The SEC Cannot Abandon Its Rules Protecting Internal Whistleblowers
The U.S. Securities and Exchange Commission (SEC) will soon be voting on proposed amendments to its highly successful whistleblower program. Although a number of issues have received widespread attention during this rulemaking, such as whether the SEC will place limits on the amount of an award, another critical issue will also be decided. This issue will impact every publicly traded corporation and will have major ramifications on rules governing corporate internal controls.
The SEC will determine whether or not retaliation against an internal corporate whistleblower constitutes a regulatory violation. At issue is the integrity of internal compliance programs. Under Proposed Rule 21F-2(d)(4), the Commission has proposed dropping its current regulation prohibiting retaliation against internal whistleblowers. If approved, a company could fire an employee for reporting a securities law violation directly to the Audit Committee. The Commission would be without any authority to hold that company accountable or undermine its own compliance program.
Will the Commission simply abandon any attempt to protect employees who work within these programs and raise serious regulatory concerns? Or will the SEC use its current authorities to continue to protect internal whistleblowers?
In 2018, the SEC’s regulatory framework for protecting whistleblowers who report violations pursuant to corporate compliance programs was dealt a severe blow. The U.S. Supreme Court, in Digital Realty v. Somers, 583 U.S. ___ (2018), ruled that a “whistleblower” under the Dodd-Frank Act was only protected from retaliation under that law if he or she went directly to the SEC. Employees who reported violations of securities laws to the General Counsel and Audit Committee, compliance programs, or supervisors were denied any employment-related protection. Although Digital was an employment law case, the Commission filed an amicus brief to the Supreme Court urging the court to protect internal corporate whistleblowing and explained how these internal programs were an essential component of the regulatory scheme
The positions taken by various parties before the Supreme Court was somewhat counter-intuitive. Qui tam attorneys whose livelihood in large part depended on employees going directly to the SEC with concerns (so they could qualify for a financial reward) all strongly urged the Supreme Court to protect internal whistleblowing. This effort included extensive amicus briefs by qui tam and non-profit whistleblower rights groups such as Taxpayers Against Fraud.
Corporations that had previously warned the SEC that the Dodd-Frank Act’s reward provisions would harm internal compliance programs took an odd position. They forcefully argued to the Supreme Court that internal whistleblowers had no rights under the Dodd-Frank Act’s anti-retaliation provisions and that employees who reported violations to internal compliance programs could be fired at-will, with no protections under the DFA. Chief among the advocates for this anti-compliance position was the U.S. Chamber of Commerce. However, in lower courts, numerous corporations had raised these same arguments.
Taking its cue from the Chamber of Commerce, the U.S. Supreme Court backed up Digital Reality, and threw out the whistleblower’s lawsuit. The Court unequivocally held that if an employee wanted protection under the DFA, they had to report directly to the SEC.
In light of the U.S. Supreme Court’s decision in Digital Realty v. Somers, 583 U.S. ___ (2018), the Commission has proposed a rule to eliminate the coverage of internal whistleblowers under its regulations. See Proposed Rule 21F-2(d)(4). The explanatory notes accompanying the proposed change show deference to this decision, stating that:
[t]he Supreme Court recently held in Digital Realty Trust, Inc. v. Somers . . . that a whistleblower under Section 21F of the Exchange Act must report a possible securities law violation to the Commission in order to qualify for employment retaliation protection under Section 21F(h)(1) . . . Accordingly, we believe that it is appropriate to amend Rule 21F-2 to conform to the Supreme Court’s construction of Section 21F.
83 Fed. Reg. at 34,704.
Under the current rule, if a publicly traded company fired an employee in retaliation for raising concerns internally, the Commission could take regulatory action against it. In other words, a company could be sanctioned and fined by the SEC for firing employees who reported concerns to Audit Committees, their chain of command, hotlines, and other compliance-related corporate programs. Under current regulations, the SEC views these forms of retaliation as violations of the SEC’s regulatory scheme that requires publicly traded companies to have significant internal compliance programs.
If approved, proposed rule 21F-2(d)(4) would negatively impact the integrity of internal compliance programs for which Congress, the Commission, and whistleblower advocacy organizations strongly endorse. The proposed rule would give corporations the green light to fire any worker whose internal reporting they did not like and escape any adverse regulatory consequence for an action that clearly would negatively impact its ability to weed out fraud and corruption that harms investors.
