Securities Laws and Regulations

Last August, we reported on two significant cease-and-desist orders issued by the SEC that, for the first time, found certain language in the confidentiality and release provisions of separation agreements to violate the SEC’s Rule 21F-17(a), which precludes anyone from impeding any individual (i.e., a whistleblower) from communicating directly with the agency.[1] Since then, the SEC has continued its aggressive oversight of separation and confidentiality agreements, with substantial repercussions for some employers. These orders, a select number of which we summarize here, have companies engaging in a serious review and rethinking of their confidentiality restrictions and other relevant provisions in their agreements and handbooks, and considering whether and what remedial steps to take proactively to cure any issues with the language in these key documents.

In Anheuser-Busch InBev SA/NV (Sept. 28, 2016), the company entered into a separation agreement in late 2012 with a specific employee after his termination and subsequent mediation of various alleged employment law claims. The separation agreement contained provisions (i) prohibiting the employee from disclosing confidential or proprietary company information, with no carve-out for reporting to government agencies; (ii) prohibiting the employee from disclosing the substance of the separation agreement; and (iii) imposing a $250,000 liquidated damages provision in the event that the employee breached the confidentiality provisions. After signing the agreement, the employee, who had been voluntarily communicating with the SEC in connection with an ongoing investigation, ceased doing so.

The cease-and-desist order—which is a negotiated resolution of the matter once the SEC determines that a company has violated its rules or regulations—did not require the company to make any additional changes to its separation agreements because, in September 2015, the company had amended separation agreements to state:

I understand and acknowledge that notwithstanding any other provision of this Agreement, I am not prohibited or in any way restricted from reporting possible violations of law to a governmental agency or entity, and I am not required to inform the Company if I make such reports.

The order required the company to contact only certain former employees identified by the SEC to inform them that they were not prohibited from providing information to the SEC, rather than all employees who had signed separation agreements since the rule was implemented in August 2011, as has been required in other cases. In addition, unlike other cases, it appears that there was no separate monetary penalty against the company for violating Rule 21F-17(a).

In NeuStar, Inc. (Dec. 19, 2016), the company’s severance agreements included a non-disparagement clause with the following language:

Except as specifically authorized in writing by NeuStar or as may be required by law or legal process, I agree not to engage in any communication that disparages, denigrates, maligns or impugns NeuStar . . . including but not limited to communication with . . . regulators (including but not limited to the Securities and Exchange Commission . . .) [emphasis added].

Any breach of this clause by the employee resulted in the required forfeiture of all but $100 of the severance paid under the agreement. The SEC found that “at least one” former employee was impeded by this clause from communicating with the agency—although the SEC does not hesitate to find violations of Rule 21F-17(a) even where there is no evidence that anyone has actually been impeded.

To settle the matter, the company agreed to pay a civil penalty of $180,000 and to contact 246 former employees to inform them that the severance agreements they signed between August 12, 2011, and May 21, 2015, did not prevent them from communicating concerns about potential violations of law or regulation to the SEC. No remedial revisions to the company’s template severance agreement were required because the company had voluntarily, after commencement of the investigation, removed the reference to “regulators” from the non-disparagement clause and included a more common provision that stated, “In addition, nothing herein prohibits me from communicating, without notice to or approval by NeuStar, with any federal government agency about a potential violation of a federal law or regulation.”

Most recently, in HomeStreet, Inc. (Jan. 19, 2017), certain severance agreements used by the company had contained common waiver language used, in form and substance, by many employers:

This release shall not prohibit Employee from filing a charge with the Equal Employment Opportunity Commission or discussing any matter relevant to Employee’s employment with any government agency with jurisdiction over the Company but shall be considered a waiver of any damages or monetary recovery therefrom [emphasis added].

The SEC previously found that employees might interpret such waivers as applying to the agency’s whistleblower monetary incentive award program and, therefore, would unlawfully impede employees from coming forward to the SEC or reporting potential violations of the securities laws. The SEC reached the same conclusion in this case.

Prior to the investigation, however, the company had voluntarily revised its standard severance agreement to substitute the following:

Employee understands that nothing contained in this Agreement limits Employee’s ability to file a charge or complaint with any federal, state or local government agency or commission (“Government Agencies”). Employee further understands that this Agreement does not limit Employee’s ability to communicate with any Government Agencies or otherwise participate in any investigation or proceeding that may be commenced by any Government Agency including providing documents or other information without notice to the Company. This Agreement does not limit the Employee’s right to receive an award for information provided to any Government Agencies [emphasis added].

Thus, the cease-and-desist order did not require further revisions to the severance agreement because the foregoing language largely tracks revised language that the SEC had required in one of the previous orders issued last summer. Notwithstanding its proactive revisions to its agreements, the company still had to agree to a $500,000 civil penalty and to contact certain former employees who had signed the agreement to provide a link to the order and inform them that severance agreements did not prevent them from reporting information to the SEC or seeking and obtaining a whistleblower award from the SEC.

