“You know how to whistle, don’t you, Steve? You just put your lips together and blow.”

— Lauren Bacall in “To Have and Have Not”

Humphrey Bogart might have known how to whistle, at least at Lauren Bacall, but the United States government doesn’t think your employees know how to whistle well enough. Hence, we have Section 922 of the Dodd-Frank Act, requiring the Securities and Exchange Commission to establish a bounty system rewarding whistleblowers of public company securities-law violations when recoveries exceed $1 million.

The SEC has adopted final whistleblower “rules” (“Release” 34-64545), which went into effect on Aug. 12. It did so in the face of strong industry opposition, including that of the National Association of Corporate Directors. Many commentators foresaw the death of SOX-driven internal reporting systems if the SEC did not require a whistleblower first report to the company, a requirement nonetheless absent from the final rules.

How should a public company position itself with respect to these rules? Legal commentators generally seem to be saying, “Wow, we have new and stringent whistleblower rules. We better comply and make sure we don’t punish anyone by retaliation.”

Such generalities are not helpful.

Law firm “alerts” make two obvious points: Paying a federal bounty is liable to encourage bypassing internal company reporting, and anti-retaliation rules will make it hard to fire complainants who otherwise deserve to be discharged.

The difficultly is how exactly should you update company policies. We are admonished to:

• make sure we maintain an anonymous hotline for complaints (already required by SOX);

• have a code of conduct;

• provide basic employee training;

• establish a compliant tone;

• educate HR against retaliation;

• recognize that it violates law to discourage use of the bounty system (without specifics as to what constitutes discouragement);

• reward internal reporters (without suggestions as to implementing such rewards);

• establish strong mechanisms to record and investigate all complaints, with no “materiality” screen; and

• designate a chief compliance officer (reporting to the board).

Those suggestions either break no new ground or are too vague to be useful.

The July issue of Compliance Week identified the risk of an onslaught of internal investigations, many of which an overworked SEC will bounce back to the company. These company investigations will be characterized by a loss of control, timing, scope and corrective measures, and strain legal departments with increased volume and need to report to the SEC.

So what does Compliance Week recommend? The same emphasis on internal reporting and reassurance against retaliation; some undefined reward system to encourage internal reporting; and periodic progress reports to whistleblowers, assuring that a report will be made to the SEC even if it is beyond the 120-day time period that the rules give employees (after providing information under internal reporting systems) to file with the SEC to protect the bounty.

Organizations dedicated to advising board members simply repeat the need for an anonymous hotline, a robust investigatory function and the education of employees.

One well-regarded online resource does define best practices, but the suggestions seem repetitive: offering an educational program to inform directors, officers and employees of what constitutes a whistleblow-able violation and how the internal system works; assuring that all complaints will be investigated vigorously; maintaining detailed employee performance records so that you can discharge a whistleblower if appropriate; making sure there is a whistleblower policy in place; and finishing investigations within 120 days lest you drive an internal reporter to file an SEC complaint to protect bounty entitlement.

The foregoing does not provide guidance on how proactively to enhance a company’s whistleblower policy.

Identify your goal

The starting point is to identify goals. Is it simply to comply with a minimum standard and make sure you don’t violate the rules? That may be enough for some companies, provided there is a true understanding of risks. The minimum involves adopting the standard suggestions described above.

I suggest elements of a bolder strategy. A company’s goals might be to clarify that the company is working cooperatively with the SEC and does not view the rules as adverse or upsetting; rather, the rules will in the long run benefit the company by creating stronger ethics and internal policing and a collaborative atmosphere.

Such an approach would demand enhanced communication with employees, strongly encourage use of internal systems, explain how a compliant whistleblower is economically benefitted by working with the company, and emphasize how the SEC program can increase bounties through internal reporting.

The art to such an approach is to achieve those goals without illegally “discouraging” direct SEC reports.

Robust checklist

The traditional elements of this program are:

• Assure that whistleblower mechanics established under SOX are robust.

• Assure that a code of conduct is acknowledged by all employees.

• Assure that anti-retaliation mechanisms are in place and that HR is supervised prior to taking negative employment action.

• Attend to the tone at the top in board and executive education and policy statements.

Then add these new elements:

• Educate employees on the mechanics of internal and external (SEC) whistleblowing; articulate the types of wrongdoing covered (and not covered); clarify that no bounty is available if information is obtained in violation of the law.

• Institute reporting systems for the progress of investigations, keeping an eye on the 120-day time period after a whistleblower gives information to the company.

• Clarify that employees at any time have the right to go to the SEC directly, before, at the same time as or after making company disclosure.

• Incentivize employees.

Specifics

To communicate to employees their economic benefit in first utilizing the company’s internal reporting systems, you must articulate the manner in which the company will conduct an examination so as to inspire confidence that things will not be swept under the rug, along with any hope of a bounty.

How to make this credible? One of the incentives built into the rules is that if an employee gives the company information that itself would be insufficient to support a bounty (if given directly to the SEC), and if the company investigates and enhances that information, then the employee will be given credit for the full amount of information (provided by the employee plus that gathered by the company).

Hence, if someone has an “inkling,” rather than waiting around to see if a problem grows larger, an employee will be helping obtain the bounty by prompt internal reporting.

I suggest a plain-English discussion of: how examinations will be undertaken, with reporting to the whistleblower (assuming the whistleblower is not anonymous); an invitation to anonymous whistleblowers to come forward so that they can receive reports (although such proposal might in some circumstances be viewed as discouraging the bounty process); the 120-day period (after the reporting by the whistleblower to the company and before the whistleblower must advise the SEC to protect bounty); referring employees to outside counsel to assure they don’t forfeit bounty (although such a suggestion has some obvious risks); and how (according to the rules) the SEC will increase bounties for whistleblowers utilizing company reporting and decrease bounties for those who have not.

Companies should consider establishing a clear roadmap, with diagrams, showing how a collaborative approach (starting with internal reporting and ending with the company contacting the SEC) might work.

Can a company provide a direct incentive, an immediate company bounty to an employee who first approaches the company? Would that run afoul of the SEC’s policy? You need some trigger in terms of credibility and importance, and cash distribution may be problematical, but what about soft perks such as enhanced vacation or other benefits?

There is a balance between actually going fishing for internal complaints, on the one hand, and providing internal reward to forestall a rush to initial SEC reporting, on the other.

Companies should make clear those parties who are not entitled to a bounty. That might prevent individuals from going to the SEC and setting off an investigation, which could just as well be done internally, based on a mistaken belief that a bounty would be available.

Subject to certain exceptions, the rules describe persons prohibited either globally or as a practical matter from sharing bounties. In-house and outside lawyers, auditors, directors, officers and individuals with a function of identifying and evaluating whistleblower complaints will not qualify for bounty save in exceptional circumstances.

Conclusion

To date, practical guidance on enhancing whistleblower programs has not proceeded beyond generalities. The above suggestions may provide content for bolder counsel to consider.

Stephen M. Honig is a partner in the Boston office of Duane Morris.