In September 2024, the U.S. Department of Justice (DOJ) published an updated Evaluation of Corporate Compliance Programs to provide a roadmap for companies on how to run their internal compliance to avoid prosecution, decrease monetary penalties, and streamline the settlement process. The updated document includes a new section focused on whistleblower protocols.
The new guidance comes on the heels of the DOJ’s new corporate whistleblower award program unveiled in August. In addition to waiving mandatory rewards, putting caps on maximum awards, and limiting anonymity, the pilot program encourages whistleblowers to report internally before submitting information to the DOJ. In contrast to reporting directly to the government, there are significantly weaker whistleblower protections for internal reporting. By reporting internally, whistleblowers risk their identity being exposed and retaliation by their employer and in turn the possibility of corporate disclosure to the proper authorities—critical to investors, law enforcement, and the general public—dims.
The new DOJ release is another formal step to align the interests of law enforcement and corporate enterprise. As good-intentioned as it may be, it will have a perverse effect on accountability due to deficiencies within the corporate compliance regime that Justice has not addressed. These include failure to recognize that under key whistleblower laws such as Dodd-Frank, internal whistleblowing is not protected and those who follow the DOJ’s push to report internally in many cases have no legal protection. The Confidential Reporting Structure and Investigation Process as outlined by the DOJ (1) reduces whistleblower rights and protections, (2) increases opportunities for investigation cover-up, and (3) fails to give proper notice under bar rules.
The DOJ must introduce a more robust compliance procedure that increases transparency of internal investigations with the government. As outlined below, the Confidential Reporting Structure and Investigation Process of the guidance includes a number of prompts which serve to weaken the ability of whistleblowers to hold corporate fraudsters accountable.
Effectiveness of the Reporting Mechanism
“Does the company have an anonymous reporting mechanism and, if not, why not?”
While the DOJ is encouraging anonymity, it is not mandatory. Without anonymity, the whistleblower risks paying a high price for disclosure, limiting the effectiveness of any other policy such as hotlines or compliance training. According to a 2023 study in SSRN 92% of all corporate whistleblower retaliation cases arise from employees who make internal disclosure as opposed to only 5% who go straight to the government. While hotlines promise confidentiality or anonymity, it is possible for employers to discover the identity of the person making the tip based on their complaint. The false promise of anonymity in internal reporting can open a whistleblower to harm in the form of retaliation.
While employees who are fired for reporting to the federal government are subject to the obstruction of law under the Sarbanes-Oxley corporate reform act, no such protection is extended to internal reporting where retaliation is much more frequent.
Worse still, before the Supreme Court in Digital Realty Trust, Inc. v. Somers, the regulation community opposed extending Dodd-Frank anti-retaliation coverage to employers who raise internal concerns. In a unanimous decision, the court permitted firing employees who make disclosures to the company’s and/or external auditors, supervisors, general counsel, and compliance officers. No U.S. government entity should adopt a program to encourage internal disclosure unless the Digital decision is changed by state or judicial precedent.
Commitment to Whistleblower Protection and Anti-Retaliation
“Does the company have an anti-retaliation policy?”
Under Digital, internal whistleblowers are not legally protected and the DOJ counts on the discretion of the company not to retaliate against their employers. Companies have, in the past, fired whistleblowers who reported through company channels. A company’s discretionary anti-retaliation policy may provide whistleblowers with a false sense of security in reporting internally.
“Does the company train employees on both internal anti-retaliation policies and external anti-retaliation and whistleblower protection laws?”
The DOJ does not enforce specific guidelines for anti-retaliation policy training. Such training may misguide employees by advising them to report internally rather than seeking protection under Dodd-Frank, the tax whistleblower law, and/or the AML Whistleblower Improvement Act.
Given the risks posed to companies when whistleblowers report misconduct externally, companies with full authority over compliance programs have a negative incentive to misrepresent potential avenues for whistleblowers. A company may, for instance, avoid advertising the employee’s right to seek legal counsel that may be in the best interest of the whistleblower and accountability.
Properly Scoped Investigations by Qualified Personnel
“How does the company determine who should conduct an investigation, and who makes the determination?”
Investigations under attorney-client privilege should not get approval from the DOJ. Neither should any training that does not discuss an employee’s right to go to the federal governor as an alternative to internal disclosure. Due to the inherent risk of cover-up resulting from an internal investigation, the DOJ should release a formal written procedure that invites more government oversight. Many compliance investigations are covered by attorney-client privilege and companies thus have full authority to run an investigation on their own misconduct without checks by the government.
In Re: Kellogg Brown & Root, Inc., et all, the company filed a writ of mandamus, a petition for a court order to prevent discovery documents from appearing in court. The documents included witness statements and factual reports gathered by the internal compliance department that detailed KBR overcharging the U.S. government on contracts during the Iraq war.
KBR successfully argued that the evidence was under attorney-client privilege. In the end, the case was dismissed, holding as long as one of the significant purposes of the internal investigation is to obtain/provide legal advice.
The appeals court shielded the internal investigatory filings from discovery despite the findings of the District Court revealing documents in camera that demonstrated, not legal opinions, but clear evidence.
Investigation Response
“Does the company apply timing metrics to ensure responsiveness?”