The NeuStar and HomeStreet orders serve to highlight that, even when a company has revised its agreements voluntarily to comply with Rule 21F-17(a), the SEC may still impose monetary penalties and potentially burdensome and undesirable obligations to contact former employees who have signed problematic separation agreements to inform them that, notwithstanding the money they were paid in conjunction with their separation agreements, they remain free to report any company wrongdoing—real or perceived—to the SEC.

What Employers Should Do Now

Companies wishing to avoid SEC scrutiny should do the following:

  • Review current separation and severance agreement templates to determine whether they are in compliance with Rule 21F-17, which would include a review of provisions such as, among others,
    • future monetary waivers,
    • non-disclosure of confidential information, and
    • non-disparagement clauses.
  • If necessary, work with legal counsel to determine appropriate revisions or “carve-outs” to bring those agreement templates into compliance.
  • Discuss with legal counsel whether to take affirmative steps to remedy past uses of confidentiality or waiver provisions that would be unlawful under the SEC orders.
  • Review other types of confidentiality and waiver agreements with employees, in whatever form they are used, to ensure that those agreements do not similarly violate Rule 21F-17.

A version of this article originally appeared in the Take 5 newsletter “Five Employment Issues Under the New Administration That Financial Services Employers Should Monitor.”

____

[1] See the Epstein Becker Green Act Now Advisory titled “SEC Finds Certain Separation Agreement Provisions Unlawful Under Dodd-Frank Whistleblower Rule” (Aug. 18, 2016).

Twice in the past two weeks, the Securities and Exchange Commission (“SEC” or “Commission”) issued a cease-and-desist order settling proceedings against companies for using confidentiality and waiver of claims provisions in employee separation or severance agreements that violate an SEC rule promulgated after passage of the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank”). The rule in question is designed to encourage and allow whistleblowers to freely disclose information to the SEC without impediments and ensure that they are (and remain) entitled to collect monetary incentive awards if the Commission determines that they are eligible for such awards. In both cases, the companies were required, as part of the settlement of claims without admission of liability, to take affirmative remedial actions and pay fines of hundreds of thousands of dollars as the result of fairly typical language in their separation agreements. In addition, the SEC has signaled that not only will it take action in response to separation agreements that may limit an employee’s ability to communicate with the SEC, but also it will oppose attempts by employers to limit an employee’s right to receive whistleblower incentive awards.


A featured story on Employment Law This Week is the new legislation proposed in Congress that aims to clarify whistleblower policies.

The Whistleblower Augmented Reward and Non-Retaliation Act would expand protections for those who blow the whistle on financial crimes. The bill would also resolve a circuit court split on the definition of “whistleblower,” expanding the scope of the term to specifically include employees who only report violations internally, without filing with the SEC or CFTC. The WARN Act aims to broaden monetary incentives for whistleblowers, and increase the scope of protected activities and prohibited retaliation. Whether or not this bill moves forward, we’re likely to see some movement soon on the circuit conflict it addresses, either by legislation or by the courts.


Businesses of all sizes and in virtually every industry face the daily threat of a data breach or other cybersecurity event, as well as the challenge of managing the potentially catastrophic economic and reputational harm that can flow from such an incident. Further complicating matters is that these threats can come from any number of sources: hackers, phishers, spammers, bot-network operators, spyware and malware authors, insiders, other nations, organized criminal groups, and terrorists. SEC regulations require registered financial institutions—including broker-dealers, investment companies, and investment advisers—to adopt written policies and procedures reasonably designed to ensure the security and confidentiality of customer information and records. In the last few years, the SEC has become increasingly vocal about cybersecurity compliance. For example, SEC Commissioner Luis A. Aguilar, in his speech entitled “Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus,” noted that “boards that choose to ignore, or minimize, the importance of cybersecurity responsibility do so at their own peril.” It should come as no surprise, then, that the SEC recently announced that cybersecurity compliance will be one of its selected examination priorities in 2016. The inspection and examination priorities selected by the SEC “reflect certain practices and products that [the Office of Compliance Inspections and Examinations] perceives to present potentially heightened risk to investors and/or the integrity of the U.S. capital markets.” The recent announcement is a natural continuation of the SEC’s focus on cybersecurity in the financial services industry.

In April 2014, after holding a roundtable discussion with industry representatives, the SEC announced a series of examinations to identify and assess cybersecurity risks and preparedness in the securities industry. In February 2015, the Financial Industry Regulatory Authority (“FINRA”) released a “Report on Cybersecurity Practices.” As FINRA observed, the frequency and sophistication of cyber attacks are increasing, and it is imperative to have fundamental controls in place to manage risk and reduce the threat.

