Global Investigations Review - The law and practice of international investigations

The Investigations Review of the Americas 2016

United States: whistleblowers and self-reporting

Jeremy Levin , Kyle Clark and Dan Starck

25 August 2015

Baker Botts LLP

The interrelated questions of how to handle a whistleblower allegation and whether to self-report conduct to the US authorities have long been two of the most challenging problems in the investigations sphere. These questions are proving only more significant and difficult today as the US authorities continue to incentivise and protect whistleblowers, and make great efforts to draw out self-reports. In this climate, it is unsurprising that many continue to take a conservative approach to these problems. Companies often are motivated to take any steps they can to avoid indictment when potentially criminal conduct arises. Separate from penalties themselves, a criminal action against a corporation presents a range of potential collateral consequences, including the possibility of suspension and debarment from government contracting, and increased scrutiny from current and prospective business partners. Yet, at the same time, there is a groundswell towards pushing back on the United States enforcement authorities’ role as prosecutor, judge and jury in corporate criminal matters.

This article focuses on the twin issues of whistleblowing and self-reporting by examining the current landscape around them with a focus on some of the most recent developments, and then by looking at some of the considerations that can help guide decision-making in this arena. It focuses especially on developments since our article last year in The Investigations Review of the Americas.

The current landscape

The current environment is marked by major government initiatives to incentivise and protect whistleblowers, as well as continuing attempts to incentivise voluntary self-reporting, with the promise of more certain, tangible benefits as to the former than the latter. The purpose of these initiatives is obvious – to generate leads from those with knowledge of potential wrongdoing.

SEC’s Whistleblower Program

Prior to passage of the Dodd-Frank Wall Street Reform and Consumer Protection Act in 2010, the United States Securities and Exchange Commission (SEC) offered a limited ‘bounty’ programme for tips related to insider trading, but the programme was not well publicised, received few claims for rewards and was determined by the SEC itself not to have been well designed.1 To remedy those flaws, the Dodd-Frank Act2 created a more muscular programme designed to incentivise reporting potential violations of federal securities laws to the SEC. The SEC created the Office of the Whistleblower to oversee the Dodd-Frank Whistleblower Program, and adopted rules for its implementation.3 The Whistleblower Program features both a potentially lucrative awards programme and strong anti-retaliation provisions.


The Whistleblower Program incentivises reporting by offering monetary awards for information leading to successful enforcement actions. To qualify for an award, a whistleblower must voluntarily provide original information that leads to a successful enforcement action in which the SEC obtains monetary sanctions totalling more than US$1 million, and the information must pertain to violations post-dating the enactment of Dodd-Frank.4 Information is provided ‘voluntarily’ if the individual provides it to the SEC, Department of Justice (DOJ) or other government regulatory or enforcement agency before the individual is asked to provide it.5 To be considered ‘original information’, the tip must be derived from the whistleblower’s independent knowledge or analysis, and must not be in the public domain or known to the SEC.6 A whistleblower qualifies under the regulations if he or she reports to another regulator, or if the whistleblower first reports through the company’s internal compliance systems, as long as the whistleblower also reports to the SEC within 120 days.7

Qualified whistleblowers may be entitled to be paid between 10 and 30 per cent of the amount of monetary sanctions collected by the SEC, or in related actions by the DOJ, by certain defined regulatory bodies, or in state court.8 Awards to eligible whistleblowers can be reduced if the whistleblower was involved in the securities violation, delayed reporting the violation, interfered with the company’s internal investigation and reporting protocols, or otherwise hindered efforts to investigate the violation.9

The SEC posts a notice of covered action for every enforcement action where the final judgment is greater than US$1 million. Individual claimants then have 90 days to apply for the award. The SEC has issued 570 notices of covered action, including 139 in FY 2014.10 From the programme’s inception in 2011, the Commission has granted 14 awards, including nine in FY 2014.11 The SEC was keen to note that this meant there were almost double the whistleblower awards in 2014 as had been issued previously, in total. And it is true that although the raw numbers are not yet overwhelming, the upward trajectory is unmistakable. Moreover, September 2014 saw the largest monetary award to date, a US$30 million award for help uncovering an ongoing fraud that, according to the Commission, ‘would have been very difficult to detect’ absent assistance.12 The recipient of this award was living in a foreign country.13

Several other awards from last year are noteworthy. In August 2014, the Commission awarded US$300,000 to a whistleblower with internal audit responsibilities.14 The Commission noted that the recipient reported the information through internal channels first, but when the company took no action on the information within 120 days, the whistleblower reported the same information to the SEC. The Commission awarded US$1.5 million to a compliance professional under similar circumstances.15 These cases suggest that compliance personnel may indeed be willing whistleblowers, and that the SEC will accept them gladly. The cases also clarify the SEC’s position on a potentially ambiguity concerning when information from those with internal audit or compliance responsibilities must be reported to be deemed ‘original’.16 The Commission does not seem to view the requirement to report within 120 days as applicable to those with internal audit or compliance responsibilities. Rather, those individuals must wait 120 days after reporting the matter internally, and then report it to the SEC. 