Proposed rule 21F-2(d)(4) goes too far. There is absolutely no legal justification for the SEC to abandon its position that firing employees who report securities violations to internal compliance programs constitutes a regulatory violation. The Commission should not use Digital as an excuse to leave thousands of potential whistleblowers to fend for themselves if they are lucky enough to find an attorney and a law (not the DFA) that could protect them.
Upon closer examination, the Supreme Court’s decision in Digital only impacted the ability of the Commission to protect internal compliance programs under the Dodd-Frank Act. The case was extremely limited, and only evaluated the specific statutory language in the DFA. It did not evaluate other statutes that give the SEC jurisdiction and authority to sanction corporations that retaliate against internal whistleblowers.
As explained below, instead of predicating its compliance-whistleblower rule on the DFA, the Commission can rely on alternative regulatory and enforcement authorities under the Sarbanes-Oxley Act (“SOX” ) to ensure that internal whistleblowers continue to be fully protected under the Commission’s regulations.
Like the Dodd-Frank Act, SOX also contains employment-related anti-retaliation provisions. But unlike the DFA, SOX explicitly covers internal whistleblowers and numerous other disclosures that are not covered under the DFA. In addition to prohibiting retaliation against employees who report concerns to their supervisors, SOX also protects employees who report violations directly to the Department of Justice and Congress. The Digital decision did not impact and should not abrogate the Commission’s ability to protect the integrity of internal compliance programs pursuant to other regulatory authorities, including SOX.
The Sarbanes-Oxley Act has four provisions that protect whistleblowers, three of which broadly cover internal whistleblowers and ensure that retaliatory conduct will not undermine internal controls, auditing requirements, and compliance requirements that are integral to the Commission’s regulatory scheme. Under SOX, the SEC has the regulatory authority to ensure that such internal disclosures are fully protected under the SEC whistleblower regulations approved in 2011. See Public Law 107-204, § 3, codified at 15 U.S.C. § 7202.
Although the Court ruled that the Dodd-Frank Act did not contain the authority to protect internal whistleblowers from retaliation, the Sarbanes-Oxley Act does directly provide the authority to do so. SOX requires the SEC to treat violations of the Act analogously to violations of the Securities Exchange Act of 1934 (“SEA”). The Court in Digital did not interpret the Commission’s authority to protect internal whistleblowers pursuant to the authority granted the Commission under SOX. Indeed, the Sarbanes-Oxley Act directly provides statutory authority for the SEC to enforce and promulgate regulations under the Act.
On the face of Section 3 of SOX, it is indisputable that the Commission can ensure that its whistleblower rules regarding retaliation remain in place and that the Commission continues to have a rule prohibiting retaliation against internal whistleblowing. Specifically, SOX Section 3(a) confers explicit rulemaking authority to the SEC necessary to enforce any provision of SOX, including its anti-retaliation provisions. Under SOX, Congress gave the SEC the authority to “promulgate such rules and regulations as may be necessary or appropriate … in furtherance of this Act.” 15 U.S.C. § 7202(a) (emphasis added). Further, Section 3(b) provides that a violation of any provision of SOX, or any rule or regulation issued thereunder, constitutes “for all purposes … a violation of the Securities Exchange Act,” and incurs the same penalties. 15 U.S.C. § 7202(b)(1). This provision gives the SEC authority to enforce all provisions under SOX.
Section 806 of SOX protects against retaliation when a whistleblower discloses information that the whistleblower reasonably believes constitutes a violation of the securities laws to “a person with supervisory authority over the [whistleblower] (or such other person working for the employer who has the authority to investigate, discover, or terminate misconduct).” P.L. 107-204, § 806, codified at 18 U.S.C. § 1514A(a)(1)(C); see also Letter from the Senate Judiciary Committee (Nov. 9, 2004). This section ensures that internal whistleblowers are fully protected under SOX. Because the SOX law itself gives the SEC full regulatory authority to enforce every provision of that Act, the Commission has the authority to continue to prohibit retaliation against internal whistleblowers.
Proposed rule 21F-2(d)(4) is an abdication of that authority and should not be approved.
