chevron-down Created with Sketch Beta.
March 26, 2012 Articles

Criticism and Self-Criticism: Law and Compliance in a Revolutionary Time

Regulated entities seeking recognition of their proper conduct should expect to receive criticism and be ready to engage in self-criticism.

By John H. Walsh

When the majority of the people have clear-cut criteria to go by, criticism and self-criticism can be conducted along proper lines, and these criteria can be applied to people’s words and actions to determine whether they are fragrant flowers or poisonous weeds.

— Chairman Mao Zedong

Our age has been described as a revolutionary time in financial regulation. Changes in institutions, laws, and regulations have been pushed forward at an accelerating pace. Moreover, beyond the pace of events, new norms are emerging in regulators’ expectations. Two in particular, with the potential to reshape how they view regulated entities, are evocative of past revolutionary times: a new emphasis on criticism and self-criticism. Today, regulated entities seeking recognition of their right conduct should expect to receive criticism and should be ready to engage in self-criticism.

Criticism is playing an increasingly important role in financial regulation. To some degree, it is playing a new role across the economy, as quality managers give enhanced attention to customer feedback. Indeed, today, one can hardly visit a website, stay in a hotel, or travel on an airline without being asked to complete a follow-up survey. Regulators have always paid attention to relevant criticism, and an aggrieved customer has often helped trigger official interest and action. Recently, however, the role of criticism in financial regulation has been fundamentally transformed.

Aggrieved Customers

Criticism by aggrieved customers is the lifeblood of any financial-law-enforcement program. Regulators have developed many mechanisms to obtain complaints about those they regulate. For example, the website of the Securities and Exchange Commission (SEC) prominently displays an area labeled “Investor Complaints” that states: “If you have a problem with your investments, investment account, or a financial professional . . . use our investor complaint form to provide us your information.” The site then suggests possible topics for complaints, including fees, suitability, inaccurate or misleading disclosures by financial professionals, and more. In recent years, the agency has emphasized the need to better organize, control, and track the information it has received.

Regulated entities generally have experience dealing with this type of information. Highly regulated firms, such as broker-dealers, may have regular communications from regulators asking about customer complaints that were submitted to the regulator’s website, hotline, or another of the existing venues. These communications often border on the routine: The entity is asked to respond to the criticism so that the regulator can determine if any official action is required. Newly regulated firms may have less familiarity with this type of official curiosity. Nonetheless, aggrieved customers are familiar figures, wherever they are encountered—in complaints to regulators or in customer-satisfaction surveys solicited by financial-services firms themselves.

Paid Informants
Recently, the SEC has adopted a new program that is quite removed from the customer-centered mainstream. In this new approach, whistleblowers—even anonymous whistleblowers—will be eligible for substantial monetary bounties. In the future, paid informants will compete with aggrieved customers for regulatory attention.

The genesis of the SEC’s new program was in June 2009 with the Treasury Department’s Regulatory Reform Proposal. See Department of the Treasury, Financial Regulatory Reform; A New Foundation: Rebuilding Financial Supervision and Regulation (June 17, 2009). The Treasury stated that the SEC should have available a fund to reward whistleblowers who provide quality information about serious cases. The idea was taken up by Congress and was enacted in section 922 of the Dodd-Frank Act, which adds new section 21F to the Securities Exchange Act. The legislative history for this provision states that it was intended to enhance incentives and protections for whistleblowers providing information leading to successful SEC enforcement actions. See Dodd-Frank Wall Street Reform and Consumer Protection Act, Conference Report to accompany H.R. 4173, 111th Cong., 2d Sess., Report 111-517 at 871 (June 29, 2010). In May 2011, the SEC adopted rules implementing the Dodd-Frank mandate. See SEC, Implementation of the Whistleblower Provisions of Section 21F of the Securities Exchange Act of 1934, Securities Exchange Act Release 65545 (May 25, 2011).