In another noteworthy matter, in July 2014, the Commission awarded US$400,000 to a whistleblower who notified the SEC of the alleged violation after being approached by and interacting with a regulatory organisation regarding the same allegation.17 Normally, a report provided under those circumstances is ineligible for an award because the information is not ‘voluntary’ under the plain terms of the statute.18 The Commission’s decision creates some uncertainty going forward about eligibility for awards in similar circumstances, and may have the effect of drawing out more reports from those in a regulatory role. Certainly the Commission (in keeping with the statute) has not shied away from soliciting reports from those who may owe professional duties to their company.

It is not all good news for potential whistleblowers, though.  The SEC has denied whistleblower recovery claims in 19 cases to date,19 giving hopeful whistleblowers a less-than-50 per cent collection record. The most common reasons for denial of an award, according to the SEC, were that the tip lacked original information and that the tip concerned violations predating Dodd-Frank. Other reasons for denial included lack of a successful enforcement action stemming from the information, and outright failure to claim an award. At least one claim was denied for the submission of false claims, and another was denied on the ground that the tip was provided to the Department of Housing and Urban Development and the FBI but not the SEC in the time frame required by the SEC’s rules.20

The current structure includes another incentive for whistleblowers to report quickly: If two whistleblowers provide the same information, only the first is eligible to receive a reward. Multiple whistleblowers may be eligible for a reward based on the same enforcement action, provided their respective information is sufficiently different to be considered ‘original’. The SEC, however, makes that determination. Whistleblowers may justifiably prefer to win the race to report rather than let the SEC decide whether similar information is sufficiently original.

Retaliation and whistleblower protection

A key component of the Whistleblower Program is protection for whistleblowers against retaliation. Section 21F(h) of the Exchange Act prohibits an employer from discharging, demoting, suspending, threatening, harassing, directly or indirectly, or in any other manner discriminating against, a whistleblower in the terms and conditions of employment because of any lawful act done by the whistleblower, including providing information to the Commission.21 Sean McKessy, Chief of the SEC’s Whistleblower Office, has stressed the importance of whistleblower protection:

For whistleblowers to come forward, they must feel assured that they’re protected from retaliation and the law is on their side should it occur. [... The SEC] will continue to exercise [its] anti-retaliation authority in these and other types of situations where a whistleblower is wrongfully targeted for doing the right thing and reporting a possible securities law violation.22

In 2012, the SEC sought and won its first enforcement action based, in part, on retaliation against a whistleblower. James Nordgaard, the head trader of Paradigm Capital Management, a New York-based hedge fund, tipped off the SEC that Paradigm and its owner, Candace King Weir, may have been engaged in prohibited principal transactions by failing to provide meaningful written disclosure to a client regarding conflicts of interest.23 The whistleblower subsequently notified Paradigm that he had reported the potential securities violation to the SEC. In response, Paradigm was found by the SEC to have demoted him from his head trader position to ‘compliance assistant’, stripped him of his supervisory role, stripped him of access to certain internal company systems, and charged him with investigating the very conduct he reported to the SEC. The whistleblower resigned shortly thereafter.24 The Commission brought an enforcement action against the company for the underlying violation and for retaliating against the whistleblower. Ultimately Paradigm and Weir settled for US$2.2 million in disgorgement, prejudgment interest, and penalties, along with a consent order, and Paradigm agreed to retain a compliance consultant.

