by Dennis J. Ventry, Jr.

[Cross-posted from JURIST]

In Digital Realty Trust Inc. v. Somers, the U.S. Supreme Court voted 9-0 to narrow the definition of "whistleblower" under the Dodd-Frank Act of 2010. In particular, the Court ruled that whistleblowers are only protected against retaliation from employers under Dodd-Frank if they report allegations of an employer's securities law violations to the Securities and Exchange Commission (SEC or Commission). Alternatively, whistleblowers who report alleged violations through an employer's internal compliance program without also reporting to the SEC, like Mr. Somers, cannot avail themselves of Dodd-Frank's protections against retaliation.

To date, commentary on the Court's decision has focused on (i) how it will reduce both the absolute number of whistleblowers (by removing the assurance of legal protections against retaliation ) and the percentage of whistleblowers protected against employer retaliation (because the vast majority of whistleblowers report wrongdoing internally before, if ever, reporting to the SEC ); (ii) how the Court refused to defer to the SEC's rulemaking authority pursuant to which it had defined "whistleblower" differently for persons seeking a monetary award under the Dodd-Frank whistleblower statute (which expressly requires reporting to the Commission) versus seeking protection from employer retaliation under the statute (which does not expressly require such reporting) ; and (iii) how the Court summarily declared the statute unambiguousness in a short, two-sentence paragraph.

While these implications of the Court's ruling in Digital Realty Trust deserve highlighting, this blog post explores two unexamined, though no less important, aspects of the Court's ruling. First, while the decision was a win for the employer-defendant in this particular case, it will negatively affect employers more generally and undercut companies' internal compliance programs. Second, the ruling unequivocally harms employee whistleblowers who are obligated by law to report legal violations of employers internally before reporting outside the organization. Chief among these employees are lawyers, duty-bound to report legal violations up the ladder before, if ever, reporting to outside authorities.

Harms Employers and Legal Compliance Programs

The SEC and the companies it regulates have long expressed support for robust internal compliance programs to which employees can report suspected securities law violations.

From the SEC's perspective, deputizing regulated companies to police internal misconduct and promote internal reporting makes eminent sense. Internal reporting, the government argued in Digital Realty Trust, "enables the private sector to screen out meritless claims, and thereby improves the quality of whistleblower tips later brought to the Commission"; it "gives business the opportunity to self-correct without the need for intrusive Commission investigations"; and it "promotes efficient use of both corporate and government resources." The SEC felt so strongly about the benefits of internal reporting that its regulations provided larger awards for whistleblowers who utilize internal compliance procedures, and smaller awards for whistleblowers who interfere with those procedures.

Companies, too, have a vested interest in employees reporting internally before reporting to the Commission. Internal reporting allows employers to (i) remedy improper conduct at an early stage, perhaps before it rises to the level of a violation; (ii) self-report actual violations to the SEC, which can result in leniency in subsequent enforcement actions; (iii) gather sufficient information of the alleged violation in the eventuality of an enforcement action; (iv) promote and reinforce a culture of compliance within organizations; and (v) highlight the significant value that whistleblowers can add to organizations.

As Congress crafted Dodd-Frank and as the SEC drafted regulations to effectuate Congressional intent, support for internal compliance regimes reached a fever pitch. In part, support among regulated entities reflected concern that Dodd-Frank's financial incentives to report wrongdoing would motivate employees to bypass internal reporting channels and go directly to the SEC. Whether motivated by fear of employees reporting out suspected securities-law violations without first alerting the company or a genuine desire to bolster the effectiveness of internal compliance programs, companies rallied around Dodd-Frank's protections against retaliation.

In fact, regulated entities and their representatives urged Congress and the SEC to reinforce internal reporting by providing explicit comfort to whistleblowers that the law would protect them from retaliation. "We recognize the valid concern that some employees will fear retaliation for blowing the whistle," the Association of Corporate Counsel told the SEC. "The solution to that problem is not, however, a scheme to undermine important and effective internal compliance and reporting systems; rather, employees who fear retaliation may rely on the anti-retaliation provision contemporaneously enacted by Congress."

