In this episode Matt Kelly and I discuss the Treasury Department’s recently released A Financial System That Creates Economic Opportunities-Capital Markets report. The report has multiple proposals, including multiple ideas about rolling back Sarbanes-Oxley compliance, especially for smaller public companies. In this podcast, we discuss the three most significant ones for the compliance practitioner.

  1. Exempt more companies from audits of internal financial control. Companies with market cap below $75 million are currently exempt from the SOX 404(b) requirement for an annual outside audit of internal control over financial reporting. The Trump Administration proposes raising that exemption ceiling to $250 million in market cap.
  2. Doubling the lifespan of Emerging Growth Companies. Congress created a new class of public filers in 2012, “emerging growth companies,” that are exempt from numerous corporate governance and compliance rules for the first five years of their lives; the proposal would extend that to 10 years.
  3. Ending “social disclosure rules” required under the Dodd-Frank Act. The Dodd-Frank Act imposed several required disclosures such as the Conflict Minerals Rule, the CEO Pay Ratio Rule, and the Mine Safety Rule.

For more on this subject, see Matt’s blog post Treasury Report Eyes SOX Compliance

In this episode, Matt Kelly and I take a deep dive into the Dodd-Frank and Sarbanes-Oxley reform initiatives in the House of Representatives and as articulated by incoming SEC Chairman Jay Clayton. For more see Matt Kelly’s blog post SEC Chair Clayton Talks Compliance Costs.

Yesterday I considered an article by Ryan Hubbs, entitled “10 Factors Leading to Reporting Mechanism Distrust”, in which he detailed 10 factors leading to hotline distrust. Today I want to pick up on that article with Hubbs’ tips for building a trusted hotline reporting program and culture, talk about the SEC whistleblower program, and conclude with a few thoughts on why experienced, invested counsel is so critical in these.

Organizations implement and maintain trusted hotline programs differently depending on their size, culture, geography, and many other factors, and each must decide how it will construct such a program. Many organizations find benefit in taking the hotline outside, gaining experience, expertise, and the appearance of independence, which can increase employee trust. A smaller organization may not be able to do so. Nevertheless, there are many competent companies that provide hotline services for smaller organizations.

What can you do to help build trust for your reporting system?

  1. Training and awareness. Increased awareness of the program will help build employees’ confidence in it, and organizations should continually strive to help employees know that the hotline reporting program works, why the organization believes in it, who operates it, and why it is a critical part of the culture and the compliance ethos of the company. Organizations should include hotline frequently asked questions and answers in all new-hire and supervisory training.
  2. Ongoing communication. Communication about a hotline reporting program, recent compliance issues, and messages from management should be routine and commonplace. I have talked about putting posters in workrooms and coffee rooms to announce hotlines, but you have to continually communicate it. Think of the example of Louis Sapirman at Dun & Bradstreet, where they are continually communicating via the company’s internal social media program about the hotline.
  3. Accessibility. Information on a hotline reporting program and how to report a concern should be within one click of the organization’s intranet or external website. An organization should communicate program information in as many languages as necessary to provide coverage. Certainly here, the Department of Justice and Securities and Exchange Commission have made clear in the 2012 guidance that local languages must be respected and utilized. Web-based reporting platforms should be available to facilitate anonymous reporting and allow for inclusion of attachments. Conversely, you may have a situation where a large part of your workforce does not have access to a computer. They may be in a country where there is limited internet or, frankly, they may not be trained on computers, so you may be required to maintain other mechanisms as well.
  4. Transparency. Prominently display your organization’s hotline reporting and investigative process, including the expertise and contact information of your trained investigators, what employees should expect, plus the organization’s responsibilities to cooperate and to protect against retaliation. We have talked about anti-retaliation before, but I’m going to emphasize it again because it is so important. You must incorporate the fair process doctrine, you must not retaliate, and you must make clear to your employees that you will not tolerate retaliation.
  5. Proficiency and objectivity. Those who manage the hotline and investigation process should be technically proficient, professional, well trained, and experienced in the handling and reporting of concerns. The organization should also install adequate systems, processes, and technologies to support the investigators and ultimately the employees. This includes in-depth and routine training, I would say no less than annually, for the organization’s investigative, legal, HR, and compliance staff, but you’ve got to get the word out. You have got to have proficiency and objectivity. Prong three of the 2016 Department of Justice pilot program required compliance expertise. You must have that proficiency and it should extend to your investigative staff.
  6. Ongoing assessment. Is your organization assessing your compliance program and your hotline? How do employees currently view the hotline reporting program and corporate culture? Can people get the information to the appropriate disciplines within your organization? Here you can think about Wells Fargo, where there was clear evidence that the culture had failed, yet even with a reporting mechanism in place and use of that mechanism, management did not follow up to determine the issues which led to the company’s catastrophic reputational damage.

