Featured on Employment Law This Week:  The Securities and Exchange Commission (“SEC”) recently issued the largest whistleblower awards under the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank”) in history.

Affirming the payout of over $49 million to two whistleblowers and over $33 million to a third for information that led to successful securities law prosecutions. Dodd-Frank established the whistleblower “bounty” program in 2010, and the SEC reports that it has awarded more than $262 million so far, to 53 whistleblowers.

Watch the segment below and read our recent post.

On March 19, 2018, the SEC issued an Order jointly awarding two whistleblowers more than $49 million, and awarding a third whistleblower more than $33 million, for reporting information to the SEC that led to its successful prosecution of an enforcement action against the perpetrators of securities violations.

In 2010, the Dodd-Frank Act amended the Securities Exchange Act of 1934 to include Section 21F, entitled “Securities Whistleblower Incentives and Protection.” Among other things, Section 21F established a whistleblower “bounty” program that entitles individuals who voluntarily provide the SEC with original information that leads to a successful SEC enforcement action resulting in monetary sanctions greater than $1 million to receive an award of between 10 and 30 percent of the total sanctions collected.

The awards announced earlier this week are the largest awards issued to whistleblowers since the inception of the whistleblower “bounty” program. The previous record was set by a $30 million award in 2014. To date, the SEC has awarded more than $262 million to whistleblowers.

These recent awards are a good reminder that employers must be more diligent and cautious than ever when it comes to securities compliance and investigating internal complaints by would-be whistleblowers, as the awards available to tipsters under the “bounty” program are a tremendous incentive to report to the SEC. This is likely the reason why the program has been steadily gaining traction, with the number of whistleblower tips submitted to the SEC increasing every year since its inception. Indeed, in its last Annual Report to Congress on the Whistleblower Program, the SEC’s Office of the Whistleblower reported that from FY 2012 to FY 2017, the number of whistleblower tips received by the SEC had grown by almost 50 percent.

Featured on Employment Law This Week: Supreme Court: Dodd-Frank Protections Are Limited

Dodd-Frank whistleblower protections are limited – The Supreme Court has ruled that whistleblower protections under the Dodd-Frank Act apply only to those who report violations to the SEC. The Act protects whistleblowers from termination, demotion, and harassment. People who report to the SEC, other regulatory or law enforcement agencies, or to company management are still protected under the 2002 Sarbanes-Oxley Act. Dodd-Frank’s anti-retaliation provision permits whistleblowers to recover double back pay damages – Sarbanes Oxley does not.

Watch the segment below and read our recent post.

On February 21, 2018, the U.S. Supreme Court resolved a circuit split and ruled in Digital Realty Trust, Inc. v. Somers that Dodd-Frank’s anti-whistleblower retaliation provision (15 U.S.C. § 78u–6(h)) does not protect employees who report alleged securities violations only to their employers, and not to the SEC.

Paul Somers (“Somers”), a former Vice President of Portfolio Management for Digital Realty Trust, claimed that his employer violated the whistleblower protections of Dodd-Frank by terminating him in retaliation for complaining to management about suspected securities violations, including the elimination of required internal controls and financial misconduct by his supervisor. Somers never reported the alleged violations to the SEC. Digital Realty Trust therefore moved to dismiss the claim on the ground that Somers was not a “whistleblower” under Dodd-Frank because the statute’s definition of “whistleblower” only covers individuals “who provide . . . information . . . to the [SEC].”

The District Court denied the motion. It held that whether an employee who reports an alleged violation internally, but not to the SEC, qualifies as a whistleblower is ambiguous under Dodd-Frank. Given the apparent ambiguity, the Court deferred to the SEC’s interpretation of the statute set forth in SEC Rule 21F-2, which provides that an individual is a Dodd-Frank “whistleblower” even if he or she only reports internally. The Ninth Circuit Court of Appeals affirmed, joining the Second Circuit’s position on the issue (previously discussed here) and adding to a split with the Fifth Circuit, which had reached the opposite conclusion and held that Dodd-Frank does not protect employees who only report suspected violations internally.

