by Stephen Kohn
Compliance officials are not to blame; they often speak out against lawyer-controlled program and even become whistleblowers. This is why, as explained in Rule 15, the Securities and Exchange Commission created a specific rule permitting auditors, directors, and all employees who perform compliance functions to blow the whistle on the company and obtain a reward. The SEC has paid rewards to compliance officials.
Most compliance professionals, whether or not they ultimately report to the general counsel, want their programs to be independent. A March 2013 survey of ten thousand compliance professionals, conducted by the Society of Corporate Compliance and Ethics and the Health Care Compliance Association, demonstrated this point. The question was simple: Should corporate compliance officials report to the company’s general counsel? The response was overwhelming—“88.5% of the surveyed compliance professionals were opposed to the corporate counsel serving as the compliance officer.” According to the survey, employees who worked in compliance understand there is an inherent conflict of interest between a compliance function (“encouraging reports”) and the job performed by a company attorney (“defending the company”).
Senator Charles Grassley, as chairman of the Senate Finance Committee, also weighed in on this issue. He pointed out that the roles of general counsel and chief compliance officer were distinct, and that merging these two functions created a conflict of interest. As an Iowan, his words were blunt: “It doesn’t take a pig farmer from Iowa to smell the stench of conflict in that arrangement.”
New York Ethics Opinion 650
Should there be any doubt as to where a lawyer-run compliance program’s loyalties lie, the cautions approved by Opinion 650 of the New York State Bar Association Committee on Professional Ethics settle the issue. The Committee looked at the corporate attorney’s conflicts of interest and explained the nature of the warning that must be given to employees who contact an attorney-managed compliance program. These warnings, which are almost never given, are designed to ensure that an employee who contacts an attorney-managed program clearly knows that the program is designed to protect the company, not the worker or whistleblower.
In its opinion, the committee addressed the question of whether a corporate attorney could participate in a “compliance” program under which employees are required to report illegal or unethical behavior. The Committee determined that lawyers, as well as those individuals operating under the attorneys (such as paralegals or investigators), could participate in such programs only if certain precautionary measures were taken. The Committee approved an adverse-interest script, drafted by the company seeking the ethics opinion. The company mandated that this script be read to all persons who called into the company’s compliance program:
When it appears that a caller’s interests may differ from or there is a reasonable possibility that such interests may be “in conflict” with the Company’s interests:
1. Determine whether the caller is represented by counsel. If yes, make the following statement: “The Company’s policy requires that you report non-compliance with the law or other unethical behavior. However, as you are represented by counsel, I can only talk to you through your counsel. Please have him/her call me or give me his/her name and I would be happy to call him/him.”
2. If the caller is unrepresented by counsel, please make the following statement: “I want to caution you that I am an attorney for the Company and not for you or other employees. Therefore, while I can record your complaint, I cannot and will not give you legal advice, and you should not understand our conversation to consist of such advice. I do advise you to seek your own counsel, however, as your interests and the Company’s may differ. Having said this, I would be happy to listen to your complaint,” etc.
The Committee also noted that although the Code of Professional Conduct is addressed to lawyers, the lawyers must diligently supervise non-lawyers to ensure that the rules of professional responsibility are not violated. In other words, the non-lawyers also have to provide these warnings to the employees who call into the compliance hotline. The New York rule is consistent with the general ABA rules governing attorney conduct.
What to Do If the Company’s Attorneys Knock on Your Door
The key advice for any potential whistleblowers who may find themselves in the middle of a compliance investigation (or whose concerns may have triggered the investigation) is to contact your own attorney before you make any disclosures. Whether or not to meet with or provide information to a company lawyer (or compliance personnel who work for the lawyer) must be made on a case-by-case basis. You must understand that the company lawyer does not represent you, and may use any information you provide (or don’t provide) against you.
Various hypothetical situations call for differing responses. For example, assume you are already giving information confidentially to the government. Your allegations trigger a DOJ investigation. The company’s lawyers (or outside counsel), not knowing that you were the source, ask to interview you as part of their defense to the DOJ review. If you refuse to be interviewed, you may tag yourself as a whistleblower or, at a minimum, not a “team player.” Refusal to be interviewed will raise suspicion. On the other hand, assume you agree to the interview but withhold information. The company may use your statement to impeach you in the future, stating that either you did not really know the facts or were holding information back for nefarious reasons. The decision whether to be interviewed, and what to say during the interview, is highly strategic and must be well thought out. It is highly recommended that any such decision be made after consulting with your own attorney, an attorney whose allegiance is to you and you alone.
Another frequent issue arises when the company informs you that you are a witness in an investigation and then offers to pay for an attorney to represent you personally due to a potential conflict of interest. This is very common, especially in Foreign Corrupt Practices Act cases, where individuals can be held personally accountable, along with the company itself. Don’t be fooled by this offer. You get what you pay for. When companies hire outside attorneys to represent their employees, these outside lawyers are almost always beholden to the company that pays their fee. In most every case these attorneys will work hand in hand with the company lawyers, share your information with the company, and give you bad advice.
