We’ve been discussing with a number of clients whether it is appropriate to require employees to certify periodically that they are not aware of violations of the company’s code of conduct or, put another way, that they have reported to the company all violations of which they are aware. Some companies believe that this requirement can be a useful complement to a compliance program in that it requires employees to focus on the issue. Others have been concerned that it could generate a lot of noise in the form of false leads, creating an investigative burden that could actually complicate the record.
There’s another dimension to consider in this context: whether the very existence of such a requirement (independent of whether and how it is enforced) could be seen as interfering with an employee’s statutorily-protected right to complain to the government. If this seems to you like a tortured, thinking-too-hard argument, it’s worth considering that a senior SEC official has recently advanced this very idea.
In a webcast on the invaluable corporatecounsel.net on September 13, Sean McKessy, the chief of the Office of the Whistleblower in the Division of Enforcement, had the following to say:
I would hate to have employers, with all the right intentions, craft language that could end up with unfortunate consequences. For example, if the certification were drafted to say something like, “After six months I affirm that, to the extent that I was aware of any fraud, I came to the company to report it,” an individual who had come to us might not feel comfortable signing the certification because he hadn’t gone to the company. There could be some tension between trying to set up a structure like that and the statutory requirement of allowing the possibility for individuals to come directly to law enforcement or regulatory agencies.
Put aside that this objection on its face doesn’t make a lot of sense, since (i) it addresses the case of someone who has already blown the whistle to the government, and (ii) there is in any case no inconsistency between going to the government and reporting internally. What’s disquieting is the prospect that a straightforward certification, of the type that many companies already use for the purpose of Sarbanes-Oxley compliance, could be twisted into an attempt by the company to suppress reporting to the government.
I’m inclined not to overreact to this; on some level it’s the sort of thing you would expect the head of the Office of the Whistleblower to say, and it carries the standard disclaimer that it doesn’t necessarily represent an official view of the SEC. But it’s a useful reminder that a certification policy should be drafted judiciously. Just as you would generally be unwise to sanction a whistleblowing employee for failing to make an internal report first, you should avoid adopting a certification policy that even implicitly threatens such sanctions. It’s a fine line, and the details of drafting can matter.