Responsibility to tell. Responsibility not to. Allegiances to a company, to yourself, to your family, to the public. Any whistleblower, from the CFO down to the front-line operations employee, may feel tugged in a few directions. Looking back, it’s easy to question the choices whistleblowers make; whistleblowers may eventually doubt their actions themselves.
Sherron Watkins, the well-known whistleblower and former vice president of corporate development at energy and commodities company Enron, for instance, chose to alert the firm’s CEO of accounting irregularities through an internal memo, rather than go to regulators. That memo only went public during a Congressional investigation of the firm, and some questioned Watkins’ choice to report the suspected fraud internally.
Brad Birkenfeld, the banker whose tips lead several U.S. agencies to an investigation of Swiss bank UBS, also first blew the whistle to his company first, but then worked with regulators when his warnings were ignored. He wound up serving a prison term.
The truth is many whistleblowers wind up financially ruined, in prison, or ostracized in their field or industry. The outcome often depends on how they blew the whistle.
A whistleblower’s choices — to either report perceived fraud to the firm or to a regulator, or perhaps to do nothing — may be on the minds of CFOs and their employees more now. At the beginning of October, the Securities and Exchange Commission awarded its largest whistleblower payment ever. It will pay about $14 million to a whistleblower whose information helped the agency recover “substantial investor funds,” an award that could be the beginning of a wave of payouts because more employees (even high-net-worth ones) may be inclined to come forward.
While the prospect of a big payday may persuade executives to run to regulators with fraud claims, that’s not always the wisest way to go about reporting corporate malfeasance. Certainly, many companies would prefer a whistleblower take a different route. But divulging misconduct internally has its risks.
Keeping It In the Family
Some experts, including Daniel Westman, an employment lawyer at Morrison & Foerster, say employees should feel a responsibility to report fraud internally before going to a regulator. “The best thing that any individual can do is to avail themselves of whatever mechanisms the institution has to raise the problem before it spins out of control,” Westman says. The purpose of whistleblowing is to “prevent or minimize illegal activities,” he says. “Whistleblowing is a means to that end, but in and of itself, it’s not an absolute good.”
Westman says any rational, ethical company will want to fix the reported problem. But Westman’s view may be colored by the decade he spent representing companies in the nuclear energy industry. “They took whistleblower concerns about safety extremely seriously,” he says. “They’re heavily regulated by the Nuclear Regulatory Commission, subject to scrutiny by all kinds of public interests groups and the media, so the last thing they wanted was a legitimate safety concern,” says Westman. The fastest way to stop a nuclear energy safety problem would be to tell the company immediately, Westman says.
Not true in all industries or companies, however. For good, logical reasons, whistleblowers may fear retaliation from an employer. But Westman says there are now many legal protections for whistleblowers, including statutes and case law doctrines, that didn’t exist several decades ago. “The classic fear of whistleblowers that they’ll get fired and have no remedy is much rarer today,” he says.
Still, there are no guarantees. Reuben Guttman, a director at Grant & Eisenhofer who represents whistleblowers in the pharmaceutical industry, strongly disagrees with the idea that whistleblowers should feel compelled to report internally before going to a regulator.
“It’s not black and white like that,” Guttman says. “If the wrongdoing is pervasive, internal compliance programs are not going to be helpful.”
At UBS, for example, Birkenfeld notified the head of the U.S. wealth management group in Geneva, then the Geneva head of compliance and the chief legal officer. After receiving no response, he sent the document to the UBS head of compliance. It wasn’t until two years later, after Birkenfeld left UBS, that a new letter to the bank’s top executives prompted an internal investigation.
Indeed, Guttman says, while it might be possible to go to the internal compliance department at a smaller company, that approach will not be as effective at a large one. “There’s a distinction between somebody stealing from the cash register at a big-box store, where it’s going to be more productive to report on a local manager, versus a situation where the employee reports on a scheme that benefits the highest levels of a company,” he says.
A case can be made, however, that the opposite is true. Reporting fraud internally at a smaller company might be risky, Westman says, because the firm may not have an anonymous reporting hotline. On the other hand, he says, employees at large public companies have few excuses to report outside first, because the Sarbanes-Oxley Act requires public firms to create anonymous fraud reporting channels. “Most companies that have given any thought to internal compliance have multiple means for people to raise concerns so they can preserve their anonymity,” Westman points out.
But fraud-reporting channels are not foolproof. If there are only a few people privy to wrongdoing at a company, it would be easy to determine who reported the fraud even if the whistleblower used an anonymous hotline.
Reporting to Regulators
So should whistleblowers notify regulators first? In most cases, yes, to prevent the conduct from happening again, says Guttman. “Is the information that you’re surfacing something that regulators absolutely need to know about? Is there a concern that the company may deal with it and cover it up?” Guttman asks.
