Introduction

On May 5, 2023, the Securities and Exchange Commission (“SEC”) granted its largest-ever whistleblower award of $279M to an individual,^[1] reportedly stemming from Ericsson’s $1.1B settlement to resolve claims that the telecommunications company violated the Foreign Corrupt Practices Act (“FCPA”).^[2] Coupled with other recent enforcement actions by the SEC arising under applicable whistleblower protection rules (Dodd Frank’s Rule 21F-17) and the increasing number of whistleblowers to the SEC and U.S. Department of Justice (“DOJ”) who are corporate compliance officers and auditors, these events are warning signals to companies of the need to evaluate not only the robustness of their internal reporting and investigation mechanisms but also the extent to which they have instilled a “speak up” culture that encourages employees to raise issues.

SEC Whistleblower Protection Rules

Section 922 of the Dodd-Frank Act and the SEC Whistleblower Protection Rules (the “Rules”) issued in May 2011 provide a set of incentives and protections for individuals who choose to make reports to the SEC.^[3] The purpose of these provisions is to encourage whistleblowing on potential securities law violations, borne of compliance and other transgressions, by providing confidentiality, anti-retaliation protections, and monetary rewards for tips that result in successful SEC actions.

If a tip-off leads to a successful enforcement action by the SEC resulting in monetary penalties over $1,000,000, the whistleblower will receive an award worth 10 to 30% of the monetary sanction.^[4] Further, employers subject to the Rules are prohibited from retaliating against persons who make reports to the SEC, which we wrote about here.^[5] In addition to incentivizing whistleblower activity and protecting against retaliation, the Rules help to ensure that others do not interfere with an individual’s ability to make reports. In particular, Rule 21F-17 provides: “No person may take any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement . . . with respect to such communications.”^[6]

Whistleblower Statistics and Trends

Ericsson’s December 2019 resolutions with the SEC and DOJ related to the company’s violations of the FCPA’s anti-bribery, books and records, and internal controls provisions. The $1.1B settlement included a $520M criminal penalty and $539M in prejudgment interest and disgorgement of illicit profits. According to the DOJ, the size of the resolution was based on a number of factors, including Ericsson’s failure to voluntarily disclose the conduct to the DOJ. Further, Ericsson only received partial cooperation credit from DOJ because Ericsson did not disclose allegations of corruption with respect to two relevant matters and it failed to produce certain materials in a timely manner.

Over three years later, the SEC awarded $279 million to a whistleblower, an award which reportedly related to Ericsson’s FCPA case. While the SEC does not disclose details of the information provided by the whistleblower, the information that the whistleblower provided apparently significantly aided the agency’s enforcement action.^[7]

As this whistleblower award and recent statistics and trends illustrate, monetary awards offered by the SEC and DOJ to encourage whistleblowing, even from company compliance officers, are very effective tools for these agencies.

From the SEC whistleblower program’s inception in 2011 through FY 2020, the agency awarded a total of about $562M to 106 whistleblowers.^[8] Activity then greatly increased in FY 2021, which saw the highest record number of whistleblower awards, with $564M awarded to 108 individuals (exceeding all the prior years combined).^[9] FY 2022 was second highest, with the Commission granting $229M to 103 individuals.^[10] Since the inception of the SEC’s whistleblower program, the Commission has paid over $1.3B in 328 awards to individuals.^[11] During this time, and before the recent $279M award, the biggest singular tip was for $114M in October 2020, followed by an award of $110M in September 2021.^[12]

SEC whistleblowers report the most tips in four categories: (1) Manipulation (of a security’s price or volume); (2) Offering Fraud (including Ponzi schemes, pyramid schemes, and high-yield investment programs); (3) Initial Coin Offerings and Cryptocurrencies; and (4) Corporate Disclosures and Financials.^[13] Comparatively, whistleblower reports on FCPA violations are relatively few, constituting less than 2% of the total tips in FY 2022. It is important to note, though, that the reporters themselves choose the category.

With the DOJ, well-known incentives for whistleblower activity arise under the federal False Claims Act. The False Claims Act’s qui tam provisions permit private citizens to file suits on behalf of the government and earn up to 30% of the government’s recovery. In FY 2022, whistleblowers filed 652 qui tam suits, leading to the DOJ’s recovery of over $1.8 billion, representing an increase up from 598 qui tam suits in 2021.^[14]

Whistleblower Awards to Compliance and Audit Officers

Notably, whistleblower awards by the SEC and DOJ to company compliance officers or internal audit personnel are increasing in number. This is particularly significant in the SEC context, as SEC Whistleblower Rules generally prohibit awards based on information learned by compliance or audit officers performing their duties^[15] unless certain requirements are met under Section 21F-4 of the Securities Exchange Act. The exceptions generally swallow the rule.

Specifically, a compliance or internal audit professional can receive a whistleblower award if (1) the professional reasonably believes disclosure is necessary to prevent conduct likely to cause substantial injury to the financial interest or property of the entity or investors, (2) the professional reasonably believes the entity is engaging in conduct that will impede an investigation of the misconduct, or (3) at least 120 days have passed since the professional properly disclosed the information internally, or since the professional learned that the officers already knew of the information.

