Posted on: 7/6/2011
Marcia L. Narine, Ryder System Inc
View Latest Articles
Blame Bernie Madoff for what may soon be one of the biggest changes to affect corporate compliance programs in years. Madoff, as you may remember, was accused of stealing almost $65 billion during a Ponzi scheme, which defrauded thousands of investors, pension plans, charities, and retirees. He is currently serving a 150-year sentence in a North Carolina federal prison after pleading guilty to eleven counts of fraud, money laundering, perjury and theft. The Securities and Exchange Commission ("SEC") allegedly ignored numerous reports by whistleblower Harry Markopolos, an independent financial fraud investigator.
After the collapse of the financial markets, President Barack Obama signed the Dodd–Frank Wall Street Reform and Consumer Protection Act ("Dodd-Frank"[1]) into law on July 21, 2010. Section 922 has a whistleblower clause, the so-called "bounty" provision. As a result of the uproar over the Madoff scandal, starting this summer, with some exceptions,[2] employees, ex-employees, vendors, suppliers, agents, and members of the general public, even those outside of the United States, will be eligible for 10-30 percent of the sanctions in excess of $1,000,000 levied by the SEC against companies if the whistleblower provides original substantive information about violations of the federal securities laws including the Foreign Corrupt Practices Act.
Why have hundreds of corporations signed on to letters to the SEC protesting certain provisions of the bill? As of the time of this writing, the SEC does not plan to require employees or others to utilize existing anonymous reporting mechanisms such as hotlines, or go through compliance programs, internal auditors, or independent board members to report the wrongdoing so that the company can conduct an investigation, confirm whether the allegations are indeed corroborated, and voluntarily disclose the findings to the government as recommended under the Federal Sentencing Guidelines for Organizational Defendants, which will be discussed later in this article[3].
Instead, employees can go straight to the SEC to report their suspicions even without alleging that the existing company reporting mechanism is not a viable, functioning, credible or legitimate option.
The Background: Sarbanes Oxley and the False Claims Act
Since 2001, several corporate giants have folded or suffered significant financial and reputational damage after the revelation of fraudulent financial practices. Public outrage over Enron, Worldcom, Tyco, Global Crossing, Qwest, and Adelphia resulted in the Sarbanes Oxley Act of (2002) ("SOX"). SOX contains a number of provisions related to accounting and internal controls and was meant to prevent and detect securities fraud. Two key SOX provisions that arose out of the demise of Anderson Consulting and Enron include Section 802, which provide for up to 20 years imprisonment for destroying documents related to an investigation and Section 806, the civil anti-retaliation provision. Section 1107 of SOX also imposes a potential 10-year prison term for retaliation.
A similar, but older law, the Federal False Claims Act has a much more powerful financial whistleblower incentive. "Qui tam" is a provision that encourages private citizens represented by qui tam counsel to file sealed lawsuits in federal court seeking recovery of government money obtained by fraud or more specifically, false claims, and awards a 15-30 percent recovery to those who expose wrongdoing. The False Claims Act provides a monetary incentive that SOX does not, and many have argued that SOX would be much more effective if SOX whistleblowers had such an incentive. The recently enacted Dodd-Frank legislation intends to close some of those perceived gaps.
The whistleblower community reports that the vast majority of employees who observe wrongdoing do not report it because they fear retaliation or believe that the company will ignore their report. Further, those who do report, do so internally first, and those who report externally are not motivated by monetary incentive.[4] With these factors in mind, here are the top five things your clients should do right now, even before the final regulations are passed.
What Five Steps (at a minimum) Should Your Clients Take to Minimize the Potential Impact of Dodd-Frank?
1. Look at the tone at the top, middle and bottom. Everyone talks about the tone at the top, which typically refers to the messaging from the executive suite to company employees about ethical culture. Equally important, though is what the employees see from the vice presidents, directors, location managers, and supervisors. If their front line managers don't walk the walk and talk the talk, then the messaging from the CEO and a multimillion dollar compliance program mean nothing. If the employees see wrongdoing they won't report it to anyone -- not to their manager and not to the hotline -- because they won't have any loyalty to the company. The SEC and a bounty will look like a much more attractive option.
2. Ensure that your clients have an "effective" compliance program under the Federal Sentencing Guidelines. The Sentencing Guidelines were first enacted in 1985 and then revised in 2004 and again in 2010. They are used by the Department of Justice when making charging, non prosecution and deferred prosecution decisions when corporations commit crimes and by federal district judges when imposing sentences. In fact, the explosion in the number of compliance programs in the United States after 2004 is due in large part to the revision of the Guidelines.[5]
The Guidelines require a company to do the following to ensure mitigation of fines and penalties for corporate crimes:
1. Establish standards and procedures to reduce the likelihood of a violation of the law. Risk assessments conducted by internal and external experts will be more important than ever now.
2. Assign oversight of compliance program to high level individuals such as a compliance and ethics officer.
3. Delegate substantial discretionary authority only to reputable individuals without a propensity to or history of violating the law.
4. Develop position-specific compliance training and communications. One size fits all compliance training or training done only online or in books will no longer be enough. If your clients have overseas operations and use agents, they will be expected to train those agents in their languges especially on the Foreign Corrupt Practices Act.
5. Establish audit and monitoring process. Publicize the anonymous reporting system (including to employees, vendors and the public) and ensure that there is no retaliation.
6. Establish uniform disciplinary action, including against those who failed to detect a violation
7. Take steps to prevent similar offenses and make changes to the compliance program if necessary
The 2010 Revisions added important clarifications. Again, none of these are mandatory but they have significant influence over prosecutors, regulators and judges. Ironically, the SEC's current position allowing whistleblowers to bypass the compliance program squarely contradicts the intent of the new guidelines intended to make it easier for corporations to receive credit from the DOJ for strengthening compliance programs and voluntary disclosing culpability.
1. Ensure that the Chief Compliance Officer reports to the Board or Audit Committee and if s/he reports to the General Counsel that the Compliance Officer has direct and unfettered access and reporting obligations to the Board or appropriate Board Committee.
2. Discover the problem inside the organization rather than outside.
3. After conducting an investigation promptly voluntarily disclose the wrongdoing to the government.
4. Make sure that your client's compliance officer wasn't involved in the violation or willfully ignorant.
3. Train human resources, finance, legal, corporate communications, internal audit, management, the board and appropriate personal on Dodd-Frank.
If whistleblowers choose to take their case to the SEC or to counsel because they believe that their employer has ignored or buried their allegations or retaliated against them, then here is where training can help.
First, key company personnel need to recognize the signs of a complaint. Employees won't necessarily call a hotline or seek out a compliance officer. Instead, they may go to their manager or another supervisor they trust who may not even be in their chain of command. They may not use the words "whistleblower" or "securities fraud." If they say, "I think something's wrong with the accounting or the numbers," "our agent in Pakistan may be bribing the customs officials" or "someone's committing a fraud," people need to know to call the legal department immediately, no matter what they think about the employee's credibility, the materiality of the complaint, or its accuracy. The legal department needs to keep a record of these reports and when appropriate work, with human resources to ensure that the employee won't experience retaliation based upon the complaint, which brings us to the next point.
Your clients need to have bullet proof policies that prohibit retaliation for reporting known or suspected wrongdoing provided that those claims are brought forwarded in good faith, even if those claims are not corroborated. Generally, employees should be disciplined or terminated if they violate clearly established, well documented, consistently followed policies, however, I strongly recommend that your clients work with HR, in house counsel or outside counsel first because the Dodd-Frank legislation as written is ambiguous as to whether legitimate, nondiscriminatory business reasons will suffice for taking adverse action against a whistleblower even under these circumstances.
4. Make sure that your client's document retention, destruction and litigation hold programs are in place. Electronic and paper recordkeeping will be more important than ever as regulators seek every possible record related to a whistleblower's allegations. These records, which could include emails, voicemails, backup tapes, post it notes, videotape, blogs, social media postings, and other nontraditional forms of "data," may go back several years and be located in several jurisdictions in several languages. International data protection regulations may pose additional difficulties so ensure that your clients already have the requisite safe harbor provisions, appropriate intracompany agreements or other necessary protections so that there are no issues with transferring employee or other personally identifiable information across borders when you have a time crunch.
5.Re-evaluate exit interview questions and clauses in releases and severance agreements. Your clients may want to consider asking departing employees whether they have disclosed all instances of violations of company policy or law that they have seen or if they are willing to do so anonymously after they leave via the company reporting mechanisms. Your clients don't need to mention Dodd-Frank or use the word "whistleblower" but they may hear information that they may not have otherwise learned because the employee may not believe they have anything to lose once they are walking out the door.
Similarly, employment counsel may want to consider advising clients to add Dodd-Frank to the long list of claims in the release similar to clauses related to EEOC claims. I recently sat on a panel where both state and federal regulators thought this was "unconscionable." However, counsel should consider the pros and cons of this approach.
The Dodd-Frank regulations will be finalized this summer. The SEC has already received hundreds of tips and investigations have begun.
Now is the time for your clients to ensure that their employees, vendors, customers and members of the public have the confidence in them and won't need to go to the SEC to report wrongdoing. The bounty hunters are coming and the plaintiffs bar is holding seminars preparing to advise them. Are your clients ready?
Marcia Narine served as the Vice President and Deputy General Counsel, as well the Vice President, Global Compliance and Business Standards and Chief Privacy Officer of Ryder System, Inc., a Fortune 500 global transportation and supply chain management solutions company with over 28,000 employees worldwide for eight years until May 1, 2011. She oversaw the company's global compliance, business ethics, privacy, government relations, environmental compliance, Enterprise Risk Management, corporate responsibility, and labor and employment legal programs.
Prior to this role, she spent almost 18 months as the group director of human resources for Ryder's Supply Chain Solutions division. She began her career at Ryder in 1999 as senior counsel focusing on labor and employment.
Before joining Ryder, Ms. Narine was an associate with Morgan, Lewis and Bockius' labor and employment practice in Miami. She has also worked as a commercial litigator with Cleary, Gottlieb, Steen and Hamilton in New York, and as a law clerk to former Justice Marie Garibaldi of the Supreme Court of New Jersey.
Ms. Narine earned her law degree, cum laude from Harvard Law School in 1992, and her bachelors degree, cum laude, in political science and psychology from Columbia University in 1988.
She left corporate life to pursue a career in academia and is currently researching and writing law review articles on compliance, governance and international human rights related to rape as a weapon of war in the Congo. She is also a founding board member of the Footprints Foundation, which is dedicated to improving infant and maternal health and education in the Congo.
[1] The Act includes corporate governance and executive compensation reforms, new rules for credit rating agencies, new registration requirements for hedge fund and private equity fund advisers, heightened regulation of over-the-counter derivatives and asset-backed securities and significantly increased oversight and regulation of banks and other financial institutions. This article focuses only on the whistleblower provision.
[2] Under the law as currently written, some potential whistleblowers won't be eligible including those who are: (1) members of law enforcement, certain regulatory agencies or the Public Accounting Oversight Board; (2) convicted of certain crimes related to the SEC action; (3) privy to the information because they performed legally required audits (4) failed to provide the information to the SEC in the legally required form; or (5) related to an SEC staffer. Legal counsel, compliance officers, auditors and other fiduciaries are also excluded unless the company fails to act within a requisite time frame. The business community continues to advocate that these groups be excluded from eligibility all together. The whistleblower community counters that those fiduciaries are in the best position to expose wrongdoing to the SEC.
[3] The House Financial Services Committee is set to hold hearings on May 11, 2011 to consider revisions proposed by Representative Michael Grimm (R. NY) to the legislation. His proposal would require employees to inform their employers before reporting to the SEC and would allow the SEC to deny bounties to culpable parties even if they were not convicted. Grimm's bill would also prevent plaintiff's attorneys representing whistleblowers from working on a contingency fee basis. The article's author is one of five witnesses testifying at the hearing.
[4] See generally National Whistleblower Center "Impact of the Dodd-Frank Qui Tam Laws on Compliance: A Report and Supplemental Rulemaking to the Staff of the SEC" January 25, 2011.
[5] An Overview of the United States Sentencing Commission Guidelines is available at http://www.ussc.gov/general/USSC_Overview_200906.pdf. The Commission's
guidelines were mandatory for sentencing judges from 1987 until 2005, when the Supreme Court invalidated them, but courts must consider them when sentencing convicted defendants. United States v. Booker, 543 U.S. 220 (2005).