In summary, the SEC’s new rules provide that if a whistleblower voluntarily provides original information that leads to a successful enforcement action in which the SEC obtains monetary sanctions of more than $1,000,000, the whistleblower may receive an award of between 10  and 30 percent of the amount. Most of the rule, and the SEC’s 300-plus-page adopting release, is spent defining terms (such as “voluntary,” “original information,” “action,” and “monetary sanctions”), establishing anti-retaliation protection for whistleblowers, addressing implementation issues (such as how to handle multiple claimants for the same award), and establishing administrative processes (such as for filing information and claims).

From the perspective of a legal or compliance professional, two aspects of the rules warrant special note. First is how they relate to a firm’s own compliance program. When the SEC considered these rules, two of the five commissioners argued that whistleblowers should be required to report first to their firm’s own compliance system. The proposing staff disagreed, stating that the purpose of the provision in the Dodd-Frank Act was give them a new investigative tool and warning that internal reporting would be inappropriate when the enterprise itself is corrupt. The majority of commissioners agreed with the staff. The final rules create incentives for internal reporting, but it is not required. Participation in internal compliance systems is a factor that may increase the amount of the whistleblower’s award. See Rule 21F-6(a)(4). Similarly, interference with internal compliance systems is a factor that may decrease the amount of an award. See Rule 31F-6(b)(3). Finally, when whistleblowers contact internal compliance, they are given an additional 120 days to report to the SEC. See Rule 21F-4(b)(7). The SEC described this “look back” period as intended to give a whistleblower reasonable time in which to decide whether or not to report to the SEC. See SEC, Implementation of the Whistleblower Provisionsat 91.

The second aspect of the rule that warrants special note is the agency’s decision that it may pay bounties on information that was obtained illegally, with the sole restriction being that information will not satisfy the requirements of the rule if it was obtained “by a means or in a manner that is determined by a United States court to violate applicable federal or state criminal law.” Rule 21F-4(b)(4)(iv). In other words, information can be obtained by a whistleblower in breach of civil law, foreign law, or a judicial protective order and then used to earn a bounty. See SEC, Implementation of the Whistleblower Provisions at 80. Even information obtained in violation of criminal law could earn a bounty, as long as the whistleblower is not convicted of the offense. Id. There is a certain circularity in this provision: The government can pay a bounty for stolen information unless a government prosecutor decides to take action against the thief who brought it to the government. The SEC limited itself to noting that if a criminal case is pending or known to be contemplated against the whistleblower, it may defer a decision on the award until after the criminal matter is resolved. Id., n.180. This is scant comfort. Indeed, the SEC also indicated that it expects to pay bounties to whistleblowers who were themselves involved in the reported wrongdoing, with their culpability simply another factor to be considered in setting the amount of the award. Rule 21F-6(b)(1).

Unlike the aggrieved customer, the paid informant is a new and unfamiliar figure in the regulatory landscape. Even more, given the SEC’s willingness to pay for information obtained in violation of civil law, judicial orders, and unprosecuted criminal law, the full scope of this program is difficult to predict. In this uncertain environment, only two bright lines remain clear: Whistleblowers are given incentives to report first to internal compliance and, once they do, they have 120 days to decide whether or not to report to the SEC. See Rules 21F-4(b)(7) and 21F-4(c)(3).

An Expectation of Criticism
In November 2011, the SEC issued its first public report on its new whistleblower program. The SEC’s rules became effective on August 12, 2011, so they were in effect for only seven weeks of the fiscal year reporting period. Nonetheless, the results are highly suggestive. Over those seven weeks, the SEC received 334 whistleblower tips, almost 48 per week. The top three categories were market manipulation, corporate disclosures and financial statements, and offering fraud.

One should be careful about drawing inferences from the first few weeks of a new program. Nonetheless, the SEC’s ability to attract almost 48 whistleblowers a week demonstrates that the program is gaining traction. Apparently, a lot of potential whistleblowers believe they have stories to tell and would like to be paid for the telling. Legal and compliance professionals should get ready.

