Corporate Compliance Insights
Compliance officers eligible to participate in the SEC and CFTC whistleblower programs must navigate strict rules. Speaking up always carries risk, but – as Michael Filoromo and Zac Arbitman explain – the SEC, CFTC and various federal and state laws protect whistleblowers from retaliation.
The first article in this series provided an overview of the whistleblower award programs established by the Securities Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC) and the eligibility criteria for compliance personnel to serve as SEC or CFTC whistleblowers. This article outlines the steps involved in submitting tips and claiming awards, as well as the anti-retaliation protections available to whistleblowers who speak up about wrongdoing.
Procedures for Submitting a Tip
To submit a claim under the SEC and CFTC whistleblower programs, an individual must file a tip, complaint or referral (TCR) form detailing their allegations. When preparing tips for submission to the SEC or CFTC, whistleblowers and their counsel should make sure that the TCR form and accompanying exhibits present the most comprehensive and compelling evidence. With the SEC and CFTC receiving a steadily increasing number of tips – 5,200 in 2018 alone – it is important that a first read of a whistleblower tip provide agency staff with a sound understanding of the alleged violations and, to the extent possible, a roadmap to investigate and prove the wrongdoing.
Whistleblowers should describe in detail the particular practices and transactions they believe to be unlawful, identify the individuals and entities that participated in or directed the misconduct and provide a well-organized presentation of whatever supporting evidence the whistleblower possesses. Under no circumstances, however, should whistleblowers give the SEC or CFTC information that is protected by attorney-client privilege, as the agencies cannot use privileged information in an investigation or enforcement action. The mere receipt of such information can interfere with and significantly delay the staff’s ability to proceed. This is a particularly important consideration for compliance personnel, who often work and communicate with in-house and external counsel.
The SEC and CFTC provide whistleblowers with the option to submit the TCR form anonymously through an attorney and to further identify for nondisclosure any documents or information that could reasonably be expected to reveal the whistleblower’s identity. The agencies strive to protect the disclosure of whistleblowers’ identities “to the fullest extent possible,” regardless of whether they submit their information anonymously. This includes in the issuance of whistleblower awards, which omit any identifying information about the whistleblower or the entity.
Determining the Size of an Award and the Process for Claiming It
When an enforcement action results in the collection of proceeds totaling more than $1 million, the SEC or CFTC publishes a Notice of Covered Action (NOCA) on its website. The publication of a NOCA does not guarantee that any tipster will receive an award. Additionally, the SEC and CFTC do not contact potential claimants regarding an enforcement action that could entitle them to an award. Rather, whistleblowers and their counsel must monitor the website for a relevant NOCA and must submit an application for an award within 90 days of the posting.
To file a claim for a whistleblower award, the whistleblower must file and sign a Form WB-APP (Application for Award of Original Information) by mailing or faxing it to the relevant agency. Failure to meet the 90-day deadline may preclude the recovery of an award. Only at the award application stage must a tipster reveal his or her identity to the agency, and even then, the SEC or CFTC makes every effort to protect the whistleblower’s identity from public disclosure.
The SEC and CFTC have the authority to award a whistleblower from 10 percent to 30 percent of what the agency collects. In a case where an agency issues an award to multiple whistleblowers in the same action, it cannot award the whistleblowers a total award of less than 10 percent or more than a total of 30 percent of the sanctions imposed.
To determine the amount of an award, the SEC and CFTC will review the whistleblower’s record – TCR form, supplemental submissions, Form WB-APP and other relevant documents – and take several factors into consideration. Factors that increase an award include the significance of the information to the ultimate success of the enforcement action, the degree of assistance provided by the whistleblower and their legal representative, the agency’s enforcement interest in the violations at issue and the whistleblower’s participation in internal compliance systems. Factors that might decrease an award include the level of culpability of the whistleblower in the wrongdoing, unreasonable delay in reporting the violations to the SEC and the whistleblower’s interference with internal compliance and reporting systems.
