For chief compliance officers, compliance professionals, and even corporate legal types, the need to read the tea leaves around Securities and Exchange Commission enforcement of the Foreign Corrupt Practices Act is at an end. All you need to do is listen to the public comments from SEC officials and you can see where enforcement is heading.

Unequivocally clear were the remarks by the SEC in its annual report to Congress on the Dodd-Frank Whistleblower Program, issued in November 2014, and more particularly the comments of Sean McKessy, chief of the SEC’s Office of the Whistleblower, at the SCCE 2014 Compliance and Ethics Institute. Both the report and McKessy talked about the issue of retaliation by corporations against employees who report securities violations to the SEC. They provided clear statements that the SEC had found situations where employee severance agreements and other types of confidentiality agreements attempted to prevent employees from coming forward to the SEC for fear of being sued and other forms of retaliation.

In his remarks to the SCCE, McKessy noted that the SEC was “looking for the first big case here.” In its report to Congress, the SEC stated that “we will continue to focus on agreements that attempt to silence employees from reporting securities violations to the Commission by threatening liability or other kinds of punishment.”

Well, neither the SEC nor McKessy had to wait very long, or even look very hard. On April 1, the SEC announced that it had found that the Houston-based entity KBR Inc. “[violated] whistleblower protection Rule 21F-17 enacted under the Dodd-Frank Act. KBR required witnesses in certain internal investigations interviews to sign confidentiality statements with language warning that they could face discipline and even be fired if they discussed the matters with outside parties without the prior approval of KBR’s legal department. Since these investigations included allegations of possible securities law violations, the SEC found that these terms violated Rule 21F-17, which prohibits companies from taking any action to impede whistleblowers from reporting possible securities violations to the SEC.”

KBR was fined $130,000 and “the company voluntarily amended its confidentiality statement by adding language making clear that employees are free to report possible violations to the SEC and other federal agencies without KBR approval or fear of retaliation,” according to a statement from the Commission.

Perhaps the most significant item about this entire matter is that there was no finding that KBR had actually violated Dodd-Frank or had retaliated against any employees. The SEC cease-and-desist order stated: “Though the Commission is unaware of any instances in which (i) a KBR employee was in fact prevented from communicating directly with Commission Staff about potential securities law violations, or (ii) KBR took action to enforce the form confidentiality agreement or otherwise prevent such communications, the language found in the form confidentiality statement impedes such communications by prohibiting employees from discussing the substance of their interview without clearance from KBR’s law department under penalty of disciplinary action including termination of employment.”

Andrew Ceresney, director of the SEC’s Division of Enforcement, was quoted in the SEC press release as saying: “By requiring its employees and former employees to sign confidentiality agreements imposing pre-notification requirements before contacting the SEC, KBR potentially discouraged employees from reporting securities violations to us. SEC rules prohibit employers from taking measures through confidentiality, employment, severance, or other type of agreements that may silence potential whistleblowers before they can reach out to the SEC. We will vigorously enforce this provision.”

Substantively, the message sent by this enforcement action could not be clearer. Here was a company without any allegation of retaliation, or even the threat of retaliation, against a whistleblower; yet it found itself at the end of a $130,000 fine. Consider every confidentiality agreement that an employee is required to execute. Generally one is signed at the start of your employment tenure. One is certainly signed (or at least proffered) at employment termination. Often one is signed for particularly sensitive matters such as certain mergers and acquisitions. In the case of KBR, one was signed for what appears to be routine investigations. Do you think that any companies have ever threatened to sue an ex-employee based upon a confidentiality clause in a termination agreement? (The answer would be yes.)

To my reading of the language in the cease-and-desist order, any confidentiality agreement, for any company subject to SEC oversight, which had language similar to the KBR confidentiality agreement, is now illegal. Taken a step further, the Justice Department may well take the position that any such confidentiality agreement used against an employee is a criminal violation of the FCPA. Why? Because it might dissuade an employee from reporting a crime to the U.S. government.

For whistleblowers, those who seek greater corporate transparency, and lawyers seeking to bring whistleblower claims, the settlement was a huge win. If you cannot be sanctioned for violating a confidentiality agreement by reporting to the SEC, you certainly cannot be sanctioned, sued or in any other way harassed, for going to a lawyer or whistleblower organization to seek counsel.

The SEC has already made clear that it will prosecute any company that retaliates against an employee or former employee by going to court to enforce a confidentiality agreement. Now it has prosecuted a company that simply had objectionable language in its confidentiality agreement. For any compliance practitioner, this means you need to walk down the hall to the office of your general counsel and find out what is in the plethora of confidentiality agreements that your company may require employees to sign during their employment tenure and at the end of the employment relationship.

If you find objectionable language, you should pull out the SEC cease-and-desist order, which contains both the illegal language and the acceptable language that KBR substituted into its confidentiality agreements. While you are at it, you might also inquire into the times that your company “reminds” employees of their confidentiality agreement obligations. Such a reminder could be a not-so-subtle hint not to go to the SEC or other government authority.

In March we were treated to another such example when Ceresney spoke at another conference on compliance in the pharmaceutical industry. Ceresney provided guidelines for compliance professionals about what the SEC expects from companies for FCPA compliance around internal controls. I thought his most important sentence was, “Internal control problems have been prominently featured in recent enforcement cases we have brought in the financial reporting area, even in cases without accompanying charges of fraud. This reflects our view that adequate internal controls are the building blocks for accurate financial reporting and can prevent fraudulent activity.” While the specified area of these remarks was around Sections 302 and 404 of the Sarbanes-Oxley Act, I think this points directly to internal controls under the FCPA.

Finally, and perhaps the biggest lesson from all this, a compliance professional must listen to and read what SEC representatives communicate to us about SEC enforcement of the FCPA. Just as McKessy and the SEC made clear they would not tolerate retaliation and now even pre-taliation, Ceresney reinforced what we saw in SEC enforcement actions involving the FCPA last fall. Internal controls will be a focus going forward. Just as you don’t need a weatherman to know which way the wind is blowing, you don’t need a fortuneteller to see where the SEC is going with its FCPA enforcement strategy.