impact of increasing and evolving governmental regulation and reform in the corporate governance arena.