Despite the SEC’s proactive approach to enforcing anti-retaliation protections, there is some dispute about whether an individual must report to the SEC in order to qualify for those protections in the first place. In the SEC’s view, individuals qualify for protection against retaliation under Dodd-Frank as long as they have a reasonable belief that information provided pertains to a violation of securities law, regardless of whether the information is reported to the SEC, to other agencies, or internally. Several district courts have deferred to the SEC’s definition.25 However, at least one Circuit has taken a different view. In Asadi v GE Energy (USA) LLC,26 the plaintiff alleged that his former employer violated the whistleblower protections of Dodd-Frank by retaliating against him for reporting possible FCPA violations through internal company channels. The Fifth Circuit held that the plaintiff was not a ‘whistleblower’ eligible for protection because he did not provide information directly to the SEC, as required by Dodd-Frank. Although this case dealt specifically with the private right of action arising out of Dodd-Frank anti-retaliation provisions rather than the SEC’s Whistleblower Program, it is potentially significant that the Court refused to defer to the SEC’s more expansive regulation defining who qualifies as a whistleblower.27 Given the uncertainty surrounding when an individual qualifies as a protected whistleblower, an individual may rationally prefer to report to the SEC as a matter of course whenever he or she reports internally.

Confidentiality agreements

In a noteworthy development this year, the Commission came down hard on a company, KBR, for having an employee sign an agreement that precluded him from making a report to the Commission.28 The SEC charged KBR with violating the whistleblower protection rule contained within Dodd-Frank because the company had its employees being interviewed as part of internal investigations sign confidentiality statements, with language warning them not to discuss the matters without outside parties without the prior approval of the company’s legal department. While the SEC found no instances where the company had specifically prevented any employee from communicating with the SEC, the SEC’s Director of Enforcement claimed that ‘KBR potentially discouraged employees from reporting securities violations to us.’29 In concluding the announcement, the Chief of the SEC’s Office of the Whistleblower encouraged all companies to ‘review and amend existing and historical agreements that in word or effect stop their employees from reporting potential violations to the SEC.’30

Criticisms of the Whistleblower Program

The most common criticism of the SEC’s Whistleblower Program is that it short-circuits companies’ internal reporting and compliance mechanisms, turning any allegation of wrongdoing, no matter how insignificant or incredible, into the proverbial ‘federal case’. The SEC contends that there are plenty of incentives for a whistleblower to report in-house first, including a potentially enhanced award, and a greater chance that the whistleblower’s tip will qualify as original information even if the company self-reports. The problem, however, is not just that a whistleblower will report a potential violation to the SEC before reporting in-house. Rather, the problem is that even if a whistleblower reports in-house first, the company has to assume the matter will be reported to the government.31

An example of this dynamic is found in a recent disclosure by FedEx. FedEx received an anonymous tip in December 2013 alleging that its contractors bribed Kenyan officials. The whistleblower also threatened to report the conduct to the DOJ and SEC. In response, FedEx self-reported shortly thereafter and without finding any evidence to substantiate the allegations. FedEx’s General Counsel did state that the tip was ‘similar to another complaint’ under investigation, suggesting that FedEx may have had some basis for crediting the allegation notwithstanding the absence thus far of substantiation developed in its investigation. Still, depending on what lies beneath the surface here, this dynamic is arguably distressing. That an unsubstantiated allegation can lead not only to a presumably costly internal investigation but also to a self-reported government investigation and any additional cost, negative publicity and deeper scrutiny associated therewith, is problematic.

The idea of incentivising whistleblowers with monetary rewards was given a chilly reception in the UK, a close collaborator with the US enforcement agencies on compliance issues in recent years. Two UK agencies commissioned by the Parliamentary Committee on Banking Standards to study whistleblower programmes recently recommended against adoption of a similar programme in the UK. The report noted: ‘There is no empirical evidence to suggest that the US system raises either the number or the quality of whistleblowing disclosures within financial services. Nor do the incentives in the US model appear to improve the protection available to whistleblowers.’32

Incentivising self-reporting

There is no independent legal duty to self-report violations of US law, including the FCPA. However, there are various regulatory obligations that may separately require a disclosure that would, in effect, alert the US enforcement authorities to a potential problem. But even in those instances, companies are still not required to self-report and are never required to share the conclusions of any privileged review. Against this backdrop, the US enforcement authorities (DOJ and SEC) have worked to incentivise self-reporting by offering to exercise regulatory and prosecutorial discretion permitted by US law to impose a lesser penalty, or even no penalty.

