Imagine this: An anonymous tip comes through the company’s hotline that a senior executive has engaged in insider trading. The allegations are convincing enough to warrant an investigation, so compliance enlists the help of outside counsel—only to later discover it was all a lie in the name of academic research.
This scenario is not a hypothetical. It happened, effectively leaving hundreds of unwitting corporate subjects to foot the bill for the follow-up they conducted. A PhD student at the National University of Singapore (NUS) earlier this summer had sent numerous fabricated anonymous allegations to multiple companies in order to gauge their hotline response rate for field research.
“On June 4, one of my public company clients received an anonymous email reporting that a senior employee had admitted to improper insider trading,” says Susan Muck, a partner at WilmerHale. “Within three or four hours, a different client in a different industry thousands of miles away received an identical email and also contacted me to investigate.”
Muck says the coincedence caused her to immediately suspect the emails were part of some mass whistleblower scheme whose intent at the time was not known. She immediately alerted other law firms that also work in the whistleblower space. That was on a Friday. By the end of the weekend, several companies had come forward seeking the advice of their outside counsel concerning similar claims.
One company immediately flagged the content of the email as suspicious because it referenced a conversation said to have taken place behind closed doors—during a pandemic, when its office had been closed for months. Other companies believed the claim to be genuine and asked their compliance team to begin investigating.
“Nobody is talking about it, because they don’t know about it. Companies don’t realize they are being used as nonconsenting participants in experiments.”
An anonymous university professor on the dangers of academic studies on hotline reporting
Meanwhile, a blog post published on TheCorporateCounsel.net about this “whistleblower hoax” sparked a firestorm of law firm alerts, warning clients to beware of insider trading whistleblower scams that, at the time, many assumed to be malware or phishing attempts.
As a third-party hotline operator, NAVEX Global similarly began receiving “multiple calls from customers,” says Carrie Penman, its chief risk and compliance officer. She estimates around 200-300 companies received the fabricated anonymous hotline claims.
“Ultimately, we spent about three or four weeks trying to address these concerns,” Penman says. As a precaution, companies were advised to start taking their hotline reports offline and, instead, handle them over the phone.
The truth revealed
Two months later, the PhD student who had conducted the field study notified his corporate subjects of the experiment by email. “The claims brought forth were completely fictitious and deliberately did not bare enough details to necessitate the launch of an investigation,” the student stated in an email seen by Compliance Week. “Once the claim was made, we’ve only recorded your initial response and did not pursue the matter any further, thereby interfering with your day-to-day business as little as possible.”
“That is where the rationale went off the rails,” says Penman, who wrote about the hoax hotline claims on NAVEX Global’s website. Absent information about who engaged in serious misconduct or when it occurred, a company often will start investigating everything, rather than nothing at all.
Upon request, the University of Singapore provided NAVEX Global with only a sample of the anonymous emails that were sent, which included “pretty serious allegations” of collusion, accounting fraud, and kickbacks, Penman says. The university would not share how many companies received the fabricated claims.
“By and large, companies take whistleblower reports very seriously,” Muck says. “Often, investigations will involve outside counsel, auditors, or even regulators in certain instances.”
Regarding vague insider trading allegations, especially, companies might enlist the help of a forensic audit firm to capture electronic data and begin to analyze employee trading patterns to spot any red flags. “They’re looking for the needle in the haystack, and there is no needle,” Muck says.
All told, a company could end up racking up tens of thousands, even hundreds of thousands, of dollars on an internal investigation. Even if a company ultimately decides not to pursue an investigation, a single phone call to external counsel can still run about $1,000.
And those are just the monetary implications. For companies under a settlement agreement, a public disclosure might be required as well. “If they self-reported a hoax—what a mess between them and the regulators,” Penman says.
Moreover, in addition to diverting time and attention away from legitimate claims, Penman says she also worries such studies will inspire even more copycat research, particularly since this is not the first academic study of its kind to examine the efficacy of hotlines.
In May 2020, the Journal of Accounting Research —a peer-reviewed academic journal associated with the University of Chicago—published an academic analysis, “Paper Versus Practice: A Field Investigation of Integrity Hotlines,” led by Harvard Business School Professor Eugene Soltes. The paper was also published under the title, “The Difficulty of Being Good: The Efficacy of Integrity Hotlines.”
Soltes, who spoke with Compliance Week, says the motivation of the field study was to understand the availability and responsiveness of integrity hotlines. The research was conducted by sending anonymous “inquiries” to a random sample of 250 companies in the S&P 900. They were never notified of the study.