The Supreme Court reversed the Ninth Circuit, however, and finally resolved the split in authority, holding that “Dodd-Frank’s text and purpose leave no doubt that the term ‘whistleblower’ . . . carries the meaning set forth in the section’s definitional provision.” The Supreme Court ruled that because Somers did not provide information to the SEC before his termination, he did not qualify as a “whis­tleblower” at the time of the alleged retaliation and is ineligible to seek relief under Dodd-Frank’s anti-retaliation provision.

The impact of this ruling on the whistleblower landscape remains to be seen. It may reduce the number of frivolous whistleblowers and whistleblower lawsuits since employees might be reluctant to pursue baseless allegations of securities violations if they have to first report them to the SEC before they can invoke Dodd-Frank’s protections against retaliation. Further, employers should take note that the Supreme Court made clear in its decision that an employee who reports misconduct both to the SEC and internally is a protected whistleblower, and can recover under Dodd-Frank’s anti-retaliation provision by proving that the retaliation was the result of the internal whistleblowing, without demonstrating that the retaliation was motivated by the SEC disclosure.

Last August, we reported on two significant cease-and-desist orders issued by the SEC that, for the first time, found certain language in the confidentiality and release provisions of separation agreements to violate the SEC’s Rule 21F-17(a), which precludes anyone from impeding any individual (i.e., a whistleblower) from communicating directly with the agency.[1] Since then, the SEC has continued its aggressive oversight of separation and confidentiality agreements, with substantial repercussions for some employers. These orders, a select number of which we summarize here, have companies engaging in a serious review and rethinking of their confidentiality restrictions and other relevant provisions in their agreements and handbooks, and considering whether and what remedial steps to take proactively to cure any issues with the language in these key documents.

In Anheuser-Busch InBev SA/NV (Sept. 28, 2016), the company entered into a separation agreement in late 2012 with a specific employee after his termination and subsequent mediation of various alleged employment law claims. The separation agreement contained provisions (i) prohibiting the employee from disclosing confidential or proprietary company information, with no carve-out for reporting to government agencies; (ii) prohibiting the employee from disclosing the substance of the separation agreement; and (iii) imposing a $250,000 liquidated damages provision in the event that the employee breached the confidentiality provisions. After signing the agreement, the employee, who had been voluntarily communicating with SEC in connection with an ongoing investigation, ceased doing so.

The cease-and-desist order—which is a negotiated resolution of the matter once the SEC determines that a company has violated its rules or regulations—did not require the company to make any additional changes to its separation agreements because, in September 2015, the company had amended separation agreements to state:

I understand and acknowledge that notwithstanding any other provision of this Agreement, I am not prohibited or in any way restricted from reporting possible violations of law to a governmental agency of entity, and I am not required to inform the Company if I make such reports.

The order required the company to contact only certain former employees identified by the SEC to inform them that they were not prohibited from providing information to the SEC, rather than all employees who had signed separation agreements since the rule was implemented in August 2011, as has been required in other cases. In addition, unlike other cases, it appears that there was no separate monetary penalty against the company for violating Rule 21F-17(a).

In NeuStar, Inc. (Dec. 19, 2016), the company’s severance agreements included a non-disparagement clause with the following language:

Except as specifically authorized in writing by NeuStar or as may be required by law or legal process, I agree not to engage in any communication that disparages, denigrates, maligns or impugns NeuStar . . . including but not limited to communication with . . . regulators (including but not limited to the Securities and Exchange Commission . . .) [emphasis added].

Any breach of this clause by the employee resulted in the required forfeiture of all but $100 of the severance paid under the agreement. The SEC found that “at least one” former employee was impeded by this clause from communicating with the agency—although the SEC does not hesitate to find violations of Rule 21F-17(a) even where there is no evidence that anyone has actually been impeded.