Self-criticism is also playing an increasingly important role in financial regulation. Over the last 10 years, numerous regulatory initiatives have sought to foster self-reporting by those who may have engaged in a violation. Each of these initiatives was motivated by specific compliance failures, and each, treated in isolation, could be viewed as a reasonable response to the presenting problem. Taken as a whole, however, they are creating a new climate in which self-reporting is expected and indeed, in many cases, required.

Self-Reporting Initiatives
The first and still most important statement of the SEC’s expectations regarding self-reporting was issued in October 2001 in the form of a public report that described how the agency would consider, and potentially reward, the self-reporting of possible securities violations. This release, sometimes called the Cooperation Release, indicated that the SEC would consider a variety of factors in the exercise of its prosecutorial discretion, including how the misconduct was detected, the steps the firm took upon learning of the misconduct and, ultimately, whether the firm promptly made available to SEC staff the results of its review. Id.

In the Cooperation Release, the SEC said: “When businesses seek out, self-report and rectify illegal conduct, and otherwise cooperate with Commission staff, large expenditures of government and shareholder resources can be avoided and investors can benefit more promptly.” Id. In 2010, the SEC republished this release as its Framework for Evaluating Cooperation by Companies and established a program of formal cooperation agreements. In 2011, while adopting the whistleblower rules, the SEC cited repeatedly to this release. SEC, Implementation of the Whistleblower Provisions at n.166 and n.196.

In the months and years following issuance of the Cooperation Release, several other regulatory initiatives have enhanced the flow of self-reported information.

In July 2002, as a response to widespread financial-reporting fraud, Congress passed the Sarbanes-Oxley Act. Sarbanes-Oxley Act of 2002, Pub.L. 107-204, 116 Stat. 745 (July 30, 2002). The act included several provisions designed to enhance the flow of self-reported information, with a special focus on the internal flow of information within public companies. The act required public company audit committees to establish internal reporting mechanisms, id. at section 301, 116 Stat. 776 (codified at section 10A(m)(4) of the Securities Exchange Act), and prohibited retaliation against the employees who used them, id. at section 806(a), 116 Stat. 802–03 (codified at 18 U.S.C. Section 1514A). As one commentator put it, the Sarbanes-Oxley Act made the audit committee “a conduit for employee complaints, a hotline for whistleblowers and the investigator of all things gone awry.” Thomas O. Gorman, Critical Issues in the Sarbanes-Oxley Act: Audit Committee, 1 (2009).

In December 2003, as a response to widespread illegal market timing in mutual-fund portfolios, the SEC adopted new compliance rules for investment companies, Rule 38a-1, and investment advisers, Rule 206(4)-7. These rules require investment companies and investment advisers to designate a chief compliance officer (CCO), adopt and implement written policies and procedures reasonably designed to prevent violations of the securities laws, and complete an annual review of the adequacy of their policies and procedures and the effectiveness of their implementation. SEC, Compliance Programs of Investment Companies and Investment Advisers, Investment Advisers Act Release 2204, Investment Company Act Release 26299 (December 17, 2003), Rules 38a-1(a)(3) and 206(4)-7(b). Additionally, CCOs for funds are required to provide a report to the fund’s board that addresses each material compliance matter that has occurred since the date of the last report. Rule 38a-1(a)(4)(iii)(B). The fund rule also protected compliance professionals with an anti-retaliation provision modeled on the language in the Sarbanes-Oxley Act. Rule 38a-1(c). Importantly, the SEC took the view that all of the reports required by its rules are meant to be made available to the SEC and its staff and are not subject to the attorney-client privilege, the work product protection, or other similar protections. SEC, Compliance Programsat n. 94. Thus, the results of the annual reviews and, specifically, funds’ reports of material compliance matters are open to review by regulators.

