SEC Has Another Banner Year on Enforcement
The U.S. Securities and Exchange Commission saw another staggering jump in calls to its whistleblower hotline this year, which was part of another huge year for SEC enforcement generally.
The agency recently released its annual report for fiscal 2023, which ended on Sept. 30. It reported receiving more than 18,000 whistleblower tips, up 50 percent from the 12,300 tips received last year (which had also been a record number for the agency). The SEC also issued nearly $600 million in whistleblower awards — another record, although that $600 million was largely driven by a single award of $279 million, the largest whistleblower award in SEC history.
The SEC also reported…
- 784 enforcement actions in 2023, up 3 percent from 2022;
- $4.95 billion in penalties, disgorgement, and other fines, the second-highest total in SEC history (2022 was the highest, at $6.4 billion);
- 133 persons barred from serving as directors or officers at publicly traded companies, the highest number in 10 years.
Simply put, SEC enforcement is moving aggressively on all fronts. That includes notable settlements for FCPA violations, poor cybersecurity disclosures, accounting fraud, insider trading, misleading disclosures to investors, employees’ improper use of messaging apps, and more. All of those issues fall within the compliance officer’s purview, so CCOs of U.S.-listed companies should be thinking all the time about how to improve their compliance programs to avoid entanglements with the SEC.
To a certain extent, knowing what your company should do is not hard to grasp. Like the Justice Department, the SEC places a heavy emphasis on voluntary disclosure of misconduct, cooperation during the ensuing investigation, and fixing the underlying control weaknesses that allowed the misconduct to happen in the first place.
The challenges are (1) to convince management and the board to give you sufficient resources for a compliance program; and (2) to convince other parts of the business to work with the compliance program, rather than to tolerate or flat-out evade your requests. This news about SEC enforcement can help: it underlines the threat of enforcement from the agency. Even if an investigation doesn’t result in penalties, it does result in unwelcome legal costs and other disruptions — so the more deftly your company can avoid such problems, thanks to a robust culture of compliance, the better.
Japan to Review Whistleblower Protections
Regulators in Japan say they will launch a review of whistleblower protections in that country, amid long-running complaints that Japanese companies don’t take internal reporting seriously.
Yutaka Arai, head of Japan’s Consumer Affairs Agency, announced this month that the agency will hold a hearing to investigate whether Japanese businesses have sufficiently strong internal reporting and grievance systems in place. The review comes after news earlier this year that Japan’s biggest talent agency, Johnny & Associates, allowed its founder Johnny Kitagawa to sexually abuse young male talent for decades.
Johnny & Associates did implement a whistleblower hotline as part of its reforms, but originally that hotline was only open to employees — meaning that hundreds of Kitagawa’s victims, who were self-employed models, wouldn’t qualify as whistleblowers.
Japan did expand its whistleblower protection laws in 2020 to bring them at least somewhat into line with the much stronger whistleblower protection laws in the United States and Europe, but Japan’s law still has shortcomings. For example, the whistleblower designation only applies to current or former employees of a company, not to freelance workers, suppliers, or family members of employees. Nor does the law impose any criminal or civil penalties on companies that retaliate against whistleblowers (although it does threaten penalties for companies that fail to establish whistleblower systems at all).
Compliance officers should have no illusions that stronger whistleblower protections will come swiftly to Japan; its wheels of progress turn slowly, and Japan long lagged behind the United States and Europe on numerous corporate governance standards — but Japan is moving in the right direction. We should keep one eye on this push to see how and when whistleblower protections might move forward there.
At the same time, however, global corporations should always remember that their wisest course of action is to identify the highest regulatory standard that might affect them, and then aim to comply with that on a global scale. In whistleblower protection, that would mean meeting the standards of the U.S. Dodd-Frank and Sarbanes-Oxley acts, plus the EU Whistleblower Protection Directive. Achieving their standards worldwide will exceed expectations in Japan, and help to protect your company from U.S. and EU regulators even if the misconduct in question springs from Japan.
A Code of Conduct for U.S. Supreme Court
The U.S. Supreme Court has adopted its first-ever Code of Conduct, in response to criticism that perceived conflicts of interest among the court’s nine justices were tarnishing the institution’s reputation.
The Code consists of five principles (five “canons,” to use the court’s language) that are modeled on the ethics code that already exists for lower courts in the United States. It defines when a justice should recuse him- or herself, what constitutes a conflict of interest, financial disclosure obligations, what outside activities are or aren’t permissible, and the like.
That said, the court’s code also departs in several notable ways from the codes of conduct typically used by corporations. Foremost, the code has no enforcement mechanism. Each justice is responsible for policing his or her own behavior, and the code says nothing about punishment — so if a justice does violate the code, it’s not clear what the consequences would be. The code is also framed more as a set of recommendations rather than rules. It uses the phrase “a justice should…” 43 times, but “a justice must” only once.
Above all, the court adopted this Code of Conduct in response to allegations of ethical misconduct, primarily against justices Clarence Thomas and Samuel Alito (who both did approve this code, as did all the other justices).
Ideally, an organization should adopt a Code of Conduct simply because it wants to codify its ethical values and expectations for personal behavior, long before any specific allegation forces the issue. A code should reflect your organization’s commitment to integrity, complete with mechanisms to hold employees and executives accountable when they’re accused of violating that commitment.
We certainly can applaud the Supreme Court adopting a code at all; any code is better than nothing. Plus, the Supreme Court does have some characteristics that make it unlike corporate organizations. (For example, who would investigate a justice for a code violation, when they sit at the top of the legal hierarchy in the United States? That’s not an easy question to answer.)
Overall, however, this code is still lacking in several important ways. It’s a good opportunity for compliance professionals to consider what does make a code successful, and how you could implement those ideas in your own organization.
New Guidelines on Healthcare Compliance
The U.S. healthcare industry has new guidelines on how to build an effective compliance program, including suggestions for how to scale the program up or down depending on the company’s size and a clear call for compliance officers to report directly to the CEO.
The guidelines come from the Office of the Inspector General (OIG) at the Department of Health and Human Services. They apply to hospital systems, medical practices, nursing homes, medical device makers, pharmaceutical firms, and other healthcare organizations. These guidelines are meant to apply across all healthcare sectors; OIG will follow up with additional, industry-specific guidance in 2024 and beyond, as part of a larger program to bring its guidance into the modern era.
Perhaps most notable is the document’s declaration that compliance officers “should not lead nor report to” the organization’s legal or finance teams — meaning, the chief compliance officer should not also hold the title of general counsel or CFO, nor should the CCO report into those persons. Instead, the CCO should report directly to the CEO or the board, and “Whenever possible, the compliance officer’s sole responsibility should be compliance.”
That ringing endorsement of CCO independence goes farther than what any other U.S. regulator has said on the issue. For example, the Justice Department clearly likes to see CCOs independent of the legal team, but its guidance on corporate compliance programs never expressly says the CCO shouldn’t report into legal. The OIG guidelines do.
One question now is how many healthcare organizations will follow that suggestion and give their compliance officers the autonomy and direct access to senior management that they deserve. Another question is whether other regulatory agencies might also start making clearer, louder calls for compliance officer independence.
Beyond that call for independence, the OIG guidelines offer plenty of other practical advice to compliance officers too. For example, they dedicate an entire section to small healthcare organizations and how they can tailor the guidelines down to their size. They also walk through the major U.S. statutes that govern healthcare, such as the False Claims Act and the Anti-Kickback Statute, as well as the seven elements of an effective compliance program and how those elements relate to U.S. healthcare law.
All in all it’s an excellent resource for healthcare compliance officers, with plenty of advice that can apply to other sectors as well.