Whistleblower Protection Blog : Whistleblower Lawyer & Attorney : National Whistleblower Legal Defense and Education Fund : Whistleblower Protection, Fraud Claims : Washington DC

3. PwC Survey Shows Increased CCO Independence

According to the 2012 PricewaterhouseCoopers State of Compliance study, the number of CCOs reporting to GCs fell by 6 percent—to 35 percent from 41 percent—in the prior year. CCOs reporting to CEOs held steady at 32 percent. This is momentum in the right direction and is consistent with the 2010 amendments to the Federal Sentencing Guidelines, which favor “direct reporting obligations” to the board or its independent committee. According to Keith Darcy, the ECOA’s executive director, “A clear, unfiltered CCO voice in the C-suite is key to a robust program. Without independence, a CCO is mere window-dressing and false security for the board."

4. Madoff’s Brother and CCO Pleads Guilty to Fraud, Gets 10-Year Sentence

Did you know that Ponzi scheme king Bernie Madoff’s brother Peter was also the firm’s chief compliance officer? Oh yeah, I’m not making that up. He’s in jail now, serving a 10-year sentence. Lack of independence is rarely this obvious, but it is incumbent on boards and management to recognize empowerment and independence issues in all their nuanced appearances. Note to the Securities and Exchange Commission: Please add “the CCO is the CEO’s brother” to your list of red flags. And add “independence” to the list of CCO requirements. Thank you.

5. Joint DOJ/SEC FCPA Resource Guide on Adequate Autonomy for CCO (and Incentives)

The widely anticipated Foreign Corrupt Practices Act Resource Guide, issued jointly by the DOJ and SEC, may not have broken new ground—but for CCOs it validated many best practices already in place in the field (ahem, use of incentives in programs- ahem) and also expressly tracked the language of the 2010 OECD Good Practice Guidance on Internal Controls, Ethics, and Compliance, which noted that the CCO must have “adequate autonomy from management” in order to do the job. The Justice Department has been using this language in individual FCPA settlement agreements since 2010, going beyond the letter of the current Federal Sentencing Guidelines for Organizations.

6. Big Milestones for the C&E Profession

In 2012, the Ethics and Compliance Officer Association, the first industry association for C&E professionals, marked its 20th anniversary—a significant milestone for the profession. Also this year, the Society of Corporate Compliance and Ethics, an industry association that traces its founding to 2002, earned its 3,000th member, making it the largest cross-industry compliance and ethics organization, and its annual meeting attracted over 1,000 attendees for the first time. In addition, the SCCE’s sister organization, the Health Care Compliance Association, passed the 8,000-member mark. These important milestones signal the vitality, increased profile, and continued growth of the rapidly evolving profession.

7. HSBC Settlement Agreement Elevates and Empowers CCO

I would make the DOJ settlement agreement with HSBC (for widespread anti money-laundering violations and failure to maintain any semblance of a compliance program) required 2013 reading for boards, if I had that power. The case is notable for many reasons, but CCOs will recognize all manner of glaring missteps in how the firm positioned and structured its compliance function. HSBC has now “elevated” its CCO by separating compliance from the legal function, adding resources, fixing the line-of-sight, and creating levels of independence. And one more thing I’ve never seen before: the CCO was expressly raised to the level of the top 50 employees of the firm. Now that’s what I call a seat at the table. As SCCE CEO Roy Snell said “The real question is, will industry give independence to the compliance officer before the government mandates independence through regulatory action as they have with auditors.” Time will tell.