Subsequently, in September 2015, the SEC launched a second initiative to examine the cybersecurity compliance and controls in place at broker-dealers and investment advisory firms. The SEC expressed concern regarding public reports that had identified cybersecurity breaches related to weaknesses in basic data controls. As a result, this second initiative focused on governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident responses.

Shortly thereafter, the SEC announced that a St. Louis-based investment adviser had agreed to settle charges that it failed to establish the required cybersecurity policies and procedures in advance of a breach that compromised the personally identifiable information of approximately 100,000 individuals, including thousands of the firm’s clients. At the time, an SEC representative emphasized that “[a]s we see an increasing barrage of cyber attacks on financial firms, it is important to enforce the safeguards rule even in cases like this when there is no apparent financial harm to clients . . . Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.” Without admitting any wrongdoing, the firm agreed to cease and desist and pay a $75,000 fine.

In the recent statement, the SEC indicated that, to advance the efforts announced last September, the 2016 examinations will be looking at structural risks and trends that may involve multiple firms or entire industries. The examinations will include the testing and assessment of the implementation of procedures and controls at the target companies. Companies subject to the SEC’s jurisdiction are therefore well advised to make cybersecurity and data privacy a priority in their own compliance regimes.

A version of this article originally appeared in the Take 5 newsletter “Five Employment Law Compliance Topics of Interest to Financial Services Industry Employers.”

On February 25, 2016, Congressman Elijah E. Cummings (D-MD) and Senator Tammy Baldwin (D-WI) introduced the Whistleblower Augmented Reward and Nonretaliation Act of 2016 (or WARN Act of 2016). The bill proposes expanded protections for individuals who blow the whistle on financial fraud and securities violations and, if enacted, could have significant implications for financial services employees and employers alike. Specifically, the WARN Act of 2016 aims to strengthen the protections and incentives available to financial crimes whistleblowers by amending the Financial Institutions Anti-Fraud Enforcement Act (“FIAFEA”), Federal Deposit Insurance Act (“FDIA”), Securities and Exchange Act (“SEA”), Commodity Exchange Act (“CEA”), and Sarbanes-Oxley Act (“SOX”).

Under the FIAFEA and FDIA, for example, individuals who report banking fraud can receive awards based on the amount of money recovered as a result of the information they provide. Currently, however, there are monetary caps on these incentive awards. The WARN Act of 2016 would eliminate those caps and permit FIAFEA and FDIA whistleblowers to receive 10 to 30 percent of the total amounts recovered—essentially amending these statutes to include whistleblower “bounty” programs mirroring those under the SEA and CEA created by the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (“Dodd-Frank”).

The WARN Act of 2016 would expand the scope of employee activities protected by the FDIA’s existing anti-whistleblower retaliation provision. It would also add a whistleblower anti-retaliation provision to the FIAFEA entitling covered employees who suffer adverse personnel action for assisting with the prosecution of certain violations (e.g., mail fraud, wire fraud, or bank fraud) to recover full reinstatement, double back pay damages with interest, and litigation costs and attorneys’ fees in a civil lawsuit. The revised FIAFEA would further require the Attorney General to issue regulations compelling covered employers to educate, train, and notify employees, including by posting information on their website homepages, about employee rights and remedies under the statute.

The Act also bolsters the whistleblower anti-retaliation provisions created by the Dodd-Frank amendments to the SEA, CEA, and SOX. For example, the SEA and CEA define the term “whistleblower” to include only those who report suspected violations externally to the SEC or CFTC. Employers have relied on this to argue that the anti-retaliation protections of these statutes do not apply to employees who only report violations internally, and there is currently a circuit court split on the issue. The WARN Act of 2016 would resolve the dispute by eliminating the narrow definitions of “whistleblower” under these statutes, apparently establishing once and for all that employees who only report alleged violations internally, but not to the SEC or CFTC, are covered.

In addition, the proposed legislation would expand the scope of activities protected, and adverse personnel actions prohibited, by the SEA, CEA, and SOX anti-whistleblower retaliation provisions; amend the remedies available under the SEA and CEA anti-retaliation provisions to include compensatory damages and punitive damages of up to $250,000, and those available under the SOX anti-retaliation provision to include double back pay and punitive damages of up to $250,000; and broaden the prohibitions against waiver of any whistleblower rights or remedies under the SEA and CEA (including waivers often contained in standard confidentiality and settlement agreements).

The bill has been referred to the House Committee on Financial Services and the Senate Committee on Banking, Housing, and Urban Affairs for review, and whether it will garner any meaningful support remains to be seen. If it passes, employers will need to provide proper training on the revised regulations, ensure they have comprehensive programs in place for internal reporting and investigation of alleged financial and securities violations and employee retaliation claims, and revisit their confidentiality agreements, settlement agreements, and similar documents to ensure compliance with the Act’s enhanced prohibitions against the waiver of whistleblower rights.

