The Dodd-Frank Wall Street Reform and Consumer Protection Act was signed into law in July 2010 and introduced sweeping reforms to the country's financial regulatory system by creating two new regulatory oversight bodies and an extensive regulatory framework that covers everything from over-the-counter derivatives to creditrating agencies. What looks to be one of Dodd-Frank's “sleepers”—provisions that were not highly publicized prior to the bill's passage but will have big effects for public companies—is the law's “bounty” provision for corporate whistleblowers.
Under the law, any whistleblower who voluntarily gives original information to the SEC or the Commodity Futures Trading Commission that leads to any successful enforcement action will be paid at least 10% and up to 30% of a total penalty for any securities violation that exceeds $1 million. In its proposed rules to implement the law, the SEC acknowledges that providing potential whistleblowers two separate options for reporting illegal activity has created “competing interests” by instituting a program that provides monetary incentives to whistleblowers that effectively negate a company's existing processes for investigating and responding to potential violations of federal securities laws.
Public company compliance teams that have spent time and money building and maintaining their companies' internal reporting systems as required by the Sarbanes-Oxley Act of 2002 (SOX) are going to find it tough to compete with a program that offers money for information. And false claims to the SEC have the potential to drain a company's resources, especially in a recession economy. The SEC's proposed rules say that information reported internally through a company's internal whistleblower reporting structure will still be considered “original” information by the SEC if it is reported within 90 days, preserving the criteria a whistleblower must meet in order to remain eligible for an award. The SEC hopes to further incentivize potential whistle blowers to use their company's internal reporting system by giving credit for doing so in the calculation of award amounts.
The SEC's proposal does not require whistleblowers to first use their companies' own reporting procedure before going to the SEC, but it should. The SEC has said that some companies lack a well-documented, thorough, and robust reporting process, leaving a potential whistleblower with a lack of options and little incentive to report illegal activity—but with Dodd-Frank in place, this is no longer the case. By requiring whistleblowers to use their companies' existing internal reporting procedures prior to contacting the SEC, they can work within the existing framework and in the process remove those competing interests.
The Society's Code and Enforcement
While independent auditors who gain reportable information by carrying out their duties as CPAs during a financial statement audit are not eligible for an award, Dodd-Frank's bounty provision does have implications for NYSSCPA members working in industry. The NYSSCPA's Code of Professional Conduct states that, in offering to perform any professional services in the practice of public accountancy (and remember, public accountancy in New York State now includes CPAs employed in government, industry, and education), members maintain their integrity by “complying with whistleblowing or other similar internal policies or processes, should they exist, of any organization with which the member is affiliated.” That includes employers and applies if a member becomes aware of any significant unethical activity, regardless of any duty to maintain client or employer confidentiality. The Society's code directs its members to use a company's own internal policies to report unethical activity. If a company has no such policies, members cannot avail themselves of this provision. Members should also be aware of guidance given in the Society code's rule on confidentiality, which also encourages members to adhere to the internal reporting policies of any organization a member is affiliated with, including employers.
Enforcement of this whistleblowing provision may present a challenge for the SEC. At least one agency charged with providing oversight of a whistleblower program is dealing with this issue, according to the Department of Labor's Office of the Inspector General (OIG)—Office of Audit. The Occupational Safety & Health Administration (OSHA) is in charge of enforcing SOX section 806, which forbids retaliation against whistleblowers; however, a recent audit by the OIG found that complaints did not always receive appropriate investigations under the Whistleblower Protection Program.
The OIG estimated in its September 2010 report that 80% of applicable investigations under the program did not meet one or more of eight elements from the Whistleblower Investigations Manual that were essential to the investigative process. As a result of not providing complainants with thorough investigations, OSHA could not provide assurance that complainants were protected as intended under the various whistleblower protection statutes. The OIG also found that OSHA inspectors, on average, were working on between six and 35 open investigations at a time. According to OSHA, an investigator can handle between six and eight open investigations at a time. Will the SEC's inspectors meet the same fate of an unmanageable caseload in their efforts to review the thousands of complaints that are expected? If so, how effective will the new program be?
There have already been delays. The SEC announced in December that it had to shelve creating its whistleblower program due, ironically, to a lack of funds. While Dodd-Frank increases the SEC's budget by about $1 billion by 2015 to implement the law, Congress still needs to approve the funding. Because there is still uncertainty over the federal government's 2011 fiscal year budget, which would raise the SEC's budget to $1.3 billion from $1.12 billion last year, the commission's Department of Enforcement has temporarily been assigned to carry out Dodd-Frank's whistleblower requirements.
The effects of the Dodd-Frank whistleblower provisions on CPAs, their employers, and their clients will be the subject of the NYSSCPA's next Breakfast Briefing in New York City on January 28, 2011. The discussion promises to be an interesting one: Among the panelists are Sherron Watkins, the reluctant CPA whistleblower whose email to her former boss, Enron CEO Ken Lay, began with the portentous words, “Is Enron a risky place to work?” and former SEC Commissioner Paul S. Atkins, who, under former SEC Chairman Arthur Levitt, was responsible for organizing the SEC's individual investor program. Rounding out the panel will be Marion E. Koenigs from the PCAOB's Division of Enforcement and Investigations. Moderating the briefing will be Francine McKenna, a Forbes columnist and author of the watchdog blog, re: The Auditors. I hope to see you there.