Since its inception, the U.S. Securities and Exchange Commission (SEC) Whistleblower Program has fined wrongdoers more than $1.7 billion. “Whistleblowers have played a crucial role in the progression of many investigations and the success of enforcement actions,” said Jane Norberg, SEC chief of the Whistleblower Program, following the $16 million payout to two whistleblowers in November 2017.
The SEC’s 2017 Annual Report to Congress on the Whistleblower Program provides insights for internal auditors and audit committees into the program’s scope, focus, and results. In 2017, the SEC awarded approximately $50 million to 12 individuals for various whistleblower actions. These reports included providing information about a fraud arrangement that was difficult to detect, disrupting investment schemes that targeted unsophisticated investors, and supplying industry-specific information. Norberg stressed the three key features of the program are monetary rewards for information that leads to successful enforced actions, anti-retaliation protections, and confidentiality safeguards.
Given the growing impact of the SEC Whistleblower Program, internal auditors should encourage executives and directors who oversee governance to understand the key elements of the program. Moreover, auditors should ensure internal processes and controls are in place to effectively resolve whistleblower concerns and build employee trust.
The SEC Whistleblower Program was created in 2011, as directed by Section 922 of the U.S. Dodd-Frank Wall Street Reform and Consumer Protection Act, to provide incentives to whistleblowers to report federal securities law violations. Section 21F allows rewards for individuals who provide information that leads to a successful SEC enforcement action resulting in sanctions greater than $1 million. Whistleblowers may be an employee, an insider such as a consultant, or an outsider of the company.
Whistleblowers are eligible for payments of 10 percent to 30 percent of the monetary sanctions collected. To receive payment, the whistleblower must complete the award application within 90 days of when the SEC Notice of Covered Action is posted. Factors that could increase the payment amount include how vital the information is to the SEC action, higher level of cooperation, and evidence the violation was first reported through the company’s internal network. Inversely, factors that could decrease payment include the whistleblower’s involvement in the violation and significant delay in reporting the violation.
Since the whistleblower rules took effect in 2011, the SEC has received more than 22,000 tips, complaints, and referrals (TCRs). “Whistleblower Tips,” at right, shows that TCRs have risen 49 percent since 2012, reaching an all-time high in 2017. The categories that have remained the highest over the life of the program include corporate disclosure, offering fraud, and manipulation (see “Whistleblower Allegation Types” below).
Approximately 68 percent of TCRs submitted in 2017 came from the U.S., 20 percent from international locations, and 12 percent from a location not disclosed. The annual number of TCRs submitted internationally has grown 75 percent since 2012.
Although the Dodd-Frank Act prohibits the SEC from disclosing the identity of the whistleblower, the commission does publish the roles in which the whistleblowers served in aggregate. In 2017, most award recipients were current (30 percent) or former employees (25 percent). The remaining recipients included harmed investors (19 percent), outsiders (15 percent), other insiders (7 percent), and industry professionals (4 percent).
Not only are the TCRs up, the amount paid to whistleblowers from the Investor Protection Fund also has been increasing. The SEC has awarded more than $60 million to whistleblowers since 2012 (see “The Top Whistleblower Awards” at the end of this article).
With the monetary awards and payouts growing each year, the SEC has emphasized whistleblower protection since 2017. In separate instances, the SEC levied $2.4 million in penalties against publicly listed companies that retaliated against or hindered employees’ ability to report potential violations to the commission.
Specifically, Section 21F(h)(1) of the Dodd-Frank Act provides whistleblowers with protection against retaliation. In addition, Exchange Act Rule 21F-17(a) forbids employers from not allowing employees to report securities violations to the SEC. The act states that “no person may take any action to impede an individual from communicating directly with the commission staff about a possible securities violation, including enforcing, or threatening to enforce, a confidentiality agreement … with respect to such communications.” The SEC can take legal action against employers that retaliate against employees for reporting federal securities law violations.
In 2017, the SEC found numerous violations of Rule 21F-17(a). For example, Washington, D.C.-based financial service firm Homestreet Inc. agreed to pay a $500,000 penalty for attempting to identify a whistleblower following an SEC inquiry into accounting violations. Moreover, the SEC found that Homestreet employees were only eligible for severance benefits if they signed an agreement waiving potential whistleblower rewards.
The SEC also brought actions against companies for implementing restrictive covenants in their severance and termination agreements. In January 2017, BlackRock Inc. agreed to pay a $340,000 penalty for including inappropriate language in its separation contracts. In exchange for monetary payments, more than 1,000 former employees signed agreements waiving “any right to recovery of incentives for reporting misconduct, including, without limitation, under the Dodd-Frank Wall Street Reform and Consumer Protection Act.”
In another example, the SEC found Oklahoma energy company SandRidge Energy Inc. had violated both Rule 21F-17(a) and the whistleblower anti-retaliation provisions of Section 21F(h). SandRidge terminated an employee after the whistleblower expressed concerns regarding a reserve calculation. In addition, more than 500 former SandRidge employees signed separation agreements from August 2011 to April 2015 that prevented them from disclosing information to any governmental agency regarding company investigations. SandRidge agreed to pay $1.4 million in penalties.
Internal auditors may help the organization define, monitor, and manage elements of the whistleblower process to ensure an effective and appropriate avenue is provided to report claims. Auditors also can review whether claims were resolved appropriately.
Internal Audit Implications
With more than $1 billion in penalties levied so far against companies, the SEC Whistleblower Program is having a significant impact in monetary terms. Moreover, these penalties could result in a scandal that causes reputational damage to the companies involved. In an August 2014 press release, former SEC Whistleblower Office Chief Sean McKessy stressed the importance of internal auditors. “Individuals who perform internal audit, compliance, and legal functions for companies are on the front lines in the battle against fraud and corruption,” he said. “They often are privy to the very kinds of specific, timely, and credible information that can prevent an imminent fraud or stop an ongoing one.”
In some cases, internal auditors, themselves, may be whistleblowers. In 2014 and 2015, the SEC awarded whistleblower rewards to employees within compliance and internal audit functions. According to Section 21F-4, if internal auditors come across a violation, they should first report it internally to the appropriate officer or board member. If action is not taken within 120 days, the internal auditor becomes eligible for an award and may begin the whistleblower process by reporting either through the SEC’s online questionnaire or by completing a hard copy Form-TCR.
Because more than half of whistleblower reports come from company insiders, chief audit executives (CAEs) should work closely with the audit committee to ensure the appropriate tone, policies, and diligence are in place to support a whistleblower who first reports internally. In “Whistleblowers: What the Board Needs to Know,” The IIA’s Tone at the Top newsletter lists six steps that boards and CAEs should take to oversee a whistleblower program:
- Build employee trust of int-ernal policies.
- Consider all sources, including hotlines, anonymous email, lawsuits, exit interviews, and social media.
- Ensure adequate triage of the report based on understanding the legal and accounting implications.
- Enlist internal audit in managing the whistleblower process, managing the investigative process, or reviewing whistleblower activities.
- Understand the entire whistleblower program process.
- Remain vigilant by continually reviewing and updating whistleblower policies.
The SEC Whistleblower Program has resulted in increased tips, fines, awards, and whistleblower protections. With the monetary rewards increasing, reports to the SEC’s Whistleblower Program are likely to grow. Against this backdrop, internal auditors can help their organization’s whistleblower program through education, communication, and monitoring. Given their knowledge of the organization’s governance, policies, and procedures, internal audit’s involvement can add credibility to the whistleblower program. However, auditors should remain objective and leave decision-making responsibility about specific whistleblower cases to management.