What Internal Auditors Need to Know About SEC Whistleblower Law

SEC Whistleblower program

Internal auditors, compliance officers, and other “lines of defense” professionals are in unique positions to spot fraud and wrongdoing at the companies where they work. In most cases it is enough to report the problems to senior management or to the board of directors in situations where senior executives may be involved in the fraud themselves.

There are, however, some unique cases where it will also make sense to report fraudulent behavior to the Securities and Exchange Commission or other relevant government agencies. Indeed, alerting the federal government to criminal financial fraud can result not only in raising the likelihood for an investigation, but also in lucrative payouts for whistleblowers. Reporting can also establish important protections for whistleblowers against retaliation and mistreatment by employers, which is, unfortunately, too common in whistleblower cases.

The SEC has awarded more than $262 million to 53 whistleblowers since issuing its first award in 2012, including awards in excess of $30 million in some cases. All payments are made out of an investor protection fund established by Congress that is financed entirely through sanctions paid to the SEC by securities law violators. According to the SEC, whistleblower tips have resulted in more than $1 billion in enforcement remedies to date.

“Whistleblowers may be eligible for an award when they voluntarily provide the SEC with original, timely, and credible information that leads to a successful enforcement action,” states the SEC Whistleblower Office, which handles such tips. The program was established by the Dodd-Frank Act of 2010.

While internal auditors, compliance professionals, and other risk-management professionals are eligible for awards under the law, there are some unique aspects of it that they must know and some specific rules to follow to earn whistleblower payouts. But first, lets take a look at some of the basics of whistleblower law.

He Who Sues for the King
SEC whistleblower actions are related to a broader type of legal cases known as “qui tam” actions. The phrase comes from a longer Latin phrase, “qui tam pro domino rege quam pro se ipso in hoc parte sequitur,” which, in English, roughly means, “he who sues for the king as well as for himself.”

The idea is that a private citizen can act as a form of “private attorney general” and initiate a legal proceeding against another individual or entity on behalf of the government with the expectation that the whistleblower can receive an award or share part of a verdict or settlement that the government obtains against the defendant. Typically, the filing party has some first-hand knowledge or evidence that the defendant committed fraud or other improprieties, though in some instances even corroborating or additional information gained from an insider source can be sufficient to merit an award.

In a SEC whistleblower matter, a whistleblower does not initiate a legal action but rather makes a claim for an award by notifying the SEC in writing of the wrongdoing and provides “high-quality original information” about the case. This claim for an award is made by filing a TCR form, which the SEC has devised to elicit information about potential fraud.

Filing a Claim
Usually the whistleblower also provides a short narrative that outlines the extent of the whistleblower’s knowledge and may identify additional witnesses who also have knowledge of the fraud. A whistleblower typically will retain counsel familiar with the SEC’s rules and process for whistleblower awards to ensure a greater likelihood of receiving an award. In sensitive matters where a whistleblower is concerned that identifying themselves to the SEC as a whistleblower could put their employment or their life in jeopardy, the SEC has permitted whistleblowers who are represented by legal counsel to file their SEC whistleblower matter anonymously with all communications conducted with the SEC through their legal counsel without revealing their identity.

Once the SEC receives the tip or claim for award, a claim number is assigned and the SEC may or may not interview the whistleblower to ask questions about the substance of the claim. The SEC then decides whether to investigate the whistleblower’s claims if the SEC finds that the tip could have merit.

Ultimately, the SEC will provide an award to the whistleblower if it leads to a Commission enforcement action in which over $1 million in sanctions is ordered. The range for awards is between 10 percent and 30 percent of the funds collected. So far, the average SEC whistleblower award is in the neighborhood of $3.5 million. It is important to note that the whistleblower, also called the “relator,” does not need to show damages or lose their job to pursue a whistleblower claim. The SEC does everything possible to protect the identity of a whistleblower, even upon the distribution of an award.

Other Types of Whistleblower Matters
The SEC is not the only agency that provides monetarily awards to whistleblowers. The Internal Revenue Service, for example, also provides awards between 15 to 30 percent to whistleblowers who assist the IRS with information about tax fraud or even unintentional tax underpayments. The agency may make a reward where information is obtained which permits the IRS to collect proceeds (taxes, penalties, and interest) in excess of $2 million. If the IRS collects less than $2 million based upon a whistleblower’s information then the IRS has discretion to decide whether or not to pay an award.