One of the featured stories on Employment Law This Week – Epstein Becker Green’s new video program – is the SEC’s reminder that its bounty program applies to external whistleblowers.

The U.S. Securities and Exchange Commission has awarded $700,000 to a whistleblower who was not employed by the company he exposed. The external whistleblower discovered the issue when he ran a detailed analysis on the company. The agency explained that analysis from “industry experts” is as valuable as insider information. The whistleblower program began after the Dodd-Frank Act was passed and has now yielded $55 million in awards. This latest award raises new questions, including how the SEC will define “industry experts.”


The SEC has become increasingly vigilant and aggressive about what employers say in their confidentiality agreements and the context in which they say it. We previously cautioned employers when FINRA issued a Regulatory Notice cracking down on the use of confidentiality provisions that restrict employees from communicating with FINRA, the SEC, or any other self-regulatory organization or regulatory authority. The SEC has now followed suit in In re KBR, Inc., the SEC’s first-ever enforcement action against a company for using overly restrictive language in one of its confidentiality agreements. (See, e.g., “SEC Declares Open Season on Employee Agreements” (Law 360) (subscription required).)

The Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank”) amended the Securities and Exchange Act to include the whistleblower incentives and protections set forth in Section 21F.  Rule 21F-17 prohibits employers from taking any action to “impede” an employee from communicating with the SEC about a possible securities law violation, including enforcing or threatening to enforce a confidentiality agreement.  The SEC’s Chief of the Office of the Whistleblower, Sean McKessy, previously indicated that his office would be analyzing and looking to bring enforcement actions with respect to severance agreements, confidentiality agreements, and employment agreements that violate Rule 21F-17(a), part of the implementing regulations of the Dodd-Frank whistleblower incentive award program (i.e., the “bounty” program).

Interestingly, the SEC selected a very specific and particular type of agreement for its first publicized action: not a severance, employment, or general confidentiality agreement or policy, but rather an agreement that KBR’s compliance investigators required witnesses interviewed in connection with certain internal investigations to sign, warning them that they could face discipline or be fired if they discussed the substance of the interview with outside parties without prior approval from KBR’s legal department.  KBR had begun using the form agreement at issue prior to the promulgation of Rule 21F-17.

Although there was no evidence that any KBR employees were ever actually prevented from communicating with the SEC pursuant to the confidentiality agreement, or that KBR took any actions to enforce the terms of the agreement, the SEC found that KBR’s use of the confidentiality agreement was unlawful because it improperly restricted employees from communicating with the SEC about the subject of an interview without KBR’s permission, and it undermined the purpose of Section 21F by discouraging employees from reporting possible SEC rules violations through threat of discipline.

KBR has agreed to pay the SEC $130,000 to settle the charges and voluntarily amended its confidentiality statement to expressly provide that it does not preclude employees from reporting possible violations of law or regulations to any government agency or from making other disclosures protected under federal whistleblower laws.  The amended provision also makes clear that employees do not need KBR’s authorization to make such disclosures.

This should serve as a warning that blanket confidentiality provisions that arguably forbid employees from communicating with regulatory agencies, or require pre-approval to do so, unless carefully drafted to comply with Rule 21F-17, may run afoul of federal law.  The SEC is fully committed to prosecuting such violations.  Employers should therefore carefully review, and revise as necessary, all confidentiality agreements they use – whether in stand-alone agreements, employment agreements, separation agreements, or other policies or standards of conduct – so that they too do not become the targets of SEC enforcement actions or other regulatory scrutiny.

Section 953(b) of the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank”) requires certain public companies to disclose how the compensation of the company’s chief executive officer (“CEO”) compares to the compensation of employees generally. The disclosure must include (i) the CEO’s annual total compensation, (ii) the median of the annual total compensation of all employees other than the CEO, and (iii) the ratio of (i) over (ii).

Like many of Dodd-Frank’s requirements, disclosure of the CEO pay ratio was not required until implementing regulations were issued. On September 18, 2013, the U.S. Securities and Exchange Commission (“SEC”) published the applicable proposed regulations.

For more information, see the Client Alert from our Executive Compensation colleagues here.

Michelle Capezza, our colleague at Epstein Becker Green, recently posted a useful summary of the JOBS Act, and we recommend it to our readers in the financial services industry.  See below for an excerpt and link.

On April 5, 2012, President Obama signed into law the Jumpstart Our Business Startups Act, or JOBS Act.  In light of the sharp decline in the number of companies entering the U.S. capital markets through IPOs over the last ten years, Congress recognized a need for this legislation since small companies are critical to economic growth and job creation.  To promote growth and assist small companies in gaining access to capital, the JOBS Act amends the securities laws in several ways . . .

Read the full post on the Technology Company Counselor Blog