Recent Whistleblower Activity Increases Pressure on Internal Reporting and Investigation Mechanisms


By: Gary Giampetruzzi, Corinne Lammers, Josh Christensen, Jessica Montes, and Marlyse Vieira


Recent federal whistleblower awards and enforcement actions arising under statutes that incentivize and protect whistleblowers are warning signals to companies of the need to evaluate the robustness of their internal reporting and investigation mechanisms and the extent to which they have instilled a “speak up” culture.

Whistleblower Statistics and Trends

As recent statistics illustrate, monetary awards offered to encourage whistleblowing are very effective tools for the Securities and Exchange Commission (“SEC”) and Department of Justice (“DOJ”).

Under Section 922 of the Dodd-Frank Act and the SEC Whistleblower Protection Rules (the “Rules”), if a whistleblower tip leads to an SEC enforcement action, the whistleblower can be awarded 10 to 30% of the monetary sanction. From the SEC whistleblower program’s inception in 2011 through FY 2020, the agency awarded approximately $562M to 106 whistleblowers. FY 2021 then saw a record number of awards, with $564M awarded to 108 whistleblowers. FY 2022 was second highest, with the SEC granting $229M to 103 whistleblowers. In May 2023, the SEC granted its largest-ever individual award of $579M to a whistleblower, reportedly stemming from Ericsson’s $1.1B settlement to resolve claims that the telecommunications company violated the Foreign Corrupt Practices Act.

With the DOJ, incentives for whistleblower activity commonly arise under the federal False Claims Act (“FCA”), which contains qui tam provisions that permit private citizens to file suits on behalf of the government and earn up to 30% of the recovery. In FY 2022, whistleblowers filed 652 qui tam suits, leading to the DOJ’s recovery of over $1.8 billion, an increase from 598 qui tam suits in 2021.

Whistleblower Awards to Compliance and Audit Officers

Whistleblower awards by the SEC and DOJ to company compliance or internal audit personnel are also increasing. This is particularly significant in the SEC context, as SEC whistleblower rules generally prohibit awards for compliance and audit officers unless certain requirements are met under Section 21F-4 of the Securities Exchange Act. The exceptions generally swallow the rule.

As examples, in April 2022, the SEC awarded $450,000 to a compliance professional who waited over 120 days to contact the SEC after reporting internally. In December 2020, the SEC awarded about $300,000 to a compliance professional because the whistleblower had a reasonable basis to believe the entity engaging in misconduct would impede the agency’s investigation.

The DOJ has also awarded amounts to compliance officers turned whistleblowers under the FCA. For example, in 2020, Merit Medical’s former chief compliance officer received $2.65 million from the government’s recovery of $18 million under the FCA for Merit’s alleged kickbacks to healthcare providers to boost sales. In his qui tam complaint, the whistleblower claimed that he reported the allegations internally, but that management gave the concerns only “token respect.”

Recent SEC Enforcement Activity Related to Prospective Whistleblower Activity

In addition to incentivizing whistleblower activity, the Rules include various provisions to protect whistleblowers. In recent years, there has been an increase in the SEC’s use of a particular provision, Rule 21F-17, to protect against activity that the SEC perceives as impeding prospective whistleblower activity. Rule 21F-17 provides the following: “No person may take any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement . . . with respect to such communications.”

Enforcement actions for breaches of Rule 21F-17 have picked up since the Trump administration, signaling renewed focus on enforcement in this area.

In 2022 and 2023, the SEC settled cases following alleged willful violations of Rule 21F-17. One action addressed a company’s use of employee confidentiality agreements to restrict employees from disclosing confidential company information to third parties without written approval. Another involved the retaliatory firing and revocation of an employee’s computer access after that employee internally raised concerns of securities law violations.

Enforcement under Rule 21F-17 indicates that company policies, agreements, and trainings that might be designed to achieve seemingly innocuous objectives, such as ensuring internal whistleblowing or protecting confidential information, may be criticized if the SEC can argue that the tone and language of such materials undermine the goal of encouraging whistleblower reports.

Key Takeaways

The risks presented by not adequately addressing internal whistleblower complaints are far-reaching. Employees may resort to reporting issues to the media—presenting potential reputational damage—or to regulatory authorities, leading to investigations and enforcement actions.

Therefore, companies should encourage employees to raise issues by developing robust reporting mechanisms and investigation procedures. Employees who believe that their employer takes concerns seriously and appropriately remediates problems are more likely to report their concerns.

Companies should periodically review and assess their reporting and investigations dockets to confirm that employees regularly utilize reporting mechanisms, such as hotlines, and that formal investigations are being appropriately conducted. Companies should not minimize the significance of an underutilized hotline based upon perceptions that employees prefer to speak up in informal settings or that management is fully aware of potential issues. If the docket contains little to no activity, companies should take additional steps to ensure that employees are familiar and comfortable with their reporting systems. Similarly, a limited investigation flow may indicate a misperception in management that investigations are disruptive and fail to add value. In such cases, companies need to establish clear expectations regarding investigation processes and documentation. In doing so, companies create the record necessary to drive insights from investigation findings and trends and to further increase employee confidence in reporting. Building such confidence lessens the risk that employees feel the need to externally report concerns.

Companies can undertake a number of steps to foster an environment where employees are more likely to report misconduct internally:

  • Obtain periodic assessments of their risk profile and compliance program effectiveness as it relates to monitoring, reporting, and investigations.
  • Periodically evaluate and retrain middle management on appropriate responses to reporting and retaliation.
  • Ensure thorough and timely follow-up on all whistleblower complaints.
  • Foster an internal culture of compliance, ethics, and support for internal reporting.
  • Disseminate materials regarding proper avenues for reporting unethical behavior.