Both the SEC and the DOJ have taken great pains to prove the benefits of self-reporting. Numerous DOJ settlements emphasise the credit companies have received for self-reporting, in some cases attempting to quantify it. Indeed, in several FCPA settlements, the DOJ has specifically pointed out that it agreed to fines and penalties significantly below the base level established by the US Sentencing Guidelines range at least in part because the company voluntarily disclosed the violation.33 And the vast majority of reported SEC complaints and consent orders indicate that self-reporting mitigates in favour of a reduced penalty.34

The agencies’ published material also seeks to emphasise the benefits of self-reporting. The SEC’s Enforcement Manual has urged that the benefits of self-reporting may include a reduced penalty, no penalty or a decision not to prosecute in the first place.35 The DOJ and SEC FCPA Guidance places a similarly high premium on self-reporting.36

In addition, the agencies’ leaders continue to tout benefits of self-reporting. Andrew Weissmann, the DOJ’s new Chief of the Criminal Fraud Section, suggested recently that the DOJ is interested in incentivising early reporting to pry companies away from the common strategy of waiting to self-report until late in an investigation or the moment before a whistleblower reports.37 Andrew Ceresney, the Director of the SEC’s Division of Enforcement has recently highlighted the benefits of cooperation, including improved charging decisions, reduction in penalty and less burdensome remedial measures.38 SEC Commission Chair Mary Jo White has emphasised that self-reporting is an important factor in the SEC’s decisions as to whether to pursue an enforcement action and what penalty is appropriate. Specifically, Commissioner White has noted that (i) self-reporting may be appropriate even in cases when a violation is a non-material event that does not require public disclosure; (ii) the decision to cooperate carries more weight if the company makes it early in the investigation; (iii) withholding information can foreclose the possibility of enhanced cooperation credit; and (iv) the SEC is more likely than ever to learn of the misconduct through another channel because of the Whistleblower Program.39

One problem – as is perhaps belied by the constant promotion of self-reporting – is that it remains virtually impossible to predict its benefits. Some of this is simply because any enforcement action is going to be unique and fact-specific. Add to that the highly negotiated nature of any settlement, and it quickly becomes very difficult to concretise any benefit from self-reporting. The costs of self-reporting, however, are easier to imagine. One refrain heard this year from government leadership is the continued need to show the tangible benefits companies receive from self-reporting.40

Another problem is that, while the agencies take great pains to highlight that they do decline cases, and that just because a matter is self-reported does not mean that it will automatically turn into an enforcement action, there is still the perception that such a result is difficult to achieve. Self-reporting is still inviting prosecutors into your company’s business, regardless of how reasonable they might appear.

Finally, note that companies that self-report need to be prepared for the government’s expectations, including that companies provide specific, tangible information that allows the government to prosecute individual employees. In a speech given during the Global Investigations Review ‘FCPA Live’ forum held in New York in September 2014, the Principal Deputy Assistant Attorney General for the DOJ’s Criminal Division, Marshall Miller, warned that
‘[v]oluntary disclosure of corporate misconduct does not constitute true cooperation, if the company avoids identifying the individuals who are criminally responsible. Even the identification of culpable individuals is not true cooperation, if the company fails to locate and provide facts and evidence at their disposal that implicate those individuals.’41 While listeners and readers may well have viewed this pronouncement as reflecting a novel focus, Miller argued that the DOJ has been applying these same principles to criminal cases ‘for decades’, citing generally DOJ’s historical treatment of mafia cooperators.    

A brief survey

Enforcement actions based on whistleblower complaints

The significance of whistleblowing in the enforcement landscape is opaque, largely because whistleblower identities are almost always confidential, because only the largest actions (where the SEC recovers more than US$1 million) prompt a notice of award sufficient even to identify the participation of a whistleblower, and because the SEC has not historically tracked the success of its Whistleblower Program well.42 The numbers may become clearer as the SEC’s Office of the Whistleblower improves its monitoring in the wake of Dodd-Frank.43 Nevertheless, several trends are apparent:

  • Whistleblower complaints outpace enforcement actions. Since the Whistleblower Program’s inception, the SEC received 10,193 whistleblower complaints, including 3,620 in FY 2014.44 During that same time, the SEC brought 2,165 enforcement actions, including 755 in FY 2014.45 Certainly, those numbers do not indicate any link between whistleblower complaints and enforcement actions. But they do suggest that, at minimum, whistleblower complaints are far more common than enforcement actions.
  • Allegations concerning manipulation, corporate disclosures and financials, and offering fraud are the most common whistleblower complaints. Together, these three categories accounted for almost half of all tips since the Whistleblower Program’s inception. However, by far the largest single category of tips was classified by the whistleblower as ‘other’, meaning the allegation did not fit within one of the nine allegation categories listed on the SEC’s whistleblower questionnaire.46
  • Foreign whistleblowers utilise the Whistleblower Program. The SEC received 448 tips from 69 foreign countries in FY 2014 – slightly over 10 per cent of the total number of whistleblower complaints. Most foreign whistleblower complaints originate in Canada, the UK and China. It is not clear that how many of those involved FCPA violations versus other violations of securities laws.
  • The total number of rewards is low. In FY 2014, the SEC posted 139 notices of covered action for eligible awards, meaning only that the SEC’s recovery was large enough to merit an award, not that a whistleblower qualified or even that a whistleblower was involved in the first place. Of those 139 notices in 2014, the SEC issued rewards in nine cases. The SEC has only issued rewards in 14 cases since the Whistleblower Program’s inception.47 Admittedly, the number of rewards sheds no light on the involvement of whistleblowers in enforcement actions that netted less than US$1 million to the SEC, and thus, probably understates the total impact of whistleblowers across the board. Moreover, the upward trend in awards is unmistakable, and is likely to continue as more time has elapsed since the enactment of Dodd-Frank and the Program gains more publicity. But the fact that the SEC determined that whistleblowers qualified in only nine out of 139 cases in FY 2014 suggests that many enforcement actions still do not involve whistleblowers, or that, at least in the view of the Commission, many whistleblowers have little impact on subsequent enforcement actions.