Next is an assessment of whether the ethics and hotline policies, procedures, and technology are meeting the needs of the organization and the employees. Here let me emphasize technologies, because I spoke earlier about a situation where an employee does not have access to a computer. What if the employees are out on a drilling rig? Would they have access to a cell phone, or could they report in that manner? Maybe not. They may have to use a computer. You must have the appropriate technology for your diverse workforce.

What about after the report is made? Are your internal investigations and resulting disciplinary actions consistent with the organization’s desired culture of compliance? Here you need to make sure that the actions you have taken really are consistent because employees understand this and they will watch and see what happens. Are independent reviews conducted by internal audit or external professionals with ongoing oversight by an audit committee of the hotline and results? Finally, are complaints and resolutions disclosed to or discussed with external auditors? Are you bringing in outside experts to help you?

All of this is important because of Dodd-Frank and its creation of a Whistleblower program for securities violations, such as the Foreign Corrupt Practices Act (FCPA) for issuers. As of April 2017, the Securities and Exchange Commission (SEC) has made 43 awards of over $153 million to whistleblowers under the Whistleblower program established under Dodd-Frank. This is a direct result of the failure of corporate hotlines. Any regulator will tell you that 95% of all employees attempted to report internally first and they were either rebuffed, retaliated against, or in some other way rejected. The amount of money, fines and penalties, paid out for ignoring whistleblowers, people who report anonymously, is significant.

Finally, as I end this one-month series, I would just like to re-emphasize the need for experienced investigative counsel for serious matters. We recently had a declination issued in the Linde Gas case by the Department of Justice (DOJ), and it really was clear that the counsel used by Linde, in addition to the decision to self-disclose, was a critical factor in Linde getting the superior decision it did, which was a declination to prosecute. The investigation involved a very difficult set of facts, very convoluted, very muddled up over many countries with shell companies, direct companies, and others. You really must have experienced investigative counsel for things that are outside the routine. Having an experienced, seasoned and competent FCPA bar lawyer who could both investigate it and negotiate with the government is very critical going forward.

Three Key Takeaways

  1. Work to engender employee trust.
  2. The SEC Whistleblower program is a huge success and is not going away.
  3. Use experienced investigative counsel for hotline reports of serious wrongdoing.

Today I want to consider some factors which can lead to employees’ distrust of an internal reporting system. Ryan Hubbs wrote an excellent article entitled “10 Factors Leading to Reporting Mechanism Distrust”.

The guidance and mandates for companies on reporting mechanisms are numerous, overlapping and sometimes very broad. There are the US Sentencing Guidelines; regulations under Sarbanes-Oxley (SOX), the Dodd-Frank Act and the 2012 FCPA Guidance. There are international guidelines from the EU, US and London-based stock exchanges, and even the United Nations deems reporting mechanisms a necessary good business practice. Dodd-Frank attempted to strengthen accountability by specifically providing protections for those who come forward as whistleblowers but also allows regulators to respond to misconduct through finding some legal action. While the goal of whistleblowers and reporting mechanisms might be to identify and correct wrongdoing, they do not guarantee success and they do not even guarantee effective and trusting programs.

Trust is a primary factor as to whether an employee will come forward with a concern. Management might try a quick-fix reaction to a messy investigation with more reporting mechanisms, posters or asking a CEO to use compliance training to generally get the word out. Nevertheless, employees view it as a trust issue, and you must have that trust. If an employee chooses not to report and an outside source later discovers misconduct, the organization will certainly be subject to potential financial losses and reputational damage that could have been avoided. If the employee does report, but the culture of trust is lacking or they faced retaliation, up to and including termination, then you have a disgruntled employee who is most likely going to go to the Securities and Exchange Commission.

What are Hubbs’ 10 factors leading to distrust of internal reporting mechanisms? Number one is that employees do not understand the reporting mechanism system. Some of the questions include, “Who answers the reporting mechanism number? Will they know that I filed a reporting mechanism complaint if I do so anonymously? Will they tell my boss that I’ve reported a concern? Where does my complaint go and who reviews it?” Employee doubt and uncertainty can impede an employee’s decision to report a concern. Transparency is also noted to aid trust, making an employee more likely to come forward.

Number two is inadequate reporting mechanism resources and poor reporting program design. Companies can demonstrate their commitment to a reporting mechanism by spending money on well-designed reporting mechanism programs, professionally trained, efficient responders and investigators, fully integrated case management systems and all necessary supporting tools. Anything less will engender employee mistrust.

