Q&A with Rick Schroeder of Jones Walker
Rick Schroeder, leader of the Corporate Compliance & White Collar Defense Practice at Jones Walker in New Orleans, discusses whistleblower laws and protections with CCI’s Publisher, Maurice Gilbert.
Maurice Gilbert: What is the most important challenge for compliance officers relating to whistleblower laws, in your opinion?
Rick Schroeder: A common problem we see is that there is a misunderstanding of who is a “whistleblower” and what that really means. The fact is that there are a number of federal and state whistleblower laws, and they do not use the same definition. Even if you focus on the talked-about laws creating whistleblower protections in the area of securities laws, namely Sarbanes-Oxley and Dodd-Frank, currently they have different definitions. A whistleblower under Sarbanes-Oxley includes anyone who reports alleged violations relating to mail fraud, wire fraud, bank fraud, securities fraud or any rule or regulation of the Securities and Exchange Commission; or any provision of federal law relating to fraud against shareholders either to federal regulatory or law enforcement authorities; or to any person “with supervisory authority over the employee.” Dodd-Frank only applies to persons who provide unique information directly to the SEC pursuant to and consistent with its rules. The distinction matters. Dodd-Frank’s anti-retaliation provisions as well as its bounty program only kick in if you qualify as a Dodd-Frank whistleblower.
MG: Have there been recent developments about which compliance personnel should be aware?
RS: Yes. There have been changes in substance and enforcement policy on almost an annual basis. The distinction discussed above between Sarbanes-Oxley whistleblowers and Dodd-Frank whistleblowers was made very clear in the U.S. Supreme Court’s recent decision in Digital Realty Trust, Inc. v. Somers, a case where an employee was denied Dodd-Frank’s whistleblower protections because he had only reported internally and not directly to the SEC. The Commission has also recently proposed rule changes that would limit the size of some of the larger whistleblower awards and that would allow the Commission to make awards to persons reporting less significant violations resulting in de minimis fines. Presently, a bounty is only paid when the information provided results in a financial fine of greater than $1 million. The proposed rule would allow for awards even in circumstances where enforcement action was taken, but there was a smaller fine. For purposes of retaliation protection, an individual would be required to report information about possible securities laws violations to the Commission “in writing.” To be eligible for a bounty award or to obtain heightened confidentiality protection, the whistleblower must submit information on what is referred to as a “Form TCR” or through the Commission’s online tips portal. Finally, the bounty program would be broadened to include matters settled by the Department of Justice or state attorneys general through deferred or non-prosecution agreements, rather than only through settled SEC actions.
The point is that whistleblower laws, at the federal and state level, are very dynamic.
MG: Are whistleblower laws on balance helpful or harmful to compliance programs?
RS: There is debate about that. Some feel they are harmful in that they create an incentive to circumvent internal reporting channels. Clearly, that school of thought grew as a result of the Somers decision, where a would-be whistleblower would lose Dodd-Frank protections as well as bounty eligibility if he reported first internally, only to see his company then self-report the violation. Because the company self-reported, the reporter would no longer be the one to provide the SEC with original information, even if the reporter later went directly to the SEC. While this may seem like a complicated matter for an employee to work through, employees who witness serious violations often seek legal counsel, and frankly, any good lawyer would recommend reporting directly to the SEC and then internally. Detractors also point to the fact that the vast majority of whistleblower complaints are simply not valid. The SEC gets thousands of reports each year, and a very small fraction are found to relate to significant or even valid violations. Company compliance personnel are in a much better position to know very quickly whether a suspected violation has any merit, and the sooner they become aware of an issue, the sooner they can investigate and put a stop to any bad behavior.
The other school of thought is that whistleblower laws complement and even improve internal compliance programs in any number of ways. First, just the fact that they exist causes compliance personnel to be more vigilant in preventing violations. Also, greater effort is placed on protection of employees who internally report violations.
There is truth to both sides of the debate. One thing we have found is that if a company has a genuine and robust compliance program, it really does not matter what whistleblower laws there are and whether an employee reports to the government or not. That company will always be ready to respond and to defend its program and its handling of reported potential violations.
MG: What do you recommend compliance departments do to ensure compliance with whistleblower laws while preserving effective internal processes?
RS: There are a number of elements of a good compliance program that automatically ensure compliance with whistleblower laws. Let me mention three of the most relevant steps you can take.
1. Understand the specific laws that apply to your company’s operations.
All good compliance programs, as part of their policy build-out and risk assessment processes, identify and understand all federal, state and international laws that apply to their business operations, including whistleblower laws. When you do that, I bet you will remove the word “whistleblower” from any of your program documents or polices, because, as I said at the outset, there is no one definition and you should not label every reporter a whistleblower.
You will also understand that compliance with those laws involves more than just providing anonymous hotlines in some cases, or preventing retaliation; it also involves carefully checking all of your employee agreements and policies to ensure you are not “chilling” or impeding employees from reporting directly to the SEC. Rule 21F-17 provides, for example, that “No person may take any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement … with respect to such communications.” Employee agreements, such as termination agreements and confidentiality agreements, can inadvertently contain language that the SEC believes employees may misapprehend.
2. A well-designed and well-publicized internal reporting mechanism is a critical component of every corporate compliance program.
In order to encourage employees to use internal reporting channels, companies must promote a culture of improvement based on self-analysis. Successful companies look forward to discovering internal problems, because this drives a process of learning, adjusting and improving. This only works, however, if employees are educated on the internal reporting policy, believe in its outcomes and trust that they won’t face retaliation or other negative consequences for making internal reports.
3. (And this is critical) Ensure that employees understand that internal reporting is mandatory, not voluntary.
Regardless of whether they choose to report to the SEC, they have an obligation as a matter of company policy to report internally, anonymously or otherwise. Hopefully they will feel comfortable reporting without the cover of anonymity, but in any event, they must report. We have seen many cases where employees felt that reporting only to the government was “OK” and consistent with company policy. It should not be.
Companies can and should use compliance certification processes that require all employees to certify either that they have no knowledge of any violations of law or company policy or that they have reported any potential violations internally. The primary reason for certifications is to ensure internal reports are made so that the underlying issue may be addressed.
Another benefit occurs if an employee makes an external report in the future, because the company will be better prepared to address the issue with the government, having already conducted its own investigation, or, if the issue was never reported internally, it can check that employee’s past certification forms to determine whether there is a contradiction between prior certification forms and the external report of a potential violation. The SEC has committed to encouraging internal reporting of violations. Hold them to it.
Rick Schroeder leads the Corporate Compliance & White Collar Defense Practice at Jones Walker. He is based in New Orleans. He represents local, national and international companies, particularly in the energy and natural resource sectors, and their officers and employees in business and corporate compliance matters, internal investigations and government enforcement proceedings.
Mr. Schroeder has particular experience in developing comprehensive corporate compliance programs that address the broad array of high-risk areas companies face today. He has designed and assisted in the implementation of global corporate compliance programs for public and private companies with domestic and international operations, as well as conducted risk assessments and compliance program evaluations.
Maurice Gilbert founded Corporate Compliance Insights in December 2008 to further the discussion and professional knowledge exchange of important, forward-thinking corporate governance, risk and compliance topics.