Companies backed internal reporting to such an extent - and Dodd-Frank's complementary anti-retaliation protections - that they pressed Congress and the SEC to make internal reporting mandatory before an employee could report to the Commission. "An internal reporting requirement is unlikely to have a negative effect on the proposed rules," a prominent law firm wrote on behalf of its corporate clients, "as companies would be given a more immediate opportunity to cure or mitigate potential violations and the whistleblower would remain protected by the anti-retaliation provisions in the Dodd-Frank Act."

Ultimately, Congress and the SEC decided not to make internal reporting mandatory. But they included robust protections against retaliation in the Dodd-Frank whistleblower statute.

Or so they thought. The Court's ruling in Digital Realty Trust delivered a blow to internal reporting and internal compliance programs. Its decision that Dodd-Frank whistleblowers must report out allegations of securities-law violations to the SEC to be covered by the statute's anti-retaliation provisions will result in untold numbers of whistleblowers bypassing internal reporting systems and going straight to the Commission.

From the government's perspective, less internal reporting will reduce voluntary compliance and require more enforcement actions. It will also result in over-reporting of alleged violations to the SEC, including a surge in meritless claims that were previously screened out by internal compliance systems. In turn, over-reporting to the SEC will squander precious government resources.

Companies regulated by the SEC are harmed even more directly by the Court's ruling. Indeed, the decision will render companies' internal compliance programs ineffective, undermine the demonstrative benefits of self-policing, increase the number of resource-intensive and intrusive government investigations, and expose employers to rising costs and liability due to undetected securities-law violations.

Harms Employees Duty-Bound to Report Internally

Employees report misconduct through their employers' internal compliance programs for various reasons. Many employees act out of loyalty and want to give their employer an opportunity to vigorously investigate, root out, and remedy the perceived legal violation. Some of these employees are either unaware of or unmotivated by potential financial rewards for reporting legal violations outside their organization. Other employees are required to report internally under their company's code of conduct. And still others are duty-bound to report internally by law and professional ethics.

In the context of U.S. securities law, this last category of employees--those obligated to report legal violations up the corporate ladder--is expansive. Lawyers representing public companies, for example, must report up evidence of a material violation of federal or state securities law or a material breach of fiduciary duty ; registered public accounting firms and their employees must report illegal acts discovered during audits to the audited public company's management ; a mutual fund's chief compliance officer must report material compliance matters to fund's board ; a broker-dealer's auditor must report material inadequacies to the broker-dealer's chief financial officer ; and investment advisers must adopt code of ethics requiring supervised persons to report violations to the chief compliance officer.

The Court's ruling in Digital Realty Trust harms all of these professionals. Specifically, it prohibits them from invoking the anti-retaliation provisions contained in Dodd-Frank in the event they are retaliated against for reporting legal violations internally but before they have a chance to report the violations to the SEC.

For lawyers, the harm is conspicuous and significant. Under the Sarbanes-Oxley Act of 2002 [PDF], lawyers are not just obligated to report certain legal violations up the corporate ladder. They are also required, in the event they receive an inadequate and untimely response from higher-ups, to report to the company's audit committee, an independent committee of the board of directors, or the board itself. Such exhaustive internal reporting takes time. Indeed, plenty of time to be fired for reporting--and continuing to report - the perceived illegal conduct. Worse, studies indicate that retaliation against whistleblowers occurs quickly, typically immediately after whistleblowers report internally.

Meanwhile, lawyers must wait for their clients to respond. And wait. And sometimes wait some more. Even then, their options are limited. Under Sarbanes-Oxley, lawyers can report out evidence of an employer's legal violation only after exhausting all reporting up obligations and, furthermore, only in the event the lawyer reasonably believes necessary to prevent or rectify substantial injury to the employer or investors. Moreover, ethics rules for lawyers in a majority of states provide similar procedures and requirements before a lawyer can disclose a client's legal violation.