The decision whether to let the company hire a lawyer for you and what you say to that lawyer is another strategic decision. If all the other company witnesses are letting the company hire and pay for their attorneys, you will stick out like a sore thumb if you refuse. When you talk with a company-sponsored outside attorney, regardless of what the lawyer says, understand that he or she cannot be trusted. The attorney was picked by the company, is paid for by the company, and knows where his or her next (very large) paycheck is coming from.
In each of these circumstances, you need a lawyer who understands the law, can advise you as to whether you could qualify for a reward, and who has undivided loyalty to your best interests. Working with your own counsel is the best way to navigate these extremely treacherous waters. Bad decisions can undermine your credibility, arm the company with defenses against your whistleblowing, or even lead you to becoming a scapegoat for the problems. Good decisions can give you a door into the company’s strategies and help you and the government understand how the company may be manipulating witnesses or trying to cover up wrongdoing.
PRACTICE TIPS
• Upjohn Co. v. United States, 449 U.S. 383 (1981) (the Supreme Court decision discussing when attorney-client privilege applies to a compliance investigation).
• In re: KBR, 756 F.3d 754 (D.C. Cir. 2014) (broadly defining corporate attorney-client privilege in the context of compliance investigations).
• U.S. ex rel. Barko v. Halliburton Co., No. 1:05-cv-2276, Opinion and Order dated March 6, 2014 (D.D.C.) (district court docket in the KBR cases).
• New York State Bar Association Committee on Professional Ethics Opinion 650, July 30, 1993; ava
ilable at http://old.nysba.org/Content/ContentFolders/EthicsOpinions/Opinions601675/EO_650.pdf (ethical rule discussing the duties attorneys are supposed to follow when participating in compliance programs and investigations).
• The RAND Center for Corporate Ethics and Governance, “Transforming Compliance: Emerging Paradigms for Boards, Management, Compliance Officers, and Government”; published at www.rand.org/pubs/conf_proceedings/CF322.html (presents an excellent discussion of the policy issues facing compliance programs, especially those run by general counsel).
RULE 19Auditors and Compliance Officials: Qualify for Rewards
Almost all large corporations in the United States (and worldwide), including most banks, hospitals, government contractors, and every publicly-traded company, are required to have compliance programs, auditing departments, and strong procedures for “internal controls.” All companies that trade on the U.S. Stock Exchanges are required to have employee concern programs capable of accepting and investigating confidential or anonymous internal employee allegations regarding “questionable” accounting or auditing practices. Thousands of compliance professionals (including auditors, accountants, and lawyers) work within these programs. The work they do is inextricably linked to whistleblowing.
These compliance professionals are on the front line of uncovering and reporting fraud. In 2015 the Institute of Internal Auditors, a trade association of more than 180,000 members in 170 countries, published its study Politics of Internal Auditing. As part of the study five hundred North American chief audit executives (CAEs) were questioned as to the pressures confronting auditors. A majority of CAEs reported that they had been directed to suppress important audit findings.
• 55 percent of the CAEs were directed to omit important findings from their audit reports;
• 49 percent were directed “not to perform audit work in high-risk areas”;
• 32 percent were instructed to audit “low-risk” areas, in part so that executives could “retaliate against another individual.”
The pressure to change audit reports came from the top (see Figure 10). When asked who “directed” them “to suppress or significantly modify a valid internal audit finding,” the CAEs reported that 38 percent of these requests came from a company’s Chief Executive Officer, 24 percent came from a Chief Financial Officer, and 12 percent came from the Board of Directors. Significantly, 18 percent of the requests came from persons with significant oversight responsibility (the Chief Compliance Officer, legal or general counsel, the Chief Risk Officer, or the company’s Audit Committee).
A comprehensive survey of 14,518 auditors from 166 countries reported vicious retaliation when the auditors refused to change their findings. Forms of retaliation included pay cuts, transfers to other positions, terminations, being eased into retirement, budget cuts, exclusion from important meetings, being ostracized, audit department outsourcing, and hostile working conditions.
After Congress enacted the Dodd-Frank Act, authorizing corporate whistleblowers to obtain monetary rewards for reporting violations of securities and commodity trading laws, and the Foreign Corrupt Practices Act, the U.S. Chamber of Commerce worked overtime to block auditors and compliance officials from obtaining whistleblower protection. The group vigorously argued that employees paid by the company to uncover, report, or correct problems should not be afforded an opportunity to obtain a whistleblower reward. The Chamber advocated for a strict rule prohibiting all workers who had corporate oversight duties from collecting rewards.
