From the massive corporate frauds at Enron and WorldCom, to the recent scandals arising out of subprime mortgages and mortgaged-backed securities, it seems that the last decade has witnessed an endless serious of corporate and financial scandals. Yet at the same time, we have seen increased regulation mandating stronger internal controls and corporate compliance, with Sarbanes-Oxley, new rules under the Investment Adviser's Act and Investment Company Act, and FINRA (formerly NASD) regulations. The result has been an impressive growth of strong, independent compliance functions, often separate from an in-house law department, with direct reporting to the top through Chief Compliance Officers. In fact, a 2007 Deloitte survey of major financial institutions found that, among the institutions surveyed, spending on compliance increased 159% from 2002 to 2006.(1)
These compliance programs are an important first line of defense and employ impressive arsenals, including:sophisticated internal controls and monitoring systems; ombudsmen, hotlines and investigation teams; and, voluminous employee manuals, policy statements and memoranda about conduct. But given the continued pervasiveness of fraud and misconduct inside companies of all stripes, something is obviously missing. Indeed, after more than 15 years in federal law enforcement, first as a Trial Attorney at the Department of Justice and later as an Assistant Director in the Enforcement Division of the SEC, one thing has become certain about corporate compliance:many programs, well wrought, thoughtful and expensive as they may be, only address half of the equation. What is all too often is missing is an organizational culture that emphasizes and rewards ethical conduct, supports compliance, encourages internal reporting, and fosters open communication between and among all employees.
Without such a culture, corporate compliance will remain a backward-looking and mechanical exercise, creating a standard for conduct and outlining penalties for wrongdoing, but not adequately preventing it. Anyone that doubts this need look no further than the many distinguished financial services firms that have recently been the subject of significant SEC enforcement actions, such as Goldman Sachs, Bank of America, Bear Stearns, and J.P. Morgan. Virtually all of these firms had vigilant compliance officers and all of them had sufficient resources to establish state-of-the-art compliance programs. However, during the relevant period, what many of these organizations lacked was a strong ethical culture where employees cared about the organization they worked for and either refrained from misconduct or reported misconduct when it occurred, before it snowballed into a massive fraud.
A more preemptive and proactive approach is needed, and it is needed now more than ever. Over the past two years, the Securities and Exchange Commission (SEC) has carried out a number of major structural reforms, becoming ever more aggressive and proficient in identifying, investigating, and prosecuting violations of the federal securities laws. Among these reforms is the launch by the Division of Enforcement of five national specialized investigative units, each dedicated to high-priority areas of enforcement. The specialized units include Asset Management, which focuses on hedge funds, investment advisers, and private equity; and Market Abuse, concentrating on high-volume and computer-driven trading strategies, large-scale insider trading by market professionals, and market manipulation schemes.
Along with the creation of these specialized units, the SEC announced its Enforcement Cooperative Initiative, which seeks to encourage individuals having knowledge of a securities fraud to cooperate with the SEC, even though they may have some culpability themselves. Thus, under this initiative, the SEC is now utilizing tools such as cooperation agreements, deferred-prosecution agreements, and non-prosecution agreements-long since been usedeffectively by traditional law enforcement authorities-to increase its enforcement capabilities.
But it is the SEC's newest program that will be the biggest game-changer of them all. I am referring to the new and, in many ways, revolutionary whistleblower program, which was finalized and implemented in August, under the 2010 Dodd-Frank Wall Street Reform and Consumer Protection Act.While a senior attorney at the SEC, I played a leadership role in developing the whistleblower program, which emerged in response to the serial misconduct pervading the marketplace and recognizes that law enforcement needs greater participation from the public to be more proactive and effective in identifying unlawful conduct in domestic and international markets.By offering significant monetary awards and strong protection from workplace retaliation, the federal government, through this new program, has essentially deputized virtually every company employee, vendor, customer (and their second cousins) to serve as their eyes and ears.
The requirements are relatively straight-forward. A qualified whistleblower who provides original information to the SEC can receive as a reward 10-30% of the monetary sanctions collected in a successful enforcement action. With few exceptions, any individual, or group of individuals, may qualify, so long as the information is derived from independent knowledge and is not already known to the SEC or solely derived from public sources. The information provided must cause the SEC to commence a new investigation, which leads to a successful enforcement action, or significantly contribute to the success of an existing action. Any violation of the U.S. federal securities laws qualifies. Moreover, when reported conduct becomes the subject of a parallel proceeding by another law enforcement or regulatory body, such as the Department of Justice or a state Attorney General, the whistleblower could receive, subject to agency discretion, a percentage of the sanctions collected in both actions.
Another innovative aspect of the program is its powerful anti-retaliation and privacy provisions. Under these provisions, a qualified employee whistleblower is protected from any work-place retaliation for up to 10 years, regardless of whether the information is ultimately verified, if it was provided in good faith. And if represented by counsel, a whistleblower may maintain anonymity until he or she claims a reward.
The importance of the whistleblower program cannot be understated. Consider that a 2007 survey by the Compliance and Ethics Leadership Council found that "companies in which employees are uncomfortable speaking up or fear retaliation have significantly elevated levels of misconduct."(2) In addition, KPMG's 2008-2009 Integrity Survey found that (i) 74 percent of employees surveyed reported that they had personally observed or had first-hand knowledge of wrongdoing during the previous 12 months;(3)(ii) only 57 percent of employees surveyed would feel comfortable using a hotline to report misconduct;(4) (iii) and only 53 percent of employees believed they would be protected from retaliation.(5) Clearly, then, conventional compliance protocols are not working, and the new whistleblower program will certainly fill that void if the focus of compliance is not redirected. The result is that the SEC's ability to detect violations of the federal securities laws will be enhanced, its investigations will be more effective and efficient, and its related enforcement actions will be more successful.