In July 2004, in further response to the breaches of fiduciary duty revealed by the market-timing cases, the SEC adopted a new rule requiring investment advisers to create a written code of ethics for their supervised persons. Among other provisions, the rule requires advisers to include in their codes provisions requiring supervised persons to report any violation of the code promptly to the CCO. Rule 204A-1(a)(4). In other words, SEC staff said at the commission’s open meeting on the rule that supervised persons now have an “affirmative duty” to report violations of the code to the person designated to receive such reports. Id. Moreover, the SEC required advisers to document in their books and records these reports and any action taken as a result, where these records will be open to regulatory review. Rule 204-2(a)(12)(ii).

Finally, in November 2010, the SEC approved a new self-reporting rule of the Financial Industry Regulatory Authority (FINR). Rule 4530 requires a FINRA member broker-dealer to self-report when it concludes, or should have concluded, that the firm or an associated person of the firm has violated any laws, rules, regulations, or standards of conduct, both foreign and domestic, relating to securities, insurance, commodities, finance, or investments. FINRA Rule 4530(b). In guidance on this requirement, FINRA has indicated that it expects reports only about serious conduct involving a widespread impact, material failures, numerous customers, or significant dollar amounts. FINRA Regulatory Notice 11-06 (February 2011) and Regulatory Notice 11-32 (July 2011). Reports pursuant to this rule must be filed with FINRA within 30 calendar days of when the firm concluded, or should reasonably have concluded, that one of the enumerated violations had occurred. FINRA Rule 4530(b).

In short, since October 2001, the SEC, Congress, and FINRA have repeatedly undertaken new initiatives to enhance and foster the flow of self-reported information within regulated entities, and from them to the regulators. The specific regulatory mechanisms have differed considerably: from earning voluntary credit in prosecutorial decisions, to mandatory internal-reporting systems, to mandatory internal reviews and reports made available to regulators, to mandatory reports filed with regulators. In every case, however, a recurring expectation can be identified: Regulators expect to be informed about misconduct at regulated firms.

An Expectation of Self-Criticism
In the course of adopting the whistleblower rules, in May 2011, the SEC identified an important factor in its expectations regarding firms’ self-reporting. Citing to the Cooperation Release, the SEC said:

When considering whether and to what extent to grant leniency to entities for cooperating in our investigations and related enforcement actions, the promptness with which entities voluntarily self-report their misconduct to the public, to regulatory agencies, and to self-regulatory organizations is an important factor.

SEC, Implementation of the Whistleblower Provisions at 76.

Moreover, the SEC said, while it gave whistleblowers 120 days after making an internal report to decide whether or not to report to the agency, no extra time was extended to the firms receiving the reports. Id. The SEC emphasized that the 120 days given whistleblowers is not a “grace period” for firms to determine their response to the allegations. Id. Indeed, it said, firms “frequently elect to contact the staff in the early stages of an internal investigation in order to self-report violations that have been identified.” Id. at 77. In other words, firms should not only self-report, but also they should do so promptly, without a grace period.

From a regulatory perspective, one can readily understand the benefits of swift self-reporting of known violations. As the SEC suggested in the Cooperation Release, quick confessions avoid the need to expend public and private resources. Nonetheless, this expectation places a firm in a difficult conundrum when it finds itself in possession of incomplete but suggestive information. What should it confess? In such a case, prudence may dictate further internal inquiry, while regulatory expectations demand immediate self-reporting. The pressure will be even greater if an employee has stepped forward to report the problem and his or her time is running down to decide whether or not to seek compensation as a whistleblower. Legal and compliance professionals should not wait until this situation is upon them. They should start getting ready now.

What Is to Be Done?
Preparing for criticism and self-criticism is mostly common sense. Nonetheless, while there is no one best way to prepare, several specific steps should be considered. Moreover, the scale of the problem should not matter. A small firm facing a small problem should consider the same steps as a large firm facing a different order of magnitude. Set out below are 10 steps that are always worth consideration.