In addition, the ethics rules in a minority of jurisdictions further restrict lawyers' reporting out options. In fact, some jurisdictions prohibit lawyers from reporting out financial crimes or non-criminal frauds, leaving lawyers the sole option of withdrawing from the representation. And while there is a good argument (indeed, from the perspective of this commentator, a winning argument) that the rules for attorneys promulgated under Sarbanes-Oxley preempt state ethics rules, that still-unsettled question might offer inadequate assurance for lawyers wishing to blow the whistle on a client's illegal acts by reporting to the SEC.

In the end, the decision in Digital Realty Trust harms lawyers for fulfilling their legal and ethical obligations. By removing statutory remedial protections against retaliation for reporting legal violations internally, it exposes lawyers to retaliatory acts without legal recourse. It thereby undermines Congress's mandate in Sarbanes-Oxley that lawyers report up "evidence of a material violation of securities law or breach of fiduciary duty or similar violation." And it undermines the Dodd-Frank whistleblower statute, which, by way of SEC rulemaking authority, explicitly incorporates Congress's mandate that lawyers report up certain legal violations.

Dennis J. Ventry, Jr., is a Professor of Law at the UC Davis School of Law. His research and academic specialties include tax policy, tax practice, tax filing and administration, legal and professional ethics, whistleblower law, family taxation, and U.S. economic and legal history. Professor Ventry also serves as the chairman for the Internal Revenue Service Advisory Council (IRSAC).

Credit rating agencies are back in the public eye as the Senate Permanent Subcommittee on Investigations releases another trove of embarrassing agency e-mails and the financial reform bill nears enactment.  In this context, a proposal by two professors at NYU's Stern School of Management, Lawrence White and Matthew Richardson, to improve credit rating agency performance by having the SEC decide which agencies will rate each instrument has attracted favorable attention from commentators such as Paul Krugman.  Although the proposal is refreshing in its boldness and offers a potentially useful way to address one of the many problems besetting the agencies, it should not be understood as a complete solution.  The complementary issue of rating-agency accountability for poor quality should also be addressed.

By now, the background story is familiar: Rating agencies - Moody's, Standard & Poor's, and similar firms whose business it is to assess the likelihood that debt obligations will be paid as agreed - gave their stamp of approval to innovative financial products that were in fact incomprehensible and/or based on the premise of an unending real-estate boom.  Panic set in when everyone realized that the ratings were wrong or unsupported.  The details and even the basic correctness of this narrative are disputed, but the major rating agencies have all more or less conceded that there was a problem of some kind:  their ratings on novel financial products didn't do  as well as they could have.

What exactly are the problems with the rating agency market?  There are several candidates:

(1) Lack of competition.   The SEC says that the three largest agencies have over 97% of the market, as measured by number of ratings outstanding.

(2) Absence of transparency.  Market participants complain that it is hard for users to know what the agencies do and how well their ratings perform.

 (3) Financial regulators' reliance on credit ratings in their rules.  If the rules say that regulated firms like banks and insurance companies have to own financial instruments with credit ratings, then there will be a demand for credit ratings, even if the agencies have no idea what they are doing. 

(4) The "issuer pays" business model.  The firms selling the financial products usually are the ones who pay for the ratings.  "Issuer pays" poses an obvious conflict of interest, as rating agencies have an incentive to please their customers, who are the people selling the products, not those buying them.

 (5) Absence of accountability.  There is no clear way to hold rating agencies liable for poor performance unless it rises to the level of fraud.

Congress' and the SEC's actions to date have focused mainly on the first two issues, competition and transparency:  Legislation passed in 2006 and rules adopted since then have focused on trying to get more rating agencies into the market and on increasing disclosure about what the agencies are doing, what data they're using, and how they're performing.  There has been fitful action on the third issue.  Starting in 2008, the SEC and other regulators have considered reducing their use of credit ratings in their rules, but they have not eliminated their reliance on credit ratings and do not seem to be on track to do so, although deliberations are ongoing.  The problem here is that financial regulators need a measure of credit risk, and it is not clear what would take the place of credit rating agencies, an issue I took up in this article last year. 

