PRACTICE POINT: The Whistleblower Rule and A Preparation Checklist
OCIE’s recently published National Exam Program Risk Alert put investment advisers and broker-dealers on notice regarding the SEC Staff’s expectations about compliance with key provisions under Rule 21F-17 (“Securities Whistleblower Incentives and Protection”) of the Dodd-Frank Act, known as the Whistleblower Rule. The Rule requires that:
In an inspection, the OCIE Staff may examine your compliance manuals, codes of ethics, employment agreements, and severance agreements to determine whether they contain provisions that improperly limit voluntary communications with the SEC, especially those pertaining to possible securities law violations.
How can you prepare in light of these expectations?
ReGroup Practice Points
A thoughtful approach to whistleblowing compliance starts with a solid understanding of the requirements and a consensus among your firm’s senior management. Your approach may necessarily impact current, former, and future employees in a way that is best served by executive buy-in and firm-wide coordination.
Use the following checklist to help prepare:
1. Confidentiality Requirements
a. Identify and collect language where your firm:
- Limits, in writing, the types of information an employee may convey to the SEC or other authorities;
- Requires an employee to notify or obtain permission from the firm prior to disclosing confidential information regarding possible securities law violations to the SEC;
- Limits an employee’s disclosure of confidential information to that which is “required by law,” without an exception for voluntary communications; or
- Requires a departing employee to waive beneficial rights if they report information to the government.
b. If a provision could be construed as limiting the employee/former employee’s ability to communicate perceived violations of the law to regulators, then:
- Revise the language to make it clear that no such limitation exists;
- Encourage individuals to report perceived violations to the firm directly and make a safe avenue available to vet those concerns; and
- Provide corrective communications to former employees whose severance arrangements include the limiting language (see #6 below).
2. Codes of Ethics
a. Review your Code of Ethics to determine whether it contains provisions that direct employees to communicate perceived violations of the law to the appropriate internal resource;
b. In fact, consider including a process (in your Code or a separate procedure) that rewards employees for communicating behavior that could threaten your firm’s regulatory health to an appropriate officer;
c. Include a statement that nothing in the Code of Ethics, or in any firm document, prohibits a current or former employee from voluntarily communicating a potential or suspected violation to SEC Staff; and
d. Include a clear statement that whistleblowing activities will not result in retribution against an employee.
3. Education
a. Educate senior managers on the scope of the rule, and the scope of your recommended program;
b. Educate employees about the firm’s stance and process with regard to reporting potential violations of the law; and
c. Encourage, but do not require, employees to report perceived violations of the securities laws to an appropriate officer as their first step.
4. Compliance Manual
a. Adopt a policy and procedure that outlines:
- The affirmative steps your firm takes to comply with whistleblowing rules; and
- The steps your firm takes to investigate, document, report to management, and act upon the information if necessary.
5. Employee Manual
a. Review the employee HR manual for any conflicting language.
[NOTE: Because HR Manuals and Compliance Manuals are often written by different people and often at different times, we find that they often contain inconsistent and competing information. Therefore, periodically conduct a review of - and edit - the documents together.]
6. Employment and Severance Agreements
a. Review current employment agreements, letters of understanding, offer letters, and severance agreements to identify any provision that might be construed as limiting the employee’s ability to communicate perceived violations of the law to regulators;
b. If you identify such language, consider notifying the employees/former employees in writing that your firm does not prohibit them from communicating with the SEC regarding perceived violations of the law; and
c. If you use outside counsel to draft employee agreements, speak with them about the whistleblower provisions; HR lawyers often work across dozens of industries, and may not be aware of the requirements.
7. Risk Assessment
a. Your firm’s risk assessment should include a consideration of the various elements of your whistleblower requirements. Conduct a risk assessment at least annually and create a written record of the process, findings, and recommended modifications.
8. Compliance Log
a. Record modifications to your whistleblower program in a compliance log or annual review report. It’s an easy step to ignore given the mounting to-do lists of most compliance officers, but relying on your memory as a repository does not serve your firm well. A written log of important milestones creates a credible document that is easy to produce in the event of an OCIE inspection of your firm.