Step 1: Have a Plan
The first step in dealing with the new regulatory environment is to have a plan. Legal and compliance professionals in particular are strategically placed to play a critical role. Whether it is planned or not, they are often the first persons contacted when an employee has a story to tell. Moreover, because of their existing training operations, they are well suited to lead any outreach initiatives within the firm to encourage internal reporting. Finally, the nature of their offices lends itself to this role. Where better to report a legal problem than to the law department, or a compliance problem than to the compliance department?

What should the plan contain? Any effort to devise a detailed operational plan will probably fail. Few legal or compliance offices have the resources needed to prepare detailed plans for all of the possible contingencies that could arise in a future crisis. Even if they did, the plan would probably be ignored when it was needed most because it would prove too speculative and unwieldy. Instead, a meeting of the minds among stakeholders may be the best approach. Questions to discuss could include the following:

  • Is the firm doing enough to attract internal reporting of possible problems including, but not limited to, potential whistleblowers? Many firms are establishing an appropriate tone at the top, conducting extensive internal outreach efforts, holding training programs, and creating hotlines and other internal reporting venues. Some professionals call this effort creating a culture of “speaking up.”
  • How will the firm manage its response to a serious allegation if and when one arises? Depending on the firm, the legal or compliance departments would seem to be natural choices for leadership, although internal audit or an internal fraud investigative unit may also be reasonable. Once the choice has been made, has it been communicated to other managers who may find themselves in receipt of a serious report?
  • Finally, has the firm identified the types of self-reporting to which it may be subject in a crisis? A firm of any complexity may find itself subject to multiple self-reporting mechanisms with different time periods. These could include the SEC’s zero-grace period as set out in the adopting release for the whistleblower rules, FINRA’s 30-day filing requirement as set out in Rule 4530, or the SEC’s annual-review requirement as set out in the adviser and fund compliance rules. See SEC, Implementation of the Whistleblower Provisions at 76-77; FINRA Rule 4530(b); Rules 38a-1(a)(3) and 206(4)-7(b). Choosing among them will depend on the nature of the firm and the nature of the problem. Nonetheless, an inventory of the firm’s exposure in this regard should not wait until a crisis has arisen.

Step 2: Build Trust
The second step in dealing with the new regulatory environment is to encourage employees to report problems to the firm before they turn to outsiders. The SEC has indicated that it encourages potential whistleblowers to first use internal compliance systems. SEC, Implementation of the Whistleblower Provisions. Firms should not hesitate to take the SEC at its word and move forward with programs to encourage such reports. The issue is: How can this be done?

In a word, potential whistleblowers need trust. Simply telling them “my door is always open” will not suffice. Even putting aside the current low standing of this stock phrase—with management gurus, cartoonists, and songwriters lining up to ridicule it—employees with a painful story to tell will need trust to get them over the portal. Similarly, simply establishing a hotline, without more, will not suffice. A potential whistleblower will need trust to get him or her to pick up the phone.

Building trust is not subject to a simple checklist approach. It requires leadership, honesty, keeping faith with employees, and any number of other virtues that are difficult to build into a flowchart. Nonetheless, one crucial starting point is making sure the personification of trust in an organization is known to all. When an employee has a painful story to tell, who will listen?

Once that person has been identified—perhaps the general counsel, the CCO, or a corporate ethicist—steps can be taken to spread the word about his or her availability, about the terms of access, and just as importantly, why he or she should be trusted. Will conversations be kept confidential to the fullest extent permitted by law? Does the person have a reporting link directly to the top of the organization, showing authority and independence? Is the person’s accessibility part of an overall organizational philosophy, such as a particular approach to quality assurance? The higher the designated person’s profile as a trustworthy point of contact, the better.

Finally, when employees come forward, they should be treated with respect. As a legal matter, anti-retaliation provisions have been a recurring element in the self-reporting initiatives. They appeared in the Sarbanes-Oxley Act, as well as in the SEC’s compliance and whistleblower rules. See Sarbanes-Oxley Act of 2002 at section 806(a), Rule 38a-1(c), and Rule 21F-2. Careful consideration should be given to these requirements. However, beyond the letter of the law, building trust requires the protection of sources. The first employee who reports an issue, and is burned, will probably be the last. If a firm wants the chance to resolve issues internally, it must protect the people who bring them to its attention.

