Whistleblowingdata Privacy – Managing Risk Throughin Europe Effective Response

REPRINT risk & R&Ccompliance

WHISTLEBLOWINGDATA PRIVACY – MANAGING RISK THROUGHIN EUROPE EFFECTIVE RESPONSE

REPRINTED FROM: RISK & COMPLIANCE MAGAZINE JAN-MARAPR-JUN 20152014 ISSUE rriskisk && && compliance compliance �� JAN-MAR 2014 RC �� RC www.riskandcompliancemagazine.com

��

�� Inside this issue: �� FEATURE �� The evolving role of the chief risk officer �� EXPERT FORUM �� Managing your company’s �� regulatory exposure

HOT TOPIC Data privacy in Europe

www.riskandcompliancemagazine.com

VVisitisit the website to request a free copy of the full e-magazine

MINI-ROUNDTABLE WHISTLEBLOWING – MANAGING RISK THROUGH EFFECTIVE RESPONSE

2 RISK & COMPLIANCE Apr-Jun 2015 www.riskandcompliancemagazine.com WHISTLEBLOWING – MANAGING RISK THROUGH EFFECTIVE... MINI-ROUNDTABLE

Edward T. Kang Timothy P. Hedley Partner Partner Alston + Bird LLP KPMG LLP T: +1 (202) 239 3728 T: +1 (212) 872 3496 E: [email protected] E: [email protected]

Edward Kang is a partner in Alston & Bird’s Government & Dr Hedley is a partner in KPMG LLP’s Forensic practice where Investigations Group and focuses on white-collar defence and he serves as Global Lead for the ﬁrm’s Fraud Risk Management compliance in areas of the Foreign Corrupt Practices Act, False service offerings. He provides his clients with a wide range of Claims Act and Ofﬁce of Foreign Assets Control sanctions. forensic services by assisting with the prevention, detection Previously, Mr Kang served as a federal prosecutor in the and response to fraud and misconduct. He is a member of the Department of Justice’s Criminal Division. Executive Committee of the New York State Society of CPAs where he serves as Vice-President of Professional Issues. He is also co-author of the book, ‘Managing the Risk of Fraud and Misconduct: Meeting the Challenges of a Global, Regulated and Digital Environment’, published by McGraw-Hill.

Kirk Ogrosky Alex Willscher Partner Partner Arnold & Porter LLP Sullivan & Cromwell LLP T: +1 (202) 942 5330 T: +1 (212) 558 4104 E: [email protected] E: [email protected]

Kirk Ogrosky is a partner in the white-collar practice at Alex Willscher focuses his practice on securities class Arnold & Porter LLP in Washington, DC. Mr Ogrosky represents actions and complex commercial litigation, white-collar companies and executives in qui tam litigation, internal criminal defence, regulatory enforcement proceedings, internal investigations, and trials. He served as an assistant US attorney investigations and cyber security matters. Mr Willscher has from 1999 to 2004 and as deputy chief of the Fraud Section at represented a number of companies and individuals under DOJ in Washington from 2006 to 2010. investigation by the US Department of Justice, the Securities and Exchange Commission, the US Commodity Futures Trading Commission, the US Treasury, the US Senate Permanent Subcommittee on Investigations, and state and local prosecutors’ ofﬁces.

www.riskandcompliancemagazine.com RISK & COMPLIANCE Apr-Jun 2015 3 WHISTLEBLOWING – MANAGING RISK THROUGH EFFECTIVE... MINI-ROUNDTABLE