8. Enforcers Tally a Record $9 Billion in Corporate Settlement Agreements, Warn Boards and Management

As Joe Warin of Gibson Dunn puts it, the “B word”—corporate settlements levied by federal enforcers with totals in the billions—are almost the “new norm.” The 2012 total of $9 billion dwarfs the previous 2006 high of $3 billion. With 35 NPAs and DPAs in 2012, across a broad spectrum of industries, CCOs have significant new input to add to the existing guidance for compliance programs, many of which include positioning, structure, and resources of the compliance function. As Gibson Dunn advised its clients: “Make no mistake: while not formally labeled as such, DOJ and other regulators appear to be promulgating compliance guidance for various industries through the remedial requirements included in the DPAs and NPAs used to resolve real-world cases.” In 2012, officials made a number of public statements and speeches urging boards and management to “elevate the role of compliance” by supporting their CCOs with “adequate resources, independence, standing, and authority” to be effective. Boards and management should take heed.

9. Greg Smith’s Very Public Goldman Sachs Resignation, General Services Adminstration, et al—It’s the Culture, Stupid

In 2012, organizational culture hit the headlines. Greg Smith wrote about it in his spectacular “take-this-job-and-shove-it” New York Times op-ed (key word: “muppets”). And social media was abuzz over photos of Jeff Neely, the former head of the General Services Administration, in a taxpayer-funded hot tub with two glasses of wine at the ready. And don’t get me started on those wild and crazy Secret Service parties in South America. The 2012 RAND Symposium report also zeroed in on this “missing link” in its examination of compliance programs at a crossroads. Of course this is all preaching to the CCO choir.

10. The Year of the Corporate Whistleblower

By the end of 2012, it was clearly the year of the corporate whistleblower on a number of fronts. False Claims Act recoveries totaled over $9 billion, more than double the previous year, including the largest health care fraud settlement in history—a $3 billion settlement paid by British drug maker GlaxoSmithKline. After a slow start to its 2007 whistleblower program, the Internal Revenue Service also paid out at least two eye-popping bounties, including $104 million to former UBS banker Bradley Birkenfeld. Companies continue to scramble to respond to the new Dodd-Frank whistleblower program, which provides a direct line to the SEC for allegations of fraud, and a potential bounty of 10 to 30 percent for penalties collected over $1 million. With 3,001 whistleblower tips in its first year and its first bounty paid in 2012 (and reportedly many more in the pipeline), the new Dodd-Frank whistleblower program is now officially alive and kicking. With so much at stake, companies that fail to empower their CCOs could pay a steep price.

And there you have it. After the chief compliance officer was named 2011 Person of the Year by former federal prosecutor Michael Volkov, who recognized the CCO as the “unsung hero” of the corporate workplace, CCOs made strides in 2012. And that’s a good thing, with 2013 promising to be no less fraught with peril for the overseer of the company compliance and ethics program. As Machiavelli wrote, “There is nothing more difficult to take in hand, more perilous to conduct, or more uncertain in its success, than to take the lead in the introduction of a new order of things."

Donna Boehme is an internationally recognized authority and practitioner in the field of organizational compliance and ethics, designing and managing compliance and ethics solutions within the U.S. and worldwide. As principal of Compliance Strategists LLC, Boehme is the former group compliance and ethics officer for two leading multinationals and currently advises a wide spectrum of private, public, governmental, academic, and nonprofit entities through her NJ-based consulting firm.

UNDENIABLE TRUTH NO. 2

Whistleblower bounty programs help create a level playing field. Without these programs, the deck is always stacked against the mere mortal employee or regulator slaving away in the trenches trying to unravel the facts. The large, well-resourced financial institution holds all the cards (and the data). But the introduction of large financial rewards creates incentives for others, such as plaintiffs law firms (or in some cases, hedge funds investing in a whistleblower case for a percentage of the bounty), to support a whistleblower and thus even the score. Harry Markopolos is, no doubt, well versed in Undeniable Truth No. 2 [PDF].

UNDENIABLE TRUTH NO. 3

Sometimes it takes a thief to catch a thief. Who better to unravel the mysteries of complex business misconduct than a whistleblower steeped in the nuances, tricks, and practices of the fraudulent scheme? Wal-Mart’s alleged massive Mexican bribery scheme, which was splashed across the headlines earlier this year, wasn’t uncovered by a regulator or a compliance officer, but by the ex-Wal-Mart executive who for years was allegedly at the center of the bribery-palooza. See Undeniable Truth No. 1.