As an example, in April 2022, the SEC awarded $450,000 to a claimant who held a compliance role and was eligible because the professional waited over 120 days after reporting internally to contact the SEC.^[16] Similarly, in August 2021, the SEC awarded three compliance workers a total of $1M for submitting information to the SEC after waiting the requisite 120 days subsequent to internally reporting the alleged conduct.^[17] Finally, the SEC awarded about $300,000 to a compliance professional in December 2020 because the whistleblower had a reasonable basis to believe the entity engaging in misconduct would impede the agency’s investigation.^[18]

The DOJ has also awarded amounts to compliance officers turned whistleblower under the False Claims Act, including a 2020 settlement with Merit Medical and a 2016 settlement with Olympus Corp. of the Americas. Merit Medical’s former chief compliance officer received $2.65 million from the federal government’s recovery of $18 million from Merit for allegedly paying kickbacks to healthcare providers to boost sales of the company’s products.^[19] Although not legally required to report internally to share in the recovery, Merit’s former chief compliance officer noted in his complaint that he had repeatedly reported his concerns to Merit’s management, but received “only token respect.”

Earning significantly more, Olympus’ chief compliance officer took home approximately $51M from the federal and state government’s recovery of approximately $623.2M from Olympus under the Federal False Claims Act and state analogues.^[20] The False Claims Act violations arose from Olympus’ provision of kickbacks to doctors to induce purchases of its medical equipment.^[21]

Recent SEC Enforcement Activity Related to Prospective Whistleblower Activity

Since 2015, the SEC has brought about a dozen actions against companies for alleged violations of Rule 21F-17.^[22] Enforcement actions for breaches of this whistleblower protection rule slowed down during the Trump administration, particularly during the Covid-19 global pandemic, but they have picked back up again in the past couple of years, signaling the SEC’s renewed focus on enforcement in this area.

In 2022 and 2023, the SEC settled multiple cases with companies following alleged willful violations of Rule 21-F17.^[23] One action addressed a company’s use of employee confidentiality agreements to restrict employees from disclosing confidential company information to third parties without written approval.^[24] Another involved the retaliatory firing and revocation of an employee’s computer access after that employee internally raised concerns of securities law violations.^[25]

As demonstrated by these examples and others, enforcement under this provision  indicates that company policies, agreements, and trainings that might be designed to achieve seemingly innocuous objectives, such as ensuring internal whistleblowing or protecting confidential information, may be criticized if the SEC can frame an argument that the tone and language of such materials might undermine the SEC’s goal of encouraging whistleblower reports.

Key Takeaways      

The risks presented by not adequately addressing internal whistleblower complaints, or the prospect thereof, are far-reaching. Employees may resort to reporting issues to the media—presenting, at a minimum, potential reputational damage—or to enforcement authorities, leading to investigations and prosecution or settlements. As seen above, the SEC will actively enforce both scenarios: investigating companies for substantive violations reported by the whistleblowers but also fining companies for actions perceived to restrict their employees from reporting to the SEC.

As a result, companies are best served by encouraging employees to raise issues and then taking appropriate actions. To encourage employees to speak up, companies need to develop not only a strong compliance program, but a strong culture of compliance. Employees who believe that their employer takes issues and concerns seriously and addresses problems through appropriate remediation are more likely to report their concerns. Companies can foster this type of trust by surveilling for risks and then actively working to mitigate identified risks. Proactive compliance programs with a strong speak-up culture that appropriately address reports can prevent employees from feeling that the only outlet for their concerns is through external whistleblowing.

In order to achieve this culture of transparency and trust, companies need to share information with employees about internal reports, investigations, and disciplinary outcomes to instill confidence. This should be done in a manner that preserves the confidentiality of the investigations, but still is sufficiently detailed to drive insights and lessons learned and to increase employee confidence in the reporting and investigations processes. Businesses should also strive to apply disciplinary measures fairly and consistently, for both employees and management. When employees know the rules apply to all, no matter the title, they are more likely to report issues. Building such confidence allows companies to identify and address issues and lessens the risk that employees will feel the need to externally report concerns.

In view of recent enforcement actions and whistleblower trends, companies should formally evaluate and strengthen their monitoring, reporting, and investigations systems to foster internal reporting and should seek opportunities to further instill employee confidence in the company’s dedication to fair and consistent enforcement of the company’s policies and procedures. Companies can undertake a number of steps in this regard:

• Obtain periodic assessments of their risk profile and compliance program effectiveness as it relates to monitoring, reporting, and the conduct of effective investigations.
• Periodically evaluate and retrain middle management on appropriate responses and approaches to reporting and retaliation.
• Ensure thorough and timely follow-up on all whistleblower complaints.
• Foster an internal culture of compliance, ethics, and support for internal reporting.
• Disseminate materials regarding proper avenues for reporting unethical behavior.