A whistleblower can provide the IRS with the information on their own, but as with the SEC whistleblower program, usually an IRS whistleblower hires an attorney or other representative familiar with the IRS Whistleblower Office and its procedures and preferences. Tax whistleblower claims can raise complex legal and accounting issues that require the assistance of an experienced whistleblower attorney to ensure the maximum reward. Because of manpower constraints, the IRS does not act on the majority of whistleblower claims submitted to them, so it is important that initial and subsequent submissions to the IRS are thorough and compelling.

Likewise, the Commodities Futures Trading Commission administers another growing whistleblower program for reporting cases of impropriety in markets for derivatives, options, futures, commodities, or any violation of the Commodity Exchange Act. The CFTC whistleblower program is similar to the SEC program and was also established under the Dodd-Frank Act. The CFTC has been active lately, paying the largest award so far of $30 million to one whistleblower in July, and $45 million to a group of whistleblowers in August.

False Claims Act Cases
The so-called grandfather of whistleblower laws is the federal False Claims Act, which was established back at the time of the Civil War at the behest of President Lincoln and is sometimes nicknamed the Lincoln Law. The False Claims Act differs from the SEC, IRS, and CFTC whistleblower programs in that a whistleblower actually files a federal court lawsuit on behalf of both themselves and on behalf of the United States against the individual or company who has defrauded the federal government.

False Claims Act cases can involve a broad array of industries and federal programs. The many ways the federal government spends tax dollars are all possible avenues for False Claims Act cases: Medicare and Medicaid, defense, education, veterans, mortgage assistance, and pharmaceutical and health care programs for federal employees have all provided impetus for prior False Claims Act cases.

Once a whistleblower has filed a case, the United States Attorneys’ Office investigates the allegations and makes an initial determination as to whether the federal government will intervene or became actively involved in prosecuting the case, or decline, which permits the whistleblower to proceed with the case on their own. Awards range from 15 to 25 percent of proceeds for intervened cases and 25 to 30 percent for declined cases. False Claims Act “relator share” awards have sometimes dwarfed awards given in the SEC, IRS, and CFTC whistleblower programs because the federal government has had recoveries of over $1 billion in a few False Claims Act cases and several hundred million dollars in many others.

Calling All Internal Auditors
When the SEC finalized the Dodd-Frank whistleblower provisions in 2011, it listed compliance and internal audit professionals among those who are not eligible for whistleblower award under the program, along with corporate attorneys, public accountants, and officers and directors acting on information passed on to them by another employee.

In the ruling however, the SEC laid out a series of exceptions where internal audit and compliance professionals, as well as public accountants, could participate in the whistleblower program. Those circumstances include:

  • The whistleblower believes disclosure may prevent substantial injury to the financial interest or property of the entity or investors.
  • The whistleblower believes that the entity is engaging in conduct that will impede an investigation.
  • At least 120 days have elapsed since the whistleblower reported the information to his or her supervisor or the entity’s audit committee, chief legal officer, or chief compliance officer—or at least 120 days have elapsed since the whistleblower received the information, if the whistleblower received it under circumstances indicating that such officials are already aware of the potential wrongdoing.

In a notice of a $300,000 whistleblower award to an unnamed compliance or internal audit professional in 2014, the SEC further clarified that those who work in a compliance or audit function are eligible for awards.

“Individuals who perform internal audit, compliance, and legal functions for companies are on the front lines in the battle against fraud and corruption. They often are privy to the very kinds of specific, timely, and credible information that can prevent an imminent fraud or stop an ongoing one,” said Sean McKessy, who headed the SEC’s Office of the Whistleblower at the time of the award. “These individuals may be eligible for an SEC whistleblower award if their companies fail to take appropriate, timely action on information they first reported internally.”