Enforcement action based on self-reporting

No authoritative statistics exist on the frequency of self-reporting or the link between self-reporting and enforcement actions. Whether a company chooses to self-report only becomes public if a company determines that a violation is material and thus requires public disclosure, or if a self-report leads to an enforcement action. As a result, as least some self-reporting may pass unnoticed. However, FCPA enforcement actions provide a useful proxy for self-reporting more generally, both because of the smaller number of enforcement actions and because self-reporting has played a more visible role in FCPA compliance during the past decade. Since 1978, the DOJ and SEC have brought approximately 160 FCPA enforcement actions against companies that resulted in some penalty or fine. Of those, about one-third involved the target company self-reporting, and every single instance of self-reporting occurred after 2000. With the caveats that FCPA enforcement actions constitute just a small fraction of the potential universe of self-reportable securities violations, and that the Whistleblower Program is still in its infancy, this suggests that self-reporting is more likely to lead to an enforcement action than a whistleblower complaint. It is also apparent that self-reporting in FCPA cases has been critical for the government, explaining its continued vigorous promotion by enforcement personnel.

Considerations and problems

Next we discuss some considerations and problems in the whistleblowing and self-reporting area, to help with thinking through decision-making should an issue arise.

Investigating whistleblower complaints

Companies ignore whistleblower complaints at their own peril. Not only do the US enforcement agencies consider a company’s responsiveness to whistleblower complaints when deciding whether to pursue enforcement actions and levy penalties (including in future matters), but a credible internal investigation process may also foreclose external reporting entirely. While some whistleblowers may be primarily interested in the SEC’s potential reward, many report to the SEC after they decide that the company has ignored internal complaints or that they have been a victim of retaliation. Companies must take measures to ensure that the employees are comfortable reporting internally, that there is no retaliation against whistleblowers, and that complaints are investigated in a thorough and timely manner. Companies with transparent, navigable reporting systems and business cultures supportive of internal reporting, are often in a better position to respond to whistleblower complaints before they reach the US enforcement agencies.

Internal investigations, however, can be time-consuming, disruptive and expensive. Responding proportionally to an allegation, and neither over nor under-reacting, is among the most urgent challenges in today’s environment. To help, companies may consider a two-stage process for vetting allegations. Especially where the plausibility of an allegation is not necessarily inherent on its face, the first stage of an investigation may be limited to an interview with the whistleblower or a small set of individuals involved in the alleged misconduct, or some sort of very limited review of records, just to make a preliminary assessment of the plausibility of the claim. If the preliminary assessment suggests that the whistleblower’s complaint is plausible (or at least that the government would think it plausible), then the company would embark on a more robust investigation by engaging outside counsel or in-house investigation specialists, reviewing documents and conducting additional interviews.

It is of course critical that, however the company proceeds with its investigation, it do so expeditiously so that it can make an informed decision regarding self-reporting. While there is no hard and fast guide for when a report becomes ‘stale’, timeliness matters. Of course, whistleblowers may also have an independent incentive to move quickly. In addition to needing to be the first in with the information they possess, they may also need to report the alleged violation to the SEC within 120 days of reporting it internally so as not to become ineligible for a reward.