The White and Richardson proposal focuses on the fourth issue.  The idea is to remove issuers' ability to shop for high ratings from agreeable rating agencies by using the SEC to assign the agency that will rate each debt instrument.  Under the proposal, the issuers still pay for the rating, but they pay the agency that the SEC selects to do the rating.  The SEC will make its selection based on its assessment of which agency  is likely to do the best job, thus eliminating the conflict of interest that arises from the issuer-pays business model.  This is an innovative idea, and its boldness is refreshing given the limited scope of the reforms that have even been considered to date.  White and Richardson would fundamentally restructure the rating market - indeed, they apparently would eliminate the rating "market" and substitute SEC assignment. 

Of course, those who think that government can't do anything right will oppose this idea, arguing that the regulators are corruptible, capturable, and/or unskilled at evaluating the performance of rating agencies.   Those who think the SEC in particular is the wrong choice - pointing perhaps to the Madoff affair, to the SEC's oversight of the Wall Street investment banks leading up to the financial crisis, or to allegations that the SEC has been biased toward the large incumbent rating agencies - will oppose the choice of this particular regulator.  Those who think that government approval of rating agencies led to excessive reliance on them will observe that the proposal could exacerbate that problem.  I'll note all three sets of objections and set them to the side for the moment.   

I have two different concerns about this proposal.  First, it seems overbroad to prohibit agencies from expressing their opinions unless authorized to do so by the SEC.  If the SEC selects Moody's to rate a bond, should S&P really be barred from opening its mouth about that bond?  Even setting to one side the agencies' more extravagant First Amendment claims, this seems problematic.  The overbreadth concern could be addressed without changing the essence of the proposal by saying either that the SEC-selected agency is the only one whose ratings "count" for regulatory purposes or that only the SEC-selected can be paid by an issuer, leaving other agencies free to express their opinions in other contexts.

Second, the White and Richardson proposal doesn't address what I see as a central problem:  When confronted with a large and growing market for a set of novel products, agencies that are paid by the rating (or otherwise based on the volume of their business) have a financial incentive to issue ratings on those products even if they don't know what they are doing.  After all, the more ratings, the more revenue - even if the technical complexity or novelty of the product means that the agency can't do a good job.  Indeed, White & Richardson acknowledge this issue, stating that "it's surprising that rating agencies would even attempt to rate" certain types of novel products because of the technical difficulty of doing so.  But under their proposal, agencies apparently still are paid by the rating even though they are selected by the SEC:  The more ratings, the more revenue.  That enticement to poor quality still exists even though the issuer-pays problem may be eliminated.

This problem can be addressed by taking on the fifth issue, rating agency accountability.  Eventually, poor-quality ratings will be discovered and if the agencies know they will have to give up their profits from the poor-quality ratings in that event, that reduces their incentive to issue ratings when they don't know what they are doing.  An article I wrote two years ago addressing this point can be found here. 

The Dodd bill takes steps in the direction of accountability by clarifying that a rating agency can commit fraud by failing to conduct a reasonable investigation of facts upon which it relies and by empowering the SEC to decertify rating agencies that consistently produce poor-quality ratings.  Neither of these provisions really addresses agencies' temptation to issue ratings when they don't know what they're doing.  Decertification is a weak remedy, as credit rating agencies can operate without being certified, and the requirement to conduct a factual investigation doesn't go to the fundamental question, which is whether the agency knows what to do with the facts that it has. 

The Dodd bill does provide for further study of agencies' incentives to produce high-quality ratings, so even if neither the White and Richardson proposal nor a stronger rating-agency accountability provision makes it into the financial reform bill that seems likely to be passed soon, there is some chance that the complementary issues of issuer-pays and accountability will be addressed.