The SEC stated at the time that the whistleblower receiving the $300,000-plus award reported his or her concerns “to appropriate personnel within the company, including a supervisor,” but the company took no action within 120 days. The whistleblower then took the same information to the SEC, which ultimately led the SEC to bring an enforcement action. Because of this exclusion in the rules, it’s important that potential claimants who work in compliance or audit functions raise their concerns internally, but also they act quickly to file the complaint with the SEC, usually with the help of an attorney who is familiar with whistleblower law.

When is a Whistleblower a Whistleblower?
Indeed, to whom potential tipsters raise concerns and when has been a issue for potential whistleblowers in compliance and audit functions. As the SEC considered the whistleblower provisions of Dodd-Frank, companies pushed hard for a requirement that wrongdoing must first be reported internally to the company—either through a hotline, supervisor, or other mechanism—before bringing a tip to the SEC to be eligible for a reward. Companies didn’t want to face a scenario where the first time they were hearing about a violation was with a knock on the door by the SEC.

While the SEC rejected that idea (apart for the exceptions noted above for compliance and audit professionals) it did add some important incentives to report wrongdoing internally before notifying the SEC. For instance, the rules:

  • Make a whistleblower eligible for an award if the whistleblower reports internally and the company informs the SEC about the violations.
  • Treat an employee as a whistleblower, under the SEC program, as of the date that employee reports the information internally—as long as the employee provides the same information to the SEC within 120 days. Through this provision, employees are able to report their information internally first while preserving their “place in line” for a possible award from the SEC.
  • Provide that a whistleblower’s voluntary participation in an entity’s internal compliance and reporting systems is a factor that can increase the amount of an award, and that a whistleblower’s interference with internal compliance and reporting is a factor that can decrease the amount of an award.

A recent court ruling also shed some light on when whistleblowers become protected under the anti-retaliation provisions of Dodd-Frank. In February, the U.S. Supreme Court ruled in Digital Realty Trust v. Somers that whistleblowers must report possible securities law violations to the SEC, or in limited cases to another agency, to gain anti-retaliation protection, giving those who see violations another incentive to take those concerns to the Commission.

Still, internal auditors have some additional retaliation protections under the Sarbanes-Oxley Act of 2002. A provision of SOX states that auditors and accountants are protected against a broad range of retaliatory employment actions, including discharging, demoting, suspending, threatening, or harassing them, or in any manner discriminating against them. Under SOX, internal auditors who are subject to retaliation, such as being fired, after blowing the whistle may be eligible for lost wages, reinstatement, and damages for emotional distress or reputational damage. In March 2014, for example, a jury awarded $6 million to a whistleblower in a SOX retaliation case.

Finally, a common misconception among potential whistleblowers is that the tip that is provided to the SEC or other agency must be on a new case of fraud that the agency was previously unaware of. Not true. Information that substantially furthers or strengthens an existing case, can also earn a relator a reward. In 2016, for example, the SEC awarded more than $3.5 million to a company employee whose tip bolstered an ongoing investigation with additional evidence of wrongdoing that strengthened the SEC’s case.

“Whistleblowers should be encouraged to come forward and report allegations of potential securities laws violations even if they think the SEC may already be looking into it,” the SEC said in a press release noting the award.

Under Pressure
It is true that internal auditors are under tremendous pressure at most companies. And while they have come a long way from when they were viewed skeptically as the police force or “hall monitors” of the organization in years past, they must still be on the lookout for fraud and abuse.

In some cases they are even encouraged to look the other way. A study from the Internal Audit Foundation, the research unit of the Institute of Internal Auditors, conducted in 2016 finds that 25 percent of the internal auditors at North American organizations surveyed said they have been pressured to “suppress or significantly modify a valid internal audit finding or report” during their career. Another 6 percent indicated that they would rather not answer the question.

More recently, there have been several cases of internal audit findings, including cases of potential fraud, going ignored or suppressed. In some of these cases, it might be worth it for internal auditors to take those concerns to the SEC or at least to discuss them with outside legal counsel.  end slug


Brian P. McCafferty is managing partner at the Philadelphia based law firm of Kenney & McCafferty, and an expert on whistleblower and qui tam law, including SEC, IRS, CFTC, and False Claims Act cases.

Click here to get more information on SEC whistleblower law!

Leave a Reply

Your email address will not be published. Required fields are marked *