A thorny issue that may arise in an investigation is a whistleblower complaint that implicates privileged materials. The DC Circuit recently held that the attorney–client privilege applies broadly to documents generated through an internal investigation conducted by legal counsel.48 As a general matter, the SEC does not consider information covered by the attorney–client privilege or information obtained through an internal audit or investigation to be ‘original information’ qualifying a whistleblower for a reward.49 But that exclusion only applies to the privileged communications and materials themselves. Information obtained through the whistleblower’s independent knowledge still qualifies even if it covers the same underlying facts as reflected in the company’s privileged material. Moreover, even if a reward is unavailable, nothing except self-policed ethical rules prevents the SEC or DOJ from considering privileged information, and nothing prevents a whistleblower from claiming protection based on providing privileged information. Courts have different views as to whether and under what circumstances such disclosures waive privilege,50 but a common thread in the analyses is that the disclosures from management,51 or disclosures where a company’s efforts to protect privileged material are lax, support a finding of waiver.52

Traditional waiver analysis thus appears to incentivise robust protection of privileged or otherwise confidential materials including where they are relating to the subject of a whistleblower complaint. However, in light of the SEC’s concern over confidentiality agreements or actions that discourage whistleblowers from reporting, counsel must be careful that assertions of privilege or discussions of privilege and confidentiality are not perceived as an improper suppression of self-reporting.53 The SEC’s focus on the potential conflict between confidentiality agreements and the Whistleblower Program raises the troubling question of whether a company can take steps to protect the confidentiality of any information that reveals a potential securities violation. And perhaps more critically, there is the issue of how the SEC’s reasoning regarding the interplay between confidentiality and whistleblowing implicates privilege. For example, under the letter of the regulation, an attorney who issues Upjohn warnings to potential whistleblowers in an internal investigation containing a request that the discussion be kept confidential to protect the company’s privilege arguably ‘impede[s]’ an individual from reporting. While the SEC is not likely to take such an extreme position, absent greater clarity around the meaning of ‘impede’, companies may have difficulty in knowing how far they are allowed to go in protecting information that they believe to be confidential. At a minimum, companies should review employment agreements, severance agreements, codes of conduct and other confidentiality and non-disparagement agreements to be aware of anything that might be perceived as suppressing whistleblowing.

Whether to self-report an allegation

Much of the discussion surrounding self-reporting presumes the alleged conduct occurred and the company is either determining the breadth of the problem or whether it occurred elsewhere. In those instances, US enforcement authorities stress that they have ever-increasing avenues for discovering the information themselves (eg, whistleblowers, competitors, industry sweeps); and cooperation credit is worth the price of self-reporting. In practice, however, a company is rarely able to confirm an allegation is true without at least commencing an investigation, which takes time. But if a company waits too long for an investigation to unfold, it may lose cooperation credit, or the opportunity for self-reporting may be pre-empted by an external disclosure.

Notwithstanding Andrew Weismann’s recent comments, noted above, self-reporting an unverified allegation (as opposed to a violation uncovered after a thorough investigation) can be costly and unnecessary. Once it becomes aware of a potential violation, an enforcement agency has the sole discretion to expand the scope of an investigation, while the target company must bear all the costs. Even if there is no violation, proving the absence of a violation can be very expensive for the target company. By contrast, the cost to an enforcement agency of requiring additional layers of investigation is near zero where the company offers to conduct the investigation and share its findings as part of its cooperation.

The DOJ and SEC are aware of the problem. Last year, Jeffrey Knox, at the time the Chief of the DOJ’s Fraud Section, suggested that the DOJ is conscious of the potential costs of investigation and that it is striving to limit investigations to the particular violation alleged:

We have to exercise restraint and have a proportionate response to the conduct […] companies are spending too much money on investigations. […] If [companies] think they have a global problem and they want to identify it and solve it, that’s great. But it’s often not at our request. And at times, it can actually be counterproductive to what we’re trying to do.54

Leslie Caldwell, the Assistant Attorney General for the DOJ’s Criminal Division, suggested recently that DOJ is conscious of the potential costs of investigation and that it is striving to limit investigations to the particular violation alleged:

We do not expect you to boil the ocean in conducting our investigation, but in order to receive full credit for cooperation, we do expect you to conduct a thorough, appropriately tailored investigation of the misconduct.55

If the US enforcement agencies adopt a policy encouraging investigations that are proportionate to the alleged violation, this would lower the potential cost of self-reporting as it would reduce the risk of the enforcement authorities asking target companies to investigate further during cooperation sessions, and thereby reduce the risk that investigations spiral out of control. Nevertheless, even if enforcement authorities are more cognisant of the scope of investigations going forward, the incentives structure whereby the target company bears the costs while the enforcement agency dictates the breadth will remain unchanged.

