The Dodd-Frank Wall Street Reform and Consumer Protection Act 2010 (Dodd-Frank) passed through US Congress and became law on 21 July 2010. It has been a controversial piece of legislation. In particular, it has significantly enhanced the whistleblower protections afforded by the Sarbanes-Oxley Act 2002 (Sarbanes-Oxley). These changes to the whistleblower regime will affect not just publicly traded US companies, but their non-publicly traded subsidiaries and affiliates as well.
Dodd-Frank has created a new direct whistleblower cause of action for retaliatory conduct, that will allow whistleblowers to sue employers who have discriminated or taken other action against them because they made a whistleblower report. The damages available in such cases include double back-pay.
The Act also provides for the creation of a new whistleblower protection programme for individuals who provide information to the Securities and Exchange Commission (SEC), and certain other authorities, in respect of securities violations. In May 2011, the SEC adopted rules implementing this programme. The rules came into effect in August 2011, but apply retrospectively to all whistleblower reports since 21 July 2010, when Dodd-Frank became law.
These new rules have attracted considerable controversy because they permit the SEC to pay an award or ‘bounty’ to eligible whistleblowers who provide information that leads to successful enforcement action for violations of federal securities law where the SEC collects a fine in excess of $1m. The award available to eligible whistleblowers is between 10-30% of the total fine collected. Given the level of fines that the SEC has recently imposed ($285m on Citigroup in October 2011, $150m on Bank of America in February 2010 and $550m on Goldman Sachs in July 2010) these whistleblower awards have the potential to amount to a very significant amount of money.
Various rules must be satisfied for the whistleblower to qualify for an award. The information must be provided voluntarily and must be ‘original’ (meaning that it must derive from the whistleblower’s own independent knowledge or analysis and must not otherwise be known to the SEC or be derived from other allegations or media reports). Various categories of whistleblower are not eligible for an ‘award’. These include officers and directors who have been told of the violation by another employee, or who have obtained relevant information from internal processes to identify violations, internal audit and compliance personnel, accountants obtaining information through audit work, lawyers learning information through privileged communications and anyone obtaining the information illegally.
There is, however, nothing to prevent culpable whistleblowers from receiving an award (unless they are guilty of criminal conduct). But, naturally, monetary sanctions imposed in relation to the whistleblower’s own misconduct do not count towards the $1m threshold. Further, the culpability of the whistleblower will be taken into account by the SEC in calculating the award, which the whistleblower may be required to forego as a condition of a non-prosecution or co-operation agreement.
IMPACT IN THE UK
All very interesting, you may well say, but why is this of any concern to in-house lawyers or compliance officers at UK corporates? Well, for the very good reason that Dodd-Frank potentially has extra-territorial effect. Under the Act, any subsidiary or affiliate, incorporated in any jurisdiction, whose financial information is included in the consolidated financial statements of a company that is publicly traded in the US (a ‘relevant affiliate’) is now potentially subject to the whistleblower protection provisions of Sarbanes-Oxley. This means that employees of UK incorporated subsidiaries or affiliates of publicly-traded US companies, who blow the whistle to the SEC in respect of possible violations of federal securities law, may be eligible to receive a whistleblower award and may enjoy the whistleblower protection that was previously only available to employees of publicly-traded US companies. Further, the extra-territorial reach of the Act means that the SEC and the US Department of Justice can enforce federal securities laws in respect of misconduct within the US that relates to transactions and participants located abroad (however, the underlying misconduct reported must relate to a violation of US federal securities law, otherwise the whistleblower will not satisfy the whistleblower definition under the SEC’s rules and will not be eligible for an award, or, potentially, for whistleblower protection).
Of particular concern to firms whose employees are covered by Dodd-Frank’s whistleblower incentives and protection regime is the fact that whistleblowers are permitted to bypass their employers’ internal compliance and reporting procedures and report directly to the SEC. This is controversial because firms that self-report to the SEC get credit for doing so (and this may take the form of a discounted fine, where a fine is deemed appropriate). Where employees bypass internal reporting policies, this undermines the firm’s internal compliance and reporting process, and prevents the firm from getting any credit for self-reporting.
The SEC’s final rules implementing the whistleblower protection programme purported to take account of some of the concerns raised by firms about this issue during the consultation on the proposed rules in early 2011. But the reality is that, in its final rules, the SEC has done little to encourage employees to use their firm’s internal compliance and reporting framework beyond indicating that, where whistleblowers report internally first, they may receive a larger award than if they had gone directly to the SEC. The SEC could have made it a prerequisite of eligibility for a whistleblower award that an internal report had to be made at the outset by the whistleblower but, tellingly, it declined to do so.
INTERPLAY WITH UK WHISTLEBLOWING LAW
The basic position under UK whistleblowing law, introduced by the Public Interest Disclosure Act (PIDA) 1998 is that workers who ‘blow the whistle’, in good faith, to certain people, are already protected from being subjected to any detriment or dismissal. If they are subjected to any detriment, or are dismissed, they may be eligible to receive an award in the Employment Tribunal. PIDA 1998 already protects workers who blow the whistle in respect of violations overseas and so there is little new in that respect.
So, how might Dodd-Frank affect the whistleblowing position under UK law? The key is in the possible financial awards paid to whistleblowers under Dodd-Frank, and the fact that the whistleblower does not lose any whistleblower protection or eligibility for a ‘bounty’ payment under Dodd-Frank by reporting externally.
In the UK, although awards to whistleblowers are uncapped, they are, in practice, compensatory and broadly based on actual and anticipated losses, rather than being a ‘reward’ for having blown the whistle.
In addition, while PIDA 1998 generally encourages disclosure to the worker’s employer (internal disclosure) as the primary method of whistleblowing (and disclosure to certain third parties (external disclosure) if more stringent conditions are met), it may now be more attractive for an employee to report US securities violations externally knowing that, even if they lose PIDA 1998 protection, there may be a bigger financial prize at stake that outweighs the protection offered in the UK.
This motivation to report externally is not inconsistent with a recent shift of emphasis in the UK towards encouraging whistleblowers to report directly to the relevant regulator: for example, the Serious Fraud Office (SFO) recently launched a new ‘SFO Confidential’ hotline and online form to encourage individuals to report wrongdoing and, in April 2010, the Employment Tribunals (Constitution and Rules of Procedure) (Amendment) Regulations 2010 (the Regulations) that were introduced by the government. The Regulations give Employment Tribunals the power to send details of whistleblowing claims directly to a prescribed regulator where the claimant has given express consent by ticking a box on the ET1, the claim form that one must use to initiate a claim at the Employment Tribunal.
WHAT SHOULD FIRMS BE DOING NOW?
Against this backdrop, UK firms, and particularly those whose parents are publicly traded in the US, should be doing their utmost to ensure that they are made aware of any relevant breaches as soon as possible and, in any event, before any external third party is made aware. Steps that should be taken will include:
- Reviewing their internal compliance and reporting policies in the light of this latest development to ensure that, whatever the financial incentives may be for their employees to report concerns to US regulatory authorities, their staff remain both confident in the integrity of their employer’s internal reporting processes and appropriately incentivised to report concerns internally as the first port of call.
- Ensuring that staff are aware of these policies – staff cannot report internally if they do not know how to do so.
- Ensuring that those within the firm who receive any report of wrongdoing know how to deal with these matters (including how to launch appropriate investigations internally, how and when to report externally and how employees who have blown the whistle should be treated).
- Strengthening internal systems and controls to ensure that, wherever possible, they are aware of any issues that may arise at the earliest opportunity, enabling them to self-report where appropriate.