Corporate Compliance Professionals: The New Wave of Whistleblowers

Corporate whistleblowers are afforded vast protection and monetary rewards under the Securities and Exchange Commission. And the SEC is specific about who can report and how.

Under Section 21F of the Securities Exchange Act, corporate compliance professionals are generally excluded from those who can blow the whistle – with exceptions.

Those exceptions were at play when the SEC announced that a corporate compliance professional who “provided information that assisted the SEC in an enforcement action” would be receiving at minimum $1.4 million for his or her efforts.

Pursuant to SEC Rule Section 21F-4, compliance professionals are excluded from whistleblower awards because the information has to be “original,” derived from independent knowledge or analysis. The SEC states it will not consider information to be derived from independent analysis if:

An employee whose principal duties involve compliance or internal audit responsibilities, or you were employed by or otherwise associated with a firm retained to perform compliance or internal audit functions for an entity.

The exception to this rule, however (also in Section 21F-4), states that compliance professionals are eligible to report and be rewarded under the whistleblower program if:

  • They have a “reasonable basis to believe that the disclosure of the information to the Commission is necessary to prevent the relevant entity from engaging in conduct that is likely to cause substantial injury” to the corporation and its shareholders;
  • The compliance professional has a “reasonable basis to believe” the corporation in question is doing something that will impede an investigation of misconduct; or
  • At least 120 days have passed since the information was properly disclosed internally.

In the recent case, the SEC said that the compliance officer “had a reasonable basis to believe that disclosure to the SEC was necessary to prevent imminent misconduct from causing substantial financial harm to the company or investors.”

However, the SEC did not give any additional detail into the background of the investigation leading up to that moment.

Should we be concerned?

Some think so. Ropes & Gray calls the exceptions outlined in 21F-4 “fuzzy” in its analysis of the matter:

First, whether the reported conduct is “likely” to cause “substantial injury” to investors is not guided by any bright-line or concrete regulatory standards. Accordingly, the SEC has significant discretion to read the exception broadly.

Second, the exception allows the SEC to provide a compliance employee with a Dodd-Frank award even if the SEC concludes that the whistleblower’s immediate report was not necessary to prevent substantial injury to investors; under the plain language of the exception, the SEC needs only to find that the employee had a “reasonable basis” to think that an immediate report was necessary to prevent such injury.

This effectively adds a second layer of ambiguity, and therefore potential elasticity, to the exception.

However, the reality is that these exceptions – no matter how broadly they may be interpreted – do exist for good reason. Back in 2014 when the SEC announced its first award to a compliance professional, the chief of the Office of the Whistleblower, Sean McKessy, said the following:

“Individuals who perform internal audit, compliance and legal functions for companies are on the front lines in the battle against fraud and corruption. They often are privy to the very kinds of specific, timely and credible information that can prevent an imminent fraud or stop an ongoing one. These individuals may be eligible for an SEC whistleblower award if their companies fail to take appropriate, timely action on information they first reported internally.”

In his analysis of compliance professionals as whistleblowers, attorney Daniel Hurson wrote that the exception to the rule which affords compliance professionals to blow the whistle is intended to collect information “to stop a fraud in its tracks, not necessarily to find out about an ‘old fraud’ that is no longer active,” and that the SEC is looking for information that is “designed to thwart, expose or otherwise terminate an ongoing or nascent fraud.”

The challenge for corporations is to cultivate internal compliance programs that are strong enough to stand up to whatever temptation a direct line to the SEC presents.

Vigilant officers and directors all hope that their internal compliance programs are robust enough to address concerns before the Office of the Whistleblower is ever involved. However, that doesn’t always happen.

This becomes more challenging when corporations want to self-report in certain circumstances to live up to the SEC's expectations, and whistleblowers beat them to the punch.


The views expressed in this blog are solely those of the author. This blog should not be taken as insurance or legal advice for your particular situation. Questions? Comments? Concerns? Email:



Table of Contents