Ultimately, all whistleblower bounty cases, whether under the False Claims Act, Dodd-Frank, or IRS programs, are a form of “whistleblower arbitrage.” If companies do not seriously root out misconduct through their internal compliance programs, then someone else probably will. However unpalatable the whistleblower, and however ridiculously large and undeserved the bounty may appear, misconduct left on the table will likely be disclosed for profit. Sometimes a very, very big profit. Time will tell whether that becomes Undeniable Truth No. 4.

Reprinted with permission from the September 20, 2012 edition of Corporate Counsel© 2012 ALM media Properties, LLC. All rights reserved. Further duplication without permission is prohibited. For information, contact 877-257-3382 or reprints@alm.com or visit www.almreprints.com .

Retaliation is a company felony because it works like a cancer on the culture of the organization. It is the opposite of transparency and accountability. It not only punishes those trying to do the right thing, but broadcasts a clear message to others around them that “this is what happens to those who get out of line.” Employees are nothing if not observant to every nuance of their supervisor’s words and action. Every act of direct or indirect retaliation reverberates in the halls and around the water cooler 100 times more loudly than any CEO letter touting integrity. When a company leader retaliates, whatever advances have been made in the “balloons and barbeques” stage of the program in that part of the organization vanish like the wind, and are replaced by fear and blame.

Retaliation is a cancer that also acts like a communicable disease. A leader who sets the tone of fear and retaliation can often count on others within the team to help reinforce the group dynamic against the disfavored team member. [1]   The disease can also move from team to team and spread throughout other areas of the organization, crushing out competing efforts to encourage transparency, accountability and ethical culture. Role modeling can be a powerful force for either good or evil.

At a recent RAND Symposium on ethical culture, David Gebler, author of “The Three Power Values” made some insightful observations about organizational culture, including leadership actions that must be mobilized to stop the slippery slope of bad culture before it becomes the norm. On the flip side, retaliation is a leadership action that actually hastens the slippery slope and enables misconduct, because it fosters fear, silence and acquiescence. That’s the lesson of Enron & WorldCom 101.

One question I ask when evaluating company programs is “How many times have you fired someone for retaliation?” You’d be surprised how many companies have never found an act of retaliation within their ranks, or alternatively, actually fired a manager for the offense. Workplace retaliation isn’t always spelled out in black and white as an outright dismissal or demotion. That would be easy. Often, it manifests more indirectly, such as exclusion from important meetings or discussions, change of workload, lack of cooperation, social ostracism and malicious gossip. These are harder to pinpoint and requires a committed management that condemns it and the vigilance of trained HR, legal and compliance personnel – factors missing in many organizations.

Another useful question is “What is your implementation plan for monitoring and enforcing the nonretaliation policy?” Organizations that are serious about compliance and ethics not only make retaliation a major offense, but actually have protocols and mechanics in place to ensure team leaders understand and comply. Do managers believe they will be disciplined for retaliation against a team member? Do investigators routinely warn supervisors during investigations that the team may be audited for retaliation? How carefully does the company enforce a “need to know” list? Is there a retaliation monitoring program? [2]  Again, the answer to these questions is often …. crickets.

All this suggests that boards and senior management who are quick to proclaim the ethical culture of the company as their priority should pay much closer attention to seeking out and punishing retaliation as the number one force undermining that lofty goal. Retaliation is a company felony and should be treated accordingly, with swift and consistent public punishment for the perpetrators, no matter how senior. That’s also reason #487 why the chief compliance officer and her team must have the independence, positioning and empowerment to address retaliation wherever and however it manifests, and to otherwise implement and oversee the critical elements of an effective compliance program. [3]

A true ethical culture reflects the better instincts of company leadership, and retaliation does the opposite. One way or another, retaliation must be met with purpose and vigor, and eradicated.