Whether to self-report a violation

If a violation has in fact occurred, the board of directors should decide whether to self-report. The following factors are among those that may influence the decision: (i) the gravity of the violation; (ii) whether the violation will effectively be disclosed through required securities disclosures; (iii) whether the allegation implicates high-level employees or officers; (iv) the outcome of any preliminary investigation; (v) whether the company believes that a whistleblower will report the matter to an enforcement agency or the enforcement agency will likely discover the conduct some other way; (vi) the potential civil and criminal penalties; and (vii) the impact of disclosure on foreign enforcement authorities, stock holders and business relationships.

Note that even if the company does not self-report, it should thoroughly document its investigation in order to demonstrate to an enforcement agency that the investigation was rigorous and credible, and it should act quickly and responsibly to strengthen any weaknesses in controls or policy identified during the course of the review. Indeed, responding vigilantly to an allegation is often more important where a company does not self-report, since its actions will certainly come under scrutiny if the conduct is later detected, or if a similar issue arises at a later date.


  1. US Securities and Exchange Commission Office of Inspector General, ‘Evaluation of the SEC’s Whistleblower Program’, p. V (18 January 2013).
  2. 15 U.S.C. § 78u–6 (2014).
  3. 17 C.F.R. 240.21F-1–240.21F-17.
  4. 240.21F-3.
  5. 240.21F-4(a)
  6. 240.21F-4(b). Attorneys, accountants, and employees and officers whose work touches on internal investigations are normally deemed not to have ‘original’ information and, thus, are ineligible for a reward except in a few defined circumstances. One such circumstance is that they report more than 120 days after the company has notice of the allegation. 240.21F–4(b)(4)(v)(C); 240.21F-4(c).
  7. 240.21F-4(b)(6)(vi). The interrelation between this provision and the provision that certain whistleblowers do not possess ‘original information’ until 120 days after the company has notice is not entirely clear. But a recent award to a whistleblower with internal audit responsibilities suggests the Commission sees no conflict between the two and, when the whistleblower has such responsibilities, he must wait 120 days to report to the Commission. See also infra at p. __.
  8. 240.21F-5.
  9. 240.21F-6(b).
  10. US Securities and Exchange Commission, 2014 Annual Report to Congress on the Dodd-Frank Whistleblower Program, pp. 10, available at (2014 Report).
  11. Id at p. 10.
  12. US Securities and Exchange Commission, Press Release (22 September 2014), available at
  13. See note 10, at p. 10.
  14. Securities and Exchange Commission, Press Release, (29 August 2014), available at
  15. US Securities and Exchange Commission, Press Release, (22 April 2015), available at
  16. See supra at n. 6 and n.7 regarding the potential ambiguity.
  17. Whistleblower Award Proceeding, File No. 2014-8, (31 July 2014) available at
  18. See §240.21F-4(a)(ii).
  19. This number excludes 196 frivolous claims filed by the same person. In May 2014, the Commission denied in masse 143 claims from one  individual and barred him from filing more.  The Commission previously denied 53 claims by the same individual. See Final Order (12 May 2014), available at
  20. See Final Orders of the Commission, last accessed 29 July 2014, available at
  21. 15 U.S.C. § 78u–6 (h) (2014).
  22. US Securities and Exchange Commission, Press Release 2014-118, ‘SEC Charges Hedge Fund Advisor with Conflicted Transactions and Retaliating Against Whistleblower,’ available at
  23. Order Instituting Cease and Desist Proceedings, In the Matter of Paradigm Capital Mgmt, Inc and Candace King Weir, File No. 3-15930, pp. 2, 6 (16 June 2014) available at
  24. Id at 8.
  25. See Ellington v Giacoumakis, Civ. A. No. 13-11791-RGS, 2013 WL 5631046 (D. Mass. 16 October 2013); Genberg v Porter, 11-cv-02434-WYD-MEH, 2013 WL 1222056 (D.Colo 15 March 2013); Kramer v Tran-Lux Corp, No. 3:11-cv-01424, 2012 WL 4444820 (D. Conn. 25 September 2012).
  26. 720 F.3d 620 (5th Cir. 2013).
  27. 17 C.F.R. 240.21F-2(b)(1).
  28. See US Securities and Exchange Commission, Press Release 2015-54, ‘Companies Cannot Stifle Whistleblowers in Confidentiality Agreements’, available at:
  29. Id.
  30. Id.
  31. Indeed, the SEC has become watchful of companies that make any effort to encourage whistleblowers to keep matters confidential within the company. SEC Rules state that ‘no person may take any action to impede an individual from communicating directly with the [SEC] about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement.’ 17 C.F.R. 240.21F-17(a). The Chief of the SEC’s Whistleblower office recently warned that the SEC is ‘actively looking’ at confidentiality or similar agreements that condition receipt of a benefit on not reporting potential violations. See Brian Mahoney, SEC Warns In-House Attys Against Whistleblower Contracts, LAW360 (14 March 2014),
  32. Financial Conduct Authority, ‘Financial Incentives for Whistleblowers,’ p. 7 (31 July 2014).
  33. US v Pride, Int’l, Cr. No. 10–766, Deferred Prosecution Agreement, paragraphs 6, 8–9 (4 November 2010) (approving downward departure greater than 50 per cent); US v Control Components Inc, SA Cr. No. 09-162, Plea Agreement paragraphs 13–16 (22 July 2009) (approving downward departure greater than 30 per cent); US v Latin Node Inc, Cr. No. 09-20239, Government’s Sentencing Memorandum, pp. 4–5 (3 April 2009) (approving downward departure greater than 50 per cent); see also Note, Sarah Marberg, ‘Promises of Leniency: Whether Companies Should Self-Disclose Violations of the Foreign Corrupt Practices Act,’ 45 V and. J. Transnat’l. Law 557, 583–84 (June 2012).
  34. SEC v Orthofix, Complaint paragraph 22 (10 July 2012); US v Orthofix Int’l, NV, Deferred Prosecution Agreement paragraph 4 (10 July 2010); SEC Non-Prosecution Agreement with Ralph Lauren, paragraph 11 (22 April 2013); SEC Litigation Release No. 22450, ‘SEC Charges Oracle Corporation with FCPA Violations Related to Secret Side Funds in India’ (16 August 2012).
  35. Securities and Exchange Commission Enforcement Manual, § 6.1.2 at 121 (9 October 2013).
  36. See Criminal Division of the US Department of Justice and the Enforcement Division of the US Securities and Exchange Commission, ‘FCPA: A Resource Guide to the US Foreign Corrupt Practices Act,’ p. 54 (November 2012).
  37. Adam Dobrik, ‘We’ll Improve Incentives for Early Self-Disclosure, Says DOJ Fraud Chief’, GIR (4 June 2015).
  38. Remarks of Andrew Ceresney, The SEC’s Cooperation Program: Reflections on Five Years of Experience, (13 May 2015), available at
  39. Mary Jo White, ‘A Few Things Directors Should Know About the SEC,’ (23 June 2014), available at
  40. See, eg ‘American Conference Institute’s 31st International Conference on the Foreign Corrupt Practices Act’, (November 19, 2014), available at
  41. Marshall L Miller, ‘Global Investigation Review Program,’ (September 17, 2014), available at; see also Dobrik, ‘We’ll Improve Incentives for Early Self-Disclosure, Says DOJ Fraud Chief,’ GIR (4 June 2015); Remarks of Andrew Ceresney, The SEC’s Cooperation Program: Reflections on Five Years of Experience, (13 May 2015) available at
  42. See 2014 Report at p. 17.
  43. See id.
  44. Id. at p. 8.
  45. Year-By-Year SEC Enforcement Statistics, available at
  46. See note 10, at p. 29. The nine reportable categories are manipulation, offering fraud, corporate disclosures and financials, insider trading, trading and pricing, FCPA, unregistered offerings, market event, municipal securities and public pension, and other. Some whistleblower complaints leave the allegation category blank.
  47. Id. at pp. 10, 13.
  48. In re Kellogg Brown & Root, Inc, 2014 U.S. App. LEXIS 12115 (D.C. Cir. 27 June 2014).
  49. 17 C.F.R. 240.21F-4(b)(4).
  50. Resolution Trust Corp v Dean, 813 F. Supp. 1426 (D. Ariz. 1993).
  51. Commodity Futures Trading Comm’n v Weintraub, 471 U.S. 343, 348-49 (1985).
  52. Maldonado. New Jersey by & through the Admin. Office of the Courts-Prob. Div., 225 F.R.D. 120, 127-32 (D.N.J. 2004); Lois Sportswear v Levi Strauss, 104 F.R.D. 103 (S.D.N.Y. 1985).
  53. See supra at p. 2.
  54. Wall Street Journal Report, CFO Network, ‘Foreign Corruption: Do the Penalties Exceed the Crime,’ C10 (24 June 2014).
  55. Leslie R Caldwell, ‘American Conference Institute’s 31st International Conference on the Foreign Corrupt Practices Act’, (19 November 2014), available at:

Previous Chapter:United States: handling internal investigations

Next Chapter:United States: white-collar crime defence