The SEC has recently expanded its whistleblower protection enforcement actions, and we are recommending that clients review relevant agreements and policies for compliance and potential remediation. We read the recent enforcement actions as the SEC requiring that agreements with individual stakeholders, including employees and clients, as well as compliance policies, contain explicit whistleblower protection language that clearly informs an individual that the confidentiality obligations in an agreement or policy do not impede whistleblowing to the SEC. The SEC recently filed settled actions with three SEC-registered entities, two of which paid $10 million or more in penalties for allegedly using agreements that impeded whistleblowing. In those actions, the SEC expanded its interpretation of Rule 21F-17 to include agreements with a company’s individual clients, to include more types of agreements and policies, and to require explicit and affirmative whistleblower protection language.

We are thus advising our clients as follows: Review all employment agreements; separation agreements; severance agreements; settlement agreements; non-disclosure agreements (NDAs); compliance and employment policies; and other contracts or policies with confidentiality obligations imposed on individuals, such as current or former employees, independent contractors, clients/customers, investors, and individual employees of vendors. Ensure the presence of explicit and affirmative whistleblower protection language in close proximity to the confidentiality obligations. In addition, ensure that agreements do not contain representations that individuals have not or will not communicate or file charges with the SEC. And to the extent any agreements or policies reviewed could be read to impede whistleblowing activity, firms should revise, retrain and reach out to the individuals who signed those agreements or read those policies and ensure that they are aware of their whistleblower rights.

For background: SEC Rule 21F-17, says, as relevant: “No person may take any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce a confidentiality agreement . . . .” 17 CFR § 240.21F-171. When the SEC released its Final Rule in 2011, it described this part of Rule 21F-17 as ”necessary and appropriate” because “efforts to impede an individual’s direct communications with Commission staff about a possible securities law violation would conflict with the statutory purpose of encouraging individuals to report to the Commission. Thus, an attempt to enforce a confidentiality agreement against an individual to prevent his or her communications with Commission staff about a possible securities law violation could inhibit those communications even when such an agreement would be legally unenforceable . . . .” (p. 201.)

However, by 2015, the SEC expanded its enforcement of Rule 21F-17 violations beyond attempts to enforce confidentiality agreements and began to charge companies based on solely the language in a confidentiality agreement without any evidence that a person was impeded from acting as a whistleblower. In the first such enforcement action, the agreement language at issue allegedly barred employees of a company that were witnesses in internal investigations from disclosing information. The SEC filed settled charges despite the SEC being “unaware of any instances of” an employee being prevented from communicating with the SEC or the company taking action to enforce the confidentiality agreement. Over the following years, the SEC expanded its enforcement actions to alleged situations where severance agreements, separation agreements, and compliance policies explicitly or implicitly (e.g., no disclosure “unless compelled by law and after notice to” the company) barred employees from affirmatively contacting the government. 

In the last six months, the SEC has expanded its efforts and its interpretation of the Rule’s reach in settling several cases. The SEC’s more recent expansion of its enforcement actions in this area involved settled charges in September against a publicly listed commercial real estate firm, which allegedly included in its separation agreements an “employee representation” that the employee “has not filed any complaint or charges against [the firm] . . .
with any . . . agency, based on the events occurring prior to the date on which this Agreement is executed by Employee.” The SEC alleged that this representation was included in separation agreements since the Rule was published in 2011. The SEC further alleged that the addition in 2015 of a provision in the agreement that “[n]othing in this Agreement shall be construed to prohibit Employee from filing a charge with . . . the Securities and Exchange Commission” was an insufficient cure as it “was prospective in application, and therefore did not remedy the impeding effect of the Employee Representation.” Said another way, the SEC alleged, somewhat counterintuitively, that the separation agreement’s language impeded employees from whistleblowing prior to signing the agreement.

The SEC was apparently concerned with two potential impediments to whistleblowing: (1) that employees knew about this language while working at the firm and it could have impeded them from whistleblowing while employed and (2) that terminated employees were impeded from whistleblowing after receiving the agreement but before signing it. The SEC also noted that it was “not aware of specific instances in which a former [] employee was prevented from communicating with Commission staff about potential violations of securities laws, or in which [the firm] took action against a former employee based on the Employee Representation.” The SEC recognized extensive remediation by the firm, including revising 300 template agreements worldwide, requiring 100,000 employees to certify their understanding of their whistleblower rights, and contacting over 800 former employees who had signed the agreement in the previous two years. The firm was required to pay a $375,000 penalty as part of the settlement.