RC: How do corporates perceive the misconduct. They also have a much better chance concept of whistleblowing? Are they of detecting misconduct in a timely fashion if they taking a proactive approach, or is there take proactive steps to help ensure employees still a need for increased awareness? know they have an affirmative obligation to report misconduct, and, importantly, that they can do so Kang: Companies are certainly becoming without fear of retaliation. With respect to awareness increasingly aware of the risks and issues posed by of whistleblower mechanisms, there is always a whistleblowers. The publicity surrounding recent need for increased awareness. There is always room high-dollar whistleblower awards – such as the $30m for improvement and this is especially true for those award announced by the SEC in September 2014— organisations that happen to place lower on the has certainly helped get the word out. That said, ‘maturity scale’ of compliance programs. many companies have still not taken the affirmative step of re-evaluating their compliance policies and Ogrosky: Corporations support mechanisms programs in light of the increase in whistleblowing that identify and prevent real fraud and create level activity. In today’s environment, all major companies playing fields within markets. Problems arise due to should have a well-defined process for responding the intersection between governmental enforcement to and managing whistleblower complaints. For actions and traditional employment issues. In far example, the Fifth Circuit recently held that a too many instances, employees claiming to be company’s identification of an employee as a whistleblowers are misusing laws that were set up to whistleblower in a document preservation notice help the government detect and prevent misconduct was an “adverse action” under the anti-retaliatory as a way to extract excessive remuneration from provisions of the Sarbanes-Oxley Act. Therefore, companies. The expense of defending against companies failing to establish well-defined internal frivolous allegations puts whistleblowers in a processes for managing employee complaints can position to raise spurious issues knowing that result in companies not only paying large penalties companies are likely to seek to avoid meritless under the False Claims Act, but also potentially being investigations. In certain markets, the problems have accused of having engaged in retaliatory conduct. become so severe that whistleblowing has become like a lottery for poorly performing employees. For Hedley: Corporations understand that their example, US healthcare sectors have been riddled employees are critical in uncovering major with hundreds of whistleblower driven qui tam cases. To the extent that real legal issues exist in

4 RISK & COMPLIANCE Apr-Jun 2015 www.riskandcompliancemagazine.com WHISTLEBLOWING – MANAGING RISK THROUGH EFFECTIVE... MINI-ROUNDTABLE

these cases, most could have been prevented had Willscher: Since 2010, when the Dodd-Frank Act the whistleblower utilised the corporate compliance authorised awards of up to 30 percent of recovered reporting mechanisms. It is a frustrating process to funds to individuals who provide “high-quality see individuals threaten to raise issues only when original information”, many companies have needed personal employment problems arise. Finally, most to contend with the new incentives and implications corporations have been extremely proactive in of whistleblowing. Of course, it has always been creating and enforcing sophisticated compliance important for companies to be good global citizens, programs. but the new whistleblowing rewards programs – and

www.riskandcompliancemagazine.com RISK & COMPLIANCE Apr-Jun 2015 5 WHISTLEBLOWING – MANAGING RISK THROUGH EFFECTIVE... MINI-ROUNDTABLE

the resulting surge in purported whistleblowing whistleblowing. At the end of the day, ‘crying wolf’ claims – now may require corporates to refocus should carry some punishment. their compliance regimes to account for this new reality. Particularly after last year’s $30m dollar SEC Willscher: The surge in purported whistleblowing award payout to a whistleblower – the largest to claims is further evidence of a pendulum swing in date and one which the SEC indicated could have the direction of increased regulatory attention on been larger – most companies are paying attention. corporates. Companies are operating in a highly- The challenge will be proactively and effectively regulated environment in the post-2008 financial responding to the changing regulatory tide. crisis world. Among other things, Congress and various state and federal regulators have created RC: What does the growing number very enticing financial incentives for individual of whistleblowing complaints tell us, if employees to file reports. In light of the new awards anything, about today’s corporate culture programs, it is unsurprising that the number of and regulatory environment? purported whistleblowing claims has grown recently. But one should hesitate before attempting to draw Ogrosky: Whether it is securities or government any larger conclusions about the state of today’s programs, the concept of regulation through corporate culture based on the fact that more investigation and litigation is simply not a complaints are being made. It remains to be seen sustainable, long-term solution. The resources that what percentage of the new complaints relate to are expended on legal and consulting services actual violations of the law. to combat many of these allegations are not commensurate with the level of alleged wrongdoing. Kang: The number of whistleblower tips sent to Governmental agencies need to establish rules that government agencies is up dramatically, and the allow for consistent and well functioning markets. To increase highlights the fact that we are now at a allow whistleblowers to saddle certain companies point where companies have to anticipate that with expensive investigations while others go misconduct such as bribery and fraud will eventually untouched creates inequities. Particularly in the US, come to light. Robust compliance programs are where plaintiff’s attorneys fund and pursue cases expected by the government and a necessity for hoping for massive recoveries, there is a need any major company. This post-Enron emphasis on a for regulators to take action to discourage false culture of corporate compliance is ultimately a net positive, as it helps ensure that the playing field is