To settle the matter, the company agreed to pay a civil penalty of $180,000 and to contact 246 former employees to inform them that the severance agreements they signed between August 12, 2011, and May 21, 2015, did not prevent them from communicating concerns about potential violations of law or regulation to the SEC. No remedial revisions to the company’s template severance agreement were required because the company had voluntarily, after commencement of the investigation, removed the reference to “regulators” from the non-disparagement clause and included a more common provision that stated, “In addition, nothing herein prohibits me from communicating, without notice to or approval by NeuStar, with any federal government agency about a potential violation of a federal law or regulation.”

Most recently, in HomeStreet, Inc. (Jan. 19, 2017), certain severance agreements used by the company had contained common waiver language used, in form and substance, by many employers:

This release shall not prohibit Employee from filing a charge with the Equal Employment Opportunity Commission or discussing any matter relevant to Employee’s employment with any government agency with jurisdiction over the Company but shall be considered a waiver of any damages or monetary recovery therefrom [emphasis added].

The SEC previously found that employees might interpret such waivers as applying to the agency’s whistleblower monetary incentive award program and, therefore, would unlawfully impede employees from coming forward to the SEC or reporting potential violations of the securities laws. The SEC reached the same conclusion in this case.

Prior to the investigation, however, the company had voluntarily revised its standard severance agreement to substitute the following:

Employee understands that nothing contained in this Agreement limits Employee’s ability to file a charge or complaint with any federal, state or local government agency or commission (“Government Agencies”). Employee further understands that this Agreement does not limit Employee’s ability to communicate with any Government Agencies or otherwise participate in any investigation or proceeding that may be commenced by any Government Agency including providing documents or other information without notice to the Company. This Agreement does not limit the Employee’s right to receive an award for information provided to any Government Agencies [emphasis added].

Thus, the cease-and-desist order did not require further revisions to the severance agreement because the foregoing language largely tracks revised language that the SEC had required in one of the previous orders issued last summer. Notwithstanding its proactive revisions to its agreements, the company still had to agree to a $500,000 civil penalty and to contact certain former employees who had signed the agreement to provide a link to the order and inform them that severance agreements did not prevent them from reporting information to the SEC or seeking and obtaining a whistleblower award from the SEC.

The NeuStar and HomeStreet orders serve to highlight that, even when a company has revised its agreements voluntarily to comply with Rule 21F-17(a), the SEC may still impose monetary penalties and potentially burdensome and undesirable obligations to contact former employees who have signed problematic separation agreements to inform them that, notwithstanding the money they were paid in conjunction with their separation agreements, they remain free to report any company wrongdoing—real or perceived—to the SEC.

What Employers Should Do Now

Companies wishing to avoid SEC scrutiny should do the following:

  • Review current separation and severance agreement templates to determine whether they are in compliance with Rule 21F-17, which would include a review of provisions such as, among others,
    • future monetary waivers,
    • non-disclosure of confidential information, and
    • non-disparagement clauses.
  • If necessary, work with legal counsel to determine appropriate revisions or “carve-outs” to bring those agreement templates into compliance.
  • Discuss with legal counsel whether to take affirmative steps to remedy past uses of confidentiality or waiver provisions that would be unlawful under the SEC orders.
  • Review other types of confidentiality and waiver agreements with employees, in whatever form they are used, to ensure that those agreements do not similarly violate Rule 21F-17.

A version of this article originally appeared in the Take 5 newsletter Five Employment Issues Under the New Administration That Financial Services Employers Should Monitor.”

____

[1] See the Epstein Becker Green Act Now Advisory titled “SEC Finds Certain Separation Agreement Provisions Unlawful Under Dodd-Frank Whistleblower Rule” (Aug. 18, 2016).

