One of the most common questions we are asked by clients and prospects alike relates to allowing or prohibiting anonymous reports. Although the answer varies greatly depending on circumstance and allegation type, it seems many of the questions revolve around Sarbanes-Oxley 301.
SOX 301 requires that audit committees of issuers listed on U.S. exchanges "establish procedures" for (i) receipt, retention, and treatment of complaints regarding accounting, internal accounting controls, or auditing matters; and (ii) confidential, anonymous submission by employees of concerns regarding questionable accounting or auditing matters. SOX 301 was codified as Exchange Act Section 10A(m), which the SEC implemented with Rule 10A-3(b)(3).
The adopting release for Rule 10A-3 (Release No. 33-8220) specifically provides flexibility for the audit committees to develop "procedures appropriate for their circumstances" and does not mandate specific procedures or a "one-size-fits-all" approach. However, nearly all public companies have chosen to include a whistleblower hotline as part of their SOX 301 compliance, and we recommend this approach as a best practice.
A question we are frequently asked sounds like this: "We operate all over the world and are worried that our whistleblower hotline runs afoul of local law requirements. What can we do?"
The short answer is that there is no short answer: multinational companies and foreign private issuers subject to SOX 301 (i.e., SEC registrants) may have difficulty reconciling the SOX requirement with non-U.S. local law. In particular, some non-U.S. jurisdictions have laws that forbid the adoption of an anonymous whistleblower hotline. For example, the French data protection authority (CNIL) in 2005 restricted the use of anonymous whistleblower hotlines by French subsidiaries of two U.S. companies. CNIL indicated that the hotlines "could lead to an 'organized system of denunciation'" and carry the risk that "employees may be 'stigmatized.'"
It's not just France - Spain and Portugal expressly prohibit anonymous whistleblowing, while certain other EU countries have established non-binding guidelines. The issue also arises in countries outside the EU. For example, Argentina has a data protection law modeled on the EU's laws, and certain other non-EU jurisdictions in Eastern Europe have similar data protection laws.
The bottom line is that you will need to analyze this issue on a country-by-country basis, and get local advice on how to maintain a hotline in those jurisdictions.
The second most common question we field is this: "Can we operate two types of hotlines, one tailored for local jurisdictions and one for the United States (and other jurisdictions where anonymity is not an issue)?"
Probably. Although the SEC has never addressed this question directly, we think the better answer under SOX 301 and Rule 10A-3 is "yes." Recall that SOX 301 requires companies to establish procedures for confidential, anonymous submission of information. Neither SOX 301 nor Rule 10A-3 says that this must be the sole and exclusive channel for whistleblowers, or that alternate whistleblowing procedures that are not anonymous must be discarded. Don't forget, though, that local law may make it problematic if the U.S. hotline is available locally.
So if you are one of the companies struggling with these questions, the best answer is to get a firm legal opinion from counsel in the US and in the foreign jurisdictions in which you operate or have offices. The technology is there; it is the deployment of the technology that matters.
J Rollins is the co-founder and CEO of ETHIX360. At ETHIX360, our goal is simple: to provide an affordable, flexible and comprehensive answer to employee communication and case management on issues related to corporate ethics, code of conduct, fraud, bribery, EH&S and workplace violence. To learn more about ETHIX360, please visit www.ethix360.com, or follow us on Twitter @ethix360.