Narrow Whistleblower Protection May Have Broad Impact

Pamela Verick, Director Protiviti Forensic

The U.S. Supreme Court, on February 21, 2018, ruled unanimously that protections afforded to whistleblowers under the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank) apply only to people who report potential wrongdoing directly to the Securities and Exchange Commission (SEC).

This interpretation narrows a previous rulemaking from the SEC, which had extended retaliation protections to employees who chose to work within a company’s own reporting system when voicing concerns or complaints regarding violation of securities laws.

Government lawyers filed a brief on behalf of the Department of Justice and the SEC arguing in favor of the broader interpretation, but the court ruled unanimously against it, based on wording in Section 21F of Dodd-Frank, which unambiguously defines a whistleblower as someone who reports wrongdoing to the SEC.

The language of 21F is clear: “You are a whistleblower if, alone or jointly with others, you provide the Commission with information […] and the information relates to a possible violation of the federal securities laws […].”

Section 21F also provides for cash awards of $1 million or more for information leading to sanctions. These awards, which some call “whistleblower bounty,” can total millions of dollars, causing some to question the motives of employees who come forward.

The SEC argued that by extending retaliation protections as an incentive for employees to work within their company’s compliance structure, it was serving the spirit of Dodd-Frank, protecting shareholder interests by fostering a spirit of voluntary transparency and good governance in lieu of costly sanctions and public embarrassment. Critics argued that the SEC’s broader interpretation was inconsistent with the statutory language of Dodd-Frank and exceeded its regulatory authority.

It is important to note that anti-retaliation protections outlined in the Sarbanes-Oxley Act of 2002 remain intact, but are not considered to be as robust as those provided under Dodd-Frank. Absent the promise of any protection, it is reasonable to imagine a scenario in which companies would need to work even harder than they now do to establish a “speak up” culture where employees raise concerns without fear of retaliation and management reacts more quickly to address reported matters before regulators are notified of problematic activity.

More than ever, it is important for compliance personnel, internal auditors and boards of directors to consider their companies’ corporate culture, as well as their ethics programs, and ask:

  • Has the organization defined internal controls across the first and second lines of defense to establish, promote and manage a speak-up culture?
  • Is there an ongoing dialogue within the organization that provides examples about the types of improper behavior that management and the board want to know about?
  • Does the design of reporting mechanisms align with the communication styles of cross-generational employee populations?
  • What process is in place to evaluate and escalate information reported through mechanisms other than a hotline or webline (i.e., verbal or written complaints to supervisors and managers, human resources, etc.)?
  • Is the operating effectiveness of reporting mechanisms regularly evaluated as part of compliance audits?
  • Does information collected as part of the reporting process comply with global data and privacy requirements?

As a conversation starter, I would recommend Internal Auditing around the World, Vol. 13, which examines culture and ethics programs at major organizations around the world.

What are your thoughts on the potential effects of this ruling? Let us know in the comments section, or reach us on our website.

Add comment