Refine Your Compliance Program to Manage Whistleblower and Bounty Risks

CHEAT SHEET

  • Setting structure. Companies should have internal ethics and compliance programs in place to ensure that employees are not violating laws. The more robust the internal compliance program, the less risk that an employee will go outside to report a violation.
  • Promoting compliance. A company can demonstrate its commitment to compliance by educating supervisors to remain approachable and impartial toward employees if and when a complaint should arise.
  • Fear of retaliation. Both the SEC’s whistleblower program and the FCA have explicit legal protections prohibiting retaliation against employees who make external reports. Be mindful of these protections when investigating the claim, especially if the employee also has performance problems.
  • Providing privilege. It is never too early to start thinking about attorney-client and work-product privilege. Also consider what documents exist and how they might be protected.

Agency whistleblower and bounty programs are a reality all companies must acknowledge. While whistleblower programs have a long history, several of them have gained traction in recent years, making it even more important that companies assess the business risks created by those programs, pay special attention to their own internal compliance programs, and find ways to motivate employees to bring concerns forward internally before going to outside parties.

Through the end of 2016, the Securities and Exchange Commission (SEC) whistleblower program received over 18,000 whistleblower tips, with 4,200 of those in 2016 alone. The SEC has awarded US$111 million to whistleblowers since the program’s inception, with more than half of the awards occurring in 2016. Indeed, in 2016, the agency issued six of its largest whistleblower awards ever, in one case awarding the individual tipster US$22 million for bringing what it called “well-hidden fraud” to the SEC’s attention. Likewise, in 2016, whistleblowers filed 702 qui tam lawsuits under the False Claims Act (FCA). The Department of Justice awarded US$519 million to whistleblowers who provided information under the FCA, which entitles insider employees to up to 30 percent of the proceeds the government recovers.

Most of these government programs omit any internal reporting requirement as a condition for any financial reward, providing little, if any, incentive to employees to report misconduct to the company first.5 The financial reward, along with expansive antiretaliation provisions, instead offers alluring incentives for employees to report misconduct outside a company’s internal reporting program.6 In this increasing “bounty” environment, how can companies ensure they have robust internal compliance programs in place that employees will use before (or instead of) ever going to an outside agency?

5 On Feb. 21, 2018, the US Supreme Court issued a decision that Dodd-Frank does not protect employees against retaliation when the employee has made an internal report but has not externally reported to the SEC. Digital Realty Tr., Inc. v. Somers, No. 16-1276, 2018 WL 987345, at *8 (U.S. Feb. 21, 2018). It is unclear how this decision will affect whistleblower behavior, but there is a strong argument that it will discourage employees from making internal reports first, knowing that antiretaliation protections are triggered only by an external report.

6 For a more detailed read on the background of these whistleblower programs and their controversial provisions, see Ashcroft, John; Hanaway, Catherine; and Onate Greim, Claudia L. (2011) “Whistleblowers Cash In, Unwary Corporations Pay,” Hofstra Law Review: Vol. 40: Iss. 2, Article 5.

Minimizing risk with internal reporting structures

All companies should have internal ethics or compliance programs because of the multitude of inherent cultural benefits they instill. For example, strong compliance programs can create a culture where employees feel safe and comfortable, which likewise increases employee retention. Strong compliance programs also promote and protect the company brand, in an environment of heightened scrutiny among customers about company ethics. In addition to those compelling business reasons, companies should have internal ethics and compliance programs to protect themselves from the risk of external reports — i.e., to ensure that — from the inside — the company and its employees are not violating laws. While there are many powerful reasons to implement strong internal compliance programs, the focus of this article is mitigating risk specifically created by external “bounty” programs. In that context, the more robust the internal compliance program, the less risk there is that an employee will go outside first to report a violation or potential violation. A successful internal reporting process should include (1) a written statement of the process, (2) a detailed mechanism for making reports, (3) training for managers to encourage internal reports, (4) a method for evaluating and properly escalating reports, (5) a system for following up on reports over time, and (6) periodic re-evaluation of the program itself.

1. Written statement

A written statement of the reporting structure will typically be contained in a code of conduct, an employee handbook, some form of policy statements, or all of the above. For organizations of any size, a simple code of conduct is typically recommended, outlining the company’s commitment to ethical conduct generally and specifying detailed regulations that apply to that company.

Companies should beware of implementing a generic code of conduct that simply restates employee handbook provisions. Instead, companies should consider keeping the code of conduct separate from the handbook. The code of conduct should focus on big picture compliance concerns with a simple set of guiding principles that provide a compass for employees. Minutiae and more discrete rule statements should be reserved for the employee handbook. If the code of conduct is too cumbersome or bogged down with rules, its purpose can easily be lost. Finally, while it may seem perfunctory to require employees to certify receipt and acknowledgement of the code of conduct and reporting policy, having those signed certifications or an electronic tracking method adds real value in the event the DOJ or state attorneys general ever get involved. To the DOJ and other agencies, the certifications are physical evidence of a culture that emphasizes and insists on compliance.

2. Reporting mechanism

It is not enough to state the company’s commitment to integrity and compliance without a well-defined mechanism for employees to report their concerns. For some companies, it may be enough to provide an internal reporting structure, where employees are invited to bring complaints to their supervisor or human resources. For many companies, a robust internal reporting structure also includes a hotline — sometimes anonymous — that employees can call to make an internal report. To be clear, though, an anonymous hotline should be treated as a “last resort,” when employees are not comfortable reporting concerns to their manager or human resources. Companies create a strong culture of compliance and reporting by first emphasizing that supervisors and management are accessible for all employee concerns and that the company wants to hear and address concerns internally. Companies that add the option of an anonymous hotline typically use outside vendors like EthicsPoint or NavX to administer it. Those vendors offer a well-managed system for intake and tracking, which can be particularly helpful when the volume of calls is higher. Equally helpful is a system that assigns a number to the anonymous caller to allow for a call-back to further investigate the report, which can be difficult to do without a third-party vendor. The best practice for informing employees about reporting procedures is not only to include them in the code of conduct or employee handbook but also to provide basic training to all employees about how and when to make reports.

Additionally, given the financial incentive for employees to go to an outside agency like the SEC and even to sit on information — waiting for the stakes to rise — some companies offer internal “bounties” to encourage internal reporting. We advise against these internal monetary awards, which generally only add to the perverse incentive for employees to create complaints and have not been found to minimize external reporting. Companies that have tried such programs often find them ineffective and then difficult to discontinue.

3. Manager training

Establishing a culture of compliance hinges on training supervisors and managers on how to identify and appropriately handle employee reports. One advantage to a reporting hotline is that it automatically tracks and timestamps all employee reports. On the other hand, when employees go directly to their supervisor or managers — something companies should encourage — you lose the automatic electronic tracking of those reports. Therefore, it is critically important to have well-trained supervisors and managers. Companies should create a tracking system that is not only easy for human resources and compliance experts to update, but also for supervisors and managers to input complaints and reports they receive. Companies must emphasize the importance of keeping accurate records of when complaints are made. Complaints easily get lost in the mix of regular business needs, especially when complaints may not seem particularly serious at the time. Ideally, managers should be trained to track even the most minor complaints, and those issues should be included in a single metric or report that senior management regularly reviews. To promote true compliance, this report provides upper management with the scope of complaints being made and any potential systemic problems that must be addressed.

4. Report evaluation process

In a true culture of compliance, each complaint is acknowledged and an investigation begins as soon as it is reported — and escalated until it is addressed. In most companies, however, it is nearly impossible to give the same attention to every report, and management will have to triage based on available resources. Any criminal or immediate threats must be addressed first — even if it means pushing other, earlier-submitted complaints down the list.

Setting aside threats or reports of criminal activity, all complaints should be addressed as swiftly but also as completely as possible. Even complaints that appear to be minor or baseless should be fully addressed and resolved. It could be that the report just lacks specificity and requires some follow-up, in which case it could evolve into a legitimate complaint. If, on the other hand, it turns out to be truly minor or groundless, an organization’s thorough follow-through with clear documentation will demonstrate a culture of compliance. To the extent the resources are available, it can be more beneficial to err on the side of “over-escalation” for any employee complaints received. However, this depends on the organization’s culture and the performance of a measured analysis to ensure that the company is not giving too much credence to a potentially meritless complaint. The bottom line is that every report must be taken seriously. Companies that fail to do so only increase their risk of an employee making an external report, no matter how groundless the complaint appears on its face.

5. Following up on all reports

An effective reporting program must also include consistent short-term and long-term follow-up. Typically, that includes some kind of immediate communication to the complainant, explaining that the complaint has been received and is being investigated. The panelists all advise against making any promise about the timing or committing to any kind of deadline for resolving the complaint. Instead, simply advise the person it is being handled. At the conclusion of the investigation, the best practice is to reach out to the complainant with a brief conversation to explain that the problem has been resolved and that he or she should report any further problems.

In most cases, it is also beneficial to check in with that person again within the next 30 days to ask if they have any continued concerns and if so to follow through again. These conversations should be documented as well — e.g., with a confirmation email or a note in the investigation file, recording the person’s verification that the issue has been resolved. Another helpful strategy, if the resources are available, is for the supervisor or a human resources representative to calendar regular future conversations with the person, 60 days later, six months later, or even a year later, depending on the circumstances, to check in and inquire about whether the issue remains resolved. Each of these conversations should also be documented. This can be an extremely effective way of staying on top of the concerns and lessening the risk that the person will go to an outside agency to report any ongoing concerns or complaints she or he may have.

At times, complaints can be complicated by a close compatriot of the alleged victim who either makes the initial report or joins in the complaint, showing up for meetings or making phone calls to the company. For example, a spouse may call the company to complain on his partner’s behalf, upset about the stories of harassment she shares with him about work. Your concern is with the employee, and your obligations only directly relate to the employee, but the spouse is understandably involved. How you handle it will depend on the facts and the parties’ personalities. While involving that third party can carry risk, it can be effective to involve them to some degree rather than shutting the person out altogether. If the facts do not warrant involving the third party, consider sending a letter or email thanking them for the feedback and letting them know the issue is being investigated. As with an employee, this kind of contact can go a long way to diminish suspicions that could otherwise lead the person to make an external report about the alleged problem.

6. Periodic program re-evaluation

Finally, any healthy compliance program requires assessment, re-evaluation, and change on a somewhat regular basis. Every company, large and small, has to be prepared to modify its compliance program to account for changes in the workforce, the technology, and the potential concerns being reported. Therefore, companies should review their programs, at a minimum, annually.

Companies should re-evaluate in order to keep the program effective, and then should publicize any changes to all employees. This practice of publicizing the changes will foremost advise them of the changes and, secondarily, will remind employees of the company’s commitment to ethical practices and compliance. As with each element of a successful compliance program, the mechanisms themselves must be effective, but equally important is the perception employees have of the program. Any program that appears stagnant to employees runs the risk of appearing ineffective, which can then quickly lead to external reports.

Promoting a companywide culture of compliance through training and education of supervisors

With supervisors being the face of management to most employees, a company’s compliance program truly is only as good as its mid- and lower-level supervisors. Similar to the training and education needed to ensure supervisors understand and follow the program for receiving complaints, organizations require robust training programs to help supervisors create a general culture of compliance and to identify potential issues even before employees make complaints. A company can demonstrate its commitment to compliance by educating supervisors and managers to be approachable and provide a nonjudgmental place for employees to go. All too often, supervisors are too quick to find whistleblower employees disloyal and disruptive to everyday business, which leads to mistreatment of those employees, although it is often inadvertent. This can create a “hostile work environment” or intimidating culture that dissuades employees from reporting concerns internally and is ripe for retaliation and discrimination complaints. Companies cannot expect supervisors to be instinctively objective about whistleblower employees. Instead, they must proactively train supervisors to step back, acknowledge criticism or complaints, and avoid becoming defensive about potential problems.

Effective methods to educate employees and supervisors include regular emails and newsletters that remind them complaints are not a sign of disloyalty but rather something the organization takes seriously. These emails and newsletters should be appropriate for any employee to see, even if only directed to supervisors. Annual in-person presentations and periodic “town halls” also create a platform for education about identifying complaints and handling them appropriately. As opposed to emails and newsletters, in-person training or town hall meetings allow supervisors to ask questions or to work through hypothetical situations together with management. That kind of regular training is critical to an effective compliance program.

Additionally, even if the education is directed only to supervisors, its existence should be visible to all employees. For example, if your company requires supervisors to participate in an in-person training, publicize it to all employees through a poster or email, making it known that this training is occurring. This is another simple but effective way to communicate the value the organization places on compliance. Another method of educating supervisors on identifying more subtle complaints is through an annual ethics survey. Ask supervisors, or even all employees, to comment on the company’s culture and whether they believe the company cares about doing business in an ethical manner. While there are limits on how much direct information these surveys can garner, their presence is yet another way to communicate to employees that this company prioritizes ethical conduct and compliance. A final tool is the exit interview. Companies should use these interviews to gain insight from exiting employees who are often more willing to share concerns about cultural problems and perceptions of the company’s level of ethics than current employees.

Assessing and addressing retaliation concerns

A growing concern among companies is employee claims of retaliation. This concern stems from the very real rise in retaliation claims being filed, as evidenced by a 78 percent increase in such claims through the Equal Employment Opportunity Commission (EEOC) since 1998 and the recently issued guidance from the EEOC, declaring a more expansive view of what constitutes “protected activity.”7 Similarly, both the SEC’s whistleblower program and the FCA have explicit legal protections prohibiting retaliation against employees who make external reports.

When the reporting person is a current employee, the issues are generally more complex than if you are dealing with a former employee, including the risk of a retaliation claim. One common scenario that raises the risk of a retaliation claim occurs when a whistleblower employee also has performance problems. In those cases, a best practice is to separate investigations of the performance from the investigation of the whistleblower complaint. A natural way to separate is to have human resources investigate the performance problems and use the legal department to investigate the whistleblower report. You may also want to enlist the help of outside counsel to handle the whistleblower report. There are pros and cons to involving outside counsel, which requires a careful analysis. Whether you involve outside counsel or not, keeping human resources out of the whistleblower investigation as much as possible can cut off any possible link between the “protected activity” of whistleblowing and discipline the company issues for performance problems.

Additionally, in some cases, the temptation may be to give the employee some leeway, which then creates the risk that other employees will complain of disparate treatment. Unfortunately, when an employee makes a complaint and has performance problems, the company is forced to walk a fine line. And as with most legal concerns, accurate and thorough documentation is critical. Specifically, an organization must keep detailed records of how it took the complaint seriously and completed a prompt and thorough investigation. Likewise, any discipline must be issued fairly and carefully without any confusion about what policy the employee violated.

7 See EEOC Enforcement Guidance on Retaliation and Related Issues, effective Aug. 29, 2016.

Understanding privilege issues

When it comes to internal investigations, many companies wonder if and when they can claim privilege over the substance of the investigations. It is never too early to start thinking about attorney-client and work product privilege. Once a company receives a report and begins its investigation, it must pay attention to making its inquiry legally focused rather than just factually focused; if outside counsel is not involved in the investigation, we recommend consulting with outside counsel at the outset. Consideration should be given to what documents exist and how they might be protected. In interviews, care must be taken to protect as much information as possible. Organizations can do this by involving outside counsel right away in the interviews, particularly when investigating a whistleblower complaint contemporaneously with a performance investigation. If outside counsel is not involved in the interviews, try not to take verbatim notes of the conversations, but keep the written notes phrased as “mental impressions.” Upjohn warnings, also known as corporate Miranda warnings, make it clear that in-house counsel (or outside counsel representing the company) represent only the company and not the employee. They should be given consistently, but care should be taken not to scare employees with the warnings. The best practice is also to have two people in every interview, as a way to better ensure the accuracy of information without writing down every word that is said.

Most of this information can be voluntarily reported to government agencies, as well, without waiving privilege, but companies should be thinking about this from the start and assuming much of it could be disclosed. Indeed, privilege must be established at every stage of any complaint and investigation to avoid waiving privilege altogether. Even when companies do involve outside counsel, they must consider carefully what information they will or will not publicize, for purposes of future privilege issues.

For example, in a recent lawsuit filed against Baylor University concerning sexual assault reports, the court ordered the attorney-client privilege waived as it related to a massive amount of data, based on investigation summaries the university publicized for public relations purposes, despite the fact the summaries were created with the assistance of outside counsel and much of the underlying data was otherwise protected.8 In another highly publicized case, this time against Uber, which involved trade secrets that former Waymo employees allegedly shared with Uber, the court made clear that Uber could not be selective about what parts of the investigations it withholds while cherry-picking the parts it intends to disclose. One executive’s Fifth Amendment right complicated the controversial internal conversations, but otherwise, the magistrate judge made clear that Uber cannot use the attorney-client privilege as both a shield and a sword.9 When in doubt about what is privileged and whether any or all of the information should be disclosed, consult with outside counsel and tread carefully.

Additionally, international companies should be aware that recent decisions in Europe have held that internal investigations conducted solely by in-house counsel will not be privileged. Keep this in mind when handling any complaints that could eventually be relevant to a European lawsuit or inquiry.

8 See Doe 1 et al. v. Baylor University, 320 F.R.D. 430, 440 (W.D. Tex. 2017).

9 See Waymo LLC v. Uber Technologies, 2017 WL 2485382 (N.D. Cal. June 8, 2017).

Conclusion

Companies have many compelling reasons to implement strong compliance programs, including protection of the brand, business performance, talent retention, and general business culture. One more reason to pay close attention to your internal compliance programs is the increasing “bounty” environment among regulators. Because external complaints can be very public and devastatingly costly for a company, it is worth it to take steps to encourage both internal compliance and internal reporting. Indeed, in light of the risk of external reporting, the investment put toward an effective internal compliance program will truly pay dividends down the road.

Further Reading

In July 2010, Congress passed the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act), which included the creation of the U.S. SEC’s Office of the Whistleblower and the mechanism for incentivizing individuals to report potential or ongoing corporate fraud. The SEC passed a final rule on May 25, 2011, to implement Congress’s Dodd-Frank Act mandate.

2016 Annual Report to Congress on the Dodd-Frank Whistleblower Program.

SEC Press Rel. No. 2016-172, “$22 Million Whistleblower Award for Company Insider Who Helped Uncover Fraud.”

DOJ Press Release, Dec. 14, 2016, “Justice Department Recovers Over $4.7 Billion From False Claims Act Cases in Fiscal Year 2016: Third Highest Annual Recovery in FCA History.”