Are you in compliance?

Don't miss out! Sign up today for our weekly newsletters and stay abreast of important GRC-related information and news.

Get updates on Compliance Week offerings, including new features, databases, research, and other resources, along with announcements of upcoming Webcasts, conferences, seminars, CPE/CLE opportunities and more.

Published every Thursday, Compliance Week Europe offers a condensed summary of risk, audit, and compliance news either originating in Europe, or of special interest to European compliance professionals. This newsletter will follow developments by the European Commission, as well as those of national governments across the region, or any U.S.-based news that might have consequence across the Atlantic. Frequency: weekly; Thursday a.m.

A fresh edition of Compliance Week delivered via e-mail and online every Tuesday morning, relentlessly focused on the disclosure, reporting and compliance requirements of our 25,000+ paying subscribers.

Published every Friday, Compliance Weekend was launched at the behest of subscribers, and offers a quick Plain English review of the week's key developments. We hope you enjoy this supplement to Compliance Week's Tuesday edition.

Latest on Whistleblower Rules: Nothing Good

Matt Kelly | January 24, 2011

Few issues burn up my phone lines and email box these days as much as the new whistleblower bounty rules soon to come from the Securities and Exchange Commission. Little surprise, then, that when SEC Enforcement Director Robert Khuzami appeared at the Securities Regulation Institute's annual conference last week, the new whistleblower rules were discussed almost immediately.

For any last compliance officers out there who still don't know, the SEC's forthcoming rules will create a bounty program that lets whistleblowers reap as much as 30 percent of any settlement the SEC wins based on that whistleblower's information. The agency proposed its program in November, accepted public comment on the proposal until Dec. 17, and is due to adopt final rules by late April.

The loud and universal complaint from compliance officers has been that the lure of cash rewards will entice employees to run directly to the SEC, rather than sound the alarm through internal hotlines. Compliance officers find this annoying, since the SEC has been pressuring them for years to improve their internal programs and now is offering everyone an end-run around them.

So, Khuzami was asked last week, does the SEC feel compliance officers' pain?

“We recognize that as a real issue … the SEC has spent many years encouraging companies to take responsibility for allegations of misconduct,” he said. But nevertheless, “whistleblowers need the opportunity to come to the commission directly if they think that's appropriate.”

I've heard this answer from SEC officials multiple times now. It is a more polite and diplomatic translation of a blunter truth: The SEC knows full well that the bounty program will put compliance departments in a bind. And while the agency never asked for this power from Congress, lawmakers did grant it as part of the Dodd-Frank Act—so the SEC is certainly going to use it.

That reality is irritating enough. Now, however, we can expect Congress to complicate matters even more.

The unfortunate truth is that the SEC has neither the manpower nor the money to investigate any spike in complaints coming from new whistleblowers looking for cash. The agency has been frozen at its 2010 budget since October, leaving it unable to create several new offices mandated by the Dodd-Frank Act—including a new “Whistleblower Office” to follow up on all those new tips. What's more, Congress has decided to keep that level-funded budget at least until March, as the new Republican majority ponders how to cut government spending. Some have already called for the SEC (and every other government agency) to be pared back to its 2008 budget.

Khuzami was honest in what that squeeze means for companies: The SEC and the Commodities Futures Trading Commission will likely not do much more than triage complaints, to separate the quacks from real misconduct. Then they will “backsource” the investigation back to the company in question—leaving you to do all the fact-finding that will reward the whistleblower who ignored your internal hotline in the first place. That stings.

That means corporate compliance departments should start reviewing their investigative ability right now; otherwise, you're just going to hire outside counsel or audit experts, and the costs will only go up. Are any staffers licensed private investigators? Do you have forensic accountants on the internal audit team? Do you have sufficient reserves to hire outside experts anyway, should the worst happen?

Someone also asked an interesting corollary question: Can companies include a provision in their Code of Conduct to require all employees to report misconduct to the compliance officer? Khuzami didn't answer that directly, and others on the SRI panel immediately wondered how a company could enforce a provision like that. After all, how would you discipline someone who ignores that provision and goes to the SEC—fire him? That hardly sounds like a whistleblower-friendly environment.

Of course, the current environment isn't very corporation-friendly either, but it looks like we'll all have to live with that until further notice.