Number three is the lack of personalization of employee concerns. Utilizing an internal reporting mechanism can be a very personal experience for an employee, as the whistleblower might be a victim or could well have witnessed significant wrongdoing. He or she may view using the reporting mechanism as simply taking a personal chance by coming forward and doing the right thing. This means that if an employee only hears a recorded message or an automated response, they may view the entire program as machine-like and indifferent. Qualified and experienced compliance or investigative professionals, following a predesigned investigative protocol, should immediately follow up on reported concerns. Moreover, concerned employees need support and reassurance that they have done the right thing, that the organization will address their concerns and that they will be protected from retaliation. There should also be a strong written statement against retaliation.

Number four is the improper handling of whistleblower complaints and lack of training of investigators. The mishandling of complaints and poor training on reporting mechanism calls and investigations can cause reporting errors in which the company conducts an inadequate investigation and/or comes to the wrong conclusion. As noted above, an investigative protocol should be coupled with skilled investigators early in the reporting process. Employees who experience mishandled complaints will almost certainly communicate their dissatisfaction to colleagues, and that can certainly destroy reporting mechanism morale.

Number five is the always dicey question of whether management is involved in the reporting mechanism. Local management may get involved early when they may be the problem, or be complicit in allowing concerns to go forward or unaddressed. Local HR professionals might also appear to employees to be closely aligned with management; they also might be inadequately trained and show bias or favoritism. To ensure transparency and objectivity, it is often effective to use a third-party administrator for your reporting mechanism. At the point when a concern becomes part of an investigation, the organization can involve management, including internal audit, compliance, legal and HR, depending on the type of complaint.

Number six is too many reporting mechanisms. Your corporate reporting mechanism should be the primary entry point for all concerns regardless of who reports or how companies identify them. Unfortunately, companies also have avenues such as emails, web portals, writing and of course, in person. These can require companies to struggle to determine who owns the proactive and reactive assessments of reporting and responses. Many companies offer reporting mechanisms just beyond the centralized reporting mechanism, but you should have a professionalized, centralized, clearly articulated program that helps streamline reporting, increase communication and awareness, and decrease confusion to help build trust.

Number seven is that too much emphasis is placed on reports which must be based solely on “credible complaints.” Employees may file fictitious or malicious complaints against companies and colleagues to defend against pending terminations, to get others into trouble or to retaliate for some perceived personal slight. While some companies attempt to reduce meritless complaints by communicating that employees should only report credible or good-faith complaints, others might go a step further by saying employees could be subject to disciplinary action for filing complaints that are not found to be credible. However, these tactics may well deter employees from reporting any concerns.

Number eight is the twin obstacles of negative incidents and retaliation. If I have had one key theme throughout this series on reporting, and indeed, throughout this month of investigations, it is an absolute prohibition against retaliation. Companies must prevent retaliation. When an employee is mistreated for following the organization’s reporting policy, the reporting mechanism can sustain severe damage to its credibility and viability as a safe and secure mechanism. The damage from mismanagement and reprisals, memorialized on the internet and in court records or public documents, can create a devastating, silent do-not-report culture. Companies must communicate that they have zero tolerance for retaliation and deal with any retaliation swiftly and publicly.

Number nine is the problem of inconsistent outcomes. Companies must demonstrate that consistent and fair outcomes are routine, regardless of people, relationships or scenarios. Employees will learn through the grapevine if the organization delivers fair, consistent discipline, regardless of how confidentially an organization hides such outcomes. Of course, if employees view outcomes as fair, they will be more compelled to report concerns. Employees know that inconsistency equals personal risk.

Finally, number 10 is the time-worn adage that actions speak louder than words. Employees critique, judge and evaluate what an organization says about its reporting mechanism program by what it does, rather than what it says. Does it follow policies and procedures as assigned? Does it really have a zero-tolerance policy on retaliation? Are outcomes consistent, fair and appropriate? Does it truly allow employees to report concerns anonymously?

Three Key Takeaways

  1. What are today’s three key takeaways? Well, number one, you must not retaliate. That is probably the biggest destroyer of credibility and trust in a reporting mechanism.
  2. There must be ongoing communications and there must be follow up with the employees who made the anonymous reports.
  3. Celebrate your reporting mechanism. Let employees know that it is acceptable to raise your hand because that is all you are doing at the end of the day, raising your hand. It is incredibly important and it is something that will make your reporting mechanism work much better.




In this episode, Matt Kelly and I take a deep dive into the weeds of the House Financial Services Committee’s soon-to-be-released Financial Choice 2.0 Act. We consider some of the ideas in the legislation which Matt thinks are bad, including:

1. Repeal of Chevron deference.

2. Attempts to clip the SEC’s rulemaking authority.

3. Exempting more companies which desire to go public from SOX 404(b) requirements and reporting.

4. (Matt’s most particular bad idea) The exemption of more filers from XBRL reporting.

We also discuss some of the potential benefits from the legislation and where it may all go in the Senate.

For more see Matt’s blog post House GOP Regulatory Reform Axe, on his site Radical Compliance.