March 27, 2014 Articles

Practical Implications of the Dodd-Frank Whistleblower Program

What the SEC's new approach to enforcement means for accounting and auditing firms.

By Dana S. Douglas and Kathleen M. Przywara

Every public company and financial firm subject to the enforcement jurisdiction of the U.S. Securities and Exchange Commission (SEC) employs internal and external accountants and auditors. These accountants and auditors, under the whistleblower program implemented under the Dodd-Frank Act, may now be able to use information obtained during professional engagements to blow the whistle on a client or employer and obtain a monetary award. This shift in SEC enforcement raises significant issues both for auditing firms and for an accountant who decides to file a complaint. There are many steps that auditing firms can take to enhance their own internal reporting procedures and thereby mitigate the whistleblower program’s effect.

Overview of the Whistleblower Program
In response to the perceived failures of regulatory agencies to discover improprieties in the securities and commodities markets, the SEC supplemented the Dodd-Frank Act in August 2011 with new rules designed to use the whistleblower as an enforcement tool. Codified in section 922, these new rules provide protection from retaliation and reward employees in both public and private companies who report “original information” about a violation of the federal securities laws with between 10 and 30 percent of any judgment in a successful enforcement action—either judicial or administrative—exceeding $1 million. The Office of the Whistleblower was established to administer this new whistleblower program.

In fiscal year 2013, the program received 3,238 tips, complaints, and referrals, which was almost 8 percent more than in 2012. Even so, the number of enforcement actions brought by the SEC has not yet significantly increased: The SEC brought 735 enforcement actions in 2011, 734 in 2012, and 686 in 2013. Notably, however, the SEC recovered $3.4 billion in disgorgement and penalties resulting from the 2013 actions, which is 10 percent more than 2012 and 22 percent more than 2011, despite the fact that more actions were filed in those years. By estimate, over $15 million in awards have been issued to six individuals to date, $14 million of which was paid out to a single whistleblower in 2013. Thus, despite the relatively low number of awards to date, their magnitude has led the SEC and Office of the Whistleblower to tout the program’s success, continued momentum, and “big impact on our investigations by providing us with high quality, meaningful tips.”

Challenges for Accounting and Auditing Firms
The whistleblower program presents more challenges for auditing firms than it does for public companies in that auditors, accountants, and those with compliance responsibilities are generally excluded from blowing the whistle on clients, unlike ordinary employees. But the exclusions are subject to what seem to be broad exceptions. In addition, accountants and auditors may blow the whistle on their own firms. This complexity, coupled with the SEC’s stated renewed focus on financial statement and auditing fraud, renders it necessary for auditing firms to know when the whistle can be blown and for the firms to strengthen their internal reporting policies to encourage problems to be dealt with in-house first.

The SEC’s rules initially state that accountants and auditors are generally ineligible for whistleblower awards. Rule 21F-4(b)(4)(iii) explicitly excludes information or analysis obtained by auditors and other persons with compliance or governance duties from the definition of “original information.” Those excluded include (1) internal client employees in the compliance or internal audit area and also employees of external firms retained to perform such work; (2) employees of external firms retained to investigate possible violations of law; and (3) employees of, or other persons associated with, a public auditing firm, if they obtained the information through the performance of an engagement required of an independent public accountant under the federal securities laws, such as being involved in the preparation of annual or even quarterly reviews.

But exceptions apply that allow auditors and other employees of auditing firms to become eligible SEC whistleblowers. Specifically, the exceptions listed in Rule 21F-4(b)(4)(iii) do not apply if any of the following circumstances are present: (1) an auditing individual has reason to believe that disclosure of the information to the SEC is necessary to prevent the engagement client from engaging in conduct likely to cause substantial injury to the financial interest of the entity or investors; (2) the individual has a reasonable basis to believe that the relevant entity is engaging in conduct to obstruct an internal or SEC investigation; or (3) at least 120 days have elapsed since the individual (a) provided the information to the relevant entity’s audit committee, chief legal officer, chief compliance officer, or supervisor, or (b) received the information, if he or she received it under circumstances indicating that the entity’s audit committee, chief legal officer, chief compliance officer, or supervisor was already aware of the information. Put differently, this third exception states that if the entity fails to report to the SEC information learned by an accountant or auditor of a potential violation and no otherwise eligible individual blows the whistle first, the accountant or auditor can report the information to the SEC after 120 days have passed.

Rule 21F-8(c)(4) mandates that no exception applies, however, to allow auditors or accountants to blow the whistle on a client using information obtained through an audit of an issuer’s financial statements, which is required under section 10A of the Securities and Exchange Act. (This is as opposed to the fact that the exceptions do apply with respect to information obtained through audits of registered broker-dealers and investment advisors.) Instead, section 10A requires an audit firm that detects or otherwise becomes aware of a possible illegal act in the course of conducting an audit of an issuer to ensure that the issuer has taken appropriate remedial measures and to cause a report to the SEC in certain circumstances. See 15 U.S.C. § 78j-1. Thus, the whistleblower program specifically prohibits auditors who are responsible for filing a section 10A report or triggering a section 10A investigation from going to the SEC first and potentially profiting from such activities. But even this exception has an exclusion, as the SEC has stated that a submission by an auditor or accountant is not contrary to section 10A—even where the Rule 21F-8(c)(4) exception would otherwise apply—where the whistleblower has a reasonable basis to believe either that (1) the disclosure is necessary to prevent the entity from committing a material violation of the securities laws likely to cause substantial injury to the entity or investors, or (2) the entity is attempting to obstruct an investigation of misconduct, even absent any auditor misconduct. See Release No. 34-64545, Implementation of the Whistleblower Provisions of Section 21F of the Securities and Exchange Act of 1934 (Aug. 12, 2011), at 145–46.