A month into the Trump presidency, there have been a number of important statements from the executive branch on the regulation of executive compensation impacting the financial services industry. On February 3, 2017, President Trump issued a statement on the core principles for regulating the U.S. financial system (“Core Principles”). The statement requires the Treasury and all heads of member agencies of the Financial Stability Oversight Council to report within 120 days (by June 3, 2017) all existing laws, treaties, guidance, regulations, etc., that promote the Core Principles, and all such laws, etc., that inhibit the Core Principles. The Core Principles provide some insight into future regulation or repeal efforts by the Trump administration impacting executive compensation.

The Core Principles

The Core Principles include empowering Americans to make independent financial decisions and informed choices in the marketplace, save for retirement, and build individual wealth. This statement appears to favor a more hands-off approach to individual investment decisions. The Core Principles also require regulations that foster economic growth through more rigorous regulatory impact analysis addressing “systemic risk and market failures, such as moral hazard and information asymmetry.” This would presumably require a more extensive review of the regulatory cost of compliance favoring deregulation. However, the focus on systemic risk arising from moral hazard and information asymmetry could impact executive compensation to the extent compensation practices are seen to further individual conduct that could lead to systemic risk. The Core Principles further require regulations to enable American companies to be competitive with foreign firms in domestic and foreign markets and to advance American interests in international financial regulatory negotiations and meetings. The other Core Principles include preventing taxpayer-funded bailouts; making regulations more efficient, effective, and appropriately tailored; and restoring public accountability within federal financial regulatory agencies and rationalizing the regulatory framework, arguably all in favor of deregulation or possibly regulation by stated principles rather than by strict construction.

Potential Impact on Executive Compensation

Based on review of the Core Principles and recent regulatory statements from the Trump administration, including the reduction of two regulations for every one regulation added, the re-proposed rules under Section 956 of Dodd-Frank are not likely to be approved in their final form given the scope and breadth of the regulations. Arguably, these rules would go against the Core Principles favoring deregulation and could inhibit American competitiveness with foreign firms in domestic and foreign markets as to the recruitment and retention of talent. Also, given that the re-proposed regulations were based on international executive compensation standards (particularly, regulatory guidance promulgated in Europe), adopting the re-proposed rules might not be viewed as advancing American interests in international financial regulatory negotiations.

Presumably in furtherance of these Core Principles, on February 6, 2017, the Acting Chairman of the SEC, Michael S. Piwowar, issued a statement requesting comments from the public within the next 45 days (by March 23, 2017) on the challenges that issuers are facing with compliance with the CEO pay ratio disclosure rule under Dodd-Frank. The CEO pay ratio disclosure rule requires public companies to disclose the ratio of the median of the annual total compensation of all employees to the annual total compensation of the CEO. Gathering data to prepare the calculation has been challenging for large employers with a diverse domestic and global workforce, and the ratio itself has been criticized as not providing meaningful information. Based on comments, the SEC Acting Chairman stated that SEC staff will be directed to determine whether additional relief is appropriate. As to the review of other executive compensation provisions under Dodd-Frank that are currently in effect, such as say-on-pay and clawback requirements, they likely will be subject to the overall regulatory review, but their repeal might not be first on the agenda.

The final area of interest is President Trump’s pre-election criticisms of the treatment of carried interests, which generally are tax-favored partnership interests that, when sold, frequently generate profits that are paid to private equity fund managers as compensation. However, that compensation may be taxed at a long-term capital gains rate of 20 percent or less, rather than as ordinary income. Thus far under the new presidency, there have been no official statements in this area, but the discussion of carried interests could become part of the broader tax reform agenda expected from the Trump administration.

This year, financial services organizations can expect a new direction on executive compensation to take shape.

A version of this article originally appeared in the Take 5 newsletter Five Employment Issues Under the New Administration That Financial Services Employers Should Monitor.”

