HR’s Role in Dodd-Frank and Other Compliance

By Alec C. MacInnes

The consequences of employee whistleblowing have long been a concern for employers, and the risks have only increased in recent times. The expansion of whistleblower protections has been one of the major trends in employment law in the United States over the past 15 years, and has led to a palpable uptick in whistleblowing claims. The possibility of huge fines, criminal and civil liability, and reputational damage is a serious risk for employers. The focus of this article is whistleblowing under the Sarbanes-Oxley Act of 2002 (Sarbanes-Oxley or SOX) and the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank), and recommended precautions for employers in today’s heavily regulated business world. This discussion is also widely applicable to employee reporting under a variety of other laws and regulations such as the False Claims Act, Employee Retirement Income Security Act, federal anti-discrimination laws, and OSHA regulations.

SOX and Dodd-Frank

Sarbanes-Oxley was enacted in the wake of the Enron crisis in response to the public and legislative demand for increased corporate responsibility and accountability. SOX set mandates for internal legal and regulatory compliance within companies through mechanisms such as audit committees and anonymous complaint procedures, and established protections to ensure that whistleblowers are not retaliated against for their good-faith complaints. SOX contains provisions that impose both civil and criminal liability on employers that retaliate or discriminate against employees for voicing concerns about fraud, accounting issues or securities issues, or for participating in an investigation of such concerns.

The enactment of Dodd-Frank took the underlying spirit of SOX a step further. Dodd-Frank not only contains whistleblower protection mechanisms, it provides an incentive to encourage individuals to report to the Securities and Exchange Commission (SEC) violations of the Securities Exchange Act of 1934. The incentive comes in the form of a bounty program whereby an employee who provides “original information” that leads the SEC to recover monetary sanctions of $1 million or more in criminal and civil proceedings is entitled to receive between 10% and 30% of the recovery. As of May 2017, the SEC has awarded more than $154 million to whistleblowers, and SEC enforcement actions based upon whistleblower tips have resulted in more than $950 million in financial remedies. See SEC Press Release No. 2017-90, “Whistleblower Award of More than Half-Million Dollars for Company Insider” (May 2, 2017), available at

What Can Companies Do?

In this decidedly regulated climate—one where whistleblowers are encouraged by laws and regulations to step up and report ethics violations and unlawful conduct—companies must ask themselves: How do we get whistleblowers to bring their issues to us first so they can be handled internally, instead of going to the media or government?

One step companies can take is to actively encourage employees to come forward and report to their managers, supervisors, and Human Resources any conduct by other employees, or the company more generally, which they believe constitutes an ethical violation or unlawful conduct. In other words, companies should encourage employees to become internal whistleblowers and thereby ward off the damage that results when employees make anonymous complaints to regulatory agencies. The employer’s approach should be the opposite of establishing a “corporate code of silence,” which the Supreme Court has characterized as the force precipitating Congress to enact enhanced financial regulation. See Lawson v. FMR LLC, 134 S. Ct. 1158, 1162, 188 L. Ed. 2d 158 (2014).

Developing and enforcing well publicized policies and procedures to encourage reporting of concerns and to prevent retaliation is critical. Most employers already have in place internal complaint procedures for reports of discrimination and harassment, but the procedures must be expanded and tailored to address whistleblower complaints.

Implement a Code of Ethics

The first step in encouraging employees to report perceived wrongdoing is to make sure they know what conduct is and is not allowable. Employers can do this by developing a code of ethics or a code of conduct to explain the principles by which employees are expected to conduct themselves. In fact, the U.S. Sentencing Commission Guidelines Manual states that one main purpose of the Guidelines is to incentivize an organization to “self-police its own conduct through an effective compliance and ethics program.” See U.S. Sentencing Commission Guidelines Manual, ch. 8, Sentencing of Organizations (Nov. 2015), available at

The employer’s code should reflect the organization’s core values and the key risks relevant to the company’s business activities. For example, if the company is a vehicle manufacturer where product safety failure is a critical risk area for the employer, the code should specifically identify the types of issues employees should report to prevent product safety failures.

The code should also actively encourage individuals to raise any questions and concerns that may conflict with the business’ or industry’s standards. Companies should let employees know that their active participation in reporting areas of concern allows the company, and through it the employees, to thrive.

Establish an Anti-Retaliation Policy & Culture

Employees who are being punished or disciplined for trying to comply with the code of conduct will lose trust in the employer, will be discouraged from reporting concerns, and may be more likely to make complaints to government agencies or file lawsuits. Returning to our previous vehicle manufacturer example, an employee who reports perceived deficiencies in oversight on the manufacturing line may fear reprisal from the manager charged with that oversight.

Employers must establish and inform their employees of a clear policy that prohibits any unlawful retaliation—by supervisors or coworkers—against employees who bring issues forward. The policy should explain the reporting that will be protected and provide specific examples related to the business of the company, such as deficiencies in product safety or integrity.

The employer should have a separate, standalone, anti-retaliation policy to highlight its commitment to abiding by regulations and standards specific to the company’s business.

Develop a Trusted Complaint and Response Procedure

No written policy, no matter how strongly worded, provides adequate protection unless it is disseminated, understood and enforced. Trusted and easily understood complaint procedures help ensure that employee reports of illegal or unethical conduct are handled appropriately and efficiently. To build trust in the complaint procedure, and thereby encourage internal employee reporting, employers should ensure that, where possible and appropriate, their response to, and investigation of, concerns is evident to the reporting employee. In some cases, it may be advantageous for an employer’s response to be apparent not only to the employee who makes a report, but also to other employees, as this may further encourage employee reporting. The employer must remain vigilant in preventing retaliatory actions and disciplining those who retaliate.

Employers should also consider whether applicable law requires implementation of an anonymous, confidential reporting mechanism. In the case of SOX and Dodd-Frank, the audit committee of a publicly traded company must establish procedures for confidential and anonymous submission of employee concerns regarding questionable accounting and auditing matters.


Effective training is one of the best ways to help ensure that employees at all levels of the organization fully understand its code of conduct, the internal complaint procedures, and the consequences of unlawful retaliation. Training should be conducted to educate employees on how to respond to and report alleged retaliation, and how to protect against it. Training can also be part of an affirmative defense to liability for retaliation and whistleblower claims; the federal government has stated that training employees, managers, high-level leadership and the board of directors is a key requisite of an effective compliance and ethics program. See U.S. Sentencing Commission Guidelines Manual, ch. 8, Sentencing of Organizations (Nov. 2015), available at In the case of SOX and Dodd-Frank, to establish an effective compliance program it is necessary to ensure that individuals in high-level management are knowledgeable about ethics and compliance (including the important issue of retaliation prevention). Therefore, an employer should consider training every executive, board member and high-level manager on these topics, and not simply assume they know what their ethical, legal, and regulatory obligations are. Executive and manager training will also help set a proper tone for the organization from the top down.

Alec C. MacInnes, Associate, Littler