6 RISK & COMPLIANCE Apr-Jun 2015 www.riskandcompliancemagazine.com WHISTLEBLOWING – MANAGING RISK THROUGH EFFECTIVE... MINI-ROUNDTABLE

level and that companies cannot cut corners to get One problem the SEC bounty program presents ahead. It does, however, bring with it the need for for corporates is the opportunity for abuse by a companies to be more vigilant than ever in terms disgruntled employee, or those seeking a payday. of compliance efforts and to react quickly when Indeed, a corporate might spend a millions of dollars compliance issues arise. responding to a governmental inquiry or conducting

Hedley: Such growing numbers tell us that hotlines and other whistleblower “One reason whistleblowers give for mechanisms are a critical component of a modern and effective risk management not bringing their allegations directly program. But we cannot draw conclusions to the company is that such a step about the state of corporate culture and would be futile given the company’s compliance based on the number of inadequate systems and controls.” whistler complaints received. There are many factors that affect how many people will make a complaint but that is not a Alex Willscher, function of a pervasive deterioration of Sullivan & Cromwell LLP corporate culture. its own investigation in cases where there has been RC: To what extent has the SEC’s no actual misconduct. Further, the SEC’s program Whistleblower Program impacted on the has inspired other similar initiatives. For example, frequency of whistleblowing? Is there in February 2015, New York’s Attorney General a risk that whistleblowers will bypass proposed a bounty program similar to the SEC’s, internal investigations and report directly which will increase the pressure on corporates to the SEC? in the banking, insurance and ﬁnancial services industries. There is certainly a risk whistleblowers Willscher: The frequency of whistleblowing will opt to bypass internal reporting programs complaints has increased signiﬁcantly. Last year, and instead report directly to the SEC. One reason the SEC received more than 3500 tips from whistleblowers give for not bringing their allegations whistleblowers, the largest number received since directly to the company is that such a step would the program went into effect three years ago. be futile given the company’s inadequate systems

www.riskandcompliancemagazine.com RISK & COMPLIANCE Apr-Jun 2015 7 WHISTLEBLOWING – MANAGING RISK THROUGH EFFECTIVE... MINI-ROUNDTABLE

and controls. Thus, companies seeking to maximise Kang: The SEC’s Whistleblower Program has the chances that a whistleblower will report to clearly created significant monetary incentives the company first should consider taking steps to for whistleblowers to come forward, and create internal programs that demonstrate that whistleblowers have responded. The numbers speak the company will take whistleblower allegations for themselves. As the SEC explained in its 2014 seriously and investigate them in a logical, annual whistleblower report, it has received 10,193 reasonable and responsive way. tips since the program was implemented in 2011. Whistleblower tips have increased every year, with Hedley: Many believe that the SEC’s 334 tips having been received in 2011 – the first year Whistleblower Program has had an influence upon the frequency of whistleblowing and has generated “Whistleblowers must have a very high many high-quality tips about potential level of confidence in the process, which misconduct. Although this has received a great deal of attention in boardrooms, must be managed in a way such that can it is still difficult to know what the long protect the reporting employee and resolve term implications will be. With regard to the issues involved in a meaningful way.” bypassing internal protocols, it is always a possibility people will report directly to the SEC, but their doing so is not always Timothy P. Hedley, a negative. Some organisations may KPMG LLP not possess the requisite skills, tools or motivation to act upon a whistleblower complaint. of the program – compared to 3620 tips in the fiscal Those organisations that want whistleblowers to year 2014. There is no question that the program report internally should make sure that they have has greatly increased the risk that employees effective whistleblower mechanisms and should may report outside of the company in the first literally ‘roll out the red carpet’ for employees to instance rather than reporting internally. There is no report internally, and, again, that employees know foolproof way for companies to entirely combat this that they have an affirmative obligation to report reality, and companies certainly cannot discourage misconduct and can do so without fear of retaliation employees from contacting the government. However, implementing a strong compliance