Twice in the past two weeks, the Securities and Exchange Commission (“SEC” or “Commission”) issued a cease-and-desist order settling proceedings against companies for using confidentiality and waiver of claims provisions in employee separation or severance agreements that violate an SEC rule promulgated after passage of the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank”). The rule in question is designed to encourage and allow whistleblowers to freely disclose information to the SEC without impediments and ensure that they are (and remain) entitled to collect monetary incentive awards if the Commission determines that they are eligible for such awards. In both cases, the companies were required, as part of the settlement of claims without admission of liability, to take affirmative remedial actions and pay fines of hundreds of thousands of dollars as the result of fairly typical language in their separation agreements. In addition, the SEC has signaled that not only will it take action in response to separation agreements that may limit an employee’s ability to communicate with the SEC, but also it will oppose attempts by employers to limit an employee’s right to receive whistleblower incentive awards.

To read more, click here for our Act Now Advisory

Businesses of all sizes and in virtually every industry face the daily threat of a data breach or other cybersecurity event, as well as the challenge of managing the potentially catastrophic economic and reputational harm that can flow from such an incident. Further complicating matters is that these threats can come from any number of sources: hackers, phishers, spammers, bot-network operators, spyware and malware authors, insiders, other nations, organized criminal groups, and terrorists. SEC regulations require registered financial institutions—including broker-dealers, investment companies, and investment advisers—to adopt written policies and procedures reasonably designed to ensure the security and confidentiality of customer information and records. In the last few years, the SEC has become increasingly vocal about cybersecurity compliance. For example, SEC Commissioner Luis A. Aguilar, in his speech entitled “Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus,” noted that “boards that choose to ignore, or minimize, the importance of cybersecurity responsibility do so at their own peril.” It should come as no surprise, then, that the SEC recently announced that cybersecurity compliance will be one its selected examination priorities in 2016. The inspection and examination priorities selected by the SEC “reflect certain practices and products that [the Office of Compliance Inspections and Examinations] perceives to present potentially heightened risk to investors and/or the integrity of the U.S. capital markets.” The recent announcement is a natural continuation of the SEC’s focus on cybersecurity in the financial services industry.

In April 2014, after holding a roundtable discussion with industry representatives, the SEC announced a series of examinations to identify and assess cybersecurity risks and preparedness in the securities industry. In February 2015, the Financial Industry Regulatory Authority (“FINRA”) released a “Report on Cybersecurity Practices.” As FINRA observed, the frequency and sophistication of cyber attacks are increasing, and it is imperative to have fundamental controls in place to manage risk and reduce the threat.

Subsequently, in September 2015, the SEC launched a second initiative to examine the cybersecurity compliance and controls in place at broker-dealers and investment advisory firms. The SEC expressed concern regarding public reports that had identified cybersecurity breaches related to weaknesses in basic data controls. As a result, this second initiative focused on governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident responses.

Shortly thereafter, the SEC announced that a St. Louis-based investment adviser had agreed to settle charges that it failed to establish the required cybersecurity policies and procedures in advance of a breach that compromised the personally identifiable information of approximately 100,000 individuals, including thousands of the firm’s clients. At the time, an SEC representative emphasized that “[a]s we see an increasing barrage of cyber attacks on financial firms, it is important to enforce the safeguards rule even in cases like this when there is no apparent financial harm to clients . . . Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.” Without admitting any wrongdoing, the firm agreed to cease and desist and pay a $75,000 fine.

In the recent statement, the SEC indicated that, to advance the efforts announced last September, the 2016 examinations will be looking at structural risks and trends that may involve multiple firms or entire industries. The examinations will include the testing and assessment of the implementation of procedures and controls at the target companies. Companies subject to the SEC’s jurisdiction are therefore well advised to make cybersecurity and data privacy a priority in their own compliance regimes.

A version of this article originally appeared in the Take 5 newsletter “Five Employment Law Compliance Topics of Interest to Financial Services Industry Employers.”

One of the featured stories on Employment Law This Week – Epstein Becker Green’s new video program – is the SEC reminder that their bounty program applies to external whistleblowers.

