I had the good fortune this week to attend a panel discussion on the latest developments in whistleblower tips and SEC enforcement. Given how often whistleblower tips turn into big, complicated headaches for corporate compliance officers, let me pass along some insightful morsels from the speakers.
The panel was part of the day-long Securities Enforcement Forum West, held Thursday in California. Alas, I could only attend the event virtually, but Securities Docket always puts together informative events chock full of SEC speakers.
We can begin with the SEC Office of the Whistleblower, which had a banner year in 2021. The agency gave out award money than ever before ($564 million) to more whistleblowers than ever before (108 people). Most important to compliance officers, however — the agency also received more than 12,000 whistleblower tips in 2021, a stunning increase of 76 percent from 2020 and yet another all-time high.
Why so much activity? Katharine Zoladz, associate regional director at the SEC and one of the panel speakers, gave credit to reforms the SEC implemented in 2020 that streamlined the processing of whistleblower tips. Those reforms allowed the SEC to weed out frivolous claims or deny hopeless claims more quickly; that, in turn, allowed SEC staffers to spend more time on tips with real merit.
That’s all true, although it doesn’t explain the spike in whistleblower tips that the SEC received last year. Most of those tips have yet to be processed — which means lots of potential issues still out there, that could result in the SEC calling your legal team some day. So compliance teams, as always, have strong incentive to encourage internal reporting (better you than the SEC, after all) and protection of whistleblowers.
Looking at the Bigger Picture
One excellent point came from panelist Kristin Flinn, a forensic accountant and associate director at Berkeley Research Group. When investigating a whistleblower’s complaint, she said, “cast a wide net” to look for internal control deficiencies that might be afoot. You might discover control deficiencies that aren’t directly related to the whistleblower’s complaint, but need attention anyway.
“We’ve often seen that whistleblower complaints lead to the discovery of internal control failures,” Flinn said, especially control failures related to financial reporting. “Even if the whistleblower’s claims are slightly off the mark, it usually points to a bigger internal control problem at the firm.”
What could those control problems be? Inadequate accounting policies and procedures, weak segregation of duties, and poor employee training, to name only a few. None of those things would necessarily lead to misconduct; but any one of them could, and they’d all need to be addressed once you discovered them.
Flinn recounted one case where an accounting employee raised concerns that a manager was making improper adjustments to a non-GAAP financial metric. An audit committee investigation ensued, which ultimately concluded that all material adjustments were legitimate — but it also found that the company’s accounting policies around non-GAAP metrics were weak, and training for accounting personnel was insufficient.
Flinn’s point seems especially important for FCPA compliance, since so often it’s the internal control provisions that trip up your company. We’ve seen numerous instances of loose accounting policies where intermediaries can convert a company’s credit notes into cash, or the corporate office grants a foreign subsidiary’s request for product discounts without sufficient documentation. Those are precisely the issues that might come to light if you launch an expansive review of internal controls once a whistleblower report comes over the transom.
This does mean that the compliance team will need to keep your internal audit friends down the hall on speed dial, since they’re the ones who know internal control issues better than you. Or, if your company has no internal audit team, you’ll need to know an accounting firm you could call for help.
Plus, some portion of whistleblowers are well-meaning, but don’t know what’s actually going on in their company or how a certain process works; that can suggest inadequate training. That’s an internal control weakness unto itself, and also a potential risk for an effective compliance program. Recall that the Justice Department’s guidance about effective compliance programs specifically discuss the importance of gatekeepers:
What, if any, guidance and training has been provided to key gatekeepers in the control processes (e.g., those with approval authority or certification responsibilities)? Do they know what misconduct to look for? Do they know when and how to escalate concerns?
If you see employees speaking up (yay!), but misunderstanding what they see (boo!), that could signal deeper trouble. This is especially true if the whistleblowers are in the accounting or finance function, since they serve in those gatekeeper roles. So tread carefully, but also ask, “What made this employee think that what he or she saw was wrong? Was it good judgment, or misjudgment?”
‘Impeding the Whistleblower’
To no surprise, the panelists also stressed the importance of not impeding a whistleblower’s ability to approach and communicate with the SEC. Hardy Callcott, a partner at law firm Sidley Austin, noted that the SEC has taken enforcement action numerous times against companies for impeding a whistleblower, even when the whistleblower was wrong and there was no valid underlying securities law violation.
The tricky part, of course, is understanding what “impeding” actually is. One example the panel chewed over was the case of NS8, a software firm that imploded in fraud two years ago. The co-founder of the firm recently agreed to pay $97,000 to settle charges that he obstructed a corporate whistleblower by restricting that employee’s access to internal systems.
In that case, Republican SEC commissioner Hester Peirce objected, arguing that the SEC’s whistleblower protection program is only meant to assure that whistleblowers can communicate with the SEC — not necessarily to assure that whistleblowers have unfettered access to corporate data they might want to use to press their case. That, she said, might set a dangerous precedent where disgruntled whistleblowers could also share corporate data with competitors or other outsiders.
So how should a company tread that line, between protecting legitimate commercial interests on one hand and not impeding whistleblowers on the other? Callcott recommended including clear language in employment contracts, corporate policies, and severance agreements (“Of course you can communicate to the SEC! We don’t mean to say you can’t do that”), but warned also that this niche of law is still somewhat murky, with many settled cases and few litigated court decisions.
“What actually constitutes retaliation, and especially impeding communication with the SEC, is still a little unsettled here,” he said. “Be very careful when drafting these agreements” to clarify that employees can always approach the SEC or other regulators when they believe that’s necessary.