8 RISK & COMPLIANCE Apr-Jun 2015 www.riskandcompliancemagazine.com WHISTLEBLOWING – MANAGING RISK THROUGH EFFECTIVE... MINI-ROUNDTABLE

program with readily accessible channels for Hedley: Companies that want to update their whistleblowers to report internally and taking whistleblowing policies should first undertake an complaints seriously by conducting appropriate evaluation of the effectiveness of their efforts in investigations into well-founded allegations, are at this area. All too often, companies undertake major least a couple of measures that companies can take policy revisions and updates without determining to encourage would-be whistleblowers to contact first what works and what doesn’t work. Conducting the management first rather than going straight to an evaluation of effectiveness, for instance through the government. an employee perception survey, will help companies zero in on what needs to be fixed. Time does not Ogrosky: Unlike other US whistleblower permit exploring fully how companies should programs, the SEC is just getting started and I expect manage reports. Having said that, whistleblowers to see a rapid increase, particularly in the area of must have a very high level of confidence in the global corruption. Plaintiff’s attorneys have yet to process, which must be managed in a way such that experience the types of financial rewards that have can protect the reporting employee and resolve the occurred in the US Department of Justice’s (DOJ) qui issues involved in a meaningful way. In other words, tam programs. Since 2009, the US DOJ claims to have that management will take all allegations seriously recovered over $17bn. Of that, almost 20 percent has and work hard to bring the matter to appropriate gone to whistleblowers and their attorneys. In the disposition. US, whistleblowers have been bypassing compliance programs and treating these cases like any other Ogrosky: Most written compliance policies are type of litigation. Over the last five years, there are well done. It is the implementation of the policies very few cases that I recall where the whistleblower and how potentially difficult situations are handled reported issues and allowed the internal process to that has the biggest impact. It is advisable that work before going the government. So, it is not only clients hire outstanding employment counsel a risk but a reality. in-house so that they can address any potential matters immediately. Also, policies should be RC: What advice would you give to designed to allow for appropriate and ongoing companies looking to review and update communication with potential whistleblowers. their whistleblowing policy? How should People will run to get their own lawyers if they come internal whistleblowing reports be to believe that they are being cut out of the process managed? or that the process is not working to address the

www.riskandcompliancemagazine.com RISK & COMPLIANCE Apr-Jun 2015 9 WHISTLEBLOWING – MANAGING RISK THROUGH EFFECTIVE... MINI-ROUNDTABLE

issues. Finally, policies should be designed with plan and determining the appropriate scope of the internal incentives so that employees do not come investigation. to believe that filing an internal report will be viewed negatively. Encouraging employees to be compliant Willscher: It is clear that the government is basing and having a system that rewards compliance is corporate penalties in part on how companies critical if you ever are forced to deal with regulators. respond to reports of misconduct. The need for companies to have robust compliance programs, Kang: The first step is ensuring that the company effective personnel, and quick reaction times to has well-publicised and easily accessible reporting whistleblowing reports have become even more channels. Whistleblowers cannot be expected to important as the stakes have become higher. To that come to the company first if they don’t know how end, it is important that a company have in place to do so. Companies should also ensure that they a coherent and structured approach for handling have strong anti-retaliation policies in effect, that whistleblowing reports. First and foremost, all those policies are made known to employees, and allegations of wrongdoing should be taken seriously that those policies are taken seriously if violated. and investigated to an appropriate degree in order Potential whistleblowers need to know that they will to determine whether they have any merit. If an be protected from backlash if they come forward. allegation seems meritorious, a company should When it comes to managing whistleblower reports, decide whether to handle it internally or to bring in each case is, of course, unique. Generally, the initial outside counsel. Another important consideration is steps should be to evaluate the credibility of the whether and when to alert the regulator. Throughout report and all known facts and circumstances to the investigation, companies should consider the make an initial assessment of the potential severity degree to which they keep their employees apprised of the issue and whether and to what extent an of the inquiry. Providing at least some information investigation may be warranted. A decision should may help delay or prevent a whistleblower report to then be made promptly about whether the report the SEC on the ground that the company is ignoring raises relatively minor concerns than can be handled the allegation. When speaking with prospective in house, or whether the matter is sufficiently whistleblowers, it is important that companies serious that it warrants bringing in outside counsel. document all communications. The SEC has made Once that decision has been made, the company significant efforts to incentivise whistleblowers, is in a position to begin developing an investigation including by encouraging people to come forward as soon as possible by reducing awards where

10 RISK & COMPLIANCE Apr-Jun 2015 www.riskandcompliancemagazine.com WHISTLEBLOWING – MANAGING RISK THROUGH EFFECTIVE... MINI-ROUNDTABLE

there was ‘unreasonable delay’. This presents a challenge to corporates, which likely would prefer to handle allegations of misconduct in-house, which can help avoid future litigation costs as well as damaging publicity. In structuring its compliance and whistleblowing programs, corporates should consider making known to employees that reporting concerns internally before going to the SEC can increase the size of an eventual payout. If, as a result of an internal report, a company self-reports to the SEC, the whistleblowing employee will be eligible for an award based on all the information the company reports.

