As New Whistleblower Rules Kick In

Corporate unease still reflects concerns over whether this part of Dodd-Frank undermines internal compliance.

Section 922 of the Dodd-Frank Wall Street Reform and Consumer Protection Act --- increasing the protection for whistleblowers -- amends the Securities and Exchange Act of 1934 by allowing the Securities and Exchange Commission to offer awards to individuals providing original information about a violation of federal securities regulations. Next Friday, on Aug. 12, these whistleblower provisions go into effect.

For that individual to receive the award, the information submitted must lead to the successful enforcement of an SEC action resulting in monetary sanctions of more than $1 million. The award then would equal 10% to 30% of the sanctions, with SEC determining the amount based on, among other factors, the significance of the information provided.

One of the most contentious issues within the provision has been how it allows employees who believe they've seen wrongdoing to report directly to the authorities, without going through internal channels first, says Hal Garyn, vice president of North American services with the Institute of Internal Auditors. The IIA doesn't have an official position on the provision, because it falls outside the discipline of internal auditing, he says. But his own view is that "you want to leave corporate governance as much as possible within the organization." While a few dramatic cases of wrongdoing capture headlines, many internal whistleblower programs never make the news because they work effectively and quietly, he adds.

But part of the theory behind the provision is that it should "put more cops on the street," says Geoffrey Rapp, professor of law at the University of Toledo College of Law. The scandals surrounding Ponzi-schemer Bernard Madoff and, others like him were "a huge egg on the face of the SEC," he says. The commission wants more people to come forward, and then to persist if there is some corporate backlash. "With the bounty out there," he says, "it may not affect the decision to blow the whistle, but may affect the decision to stick with it."

Superseding Company Efforts?

Supporters of the provision say it provides needed protection to whistleblowers, who may be subjected to retaliation for speaking up. Were internal reporting to be required, some might be forced to come forward with their allegations to the wrongdoers themselves. Opponents say that the provision encourages whistleblowers to bypass internal compliance programs, often established by companies at great cost.

"Our concern is this: we have an internal system that's in place and that's meant to identify and address problems as quickly as possible," says Tom Deas, vice president and treasurer with $3 billion chemical company, FMC Corp. in Philadelphia. FMC has implemented a number of procedures to facilitate whistle blowing, such as an anonymous tip line and a pledge that management won't retaliate, he says. "Now comes a new system that's competing, and competing with a big monetary award."

Investors also have concerns about the provision, says James Allen, head of capital markets policy with the CFA Institute. While the Institute supports exposing any problems or irregularities, it wants the internal processes used. "The whole point of creating whistleblower programs is to protect shareholder value," James says. The original proposal created an incentive for whistleblowers to "go for a home run instead of trying to stop some corruption from occurring."

Giving Company Efforts More Kick?

While the concerns that many businesses express about the whistleblower provision are perfectly valid, according to Prof. Rapp -- "Companies have spent a lot of money and hired talented people to run these programs," he notes -- the legal expert points out that the SEC didn't ignore those concerns.

The SEC's final rule states, in fact, that one factor that may increase a whistleblower's award percentage is his or her participation in internal compliance systems. Conversely, interference with internal compliance and reporting systems by the whistleblower could lead to a decrease in the award.

The protections afforded whistleblowers are necessary, says Harold Burke, a Greenwich, Conn.-based attorney who works with both whistleblowers and companies. When deciding whether to come forward with allegations of wrongdoing, "there's nothing for employees to gain in terms of job security," he says. "The reality is that there will be cover-ups, their complaints will be ignored and they'll lose their jobs." The financial incentives for those involved in wrongdoing often are simply too great, he adds.

What's more, the vast majority of employees do report internally. A 2010 study by the National Whistleblower Center of cases filed under the False Claims Act between 2007 and 2010 found that nearly 90% of employees who filed a qui tam case, as whistleblower actions often are known, initially reported their concerns internally.

The Million-Dollar Threshold

Additionally, most SEC sanctions fall well short of the $1 million threshold required for whistleblowers to be eligible for an award, Rapp says. He estimates that fewer than 10 percent of cases result in any fines, and less than one-half of those result in sanctions that top the $1 million mark.

Even so, a bill introduced in June by Rep. Michael Grimm (R-NY) -- H.R. 2483, or the Whistleblower Improvement Act of 2011 -- would make several changes to the current regulations. Among them, it would drop the minimum award amount from 10% to 0%, and would require whistleblowers to report internally first -- unless there is evidence that the misconduct involved complicity at the highest level of management.

In fact, at least a dozen bills have been introduced that would repeal all or parts of Dodd-Frank, according to the Sunlight Foundation. While the likelihood of full repeal is slim, it's possible that a future administration could de-fund it, Burke says. If the office of whistleblower enforcement at the SEC drops down to a secretary at a desk, the likelihood of real enforcement action becomes almost nil, he adds.

Ostriches with Egos

Whether or not the whistleblower provisions change, companies that want to avoid wrongdoing -- presumably, that's most -- can use the new regulations as an opportunity to revisit their codes of ethics and corporate compliance efforts, Garyn says. The goal? "You want employees to trust that internal protocol is going to work."

Should an employee come forward with a claim of wrongdoing, managers need to investigate and report to appropriate agencies, Burke says. "Companies really should not have an ostrich-head-in-the-sand approach."

Additionally, they need "disconnect their egos from the case," Burke adds. It's easy, when having to account for one's actions -- say, against a claim of retaliation -- to get defensive. That can prompt others to question their credibility. "Get your ego out of the analysis."

Join the CSO newsletter!

Error: Please check your email address.

Tags business issuesregulationsecuritydata protectiongovernment

More about FMCIIASECSecurities and Exchange CommissionWall Street

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Karen M. Kroll

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts