The SEC’s First Risk Alert of Fiscal Year 2017 Targets Registrant Rule 21F-17 Compliance
The Securities and Exchange Commission (SEC or Commission) Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert on October 24, 2016, titled “Examining Whistleblower Rule Compliance.” This recent Risk Alert continues the SEC’s aggressive efforts to compel Rule 21F-17 compliance and puts the investment management and broker-dealer industries on formal notice that OCIE intends to scrutinize registrants’ compliance with the whistleblower provisions of the Dodd–Frank Wall Street Reform and Consumer Protection Act (Dodd–Frank). By way of background, Dodd–Frank established a whistleblower protection program to encourage individuals to report possible violations of securities laws. Importantly, in addition to providing whistleblowers with financial incentives, Rule 21F-17 provides that no person may take action to impede a whistleblower from communicating directly with the SEC about potential securities law violations, including by enforcing or threatening to enforce a severance agreement or a confidentiality agreement related to such communications. As discussed in our prior publications, the SEC’s Division of Enforcement (Enforcement) has instituted several settled actions against public companies for violating the “chilling effect” provisions of Rule 21F-17. During the past two months, the SEC has filed two additional settled enforcement actions, as summarized below. Thus, as the SEC embarks on the start of its 2017 fiscal year (FY2017), Rule 21F-17 remains an agency-wide priority, and issuers, investment management firms, and broker-dealers, if they have not done so already, need to take heed and proactively remediate any vulnerabilities that they may have regarding their Rule 21F-17 compliance.
OCIE Alerts Registrants
As described previously, the SEC’s most recent annual report stated that assessing confidentiality terms and language for compliance with Rule 21F-17 was a top priority for fiscal year 2016 and that staff had started the practice of examining company documents for such compliance. Now, less than one month into FY2017, OCIE has formalized this practice and notified the registrant community accordingly.
The Risk Alert spells out how OCIE plans to examine documents for these compliance issues. First, OCIE staff will examine whether any terms that are contained in company documents “(a) purport to limit the types of information that an employee may convey to the Commission or other authorities; and (b) require departing employees to waive their rights to any individual monetary recovery in connection with reporting information to the government.” Second, regarding the books and records to be examined, staff will analyze the following types of documents: compliance manuals; codes of ethics; employment agreements; and severance agreements. Finally, the Risk Alert identifies provisions that may contribute to violations of Rule 21F-17 or may impede employees or former employees from communicating with the Commission, such as provisions that
(a) require an employee to represent that he or she has not assisted in any investigation involving the registrant;
(b) prohibit any and all disclosures of confidential information, without any exception for voluntary communications with the Commission concerning possible securities laws violations;
(c) require an employee to notify and/or obtain consent from the registrant prior to disclosing confidential information, without any exception for voluntary communications with the Commission concerning possible securities laws violations; or
(d) purport to permit disclosures of confidential information only as required by law, without any exception for voluntary communications with the Commission concerning possible securities laws violations.
Since August 16, 2016, the SEC has instituted two additional enforcement actions for violations of Rule 21F-17 based on prohibitions contained in severance agreements. First, in the Health Net, Inc., matter, the relevant violations involved release language in severance agreements that required employees to waive their right to any monetary recovery resulting from participating in a whistleblower program, among other issues. As part of the settlement, Health Net agreed to pay a $340,000 civil penalty and to engage in undertakings similar to those in the prior Rule 21F-17 cases. A review of the SEC’s Rule 21F-17 stand-alone cases reveals that the penalties have increased with each matter and that Health Net paid the largest fine to date. More recently and within a month of OCIE’s Risk Alert, an international beverage conglomerate agreed to pay a civil penalty for violations of Rule 21F-17, among other charges. The Rule 21F-17 violations were related to a liquidated damages provision in the company’s separation agreement that did in fact cause an employee to stop communicating with the SEC until he received a subpoena. In this case, the primary charges involved books and records violations and internal control infractions that arose under the terms of the Foreign Corrupt Practices Act of 1977. Consistent with one other Rule 21F-17 case, the SEC appears to routinely investigate possible Rule 21F-17 violations while investigating other charges.
OCIE’s first Risk Alert of FY2017 puts the investment management and broker-dealer industries on notice that OCIE staff will examine and scrutinize company documents for Rule 21F-17 compliance. More importantly, and not stated in the Risk Alert, when coupled with Enforcement’s ongoing and aggressive interest, this combination indicates that OCIE staff will be looking to refer violations of Rule 21F-17 to their receptive Enforcement colleagues. Thus, investment management and broker-dealer registrants need to be proactive in assessing their risks and in reviewing all agreements, policies and procedures that may create exposure to SEC Rule 21F-17 violations. If there are any potential violations, registrants should then execute a remediation plan. Clearly, this Risk Alert serves as a “notice,” and registrants who fail to act will likely be subjected to an OCIE referral to Enforcement.