Lessons From Whistleblower Award
The Securities and Exchange Commission issued a $37 million whistleblower award last week, and before the case fades from memory compliance officers should give it a close look; the details offer a useful glimpse into the importance of getting internal reporting systems right.
The award was handed out on July 26, and as usual we don’t have many specifics: not which company it involved, the nature of the misconduct, when the incident happened, or who the whistleblower was. The $37 million amount suggests that the underlying case involved a civil penalty of $120 million to $370 million, which was likely settled in the early 2020s.
The SEC did say that the whistleblower first reported the misconduct internally (yay for internal reporting!) — but also said the whistleblower “persisted” in reporting the misconduct internally, which suggests that the company’s compliance team wasn’t terribly responsive (boo to slow-walking an internal investigation).
Eventually the company did investigate the misconduct and decided to self-report the matter to the SEC. The whistleblower, however, decided to bring his concerns to the agency directly, and “without the whistleblower’s ongoing, extensive, and timely assistance, the staff would not have learned the full context and extent of the employer’s misconduct,” the SEC said.
Let’s pause right there, because the above paragraph demonstrates an important dynamic in whistleblower reporting today. Namely, you never know when an internal whistleblower might bring his or her concerns directly to the SEC, so when the company does decide to self-report the matter, it better be damned sure it’s reporting as much as possible to that regulator too.
Yes, I understand that self-reporting can involve delicate issues of attorney-client privilege and disclosure that might spawn messy civil litigation with private plaintiffs. But consider the risk of disclosing too little, as made clear by the SEC’s statement in this case: you self-report some of a matter to the SEC, while the whistleblower — whom you already know exists, because he already reported internally to you — is there telling the agency that your company didn’t disclose the full scoop.
How would a regulator feel about that information gap? Not great, that’s for sure. The agency will still have a roadmap to investigate the issue thanks to the whistleblower, and now it will be giving your company the side-eye, wondering what else you might be hiding. It will also wonder whether your company truly does have a culture of compliance, which is not a question you want regulators to have on their minds.
And as a cherry on top of this unsavory sundae, we also have whistleblower retaliation. Specifically, the whistleblower received a bad performance review and a “sharply lower bonus” than the previous year, despite meeting performance goals that the company had set for him or her.
So the SEC had evidence of less than fulsome self-disclosure, and evidence of whistleblower retaliation. What conclusions would you draw about that company’s culture of compliance if you were in the agency’s shoes?
The Compliance Officer’s Predicament
What we don’t know about this case is how the company eventually decided to self-report its misconduct, and who decided the amount of information the company would offer to the SEC. Presumably the conversation involved the general counsel, the compliance officer, the company’s outside counsel, and likely senior management and the board.
The question for the rest of us on the outside, concerned with building a strong culture of internal reporting and compliance, is how to design a process to guide the company through those conversations about self-reporting, so that the company reaches wise decisions and doesn’t find itself on the back foot thanks to an internal whistleblower turned external reporter working with the SEC.
For example, does the chief compliance officer indeed have a voice in those discussions? What if your company doesn’t even have a chief compliance officer per se, but instead relegates that role to someone further down the org chart with a title like “senior manager of ethics and compliance” — does someone in that role really have co-equal footing with the GC, the board, and a know-it-all stuffed shirt from outside counsel?
What about the quality of your internal investigation; will that be sufficiently robust to arrive at a clear understanding of the facts? How are you sure that it will be? Because if it’s not, you might conclude that the matter isn’t serious, or that the regulator won’t be able to compile a strong case. That, in turn, could tempt the company not to disclose — but if the whistleblower is cooperating with the regulator, your whole chain of logic here falls apart.
I suspect most corporate compliance officers already know all that. The real question is whether your general counsel, outside counsel, senior management, and the board all know that. If they have a fundamentally different view about the wisdom of self-reporting — especially in today’s era of whistleblowers cooperating with regulators — that could leave you, the compliance officer, in a vulnerable position (read: the scapegoat) should the worst happen.
Really, you have to wonder what the company involved in this case was thinking. With a $37 million whistleblower award, which suggests a civil fine of several hundred million, the misconduct in question had to be a serious issue.
Management also knew it had at least one whistleblower running around. Even worse, the SEC award order identifies the whistleblower as “Claimant 10,” and mentions other claimants as well who didn’t receive any awards; so management probably knew it had numerous whistleblowers running around.
Whatever that company’s self-disclosure decision process was, your decision process should be defined in advance, so that management isn’t improvising decisions under the pressure of an actual complaint. A strong decision-making process would depend on a solid internal investigation function to gather the facts, and a strong voice for the compliance function.
Are you sure your company has both those things?