The U.S. Securities and Exchange Commission has awarded $700,000 to a whistleblower who was not employed by the company he exposed. The external whistleblower discovered the issue when he ran a detailed analysis on the company. The agency explained that analysis from “industry experts” is as valuable as insider information. The whistleblower program began after the Dodd-Frank Act was passed and has now yielded $55 million in awards. This latest award raises new questions, including how the SEC will define “industry experts.”

See below to view the episode or read more about this important decision in an earlier post on this blog.

On September 10, 2015, the Second Circuit Court of Appeals ruled in Berman v. Neo@Ogilvy LLC that an employee who reports an alleged securities violation only to his or her employer, and not to the SEC, is nevertheless covered by the anti-retaliation protections afforded by the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (“Dodd-Frank”).

Berman, a former finance director of Neo@Ogilvy, claimed that his employer and its corporate parent, WPP Group USA, Inc., violated the whistleblower protections of Dodd-Frank by wrongfully terminating him for raising concerns internally about business practices that allegedly constituted accounting fraud.  The companies moved to dismiss the claim, arguing that Berman was not a whistleblower subject to protection under Dodd-Frank because he did not report the alleged violations to the SEC.  The District Court agreed.

In a 2-1 decision, the Second Circuit reversed the District Court’s decision on appeal.  The Court found that the provisions of Dodd-Frank are ambiguous as to whether an employee who reports an alleged violation internally, but not to the SEC, qualifies as a whistleblower.  On the one hand, Section 21F(a)(6) of Dodd-Frank limits the definition of “whistleblower” to include only those individuals who provide information relating to an alleged securities violation to the SEC.  Yet, on the other hand, Section 21F(h)(1)(A) of Dodd-Frank’s retaliation protection provision prohibits retaliation against individuals who make disclosures that are, inter alia, required or protected under the Sarbanes-Oxley Act of 2002 (“SOX”), and SOX protects employees who make internal complaints of suspected securities laws violations without reporting them to outside agencies.

Finding that these were conflicting statutory provisions, the Court deferred to the SEC’s interpretation of the statute, under which an individual is a “whistleblower” if he or she provides information pursuant to Section 21F(h)(1)(A) of Dodd-Frank, which, as explained above, prohibits retaliation against employees for making internal complaints that would be protected by SOX.  Accordingly, the Court held that under SEC Rule 21F-2, “Berman is entitled to pursue Dodd-Frank remedies for alleged retaliation after his report of wrongdoing to his employer, despite not having reported to the Commission before his termination.”

Judge Dennis Jacobs, dissenting, opined that Dodd-Frank is “unambiguous”:  Section 21F(a)(6) is controlling because it defines who is a “whistleblower” under the relevant section of the statute and expressly provides that only those who report to the SEC can qualify.   Judge Jacobs pointed out that Dodd-Frank Section 21F(h)(1)(A), which the majority found creates ambiguity by incorporating protections provided by SOX, does not expand the statutory definition of whistleblower under Dodd-Frank, but instead identifies which acts done by whistleblowers are protected by Dodd-Frank.  In other words, according to Judge Jacobs, Section 21F(h)(1)(A) does not apply to protect a person unless he or she qualifies as a “whistleblower,” as the term is defined by Section 21F(a)(6).  Judge Jacobs criticized the majority for disregarding the plain text of Dodd-Frank’s definition of whistleblower and creating an ambiguity in the statute that does not exist solely to expand the reach of the anti-retaliation provisions of Dodd-Frank.

Notably, the Second Circuit’s decision creates a split in authority with the Fifth Circuit Court of Appeals, which came down the opposite way when faced with the same issue in 2013.  As a result, this issue is almost surely headed to the Supreme Court for resolution. Further, in holding that Dodd-Frank provides a private right of action for those who report violations only internally, the Second Circuit’s decision may lead to significantly more whistleblower retaliation claims in the future because, in comparison to the SOX whistleblower protections, Dodd-Frank offers a much longer statute of limitations, double back pay damages, and no administrative exhaustion requirement.