“An inquiry is distinctly different than a fabricated report, which is making an allegation against a specific individual or group of individuals that is obviously not true,” Soltes says. He stresses all the scenarios in his field study were framed as hypotheticals, not as allegations.
“They’re looking for the needle in the haystack, and there is no needle.”
Wilmer Hale Partner Susan Muck on fabricated tips to whistleblower hotlines
The inquiries concerned four scenarios of potential misconduct: financial statement manipulation, bribery, harassment, and discrimination. As Soltes explained in the paper, after receiving feedback from several compliance officers, he chose these scenarios because they “received common agreement as being both realistic and highly plausible.”
A footnote in the paper states the compliance officers who provided feedback were not employees of any companies in the study and were not provided details of the study.
The study was approved by Harvard’s Institutional Review Board (IRB), which reasoned that raising inquiries to corporate hotlines is not submitting to “people” but rather to “firms.” The IRB did not return a request for comment regarding its protocols and specifically how it justifies the distinction between people and firms.
“Given the potential deception involved … I faced a subsequent review by the university’s general counsel that raised concerns regarding liability associated with the project,” Soltes explained in the paper. “The most salient of these concerns was around fraudulent misrepresentation.”
The paper continued, “To mitigate the potential for damages, the scenarios were designed in a way to make it unlikely that a firm could engage in a substantive or costly investigation without additional information. Specifically, the inquiries were framed around pending behavior that could become more serious misconduct depending on subsequent decisions.”
Soltes stands by the work. “Certainly, there are types of work that people absolutely—and I would absolutely—find unethical,” he says. “I want to emphasize that it’s very important to be quite precise about how the work is done.”
There are different ways to design research, in a careful and mindful way, such that it would mitigate or eliminate the potential for damages, he says. “The study we did specifically sought to address that.”
Asked to see a sample of the anonymous inquiries that were sent, Soltes replies, “Those that we do share, we share under a nondisclosure agreement.”
Without reviewing the actual language in the inquiries, and without the subject companies ever being informed about being part of the experiment, it is impossible to ascertain the actual time and effort compliance and legal teams might have spent investigating such inquiries.
It was also noted in the paper multiple scenarios were sent to each company “to ascertain the responsiveness of their hotline overall, rather than to a specific inquiry at a particular time.” Thus, companies hypothetically could have been looking into multiple inquiries at once.
As explained in the paper, no company was identified by name, because “while the direct costs for a firm to respond to a particular inquiry was likely small and inconsequential, the reputational costs could conceivably be much larger if a particular firm response was viewed negatively by external observers or regulators.”
If these were merely hypothetical scenarios that were raised, however, it is not clear why or how they would then be viewed negatively by external observers or regulators.
As for the study conducted by the PhD student at the University of Singapore, that has since been redacted. “The university has reviewed [the student’s] research study, and the study has been terminated,” the university said in an email to NAVEX Global seen by Compliance Week. “Please be assured that any data collected in relation to this research study will not be used. We apologize for the inconvenience that this research study may have caused.”
It is safe to say the time and resources compliance and legal teams spent investigating the hoax allegations was more than an “inconvenience.” The risk of academic studies like these continuing to be approved by universities’ IRBs poses a very real concern for chief compliance officers, internal audit, and in-house counsel at global companies across all industries.
“Nobody is talking about it, because they don’t know about it,” says one university professor who asked to remain anonymous. “Companies don’t realize they are being used as nonconsenting participants in experiments.”
In response to questions about University of Singapore IRB protocols, an NUS spokesperson tells Compliance Week, “As a leading global university, the NUS commits to high standards of integrity and ethics. Research at NUS adheres to the international common practice and ethical standards. Research projects are submitted for consideration to the NUS Institutional Review Board when human subjects and human tissues, cells, or data are involved. Projects are also assessed and approved by the respective faculties and schools in accordance with established policies and procedures.”
A silver lining
Even critics of hotline field studies praise the value of academic research, generally, and the positive contributions they make to corporate governance and the ethics and compliance space overall. “Academic research drives a lot of really good things for business, but this one was just really off the mark,” Penman says, referring to the University of Singapore study.
Soltes says he hopes his research helps move the conversation forward. “We don’t have a lot of evidence about the efficacy of the hotline process,” he says.
In conducting his study, Soltes says several companies’ hotlines were found to be either inoperable or otherwise imposed other impediments for those wanting to make a report. “That’s obviously really worrisome,” he says. “In that regard, I’m quite proud of what we were able to document in that study.”