[1] See my related column on an ATF official’s warning to agency employees to “respect the chain of command.” 

[2] Vicki Sweeney, partner-in-charge of KPMG’s ethics and compliance group, has developed a leading edge retaliation monitoring program. 

[3] See RAND Symposium on “Perspectives of Chief Ethics and Compliance Officers on the Detection and Prevention of Corporate Misdeeds” (2009) and “From Enron to Madoff: Why Most Corporate Compliance and Ethics Programs are Positioned for Failure” (2009)
 

A veteran ATF agent who spoke on condition of anonymity for fear of reprisal (hmmmm.........) confirmed that he and his colleagues interpreted the message to mean they would be punished, with vigour, for going outside the ATF agency chain of command to report concerns. Whistleblower advocates immediately decried the video as “chilling” “Orwellian” and “intimidating.” Because that’s the very function of those outside resources, so that employees who do not feel safe raising concerns internally (and after this video, that number just rose to 100%) without fear of retaliation. Given ATF’s important mission, as with any national security watchdog, this is squarely in the public interest.

You would think that in the aftermath of the seriously botched ATF Fast and Furious gun-walking operation (where, inexplicably, two whistleblowers who testified to Congress have been placed under the supervision of the same manager who has vowed to retaliate against them - infamously remarking "ATF needs to f**k these guys."), the embattled agency would be trying to turn over a new leaf. But change is hard.

Just as damning is the agency’s idea of damage control. The explanation: Director Jones was simply trying to address complaints from ATF employees wondering why agents who previously went outside the chain of command hadn’t been punished. That tells you all you need to know about the current ATF culture and to a great extent, prevailing culture within many government agencies (I’m looking at you, FDA) [1] – an uncontrollable urge to squash like a bug anyone with the temerity to tell the truth about bad acts, whether internal or external. A quick review of the treatment of whistleblowers in government agencies with embedded “command and control” tells a familiar story: TSA, FAA, CIA, FBI- all have a long unsettling history of whistleblower retaliation.

The nonprofit Rutgers Center for Government Compliance and Ethics believes that this troubling pattern is further evidence that government agencies should take a page from the private sector by moving beyond the policing function of the inspector general, and establish proactive compliance and ethics programs that would hold government officials and employees to the same standards expected from those companies that they regulate and oversee. So far, only the FBI has gone down this road, and even though it has further work to do, it is to be commended for doing so.[2]

In the meantime we are left with this revealing “accidental” moment of truth about ATF culture that should be of enormous concern to a citizenry relying on this troubled agency to discharge a critical security role in a dangerous and uncertain time for our nation.

[1] Currently in the news: a wide-ranging surveillance program by the Federal Drug Administration against a group of scientists who raised concerns about the safety of medical imaging devices. http://www.nytimes.com/2012/07/17/us/politics/inquiry-sought-of-extensive-fda-surveillance.html

[2] November 2011 Report of the Department of Justice Inspector General on the FBI compliance and ethics program http://www.justice.gov/oig/reports/2011/e1201.pdf

• All internal reporting systems are not created equal.

Why would a widespread bribery scheme, reportedly well-known to Wal-Mart employees and managers in Mexico, fail to be detected and raised to the highest governing authority through existing reporting mechanisms?    We now know that the whistleblower first notified the legal department through email.  But what about all the other employees “in the know” in Mexico and elsewhere in Wal-Mart? Did none of them trust the internal mechanisms enough to raise the alarm? Or if they did, what happened?  And where was the chief compliance officer?  So far it is alleged that the 2005 complaint was “hushed up” by the General Counsel and senior execs, and never made it to the boardroom. That’s alarming indeed, but not surprising.