Step 3: Do Not Panic
The third step is obvious, but should not be forgotten. Panic is always dangerous, from a legal and compliance perspective, as well as many others. When good people get themselves into trouble, one can ask “What were they thinking?” The answer often is “They were not. They were in a panic.” When approaching this new environment, legal and compliance professionals should have two thoughts in mind.

First, empirical evidence cited by the SEC in favor of the whistleblower rules suggests that most potential whistleblowers will try to resolve the matter internally, before they turn to an outside authority. The adopting release pointing to experience under the False Claims Act suggests that roughly 90 percent of persons who eventually filed an action also reported the misconduct internally. SEC, Implementation of the Whistleblower Provisions at n. 232. During consideration of the rule, an SEC commissioner who favored the rules pointed to other studies supporting a similar conclusion. Luis A. Aguilar, Commissioner, Incentivizing Whistleblowers to Bring Fraud to Light, Open Meeting (May 25, 2011).

Second, both the SEC’s whistleblower program and FINRA’s mandatory self-reporting rule are focused on serious misconduct. For whistleblowers, this was stated explicitly in the Treasury Department’s Regulatory Reform Proposal of 2009, Treasury, Financial Regulatory Reform at 72, and codified in the Dodd-Frank Act’s requirement that a whistleblower bounty would be available only when the enforcement action results in monetary sanctions exceeding $1 million. Dodd-Frank Wall Street Reform and Consumer Protection Act at section 922(a)(1). For Rule 4530 self-reporting, FINRA’s guidance on the rule has also suggested that reports should focus on significant matters. FINRA Regulatory Notice 11-06 (February 2011) and Regulatory Notice 11-32 (July 2011).

It is difficult to calculate how employee behavior may change, given the possibility of large monetary rewards, and how prosecutorial decision-making may change, given the need to pay whistleblowers. Nonetheless, managers should continue to have an opportunity to address internal problems, including the problems that could eventually qualify for a bounty. Day in and day out, managers can still manage.

Step 4: Commit to Learn the Truth

The fourth step is to commit to learn the truth. In the Cooperation Release, the SEC stated that it would ask “Did the company commit to learn the truth, fully and expeditiously?” The truth can exculpate as well as condemn. Learning it is essential.

The commitment to learn the truth should be made formally, and explicitly, at the outset of a crisis. The right tone is set by a senior executive who says “I want to know what happened here, and I want to know it as soon as possible.” This mandate should animate the entire response.

In the Cooperation Release, the SEC set out other considerations that can serve as something of a checklist when considering how to proceed in this area:

  • Did the firm do a thorough review of the nature, extent, origins, and consequences of the conduct and related behavior?
  • Did management, the board, or committees consisting solely of outside directors oversee the review?
  • Did company employees or outside persons perform the review?
  • If outside persons, had they done other work for the company?
  • Where the review was conducted by outside counsel, had management previously engaged such counsel?
  • Were scope limitations placed on the review? If so, what were they?

If a firm can favorably answer each of these questions, it will have a solid basis for stating that it committed to learn the truth.

Step 5: Create a Zone of Privacy
The fifth step is to create a zone of privacy where privileged communications can be protected. This could seem contrary to the spirit of self-reporting. For self-criticism to be sincere, must every thought and judgment be revealed? At one point, the answer seemed to be yes.