Protections against Retaliation
Despite the whistleblower programs’ emphasis on protecting the confidentiality of whistleblowers’ identities, compliance personnel and other employees may still face retaliation. In rare cases, retaliation stems solely from a suspicion that an employee has made a report to the SEC or CFTC. Most often it arises when an employee has also complained internally. The risks to which a whistleblower exposes a company – legally, financially and reputationally – can motivate a company to take action against an employee. Colleagues, supervisors and upper management also may also perceive a whistleblower as disloyal, particularly when that person holds a compliance role. Fortunately, the SEC and CFTC whistleblower programs provide critical employment protections to address such situations.
In addition to establishing the SEC Whistleblower Program, the Dodd-Frank Act (Section 922) also created anti-retaliation protections for individuals who report violations of securities laws to the Commission. These anti-retaliation protections are enforced in two ways: directly by the SEC through an enforcement action and through lawsuits by individuals who allege retaliation.
Dodd-Frank’s private right of action affords successful whistleblowers:
- two times back pay; and
- attorneys’ fees and costs.
Notably, an individual need not be eligible to receive an SEC whistleblower award in order to be protected from retaliation. Despite this, an employee must have provided information to the SEC to bring a Dodd-Frank claim. This creates a tension for compliance personnel who wish to be eligible for an SEC award, since they typically must wait 120 days after reporting securities violations internally before providing information to the SEC. During those four months after raising concerns internally, Dodd-Frank may not protect them.
A key element of proving a retaliation claim is demonstrating that the individual engaged in “protected activity” by identifying or attempting to stop wrongdoing. Courts have wrestled with what it means for compliance personnel to engage in protected activity, since their job duties typically include identifying and attempting to correct misconduct.
In some contexts, courts have held that to engage in protected activity, compliance personnel must do something outside the scope of their duties, such as reporting outside the chain of command or insisting on the need to hire outside counsel. But the Supreme Court has called this “step outside” rule into question in the anti-discrimination context. And notably, the Dodd-Frank Act contains no requirement that an employee oppose wrongdoing. Rather, the employee must only “provide information,” which is, on its face, a lower standard.
In the context of the Sarbanes-Oxley Act (SOX), which contains similar language, case law suggests that there is no “step outside” requirement for whistleblowers pursuing claims for retaliation under that statute. This means compliance personnel are protected from retaliation for doing their jobs well by reporting suspected securities violations. This is consistent with the purpose of Dodd-Frank to bolster internal compliance programs and enhance external enforcement measures to prevent the types of conduct that led to the 2008 financial collapse.
SOX is among a number of state and federal legal protections that may apply to whistleblowers who report violations of laws administered by the SEC. Importantly, SOX does not require that an employee report externally to receive whistleblower protection. Thus, SOX may protect compliance personnel during the 120-day period they typically must wait before reporting suspected securities violations to the SEC if they wish to be eligible for an award.
Like the SEC, the CFTC can bring enforcement actions for retaliation. Additionally, whistleblowers who experience retaliation can file a lawsuit under the Commodity Exchange Act (CEA). To receive protection, the whistleblower must: (1) submit a TCR to the CFTC Whistleblower Office and (2) possess a reasonable belief that the information relates to a violation of the CEA or a CFTC rule.
The remedies under the CEA differ slightly from those available under Dodd-Frank:
- back pay with interest;
- attorneys’ fees and costs; and
- compensatory damages for reputational and emotional harm.
The language of the CEA’s anti-retaliation provision mirrors that of Dodd-Frank. By the same reasoning, compliance personnel who suffer retaliation for doing their jobs well and who report violations of laws administered by the CFTC should be protected.
As noted in our first article, compliance personnel are uniquely positioned to learn of corporate misconduct. When internal compliance systems fail or companies refuse to remedy violations, the information compliance personnel possess can be critical to the enforcement efforts of the SEC and CFTC. Experienced counsel will be able to guide compliance personnel in navigating the whistleblowing process and seeking compensation for any retaliation – ensuring that those who speak up are justly compensated.