RC: Why should companies consider engaging external counsel when following up on an internal whistleblowing report?

Hedley: Companies may consider retaining external counsel in order to maintain a level of independence during internal investigations. For example, external counsel will typically be more interested in determining whether the allegations were truthful and the extent of damage to the organisation, rather than undertaking a, perhaps unhelpful, focus on the identity and actions of the whistleblower. It also may help the organisation maintain attorney-client privilege over the investigation.

www.riskandcompliancemagazine.com RISK & COMPLIANCE Apr-Jun 2015 11 WHISTLEBLOWING – MANAGING RISK THROUGH EFFECTIVE... MINI-ROUNDTABLE

Willscher: Many factors come into play here. receive the necessary guidance to limit potential External counsel may be better equipped to handle exposure. an investigation where the facts are particularly complicated or far-reaching, or are beyond the Ogrosky: If a whistleblower has already gone company’s capabilities or resources. Where the to US DOJ or SEC, then external counsel should allegations are particularly sensitive, such as by be involved to help with an understanding of the implicating senior management or individuals in issues and prepare to handle the government if control functions like compliance, legal, audit and they contact the company. If it is merely an internal so on, bringing in an independent third-party is compliance issue, the decision to engage outside often helpful in bolstering the independence of the counsel should depend on the nature of the report. process. In many instances, compliance personnel are effective at determining whether a report has merit. Kang: Engaging outside counsel has several If handled correctly and the potential whistleblower benefits. As an initial matter, bringing in outside is treated properly, certain types of internal issues counsel immediately alleviates concerns about simply do not require external counsel. Clients potential conflicts of interest that may otherwise should stay alert to allegations that involve criminal arise when individuals in a company are expected to wrongdoing, or allegations against senior officers or begin investigating their colleagues. Outside counsel directors. If the complaint involves either of those also allows the investigation to be conducted under two scenarios, consultation should take place with the protections of attorney-client and work-product external counsel who specialise in dealing with the privileges. Perhaps most significantly, qualified relevant agencies. At this stage, all parties should outside counsel can bring insight and experience to be concerned about internal communications and the investigation that can assist in everything from whether any privilege applies. properly determining the scope of the investigation to assessing the company’s potential liability and RC: In your opinion, how have recent determining whether voluntary disclosure may be cases – such as the Third Circuit holding warranted. Not every investigation necessarily calls that Dodd-Frank Act anti-retaliation for reliance on outside counsel, but, when major claims may be subject to arbitration issues arise, qualified outside counsel can help the – impacted the whistleblowing process? company rest easy knowing that the investigation will be handled appropriately and that they will

12 RISK & COMPLIANCE Apr-Jun 2015 www.riskandcompliancemagazine.com WHISTLEBLOWING – MANAGING RISK THROUGH EFFECTIVE... MINI-ROUNDTABLE

Kang: These decisions are not likely to impact Willscher: Khazin vs. TD Ameritrade Holding the willingness of potential whisteblowers to come Corp. highlights the differences in whistleblowing forward. The decisions are signiﬁcant, however, in protections available under federal law. Going terms of how companies may handle whistleblower forward, we may see more whistleblowing retaliation complaints. The Third Circuit’s decision in Khazin claims brought under different federal laws – such represents a victory for companies that wish to as the Commodity Exchange Act and the Consumer enforce pre-dispute arbitration agreements in Financial Protection Act – which provide their own responding to anti-retaliation claims under Dodd- anti-arbitration provisions to protect potential Frank. The ability to potentially force arbitration gives whistleblowers. Companies should fully understand companies a valuable tool to manage the process of dealing with anti-retaliation claims and to potentially keep the cost of contesting such claims down. Of course, it “If handled correctly and the potential remains to be seen whether other circuits whistleblower is treated properly, will follow the Third Circuit’s lead on this certain types of internal issues simply issue. do not require external counsel.”

