Employers concerned about implementation of the broad whistleblower provision of the Dodd-Frank Act found little comfort in the SEC's mostly unchanged final rules, which the commission approved in a 3-2 vote on May 25. Effective August 12, whistleblowers who deliver to the government original information about a possible violation of federal securities laws can garner awards ranging from 10 percent to 30 percent of the penalty if their information leads to an enforcement action and monetary sanctions exceeding $1 million.

It's quite the incentive for employees—10 percent of, say, an average Foreign Corrupt Practices Act (FCPA) settlement could yield real money and, accordingly, the fear of more FCPA claims is often mentioned in the same breath as the Dodd-Frank whistleblower program. In 2010, companies paid a record $1.8 billion in penalties to settle FCPA-related charges with the SEC and DOJ. While garden-variety disclosure and accounting issues may comprise the majority of whistleblower tips, lucrative FCPA claims remain the “holy grail for the plaintiffs bar,” says David Woodcock, a partner at Vinson & Elkins.

The SEC received more than 240 comment letters and 1,300 form letters on the proposed rules released in November 2010. Many of them, the agency reported, delivered “sharply divided” views on how the whistleblower program will affect companies' internal compliance programs.

“What's very clear is that companies were hanging a lot of hope on getting the SEC to adopt a rule that required internal reporting,” Woodcock says.

They didn't get it. The final rules reject a mandate in favor of measures that incentivize whistleblowers to report internally while still allowing them the option of avoiding such reporting lines.

Staying Inside

The final rules incentivize but don't require whistleblowers to first report to company compliance programs by providing that the SEC will consider whether the whistleblower cooperated or interfered with internal processes when determining what size award the whistleblower receives.

Another provision says that if a whistleblower reports information to an internal compliance program, and subsequent company investigation uncovers more information that leads to a “successful” SEC action, the whistleblower will be credited not just for the tip(s) he or she delivered, but for all the information the company gathers in its own investigation, and potentially a greater award.

In addition, the final rules extend the “lookback period” to 120 days from 90 days, meaning that if whistleblowers first report internally, they can subsequently report to the commission within 120 days and still be treated as if they reported to the SEC at the earlier reporting date.

The new rules preserve the ability of whistleblowers to bypass internal reporting lines, which opponents of a mandate say can be crucial in some situations.

“[A]n internal reporting requirement—particularly in situations where the compliance function is not effective or is controlled by managers that are the subject of the whistleblower's claims—could easily undercut the purpose of the statute,” said Robert Khuzami, director of the Division of Enforcement, at an SEC meeting presenting the final rules.

Lingering Fears

The changes don't do much to assuage businesses' fears about the impact on internal compliance programs, however.

“My sense,” Woodcock says, “is that the rule doesn't alleviate the fear that you could have people in your company who have gone to a government agency to report you or your company for fraud, and you don't know who they are and you don't know they've done it until the SEC comes knocking on your door.”

A mandate, some commenters argued, would have allowed entities to detect, investigate and correct securities violations to stop them in their tracks, an ability especially imperative for complaints outside the SEC's jurisdiction or too small for the SEC to investigate. Some view self-policing as more effective in quickly rooting out potential violations, since government agencies must adhere to legal formalities internal investigation teams aren't obligated to observe.

“Information is the lifeblood of [corporate compliance programs],” said Commissioner Kathleen Casey in a May 25 SEC speech addressing the final rules. “Diverting a large portion of that flow of information to the government will impair companies' ability to step in and interrupt violations at an early stage. This does not benefit investors, and it is at odds with the purposes of the securities laws.”

The Association of Corporate Counsel (ACC) commented that the proposed rules would encourage employees to find ways to profit from corporate wrongdoing rather than improve corporate behaviors.

“Fraudulent misconduct, the bane of good compliance systems, then becomes the gold mine,” the ACC wrote, “rather than an impetus for companies with effective compliance systems to address the underlying issues.”

Compliance Reassessment

Comforting in this context is a December 2010 report from National Whistleblower Center that reviewed qui tam whistleblower cases filed under the False Claims Act between 2007 and 2010, concluding that 89.7 percent of employees initially reported to supervisors or compliance departments. It also cited a New England Journal of Medicine report in which 18 of 22 whistleblowers who won large False Claims Act judgments against the pharmaceutical industry first reported internally.

Employees are much more likely to turn to internal reporting structures if they feel they can trust them.

“You have to incentivize employees to use your programs, otherwise they'll just go get the bounties,” says Jordan Eth, co-chair of Morrison Foerster's securities litigation, enforcement and white-collar defense group. “The company's compliance systems need to be transparent to employees, and employees have to feel like they can use them and rely on them.”

And when internal compliance teams receive tips—whether from employee complaints or elsewhere—they have to be ready to investigate at a moment's notice. Many view the 120-day lookback period as a window for companies to get to the bottom of any problems.

To do this, Eth says companies must “have their antennae up” for internal complaints. Compliance personnel must be able to quickly separate real problems from minor nonissues. “It's a race between the employer, employee and SEC,” he says. “You have to be fast now, faster than before.”

The quality has to be there as well, which means public companies must audit and enhance their own programs.

“Subtly scare top management to make major new and continuing investments in their compliance and ethics programs,” says Thad Guyer, a civil rights attorney who represents whistleblowers and wrote an extensive review of the final rules for the Government Accountability Project. Forward them SEC and DOJ releases on the latest indictments and fines against companies, he suggests. Make sure they're aware federal sentencing guidelines consider the effectiveness and sincerity of compliance and ethics programs.

In litigation involving corporations, Guyer says he has been “appalled” at the low quality of corporate compliance and ethics programs even at some Fortune 50 com- panies. “I would say [they're] pitiful— a disgrace,” Guyer says. “Dodd-Frank whistleblowers are going to fix that in the companies they target.”