Under DOJ policy, companies have 120 days starting from the whistleblower's internal report to voluntarily self-disclose in order to receive a declination—an agreement not to criminally prosecute the case. To be eligible for a declination by the DOJ, the company must agree to pay all penalties though reduced due corporate cooperation.
The DOJ decision to put companies under pressure to conduct timely investigations and make expeditious self-reports is laudable. The problem remains, however, that the company’s investigative apparatus without the necessary checks creates opportunities to downplay fraud while crediting companies for nominal self-reports. A compliance program, for example, managed by in-house counsel may cherry-pick material while keeping the majority of it confidential. Likewise, it can place blame on an individual employee/whistleblower to deflect the true nature of the misconduct.
Resources and Tracking of Results
“How has the company collected, tracked, analyzed, and used information from its reporting mechanisms?”
By reporting to the legal department, internal compliance becomes less of a “means of detecting” and “preventing misconduct” and more of a legal arm tasked with “information gathering.” In addition to critical evidence being set aside, company retaliation may also be covered-up. Given the precedent of the KBR ruling, stretching the cloak of attorney-client privilege beyond general counsel to internal compliance, company transparency is at risk.
In a scenario where an internal investigation is triggered by an anonymous source, employees will be interviewed. In the KBR case those who interviewed were never told:
- The purpose of the investigation
- The investigation was being conducted under the attorney-client privilege
- KBR retained the privilege and would decide whether or not to waive the privilege
- That they were entitled to representation during the interview.
A whistleblower that has sought representation may be advised not participate, however, not participating may very well incite suspicion and blow their cover. Under a compliance compliant-to-counsel dynamic, the whistleblower finds themselves in a damning ‘Catch-22.’
“Does the company periodically analyze the reports or investigation findings for patterns of misconduct or other red flags for compliance weaknesses?”
Any corporate policy promoted by the U.S. government that greenlights identifying whistleblowers should not be promoted but prohibited.
Rules of ethics have been put in place to protect employees from the ‘Catch-22’, the issue is that they are rarely enforced. According to the New York State Bar Association Committee on Professional Ethics Opinion 650 (consistent with ABA rules governing attorney conduct), when there may be a reasonable possibility of conflict with the Company’s interests, the company may only talk to you through your counsel. Otherwise, the information divulged during the conversation is not admissible in court. If the caller is unrepresented, then investigators must state that they represent the Company and not the employees and therefore any information revealed can be used against them.
Even before the KBR ruling in 2013, general counsel has been involved in cover-ups of internal investigations run by compliance for bribes approved by the local counsel. Strengthening their position under attorney-client privilege shuts down disclosures by whistleblowers or any subsequent full disclosures by corporate to justice.
What the DOJ Ignored
Compliance offices themselves are generally discontent with the status quo preventing them from ‘doing the right thing.’ Compliance professional and management officials have been
subjected to tremendous pressure to commit or cover up fraud. The pressure comes from C-Suite. 500 North American chief audit executives were questioned concerning the pressures they faced when trying to do their jobs.
- 55 percent were directed to omit material findings from their reports.
- 49 percent were directed “not to perform audit work in high-risk areas.”
- 32 percent were instructed to audit “low-risk” areas, in part so that executives could “retaliate against another individual.”
When auditors refuse to cover up fraud, retaliation from chief executives often ensues. Compliance professionals are positioned to identify frauds, but are often subjected to retaliation for doing their job. Instead of keeping companies honest, these professionals are an easy target to coerce into aiding in a cover-up.
Out of 800 compliance and ethics professionals polled on “whether the chief compliance officer should report to the general counsel” or “attempt to also serve as CCO” 80 percent said: No.
An independent compliance team would have the freedom to run honest investigations, aligning its interests with Justice. The DOJ would have access to discovery during proceedings as documents would relate to business rather than legal matters under attorney-client privilege.
Conclusion
The updated “Evaluation of Corporate Compliance Programs” demonstrates that the DOJ is quite generous in its distribution of non-prosecution agreements to companies that have basic compliance structures. It prioritizes ‘quick and simple’ corporate self-disclosures over full investigations. As a result, whistleblowers—and employees at large—are unprotected from internal investigations engaged in systematic violation of bar rules.
It is important to understand that under its current status, a DOJ pilot program whistleblower is not entitled to the same protections as a whistleblower under the SEC and CFTC. That is because SEC and CFTC provisions have statutory basis. Their offices are composed of a small team and are rather limited in scope beyond securities and commodities trading. In contrast, DOJ’s program stems from an administrative regulation giving it full authority over the legal language. Furthermore, expanding rights and protections of whistleblowers by the Justice’s Criminal Department would have implications on its other branches (DEA, FBI, District Attorney Offices etc.) that rely on secrecy and are strictly opposed to such measures.
To circumvent the concerns of the vast agency, the criminal division could precise its action to corporate whistleblowers by targeting collusion between companies’ legal departments and internal compliance. Announcing increased enforcement against systemic ethical violations in lawyer-run investigations could be the necessary push for independent compliance offices. Thereby erasing attorney-client privilege from internal investigations would protect whistleblowers from retaliation, improve company culture, and increase transparency to Justice.