Creating and maintaining an internal reporting system requires a lot more than hiring a third party vendor, turning on the phone lines and hanging posters.  Yet I continue to be amazed by the number of Boards and senior management teams who live with a false sense of security simply because they have a hotline or other employee reporting mechanism in place.  (See my open letter to boards on this point.)  Beyond the initial set-up, companies that are serious about compliance establish and enforce strict protocols for managing internal reports from initial intake to final consequences, whether discipline or process improvement.  And this is where the rubber meets the road, as powerful company forces often resist the very processes required for an objective, independent investigation.  As I have written elsewhere, Wal-Mart is Exhibit A, B and C for an independent chief compliance officer (i.e. not beholden to the General Counsel or any other corporate officer) who can oversee, among other things, the integrity of the investigation and the overall internal reporting system.  See “The Real ‘Happy Marriage’ Between the GC and the Compliance Officer.”  An independent CCO with a seat at the table would have been a cautionary voice in the exec decision-making process, and would have had direct, unfiltered access to report the matter to the board. If I were asked to advise a friend or a family member on how to raise a concern, I would recommend that they look carefully at the independence and rigor of a compliance program and internal reporting mechanism before ever pulling the trigger internally.
 

• How a company reacts to internal whistleblowers is a good barometer of corporate culture.

That the Wal-Mart whistleblower tip may have been “whitewashed” in an allegedly sham investigation, underscores one of the prime reasons employees consistently give for not reporting perceived misconduct:  the belief that nothing will be done. 

Forget codes of conduct, training, CEO speeches and awards for “most ethical company in the universe.”  If you really want a good barometer of a company’s culture, and the priority it places on accountability, transparency and ethical leadership, look no further than how internal whistleblower reports are treated.  This is tough business for organizations because the natural human reaction to whistleblowers is usually “seek and destroy.”  As in:“I’m all for openness and transparency and for blowing the whistle on wrongdoing.  Except if the guy is on my team, and then he’s a no good traitor.”   The enormous challenge for companies is how to turn this human knee-jerk response into a safe, transparent environment where internal reporting is valued (and not merely tolerated) and tips are expeditiously, confidentially and professionally investigated.  Potential whistleblowers are nothing if not observant.  Just as they notice misconduct, they also see what happens to those around them who raise their hands.  According to the New York Times, after finding the company’s initial interest in his complaint fade away, the Wal-Mart whistleblower said “I thought nobody cares about this.  So I left it behind.”  How companies react when whistleblowers come forward drives the organizational culture in a direct and lasting way.
 

• Wal-Mart, Dodd Frank aftermath and the Grimm Act:  Another bite at the apple?

How Wal-Mart botched the internal whistleblower’s claim is an ironic postscript to the 2011 Dodd Frank whistleblower debate.  

Not too long ago, a long list of veritable who’s who in Corporate America, led by the Chamber of Commerce (of which Wal-Mart is a prominent member), lobbied hard against the then-pending Dodd Frank whistleblower rules,  in particular against the provision that permitted employees to go directly to the SEC without reporting internally first.  The main objection was that the potentially enormous rewards (10-30% of penalties over $1M) would incentivize employees to bypass internal reporting systems,  undermine company compliance programs and otherwise cause the sky to fall.  See “The Sky Has Not Yet Fallen.”  In a smart balancing act,  the SEC rejected those objections, but created incentives to encourage internal reporting.  Now one year later,  that same corporate lobby is attempting another bite at the apple through Grimm Act (House Bill 2483), which would amend the Dodd-Frank whistleblower rules in a second attempt to require internal reporting as a condition to access to the law’s protections and financial rewards. 

The Wal-Mart headlines should give legislators considering the Grimm Act serious pause.  One of the disconnects in this debate has always been the divergent views on the effectiveness of internal reporting systems.  As noted in a 2011 RAND Symposium report on the topic, the corporate lobbyists based their arguments on the premise that these reporting mechanisms were working just fine, thank you very much,  and that Dodd-Frank was going to ruin years, even decades, of all that good work. In stark contrast, whistleblower advocates argued that many internal reporting programs might look good on paper, but in reality are so flawed that they fail in their mission.  Judging by reports so far, Wal-Mart could well be the poster child for the latter view. 

