Does SOX 301 Protect Anonymous Whistleblowers Internationally?

One of the most common questions we are asked by clients and prospects alike relates to allowing or prohibiting anonymous whistleblower reports. Although the answer varies greatly depending on circumstance and allegation type, many questions revolve around Sarbanes-Oxley 301.

What is SOX 301?

SOX 301 requires that audit committees of issuers listed on U.S. exchanges "establish procedures" for (i) receipt, retention, and treatment of complaints regarding accounting, internal accounting controls, or auditing matters; and (ii) confidential, anonymous submission by employees of concerns regarding questionable accounting or auditing matters. SOX 301 was codified as Exchange Act Section 10A(m), which the SEC implemented with Rule 10A-3(b)(3).

The adopting release for Rule 10A-3 (Release No. 33-8220) provides explicit flexibility for the audit committees to develop "procedures appropriate for their circumstances" and does not mandate specific procedures or a "one-size-fits-all" approach. However, nearly all public companies have chosen to include an anonymous whistleblower hotline as part of their SOX 301 compliance, and we recommend this approach as a best practice.

International Anonymity Regulations

A question we frequently get sounds like this: "We operate all over the world and are worried that our anonymous whistleblower hotline runs afoul of local law requirements. What can we do?"

The short answer is that there is no straightforward answer: multinational companies and foreign private issuers subject to SOX 301 (i.e., SEC registrants) may have difficulty reconciling the SOX requirement with non-U.S. local law. In particular, some non-U.S. jurisdictions have laws that forbid the adoption of an anonymous whistleblower hotline.

For example, the French data protection authority (CNIL) in 2005 restricted the use of anonymous whistleblower hotlines by French subsidiaries of two U.S. companies. CNIL indicated that the hotlines "could lead to an 'organized system of denunciation'" and carry the risk that "employees may be 'stigmatized.'"

It's not just France: Spain and Portugal expressly prohibit anonymous whistleblowing, while certain other E.U. countries have established non-binding guidelines. The issue also arises in countries outside the E.U. For example, Argentina has a data protection law modeled on the E.U.'s rules, and other non-E.U. jurisdictions in Eastern Europe have similar data protection laws.

The bottom line is that you will need to analyze this issue country by country and get local advice on maintaining a hotline in those jurisdictions.

Operating Multiple Hotlines

The second most common question we field is this: "Can we operate two types of hotlines, one tailored for local jurisdictions and one for the United States (and other jurisdictions where anonymity is not an issue)?"

Probably. Although the SEC has never addressed this question directly, we think the better answer under SOX 301 and Rule 10A-3 is "yes." Recall that SOX 301 requires companies to establish procedures for confidential, anonymous submission of information. Neither SOX 301 nor Rule 10A-3 says that this must be the sole and exclusive channel for whistleblowers or that alternate whistleblowing procedures that are not anonymous must be discarded. Keep in mind, however, that local law may still make it problematic if the U.S. hotline is available locally.

So if you are one of the companies struggling with these questions, the best answer is to get a firm legal opinion from counsel in the U.S. and in the foreign jurisdictions in which you operate or have an office. The technology is there; it is the deployment of the technology that matters.


MEET THE AUTHOR

J Rollins is the co-founder and CEO of ETHIX360. J is a well-known leader and innovator who has served on senior leadership teams ranging in responsibility from Chief Revenue Officer, Chief Marketing Officer, SVP of Product Strategy and Chief Operating Officer.