Hedley: In the Third Circuit case Khazin v. TD Ameritrade Holding Corp, the Court held that Dodd-Frank’s anti-arbitration Kirk Ogrosky, provision did not apply to whistleblower Arnold & Porter LLP retaliation claims brought under the Act and that the claimant’s employer could require the different regimes when defending against the whistleblower to arbitrate his claims. It may be these causes of action. Another recent case that the case that employers won an advantage in this signiﬁcantly impacted the whistleblowing framework decision and that employees may want to now assert was the US Supreme Court’s May 2014 decision in their claims under Sarbanes-Oxley – which is not Lawson vs. FMR LLC. The Court held that employees subject to an arbitration requirement – rather than of private contractors and subcontractors of public Dodd-Frank. However, it is too early to tell what this companies are protected by the whistleblowing may affect the propensity to blow the whistle. provision of Sarbanes-Oxley, which likely will expand the number of claims brought under the Act and

www.riskandcompliancemagazine.com RISK & COMPLIANCE Apr-Jun 2015 13 WHISTLEBLOWING – MANAGING RISK THROUGH EFFECTIVE... MINI-ROUNDTABLE

subject a whole new category of employers to cases will be a priority for enforcement attorneys, potential whistleblower claims. who are being trained to identify potential instances of retaliation while investigating the underlying Ogrosky: Plaintiff’s attorneys expressed dismay reported conduct. For example, on 25 February 2015, with the Khazin decision and viewed it as a victory for the SEC sent letters to several companies asking for companies that may be able to compel arbitration. nondisclosure agreements, employment contracts The long term impact of the decision remains to be and other documents, including in separation seen and it may simply mean that plaintiffs seek to pursue claims under Sarbanes- Oxley. Khazin was the ﬁrst decision to “The major advantage of implementing a non- address the enforceability of arbitration agreements for claims brought under retaliation policy is that it helps to encourage Dodd-Frank’s anti-retaliation provision. whistleblowers to come forward and, in While a victory for employers, the true particular, to come to the company directly impact may require litigation involving instead of going directly to the government.” agreements executed post Dodd-Frank.

RC: Could you outline the Edward T. Kang, advantages and disadvantages Alston + Bird LLP for companies of implementing a non-retaliation policy? How will the recent Third Circuit/Dodd-Frank Act agreements, in order to investigate whether decision affect future policies? companies’ routine documents of that sort could be chilling corporate whistleblowers from coming Willscher: There are not a lot of disadvantages forward. in implementing non-retaliation policies, especially in the current regulatory environment. Indeed, in Hedley: Perhaps one of the biggest obstacles any investigation of retaliation claims, it would be to hotline reporting is employee fear of retaliation. helpful to be able to demonstrate that the company There are no ‘disadvantages’ to implementing a had such a policy. Recent statements by the SEC’s non-retaliation policy and in fact there are many whistleblowing ofﬁce makes clear that retaliatory clear advantages, including greater trust in the

14 RISK & COMPLIANCE Apr-Jun 2015 www.riskandcompliancemagazine.com WHISTLEBLOWING – MANAGING RISK THROUGH EFFECTIVE... MINI-ROUNDTABLE

whistleblower process and ultimately, more reporting examine the company’s policies, they will note that of potential misconduct. The more trust an individual it complies with the Dodd-Frank provisions. Anytime has with the process and in management doing the the government comes to believe that a company right thing, the more things that will be brought to the is retaliating against whistleblowers for reporting attention of management that matter. information to the government, it is going to create problems. But having a written policy is not the key Kang: The major advantage of implementing a or even defining question; it is whether the company non-retaliation policy is that it helps to encourage effectively implements that policy and has a practice whistleblowers to come forward and, in particular, that does not take actions against whistleblowers. to come to the company directly instead of going directly to the government. Such policies help foster RC: What developments do you expect a culture of compliance. In addition, should a problem to see in the whistleblowing arena over arise from a whistleblower complaint, it is certainly the next 12 months or so? Ultimately, beneficial to be able to explain to the government do companies need to strengthen their that your company has a robust whistleblower corporate compliance programs? protection policy that helped to encourage reporting of the misconduct at issue. In reality, I think it is fair to Ogrosky: Most companies are well aware of the say that the government expects major companies current enforcement environment and know what to implement these kinds of policies, and aside from to expect of the next year. In terms of compliance the cost of implementation, there are no clearly programs, SEC and DOJ are going to be focused in apparent reasons not to implement such policies. on issues of implementation and how the programs Time will tell how broad and what type of an impact actually work. Having a great program on paper the Third Circuit’s decision will have on whistleblower simply will not be enough. In 2015, we will continue complaints. However, in the near term, I expect that to see aggressive global anti-corruption enforcement. the Khazin decision will cause companies to consider If rewards to whistleblowers grow in amount, expect including strong arbitration clauses in employment to see the plaintiff’s bar push up the number of cases. agreements. Securities class action firms are likely to be looking to attract whistleblowers to help them file new cases. Ogrosky: Most companies have non-retaliation policies in place. The biggest advantage is that Hedley: With respect to future developments, when the US government attorneys and agents I am hopeful that organisations will increasingly