Therefore, the SEC has complete regulatory authority to prohibit retaliation against whistleblowers who report potential securities violations internally. SOX grants the SEC the authority to promulgate rules protecting whistleblowers from retaliation and requires that the SEC treat violations of the SOX’s anti-retaliation provisions as it treats any other violation of the Security and Exchange Act.
To be compliant with the Supreme Court’s decision in Digital, the SEC simply needs to amend its current whistleblower rule and reference the Sarbanes-Oxley Act as legislative authority for the continued protection of internal whistleblowers.
Public Policy Strongly Supports Amending the Commission’s Whistleblower
Retaliation to Continue to Support Internal Whistleblowers
The importance of maintaining the Commission’s current regulations protecting internal reporting was forcefully argued by the SEC in the amicus brief filed by the United States before the Supreme Court in Digital. In addition, the vast majority of publicly traded companies and their related trade associations have confirmed the importance of ensuring that the SEC’s whistleblower rules continue to protect internal reporting programs. Nothing undermines such programs more than retaliation, and the chilling effect caused by such retaliation.
In statements filed before the U.S. Supreme Court by the United States in Digital, the Commission fully explained the importance of maintaining protection for internal whistleblowers:
Reading that provision to protect only whistleblowers who report to the Commission would defeat Congress’s purpose, weaken internal corporate-compliance programs, and potentially flood the Commission with allegations that have not been vetted by the corporate insiders best situated to address them in the first instance.
In adopting its rules, the Commission explained that encouraging reporting through internal compliance procedures, such as those required or protected by the laws cross-referenced in [the Sarbanes-Oxley Act], advances the purposes of Section 78u-6. Specifically, the Commission explained that internal reporting enables the private sector to screen out meritless claims, and thereby improves the quality of whistleblower tips later brought to the Commission; that internal reporting gives businesses the opportunity to self-correct without the need for intrusive Commission investigations; and that internal reporting thereby promotes efficient use of both corporate and government resources.
That approach [protecting internal whistleblowers] is especially appropriate given the purpose of Section 78u-6 and the practical desirability of encouraging internal whistleblowing as a way to promote corporate compliance.
[Protecting internal whistleblowers] would “support, not undermine, the effective functioning of company compliance and related systems.” 76 Fed. Reg. at 34,323. During its rulemaking, the Commission received numerous comments from businesses and related associations that urged the agency to promulgate rules encouraging or requiring internal reporting. E.g., id. at 34,302 n.21, 34,326 n.230. The Commission agreed that internal reporting systems “are essential sources of information for companies about misconduct,” and therefore “play an important role in facilitating compliance with the securities laws.” Id. at 34,323, 34,325. Among other benefits, “[s]creening allegations through internal compliance programs may limit [meritless] claims, provide the entity an opportunity to re- solve the violation and report the result to the Commission, and allow the Commission to use its resources more efficiently.” Id. at 34,359 n.450. “[W]histleblower reporting through internal compliance procedures can [thereby] complement or otherwise appreciably enhance * * * enforcement efforts,” without substituting for them. 76 Fed. Reg. at 34,359 n.450. All this facilitates efficient use of private-sector and government resources and effectuates Section 78u- 6’s design to prevent fraud and other securities-law violations. Reading the anti-retaliation provisions to protect only those who report to the Commission, by contrast, would “defeat the purpose of the legislation.”
This analysis remains true, notwithstanding the Supreme Court’s holding that the DFA (but not SOX) did not contain sufficient statutory justification for protecting internal whistleblowers. The policy arguments set forth above go to the heart of the legislative intent behind the creation of the SEC whistleblower program, and the programmatic interests of incentivizing reporting while at the same time supporting a robust internal compliance culture. The Commission has an opportunity in the current rulemaking process to vindicate these policy imperatives by amending its current rules to explicitly reference the authorities it possesses under the Sarbanes-Oxley Act as a source of authority to continue protecting internal whistleblowers, and ensure that all of the whistleblower provisions of SOX are covered under the Commission’s rules.