For example, if a pharmaceutical company is lying about the integrity of its drug trials in China, a whistleblower “would absolutely want to consider going directly to the Food and Drug Administration or the SEC, because that not only involves potential securities fraud but also affects public health,” Guttman says.
Many companies are not able to police themselves. “In this country, we believe in due process,” Guttman notes. “One of the fundamental tenets of due process is the proposition that conflict-of-interest taints objective investigation and decision making. When the highest levels of a corporation are benefiting from the wrongdoing or the wrongdoing is pervasive, it’s impossible for the corporation to investigate itself.”
Potential whistleblowers, then, have to ask themselves whether their companies can objectively investigate the allegations, Guttman says.“If it’s about investigating someone who is doing damage to the corporation versus the corporation’s own conduct,” then maybe they can, he says. “But it’s not plausible to ask an entity to investigate itself when the fraud is pervasive, because it has a conflict,” he says.
Going to a regulator about potential fraud at a public company is not an extreme reaction, Guttman argues. “When a company is publicly traded, it’s subjecting itself to oversight. You’re taking information in a very channeled and controlled way and giving it to the SEC, which has an interest in protecting the owners of the company and those who seek to be, or those who invest in the company through debt.”
While there is a place for internal compliance, “a black-and-white rule that says you should always go to internal compliance first is not appropriate,” Guttman says. Indeed, the SEC recognized that nuance in their whistleblower regulations, allowing employees to report fraud to the commission even if they hadn’t gone to their company first.
But whatever they do, employees should not report fraud to the media first, Westman counsels. “The law of whistleblowing is pretty clear cut — if an employee goes straight to the media rather than to the company or to law enforcement, the activity is not protected [from employer retaliation].”
The Legal Responsibility
What about not reporting the misconduct or fraud at all? Despite legal protections, people whose instinct is self preservation might view it as their best option. It’s difficult to make blanket statements about a whistleblower’s ethical or moral responsibility, Westman says. “For better or worse, the law is not always predicated on morals. It’s far safer ground to talk about what the legal duty of an individual is and whether or not the conduct they engage in is protected legally.”
An employee’s legal responsibility can vary, depending on where a company is located, says John Carney, partner and co-chair of the white collar defense and corporate investigations group at BakerHostetler. A company’s employee ethics policy or by-laws may encourage a worker to bring allegations of fraud to the compliance department before going to a regulator. But there is no federal law requiring that an employee report internally first. In fact, they’re not responsible to report fraud at all, unless their silence would somehow assist in the illegal conduct, says Carney.
Companies, on the other hand, “have the duties that they’ve always had: to their shareholders, to their employees, to their creditors,” Carney says. “The big difference here is that corporations are now operating in a different environment. Their employees are being paid by the government to come forward with information that might pertain to possible wrongdoing by the corporation or some of its officers,” Carney says. Companies have to take potential problems more seriously and address them more quickly, he says.
Along with anonymous internal compliance systems, senior management should make clear statements that they will not retaliate against whistleblowers. If that message is communicated consistently and the company backs up words with deeds, “the talk around the water cooler will be that they protect the people that come forward,” Carney says.
Companies owe it to their shareholders, stakeholders, and employees to set this tone, experts say, because there are many cases of “false positives” — situations where a worker believes he sees fraud but is wrong.
“You don’t want to have whistleblowers in a division of the company say ‘Ah look, our books and records aren’t right; I’m going to go to the SEC,’ when they don’t understand that what’s being reported to shareholders is perfectly fine,” Carney says. “That’s a losing situation for a whistleblower to be in where they’re making a complaint that isn’t going to be backed up” and for the company to have to deal with a an SEC or Department of Justice investigation over something that’s not true.
Management might also consider setting up an internal reward system, especially if they give awards to employees who try to improve accountability or reporting inside a corporation, he says. “That same whistleblower could say ‘I have a concern that the division’s financials are stated a certain way. Wouldn’t it be better that they be stated on both division levels as well as on a consolidated basis’?” Carney says.
When it comes down to it, Westman says, employees ought to feel a responsibility to divulge fraud, one way or another. “My very simple way of looking at it is that it is the duty of every citizen to speak out when they see wrongdoing, even if it is in the company where you work,” he says. “Perhaps the Enrons, the WorldComs and the major scandals might have been avoided had that ethic been followed.”
On the other hand, potential whistleblowers need to approach each situation with their eyes wide open: a big award from the SEC is tempting, but the whistleblower may be sacrificing their livelihood and potentially a whole lot more.
This story originally appeared in the CFO Tablet Edition.