www.riskandcompliancemagazine.com RISK & COMPLIANCE Apr-Jun 2015 15 WHISTLEBLOWING – MANAGING RISK THROUGH EFFECTIVE... MINI-ROUNDTABLE

enhance their anti-retaliation efforts, for example by employer will take appropriate action as a result of a using continuous monitoring of reporting employees submitted report, and 42 percent are not confident and other third parties for significant changes in that their employer would protect the whistleblower their organisational success factors, including from retaliation after a report had been made. the monitoring of red flags such as productivity, revenue generation, performance ratings, career Kang: Law enforcement agencies rely on advancement, and compensation awards. And with credible information to develop cases. It is clear that respect to whether organisations need to strengthen these agencies have learned that one potentially their compliance programs, the answer for many reliable source of such information comes from organisations is yes, they do – especially as these whistleblowers. Not only have the SEC and CFTC programs relate to whistleblower mechanisms. For enacted programs that incentivise whistleblowing, example, despite the fair abundance of hotlines as but most recently, the New York Attorney General reporting mechanisms, we are increasingly finding proposed legislation that would provide financial out that it is not always easy to convince employees compensation to whistleblowers who voluntarily to surface their concerns using this method. This was report fraud in the banking, insurance and financial recently illustrated by our Integrity Survey data, which services industries. Further, the SEC, in June 2014, showed that too few employees would call a hotline brought its first ever anti-retaliation enforcement to report misconduct in the first place and only a action, requiring a New York-based hedge fund disappointing 53 percent of employees surveyed advisory firm to pay $2.2m to settle the charges. said they would do so. Employee comfort level in These developments portend more federal and calling a hotline generally is not high, with only a state agencies incentivising whistleblowers to come slim majority of respondents, 62 percent, saying forward with information and those same agencies they would feel comfortable reporting misconduct taking greater steps to protect whistleblowers from to a hotline. Arguably, the low number of employees possible retaliation. Companies need to step up their who feel comfortable reporting misconduct is a compliance programs with respect to whistleblowers consequence of the distrust they often feel with now in order to keep up with these trends. respect to the manner in which their employers are likely to respond to a report. In fact, the results of Willscher: We undoubtedly can expect to see the survey showed that 35 percent of employees are more whistleblowing activity. Most companies have not confident that their employer will keep a report recognised that trend and, as a result, we likely will confidential, 31 percent are not confident that their see the proliferation of vigorous whistleblowing

16 RISK & COMPLIANCE Apr-Jun 2015 www.riskandcompliancemagazine.com WHISTLEBLOWING – MANAGING RISK THROUGH EFFECTIVE... MINI-ROUNDTABLE

programs – ‘speak up’ hotlines, websites, anonymous contracts – which might require them to report toll-free phone numbers, and so on – and a ramp misconduct internally before going to the SEC up in resources in order to ensure that any internal – and other documents are improperly silencing reports are investigated in a ‘timely’ matter’, which whistleblowers. The challenge for companies will the SEC determined to be 120 days. We can also be to walk the line between incentivising internal expect to see an increase in investigations by reporting and impermissibly compelling it. A regulators and, potentially, enforcement actions particular space to watch will be whistleblowing for retaliation against whistleblowers. Further, as claims by compliance officers. Ordinarily, and in companies bolster their own compliance programs recognition of their unique position within a company, and encourage internal reporting, they should a compliance officer is ineligible for an award. In consider the risk that certain steps could be viewed August 2014, however, the SEC awarded $300,000 to as running afoul of whistleblowing protections. The a compliance officer where their company failed to SEC presently is investigating whether companies’ take appropriate, timely action on information first use of nondisclosure agreements, employment reported internally. R&C

www.riskandcompliancemagazine.com RISK & COMPLIANCE Apr-Jun 2015 17