Internal Compliance Programs: The Heat is On

How do you create an internal compliance program that encourages employees to report issues internally in the face of government whistleblower payouts that can exceed a million dollars?

This question is on the mind of all directors concerned about the efficacy of internal compliance and whistleblower programs.  After all, it’s hard not to notice myriad news stories showcasing very large payouts to whistleblowers who report their concerns to the Securities and Exchange Commission.

It’s not an easy question, and the stakes are high. Large payouts may inadvertently transform appropriately concerned corporate citizenship into inappropriate efforts by employees to bypass a company’s plans to surface and deal with wrongdoings in a timely manner.

September 2014 saw the single largest SEC whistleblower payout to date of more than $30 million. In December, reports surfaced that whistleblower awards in four qui tam cases filed in connection with the Bank of America mortgage cases would surpass $170 million (a certain reality show star jumped on that wagon, too).

There has been a steady increase in the number of whistleblower tips sent to the SEC since the passage of the Dodd-Frank Act, which amended the Exchange Act to include Section 21F on whistleblower incentives and protection.

From the Dodd-Frank Whistleblower Program 2014 annual report, we see a 20 percent growth from Fiscal Year 2012 to Fiscal Year 2014:

Tips in 2014 ranged from complaints under corporate disclosures, offering fraud, manipulation, insider trading, FCPA issues and more. From the report:

Given the vigor of the whistleblower program at the SEC, one could be forgiven for assuming that the SEC wants the primary modality of whistleblower intake to be the SEC’s Office of the Whistleblower.

The SEC has stated, however, that it does not want to overshadow corporate internal compliance programs. From the report:

The whistleblower program was designed to complement, rather than replace, existing corporate compliance programs. While it provides incentives for insiders and others with information about unlawful conduct to come forward, it also encourages them to work within their company’s own compliance structure, if appropriate.

So, what can a corporation do to construct an effective internal compliance structure – one that encourages potential whistleblowers to report internally first?

1. Remember, Whistleblower Compliance Goes Beyond Just Dodd-Frank

Your organization should do an inventory of all the whistleblower provisions in various states as well as the federal laws that apply to it. Working with outside counsel to conduct this inventory can be invaluable.

While the whistleblower program established by Dodd-Frank may be the most talked about, there are other very important whistleblower protection laws on the books.

For example, most states have their own whistleblower laws. And there are plenty of government whistleblower statutes (e.g., OSHA, etc.) beyond what the SEC has in place.

A critical part of most whistleblower statutes is anti-retaliation provisions. In the case of the federal securities laws, both Dodd-Frank and Sarbanes-Oxley have provisions to protect corporate whistleblowers and impose penalties against companies that retaliate against those whistleblowers.

(Remember also to consider qui tam suits, the type of suits that are resulting in enormous payouts to whistleblowers, as in the Bank of America mortgage cases.)

2. Ensure that Responses to Potential Whistleblowers are Timely

Knowing the rules of when a person can reasonably bypass corporate compliance programs and head straight to the SEC is a good place to start when thinking about how to optimize internal processes.

As a launching point for your review, take a look at some of the recent SEC Whistleblower awards, especially the recent award that went to an employee of a corporation whose job was compliance.  The narrative here is usually one that involves the corporation in question’s failing to respond in a timely way.

The fact that a whistleblower is not one of your actual employees is no excuse to fail to deliver a timely response. As a reminder, in March 2014, the Supreme Court affirmed that coverage for whistleblowers under SOX would not only apply to employees of companies, but also employees of companies that contract with public companies.

3. Establish the Tone at the Top, Then Educate, Educate, Educate
Ethics and accountability are the sort of issues that senior executives need to be seen and heard discussing frequently in order to set the right tone at the top. These communications also need to be clear and accessible to everyone – which means cutting out the memorandums that only a lawyer could appreciate.

Instead of pages of legalese, create a code of ethics that is readable, and then make it a part of the culture through training. Haven’t updated your code of ethics since the days of SOX? Now is the time.

Training and education around ethics is also an area where executives can be directly involved, demonstrating their commitment.

When training, consider sharing illustrative examples of what might induce a whistleblower tip. And, of course, it’s important to be very clear on the intent behind the compliance program, which should be to address wrongdoings by taking all complaints very seriously and in compliance with the law.

This includes preserving anonymity where appropriate, and having zero tolerance for any retaliation against a whistleblower.

When it comes down to it, boards are in favor of good compliance processes and want to know when something is happening under their nose that shouldn’t be. The challenge today is being as accessible and committed to uncovering those tips as the SEC is.

The views expressed in this blog are solely those of the author. This blog should not be taken as insurance or legal advice for your particular situation. Questions? Comments? Concerns? Email: phuskins@woodruffsawyer.com.