Early indications show that these various new initiatives are working. In its recently released 2011 Performance and Accountability Report, the SEC reported a record number of enforcement actions during the past year and an astounding $2.8 billion in monetary sanctions ordered, including several cases in which sanctions exceeded $100 million. Furthermore, even though it only became effective on August 12, the SEC has already received 334 whistleblower tips, according to the Annual Report on the Dodd-Frank Whistleblower Program released by the SEC this month. Tips came from individuals in 37 states, as well as from several foreign countries, including China and the United Kingdom. Considering the amount of sanctions collected by the SEC last year alone, you can expect the that whistleblowers will come forward in increasing numbers to report possible violations of the US securities laws.
With these new initiatives comes a new and challenging reality for corporate compliance professionals. But it also presents a great opportunity. Just as compliance professionals acted as a force for reform following the enactment of the Sarbanes-Oxley Act reforms in 2004, they can do so again. With the unprecedented amount of attention the Dodd-Frank whistleblower program has received, compliance officers now have a compelling argument for increased resources and support in establishing strong ethical cultures and state-of-the-art compliance programs. They must take advantage. Companies must cultivate a compliance culture that deters misconduct by emphasizing and rewarding ethical conduct, encourages open communication and internal reporting, and applies equally to all levels of employees, including top management. In this new, post Dodd-Frank world, companies should consider adopting the following measures.
Invest in Compliance. Every organization must invest in a strong compliance program. This includes evaluating what is currently in place and deciding what is working, what can be improved, and what new areas need development. Investment could then be made accordingly, and every program should be regularly reviewed and strengthened. These compliance programs should employ procedures that are reasonably designed to prevent, detect, and correct not only violations of law, but also the organization's Code of Ethics. Part of this investment in compliance should also be reserved for continuing education and training so that all employees know and understand the company's policies, procedures, and Code of Ethics.
Create a Culture of Ethics. It is critical that an ethical culture be fostered within every organization. This begins with a strong sense of community and a compelling organizational vision. Employees should have a sense of belonging and be concerned about the well-being of their colleagues, customers, and the organization as a whole. They should also be guided by a set of values, outlined in a Code of Ethics, that is promoted by the organization and that emphasizes integrity and appeals to each employee's own sense of moral judgment. In the end, employees need to feel proud of where they work, and will thus take care not to do anything that will tarnish the organization's reputation.
Establish an Effective Internal Reporting Process
. With employees now having powerful incentives to report misconduct to outside authorities, it is more critical than ever that a strong and effective internal reporting mechanism be put in place. Employees must not only know how the process works, but they must be encouraged to report internally with financial incentives, public recognition, and anti-retaliation assurances. Make such assurances credible with meaningful follow-up with employees who report misconduct. When legal or ethical violations are discovered, violators should be held accountable, regardless of their position in the organization and in a manner consistent with others similarly situated.Any potential benefits for employees that report possible violations should also be dispensed in an equitable fashion.
Self-Report and Cooperate
. Compliance officers should not view the SEC's new whistleblower program as an encroachment onto their turf, and organizations should not be in competition with the SEC. Rather, organizations should self-report violations to the SEC and other law enforcement organizations, and cooperate fully with any subsequent investigation. Doing so is a powerful way to establish an organization's commitment to creating an ethical culture (and to earn cooperation credit).
Encourage and Practice Open Communication
It is critical that organizations communicate more often and more effectively about what conduct is acceptable, how reports of misconduct are dealt with, and how employees who report misconduct will be protected and rewarded. Without this transparency, employees' confidence in their organization's commitment to ethics will be undermined, leading to unnecessary whistleblower submissions to the SEC and other law enforcement, and a crucial opportunity to stand against and deter misconduct will be missed. Moreover, employees must feel comfortable raising concerns about any issue, and management must listen to these concerns, address them, and explain why a certain course of action was taken. At the same time, management must be open with employees about what is expected of them, as well as the costs of violating those expectations.
In short, corporate compliance must not be an abstract concept, but a code of behavior that applies to everyone in an organization. In order to continue in their role as a force for reform, compliance professionals should take the lead at fostering this ethical culture and reforming their compliance protocols in order for their organizations to remain successful and scandal-free in this post Dodd-Frank world.
1 Navigating the Compliance Labyrinth: the Challenge for Banks, http://www.finextra.com/finextra-downloads/newsdocs/Deloittecompliance.pdf (last visited Nov. 29, 2011).
2 The Compliance and Ethics Leadership Council Identifies Leading Indicators of Misconduct at Large Organizations (Aug. 8, 2007), http://news.executiveboard.com/article_print.cfm?article_id=1072 (last visited on Nov. 28, 2011).
3 Significantly, 46 percent of these employees reported that what they observed could cause a significant loss of public trust if discovered-with that number growing to 60 percent for employees working in the banking and financial services industries.
4 In practice, only 3 percent of reports of misconduct are made to hotline telephone numbers. Ethics Resource Center, 2009 National Business Ethics Survey.
5 Disturbingly, 15 percent of employees who observed and reported misconduct perceived retaliation as a result. Ethics Resource Center, 2009 National Business Ethics Survey.