It will be worth revisiting this list of takeaways as more details reach the public domain.  At a minimum, the impact of the Wal-Mart spectacle on current efforts to curtail both the Dodd-Frank whistleblower rules and the Foreign Corrupt Practices Act will be interesting to follow. But for now,  it’s safe to say that companies may have a lot more work to do on their internal reporting systems,  and the controls surrounding investigations and reporting up the chain, before crying “the sky is falling”  about the Dodd Frank whistleblower program.  

For context, the NWC had submitted the qui tam study to the SEC in December 2010 during the heated debate about the proposed whistleblower rules (which did not require reporters to raise their concerns internally first). At the time, the Chamber of Commerce and a list of big name companies, GE included, had vigorously argued that allowing whistleblowers to go directly to the SEC was a very bad, no good, terrible idea, because of the undermining impact it would have on internal compliance programs.

The alarmists feared that the rules would create an army of mercenary employees, lured by the promise of big bounties, to bypass internal reporting systems. A few commentators (myself included) wrote back then that the “the sky is falling” approach was probably hyperbolic. The SEC did the wise thing and declared that whistleblowers would be protected and potentially rewarded for raising their concerns through any channels – internal or external. And so far, it seems the flood of internal bounty hunters hasn’t exactly materialized. Based upon Mr. McKessy’s comment, it appears that Dodd-Frank whistleblowers actually do try to report internally first. Where it gets interesting is what often happens to them when they do that. 

Enter the case of GE’s former Iraq country head, Khaled Asadi, who in the summer of 2010 reported to his supervisor that GE officials had hired an Iraqi official’s relative (“to curry favor” during an electrical bid process), as a potential FCPA violation. In fact, Mr. Asadi did what the entire Chamber of Commerce posse (and presumably the GE Code of Conduct) wanted him to do - he reported internally. So it’s all good, right? Well, not exactly. Mr. Asadi has filed a retaliation suit against GE, seeking Dodd Frank whistleblower protections, because evidently, GE did not care much for the internal report, thank you very much. Mr. Asadi says that after filing his complaint with the GE ombudsperson, he was “pressured to step down” from a role he held since 2006, given an "extremely negative and troubling performance review," and then fired - all before he even thought to proceed with the next step of reporting to the SEC. 

So what’s the message here? The story is still unfolding but this much I know: it is a cold, cruel, perilous world out there for internal whistleblowers. And my hypocrisy radar is starting to beep. Because after all those loud complaints about Dodd Frank’s direct line to the SEC causing compliance programs across the land to blow up, GE now says Mr. Asadi should not get whistleblower protections because – wait for it – he didn’t file with the SEC. Oh, okay. Looks like that internal reporting thing didn’t turn out so well for Mr. Asadi. 

Here are my takeaways so far, after 7 months of the controversial Dodd Frank whistleblower rules. First, as the NWC contends, most employees still report perceived misconduct internally, driven more by a sense of “outrage” than mercenary dreams of a bounty*. Second, some companies have taken the wrong message from Dodd-Frank. Instead of stepping up their programs to bolster management culture and encourage employees to speak up, they’ve gone the opposite way. They are setting up a siege mentality and waging war on whistleblowers. They have let the litigation defense interests of the General Counsel trump the value to the company (and the corporate culture) of the free flow of information. This course is not only ill-advised and illegal – it’s appallingly bad self-governance. But I’m ever the optimist. As the SEC unveils some of its more high-profile Section 922 cases, I’m hoping more companies will decide to travel the right road. It is time for them to finally fix what’s broken in their culture and encourage, rather than punish, participation in their internal reporting systems.

*But see my column on the BNY Mellon/State Street cases organized by Harry Markopolos here.