In addition, auditors can become eligible whistleblowers by reporting information on their own firms, except where such submissions would be contrary to section 10A. Acceptable reports include those concerning a firm’s or another auditor’s failure to comply with section 10A after detecting an illegal act, which is a violation of the securities laws and can form the basis for a whistleblower submission. This also includes reports that an auditor failed to follow other professional standards. See Release No. 34-64545, supra, at 140–41. In addition, if an employee of an auditing firm believes that other members of the firm are engaged in wrongdoing with a client, he or she may blow the whistle. In such cases, it appears that the whistleblower may be able to obtain an award from a successful enforcement action against the firm and also against the client. In allowing these exceptions to the previously mentioned exclusions for awards, the SEC has emphasized that auditor compliance with the securities laws is imperative to its mission, as it believes that auditors play an important gatekeeping role in the securities markets.

Accountants and auditors should consider whether the information they seek to disclose to the SEC is protected by any privilege. Rules such as the AICPA Code of Professional Conduct and Bylaws and the rules and regulations of state boards of accountancy may prohibit certain disclosures of confidential client information. Auditors also may receive work product from clients, which they separately should or need to protect. Significantly, the SEC has declined to explicitly exclude from award eligibility information submitted in breach of professional-confidentiality requirements, and its rules generally permit whistleblowers to maintain anonymity up until receiving an award. Still, accountants and auditors considering blowing the whistle should be aware that the SEC rules do not directly protect them from disciplinary actions for breaching confidentiality. As a relevant analogy, the Second Circuit recently recognized with regard to the disclosure of attorney-client privileged information as the basis for a False Claims Act report, that while the federal statute permits any person to bring a suit, “it does not authorize that person to violate state laws in the process.” United States v. Quest Diagnostics, Inc., 734 F.3d 154 (2d Cir. 2013).

How Accounting and Auditing Firms Can Strive to Keep Whistleblowing In-House

Revise, create, or confirm the rules. Auditing firms should refine their codes of conduct and compliance policies, and firms should clearly lay out their section 10A procedures. Firms that do not have rules regarding section 10A procedures should create them. Firms should formally stress the importance of compliance with securities laws and emphasize that employees are required to aid in maintaining compliance both by complying with the standards themselves and by reporting internally those who run afoul of the laws.

Educate employees. Initially, firms should review the adequacy of their training on generally accepted auditing standards, particularly with regard to the consideration of fraud and illegal acts. Internal training should be updated where necessary to discuss the factors that the SEC considers red flags of illegal activity and should highlight the firm’s section 10A procedures. Following these updates in substantive training, firms should strive to make their refined codes of conduct and internal compliance-reporting procedures highly visible to employees at all levels through mandatory training. A thorough explanation of the internal reporting steps and procedures will foster confidence in the system and will promote the level of comfort employees will have in taking their complaints inside, rather than outside to the SEC. After training is complete, firms may consider obtaining signed acknowledgements from each employee stating that he or she understands the codes and policies and will adhere to them. This is a procedure that should be repeated annually, and it could serve as a tool to re-emphasize the importance of compliance and it may also provide firms with a proactive opportunity to follow up on negative or non-responses.

Implement a credible internal reporting system. An essential element of requiring that employees prioritize compliance is implementing an efficient and effective internal reporting system with adequate staff and resources to investigate complaints of wrongdoing. Often a combination of complaint-intake methods can help promote internal reporting. For example, some employees may prefer to report compliance issues to their direct supervisors, who should be appropriately trained on how to handle such complaints and who should proactively explore potential problems through discussions at divisional meetings and performance-review sessions. Other employees may prefer an anonymous system for submitting reports, such as a secure telephone tip line or an online submission system, potentially managed by a third party.

After receiving a complaint, firms should ensure that the complaint is promptly investigated and remediated within about four months, if at all possible, in light of the whistleblower program’s 120-day grace period for the reporting employee to file a complaint with the SEC after reporting internally. A quick response will increase the probability that employees will be satisfied with how their reports are treated internally, which should make them less likely to seek outside assistance from the SEC. In addition, a firm’s demonstration that it views compliance and internal reports seriously will increase use of and satisfaction with the internal reporting system. To this end, firms should provide reporting employees with proper follow-up briefing and documentation about any investigation taken in response to a report. Firms can also consider publicizing any remedial measures taken with respect to the wrongdoer or providing internal recognition to the whistleblower for bringing issues to management.

In addition, firms should consider reporting violations to the SEC quickly, if necessary, again no later than 120 days after a possible violation is reported. This will allow firms to tell their side of the story to the SEC first, before reporting individuals reach out to the SEC in search of an award.

Prohibit retaliation. Firms should take extra care to make sure that retaliation against reporting employees is strictly and explicitly prohibited, first by including relevant language in the codes of conduct and compliance policies and second by educating employees on the prohibited practices. In addition, all employees should be notified, in writing, that anyone who retaliates, harasses, or discriminates against another employee for raising concerns will be subject to disciplinary action, up to and including termination. Following an internal report of misconduct and investigation, management should periodically follow up with the reporting employee regarding any retaliation concerns.

Change the way terminations and layoffs are conducted. Firms should also take care to conduct thorough exit interviews and to ask specifically about any compliance issues or concerns the departing employee may have. If a firm encounters an employee with a claim that it cannot prevent from going to the SEC, it should engage counsel, initiate its internal investigation, and institute a document-retention hold procedure.

Keywords: professional liability litigation, Dodd-Frank, whistleblower, accounting, auditing


Dana S. Douglas is a partner and Kathleen M. Przywara is an associate at Mayer Brown LLP, in Chicago, Illinois.

Copyright © 2014, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).