The whistleblower advocacy community quickly spoke up about the injustices suffered by compliance officials for doing their job “too well,” and the Securities and Exchange Commission was provided with examples of compliance officials being fired in retaliation for their audit findings. Directors, auditors, and compliance officials are often the first to see or understand the nature of a company’s illegal actions, and whistleblower advocates argued that prohibiting them from qualifying for rewards would seriously undermine the ability of the government to learn about major frauds.
In 2010–2011 the SEC, after conducting public rulemaking proceedings, made a historic compromise on this issue. The SEC approved a creative approach that promoted honest and independent compliance programs, while at the same time recognizing whistleblower rights. Shortly thereafter, the Commodity Futures Trading Commission adopted an identical rule.
The Chair of the SEC explained the basis for her compromise:
No issue received more focus during this process than the role of internal compliance programs. As I have often said, internal compliance programs play an extremely valuable role in the fraud prevention arena. And we have sought to leverage compliance officers who can help protect investors by keeping companies on the straight path. . . . I believe that the final recommendation strikes the correct balance—a balance between encouraging whistleblowers to pursue the route of internal compliance when appropriate—while providing them the option of heading directly to the SEC.
The final rule is tricky. The bottom line is that in almost every case, employees performing compliance functions who learn about violations of law as part of their official duties can qualify for rewards. However, they must pay careful attention to the fine procedural details of the SEC’s final reward rules.
At first glance, the rules appear to disqualify employees who perform compliance functions. The rules state: “An employee whose principal duties involve compliance or internal audit responsibilities” cannot obtain a whistleblower reward. Additionally, any employee who “learned” of the violations “in connection with the entity’s processes for identifying, reporting, and addressing possible violations of law” is also exempt from obtaining a reward. This exemption also applies to employees from any outside “firm retained to perform compliance or internal audit functions.”
Based on this prohibition, it would appear that Wall Street won the day, and that thousands of employees were excluded from the rewards available under the Dodd-Frank Act.
But that isn’t the whole story. The regulations contained three exceptions that effectively circumvented the rule:
First, if “you [the compliance officer, director, attorney, auditor, etc.] have a reasonable basis to believe that disclosure of the information to the Commission is necessary to prevent the relevant entity from engaging in conduct that is likely to cause substantial injury to the financial interest or property of the entity or investors,” you can immediately report your concerns to the SEC and qualify for a reward.
Second, if “you have a reasonable basis to believe that the relevant entity is engaging in conduct that will impede an investigation of the misconduct,” you can immediately report your concerns to the SEC and qualify for a reward.
Third, if “at least 120 days have elapsed since you provided the information to the relevant entity’s audit committee, chief legal officer, chief compliance officer (or their equivalents), or your supervisor, or since you received the information, if you received it under circumstances indicating that the entity’s audit committee, chief legal officer, chief compliance officer (or their equivalents), or your supervisor was already aware of the information,” you can thereafter report to the SEC and qualify for a reward.
The third exception—“120-day rule”—is the easiest and safest exception to qualify under. The rule sets tangible, quantitative criteria. Comply with the deadline and you can qualify for the rule. It is that simple. If the company does not make a full and complete self-report to the government within the given time frame, the 120-day rule kicks in, and every employee who performs compliance-related functions can now file a whistleblower claim and qualify for a reward. In this regard, the safest method for compliance-related employees to qualify for a reward is to count the days the company is aware of the fraud allegations. If the company does the right thing, aggressively investigates and self-reports the violations to the government, then the matter is resolved and there is no need for an SEC filing. But if the company ob
fuscates, delays, covers up, retaliates, or ignores the bad news, after 120 days all employees, including those working in compliance and audit functions, can file a claim with the SEC.
In addition to the 120-day rule, compliance-related employees can file claims at any time if the underlying fraud is large and could cause “substantial injury” to investors, or if the company is engaging in a cover-up (i.e., impeding an internal investigation). The main problem with these two exceptions is their subjective nature. What evidence does an employee need to produce to demonstrate a potential cover-up? When is an employee’s concern about a “substantial injury” reasonable in the eyes of the SEC? These exemptions involve subjective judgments. The 120-day rule eliminates the discretion the SEC has to deny or reduce a reward because it disagrees with the employee’s opinion that the company was impeding the investigation or that investors were about to suffer “substantial injury.”
These exceptions will permit compliance officials to obtain financial rewards, except in cases in which companies with extremely well-structured, independent, and accountable compliance programs are willing and able to conduct aggressive investigations and top management will react properly to the bad news they often try to avoid. Moreover, these companies must also be willing and able to honestly and completely self-report their misconduct to the government within 120 days of their initial receipt of an internal whistleblower complaint or negative audit finding.
The SEC’s intent was explicit: Wall Street must stop trying to rig the system and start playing by the rules. Companies need to establish effective compliance programs, capable of identifying problems within 120 days of being reported, with sufficient authority and independence to ensure that companies self-report violations before they get caught. That day has not yet come.