Also in September, the SEC settled charges against a registered investment adviser (RIA) that included a $10 million penalty. The SEC alleged that since the Rule’s effective date in 2011, the RIA had:  

  • an employment agreement prohibiting employees “from disclosing Confidential Information to anyone outside of [the RIA] unless authorized by [the RIA] or except as may be required by any applicable law or by order of a court of competent jurisdiction, a regulatory or self-regulatory body, or a governmental body” 
  • a release for receiving certain post-departure payments that included an employee representation that they had not filed “any complaints, charges, or lawsuits . . . with any governmental agency . . .” and 
  • exit letters and termination agreements specifying that the employment agreement’s provisions survive termination, some of which also explicitly reasserted the agreement not to disclose confidential information. 

The SEC alleged that the “overall result” was to “(1) raise impediments to . . . whistleblowing activity . . . (2) remind certain departing employees of [the RIA]’s prohibition on unauthorized disclosure of Confidential Information upon departure . . . and (3) condition payout of significant profit-sharing amounts or amounts of additional compensation—sometimes amounting to millions of dollars—on certain departing employees signing [r]eleases that included an attestation that they had not filed any complaints with any governmental agency.” The SEC further alleged it was aware of one former employee who was “initially discouraged from communicating with Commission staff about potential violations of securities laws due to the provisions relating to Confidential Information . . .” in the employment agreement and release. The SEC noted that in 2017, allegedly in response to SEC enforcement actions, the RIA sent an email to all employees advising them of their whistleblower rights and revised its policies, and then in 2019, it similarly revised the employment agreement; however, the release was allegedly not revised until after the SEC began its investigation in 2023. 

In January, the SEC further expanded its enforcement of whistleblower protection issues from employee agreements to agreements with customers. The SEC settled charges against a registered investment adviser and broker-dealer (“RIA/BD”) that included an $18 million penalty. The RIA/BD allegedly had clients sign a release if they were being credited or receiving a settlement of over $1,000. The release contained a promise “not to sue or solicit others to institute any action or proceeding against [the RIA/BD] arising out of events concerning the Account.” A separate paragraph of the release required confidentiality but added that the clients “are neither prohibited nor restricted from responding to any inquiry about this settlement or its underlying facts by FINRA, the SEC, or any other government entity or self-regulatory organization, or as required by law.” However, the SEC alleged that “the terms of the [r]elease prohibited clients from affirmatively reporting to the Commission staff.” In other words, the explicit carve out for the SEC included only responding to government inquiries but did not provide for client-initiated communication with the SEC.

The SEC’s recent actions focused on the specific wording of agreements and policies, as well as its expansion to clients in the RIA/BD action suggest it is broadly reading the language of Rule 21F-17, including the bar against “any action” impeding “an individual” from whistleblowing. The SEC has firmly established through its enforcement actions that “any action” can include language in a poorly drafted agreement or policy, which could open a company up to significant penalties. And, after the RIA/BD action, the limit to how broadly the SEC may interpret the word “individual” is unclear: The recent actions suggests that the SEC may continue to expand the definition of “individual” from employee to client to others similarly situated, such as independent contractors, individual investors, or even, in some circumstances, individual employees of vendors. Thus, companies should be carefully reviewing their agreements and policies with such individuals to make sure the wording: (1) does not bar whistleblowing and (2) affirmatively, explicitly, and proximately to the confidentiality agreement allows for whistleblowing to the SEC. If such review reveals agreements that fall short of the SEC’s expanded requirements, companies should take remedial measures, including revising the agreements, training, and informing anyone who signed deficient agreements of their whistleblower rights.

1The rule was enacted after Congress added a “Securities Whistleblower Incentives and Protection” section, 21F, to the Securities Exchange Act of 1934 through the Dodd-Frank Act, which included a prohibition against retaliation and provided the SEC with rulemaking authority to implement the section. at 7-15