The Cooperation Release suggested that the SEC had an expectation that firms would waive the attorney-client privilege or work-product protection as a means of providing relevant information to the agency’s staff. Cooperation Release at n. 3. Over the next few years, the Department of Justice and the U.S. Sentencing Commission followed suit, and then, after their policies triggered serious controversy, to one degree or another, retracted their views. See the short summary of events set out in Paul Atkins, SEC Commissioner, Remarks before the Federalist Society (September 21, 2006). The controversy reached the SEC, with a commissioner speaking publicly of a “culture of waiver” that should be mitigated by the SEC declining to consider waiver of privilege as a factor affording cooperation credit. Id. A few months later, the director of the SEC’s Division of Enforcement spoke to this area. She said:

First, we do not—indeed we cannot—require waiver of the attorney/client privilege. Second, waiver of a privilege or protection is not a pre-requisite to obtaining credit in a Commission investigation. The credit given is based on, among other things, the factual information given, the timeliness of the provision of information and the usefulness of the information. Waivers may be, and often are, a means to that end but are not an end in and of themselves.

Linda Chatman Thomsen, Director, SEC Division of Enforcement, Remarks before the 27th Annual Ray Garrett, Jr., Corporate and Securities Law Institute 2007 (May 4, 2007).

She went on to express respect for legitimate assertions of the attorney-client privilege and attorney work-product protection, and to note that her interest was in facts, not “core attorney-client communications and opinion work product.” Id. Finally, while she expressed an interest in the facts found in an internal investigation, she stated “We want to encourage parties to consult counsel both regarding potential violations of the securities laws and regarding how best to rectify bad behavior.” Id. This seems to have resolved the issue. More recently, the current director of the Division of Enforcement has complained about some practices used by firms when asserting privileges, such as long delays in production, but not about the assertion of privilege itself. Robert S. Khuzami, director, SEC Division of Enforcement, Remarks to Criminal Law Group of the UJA-Federation of New York (June 1, 2011).

The lesson appears to be that core attorney-client communications and opinion work product can be protected, and regulators expect a firm to do so, even when self-reporting. To effectuate this, firms must identify and control the communications and opinions they seek to protect. A zone of privacy should be created immediately, and disciplined control should be exercised over access to the communications and opinions it contains. If and when the time comes to self-report, these controls may be all that stand between some degree of privacy and complete exposure of the firm’s innermost thoughts and motives.

Step 6: Move Quickly
The sixth step is to move quickly. This should require no great elaboration. In an environment where there is no grace period for self-reporting, time is of the essence. Even meeting the 30-day deadline required for self-reporting pursuant to FINRA Rule 4530(b) could be a challenge, depending on the nature and complexity of the issue. Speed is essential in making inquiries, engaging in fact-finding, and reaching conclusions. Firms should be ready to deploy substantial resources on an expedited basis.

Step 7: Identify a Decider
The seventh step is to designate a specific person who will be responsible for deciding what will be done. To some extent, clarity of leadership is simply good management. In a crisis, it can have enormous repercussions. This is illustrated by In the Matter of John H. Gutfreund, et al., Release 34-31554 (December 3, 1992), perhaps the most significant failure-to-supervise case ever brought by the SEC. In that case, several senior executives of a major securities firm met, discussed a serious compliance problem, left the meeting, and then took no action, each placing responsibility for further action on someone else. Id. In the event, the SEC brought public proceedings against all of them. Id. The proceedings involving the executives who were line supervisors were in the nature of enforcement actions, and the proceeding involving the firm’s general counsel was in the nature of a public report pursuant to section 21(a) of the Securities Exchange Act.

Helpful guidance on this point was issued by FINRA in regard to Rule 4530 self-reporting. It can be applied by all firms, whether or not they are FINRA members. FINRA states that its members’ procedures should:

clearly identify the person(s) responsible for determining whether a violation has occurred, and whether it is of a nature that requires reporting under FINRA Rule 4530(b), as well as the level of seniority of such person(s) (e.g., General Counsel, Chief Compliance Officer, or a senior staff committee).

FINRA, Regulatory Notice 11-32 (July 2011).