Maintaining protection for internal whistleblowers is also necessary based on the fact that the majority of whistleblowers who eventually disclosure information to the Commission through the TCR process made their initial disclosures internally. In its amicus brief filed before the U.S. Supreme Court in Digital, the Commission explained that many of these internal whistleblowers are subjected to retaliation:
Of the whistleblowers who received awards from the Commission in 2016, about 80% reported internally before reporting to the Commission. SEC, 2016 Annual Report to Congress on the Dodd-Frank Whistleblower Program 18. There are numerous reasons why employees tend to report internally first, including loyalty to the organization, hope that supervisors will rectify or explain the perceived misconduct without the need for government intervention, or (as with auditors and attorneys) a legal obligation to raise a matter in-house. See Janet P. Near & Marcia P. Miceli, After the Wrongdoing: What Managers Should Know About Whistleblowing, 59 Bus. Horizons 105, 105, 113 (2016). Studies also show that retaliation for internal reporting, when it occurs, generally follows quickly.
Further, in 2019, the SEC reported that 69% of Whistleblower Award Program recipients were insiders, and of those 85% raised their concerns internally, or “understood that their supervisor or relevant compliance personnel knew of the violations before reporting their information of wrongdoing to the Commission.” It is well established that internal whistleblowers are often subjected to retaliation, and this retaliation has a devastating impact on the integrity of internal controls. The need to fully protect internal whistleblowers is highlighted by studies conducted by the Institute of Internal Auditors, a trade association with more than 180,000 members in 170 countries. Their study demonstrated the following:
55 percent of Chief Auditing Executives were directed to omit important findings from their audit reports;
49 percent were directed “not to perform audit work in high-risk areas.
Auditors were “directed” to “suppress or significantly modify” “valid internal audit findings, and 38% of those requests came directly from the company’s Chief Executive Officer, 24% from a company’s Chief Financial Officer and 18% from persons with responsibility for compliance or legal matters. Moreover, numerous auditors reported that they were subjected to retaliation based on their audit findings.
At the request of numerous publicly traded companies, the SEC, in its original 2011 rules published under the Dodd-Frank Act whistleblower provisions, approved regulations that encouraged employees to use internal reporting programs to raise concerns. These incentives went so far as to permit whistleblowers to obtain larger rewards if they first contacted an internal compliance program. Furthermore, restrictions were placed on employees who work in compliance or auditing functions in order to ensure that programs designed to enhance internal controls could properly function. These regulations were premised on an understanding that the law protected internal whistleblowers from retaliation. It is absolutely essential that the Commission take advantage of the current rulemaking proceeding to ensure that internal whistleblowers remain fully protected, despite the ruling in Digital. Ensuring continued protection for internal whistleblowers can be fully accomplished under the existing regulatory and statutory provisions of the Sarbanes-Oxley Act.
 See Whistleblower Program Rules, 83 Fed. Reg. 34,702 (2018), Rel. No. 34-83557; File No. S7-16-18.
 Significantly, the two principal authors of the whistleblower protection provision of the Sarbanes-Oxley Act, Senators Charles Grassley and Patrick Leahy, expressed their opinion that the SOX law authorized the SEC to implement rules and regulations protecting whistleblower in accordance with the SOX law. See Letter from Senators Grassley and Leahy to SEC Chairman William Donaldson (Nov. 9, 2004).
 The Commission also explained the importance of fully protecting internal whistleblowers in the commentary published at the time it issued its initial whistleblower rules: “[C]ompliance with the Federal securities laws is promoted when companies have effective programs for identifying, correcting, and self-reporting unlawful conduct by company officers or employees. The objective of this provision is to support, not undermine, the effective functioning of company compliance and related systems by allowing employees to take their concerns about possible violations to appropriate company officials first while still preserving their rights under the Commission’s whistleblower program. This objective is also important because internal compliance and reporting systems are essential sources of information for companies about misconduct that may not be securities-related (e.g., employment discrimination or harassment complaints), as well as for securities-related complaints. We believe that the balance struck in the final rule will promote the continued development and maintenance of robust compliance programs. As we noted in our proposing release, we are not seeking to undermine effective company processes for receiving reports on possible violations, including those that may be outside of our enforcement interest but are nonetheless important for companies to address.” 76 Fed. Reg. 34,323 (June 13, 2011).
 SEC, 2019 Annual Report to Congress, Whistleblower Office, 18. Available at https://www.sec.gov/files/sec-2019-annual%20report-whistleblower%20program.pdf.
 See Institute of Internal Auditors, Politics of Internal Auditing (2015), https://na.theiia.org/news/Documents/Politics-of-Internal-Audit-news-release.pdf.