Formally designating a “decider” plays several roles. First, the designation ensures clarity in the decision-making process, and avoids the sort of after-the-fact disputes about authority and responsibility that clouded the Gutfreund case. Second, if someone will be held accountable for making a decision, they should know it at the time. Third, if someone is merely an advisor, that also should be known at the time. This last consideration is particularly relevant for legal and compliance staff who may play an active role in responding to a problem, even though, ultimately, someone else is responsible for the decision.

Step 8: Remedy, Remedy, Remedy
The eighth step is to remedy the problem immediately or at least initiate a serious and adequately funded response. In the Cooperation Release, the SEC indicated that one of the factors it would consider in assessing cooperation was “How long after the discovery of the misconduct did it take to implement an effective response?” SEC,Cooperation Release. This must be a priority. Two thoughts warrant consideration in this regard.

First, some firms experience the temptation to fire one or two people and declare the problem “solved.” The SEC appears to have contributed to this syndrome by indicating, in the Cooperation Release, that it would consider whether the individuals involved in a problem were still in the company’s employ. Id. Few problems are the result of isolated personal failures. Rather, it is the underlying problems that require remedial action: lack of resources, mixed supervisory signals and misguided compensation, or evaluation systems. Firing individuals, standing alone, rarely constitutes a remedy. Firms should be ready to demonstrate that they are thinking about the real problems and addressing them.

Second, in formulating remedies, some firms are reluctant to consider how the problem impacted customers. In many cases, this seems to be a matter of self-image. It is difficult to admit mistakes, particularly to customers. In considering remedies, firms should always consider if customers were impacted and what reasonable steps can be taken in mitigation. Indeed, whatever changes periodically sweep through the regulatory environment, wise legal and compliance professionals will continue to focus on customers and will always give top priority to their grievances.

Step 9: Report Up
The ninth step is to report up within the firm. There are specific requirements that must be considered: Does the problem implicate the jurisdiction of the audit committee, and if so, has an appropriate report been made? Similarly, does it implicate the code of ethics, and again, if so, has an appropriate report been made? Finally, how should it be reflected in the annual compliance review? Moreover, beyond any specific regulatory requirement, timely internal reporting to the highest levels of the organization should be considered. This is particularly true of organizations with independent directors, such as mutual funds, because of their role in assuring the fund’s internal compliance. See Investment Company Act of 1940, section 10(a).

Step 10: Report Out
The tenth and final step is to self-report. The decision whether and when to self-report a possible problem to regulators is among the most serious that a firm can make. It should never be made lightly, should always be supported by considered inquiry, and should always be approved at the highest levels of the firm.

Ironically, in the Gutfreund case discussed above, some of the uncertainty among the executives was apparently caused by their belief that the CEO was considering reaching out personally to a senior-level regulator to report the problem. In the Matter of John H. Gutfreund. While that report was not made, and led to confusion among the executives, it reflects an appropriate line of thinking. At what level should a report be made? There is no one right answer. In a borderline case, where a firm decides to self-report even though it is probably not necessary, the report should be made at an appropriately junior level. In a serious case, where the credibility and integrity of the firm is at stake, such as the situation in the Gutfreund case, the report should be made at the highest levels. Over-reacting in the first situation would communicate an unwarranted gravity. Under-reacting in the second would communicate an inappropriate lack of executive attention.

Criticism and self-criticism have become so engrained in our regulatory environment that they hardly draw any notice. Nonetheless, from time to time a development is sufficiently dramatic to bring new attention to settled practices and long-term trends. The SEC’s program of paying informants is one such event. It contrasts with the traditional focus on aggrieved customers and highlights 10 years of initiatives to foster and then require self-reporting. Is it a tipping point into a radically different regulatory regime? Hopefully, bleak predictions of a future dominated by paid informants and forced confessions will remain the stuff of science fiction. Certainly, though, the program places new demands on legal and compliance professionals. The 10 steps addressed above should help them rise to the challenge.

Keywords: litigation, professional liability, SEC, whistleblower, FINRA, Cooperation Release, Gutfreund

John H. Walsh is a partner with Sutherland, Asbill & Brennan, LLP in Atlanta, GA.