October 10, 2023

SEC Settlements Over Whistleblower Protections Pile Up

SEC to Issuers: Don't Take Rule 21F-17 Compliance for Granite
Holland & Knight SECond Opinions Blog
Madeline Mariana Tansey | Allison Kernisky | Jessica B. Magee
Gavel and scale resting on desk

As the SEC closed its fiscal year, it filed three separate enforcement actions against companies for purported violations of Rule 21F-17 under the Securities and Exchange Act of 1934, which prohibits persons from impeding whistleblowers from communicating with the agency. The SEC emphasized similar themes to prior enforcement actions involving 21F-17 violations (limitations on right to recover whistleblower awards, restrictions on lodging complaints with the agency and prohibitions on disclosing information outside the company without prior authorization). In this post, we provide an overview of the three actions and offer some key takeaways from the SEC's orders.

Rule 21F-17 … A Pillar of Whistleblower Justice

For those loyal readers that have been following our coverage of Rule 21F-17 (see here and here), it is clear that the SEC takes a fairly expansive and strict approach to enforcement of the rule, the relevant portion of which provides:

No person may take any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement … with respect to such communications.

17 CFR § 240.21F-17. Since the rule became effective in August 2011, the SEC has made clear that enforcement of the rule is one of its priorities. In a July 30, 2021, speech, SEC Chair Gary Gensler made clear that this trend will continue during his tenure (and it has), stating:

Whistleblowers provide a critical public service and duty to our nation. The tips, complaints, and referrals that whistleblowers provide are crucial to the [SEC] as we enforce the rules of the road for our capital markets.

A Large Block … to Whistleblower Awards

In a Sept. 8, 2023, settlement with Monolith Resources LLC (Monolith), a clean energy and resources technology company based in Lincoln, Nebraska, the SEC focused on language within the company's separation agreements with its employees.

For three years – from February 2020 through early March 2023 – Monolith entered into separation agreements with 22 departing employees that contained this language:

[N]othing in this agreement is intended to limit in any way your right or ability to file a charge or claim with any federal, state, or local agency …. These [governmental] agencies have the authority to carry out their own statutory duties by investigating charges or claims, issuing determinations, filing lawsuits in their own name or taking other action authorized by statute. You retain the right to participate in any such action, but not the right to recover money damages or other individual legal or equitable relief awarded by any such governmental agency (emphasis added).

Even though the agreements did not prohibit any former employee from communicating directly with the SEC or threaten any retaliatory action for initiating such communications, the SEC stayed true to its earlier enforcement approach and found the provision waiving a right to recovery as violating 21F-17 (see here and here).

Without admitting or denying the findings, Monolith agreed to pay a $225,000 civil money penalty. Notably, the SEC did not find any instances in which a former Monolith employee who signed the separation agreement communicated with Commission staff about potential securities law violations or that the company took any action to enforce the provision or otherwise prevent such communications.

The SEC took enforcement action despite the remedial measures Monolith implemented after it was first contacted by enforcement staff in April 2023. For example, Monolith revised its separation agreement voluntarily to make clear that it would not restrict a departing employee's right to communicate with governmental agencies, including the SEC, and that the separation agreement did not in any way limit a separated employee's ability to obtain an incentive award in connection with providing information to governmental agencies. Monolith's revised separation agreement now provides that "nothing in this Agreement shall bar or impede in any way your ability to seek or receive any monetary award or bounty from any governmental agency or regulatory or law enforcement authority in connection with protected 'whistleblower' activity."

Monolith also notified, or used reasonable efforts to notify, employees who had signed a prior separation agreement that the agreement does not in any way limit their ability to obtain a whistleblower incentive award.

Just a Stone's Throw Away … Another Settlement for Rule 21F-17 Violations

In another , the SEC settled with a Texas-based international real estate services firm for violating Rule 21F-17 by discouraging employees from filing complaints with regulators.

The SEC found that during an 11-year period – from 2011 to 2022 – the firm required departing employees to attest in their separation agreement that they had not filed a complaint about the firm or any of its affiliates with "any state or federal court or local, state or federal agency" to be eligible to receive severance pay. In 2015, the firm amended the language to make clear that the agreement did not prevent the employee from participating in any investigation by a state or federal regulator agency. Enforcement staff found, however, that this language was prospective and did not cover the time up until the employee signed the agreement.

As with Monolith, the SEC took action even though the agency was not aware of the firm actually retaliating against a whistleblower or preventing anyone from coming forward. Without admitting or denying the allegations, the firm agreed to pay a $375,000 civil penalty. And, as Monolith did, the firm revised the language in its severance agreements after being contacted by enforcement staff.

In addition, the firm took extra remedial measures, including auditing and revising 300 different separation agreement templates that it used in 54 countries, training 50 members of its global compliance teams on the whistleblower protection rule and that, as a result of these revisions and training, more than 100,000 employees worldwide certified that they understood they were not limited in their ability to communicate with any agency, including the SEC, without notice or approval from the firm. The firm also contacted those former employees who had signed separation agreements in 2021 and 2022 and advised them of the protections afforded to them by the whistleblower rule.

In its Sept. 19, 2023, order, the SEC commended the firm for its "swift and far-reaching remediation" and high-level cooperation with the investigation. In announcing the settlement, Eric Werner, Regional Director of the SEC's Fort Worth office, stated:

It is critical that employees are able to communicate with SEC staff about potential violations of the federal securities laws without compromising their financial interests or the confidentiality protections of the SEC's whistleblower program.

Penalties Are Getting Bo[u]lder and Bo[u]lder

Finally, right before the end of the fiscal year, the SEC announced settlement with D.E. Shaw & Co. LP (DESCO), a New York-based investment adviser, for its violations of Rule 21F-217. In a Sept. 29, 2023, order, the SEC described the violative conduct, which occurred over several years dating back to 2011 and included requiring:

  • all new employees to sign employment agreements prohibiting them from disclosing confidential information to anyone outside of DESCO without authorization unless required by law, court order, or other regulatory or governmental body, with no exception for voluntary communications with the SEC concerning possible securities laws violations
  • certain (but not all) departing employees to sign separation agreements certifying that they had not filed any complaints with any governmental agency, department or official in order to receive certain post-departure payments, including deferred compensation and other benefits; the agreements contained this release language:

The Employee represents and warrants to the Company that the Employee has not made, filed or lodged any complaints, charges, or lawsuits or otherwise directly or indirectly commenced any proceeding against any member of the D. E. Shaw Group and/or any Covered Persons and Entities with any governmental agency, department, or official; any regulatory authority; or any court, other tribunal, or other dispute resolution body.

Notably, and unlike in most of the other settlements discussed here, the SEC was aware that at least one DESCO employee was initially discouraged from communicating with SEC staff about potential securities law violations.

DESCO tried to remediate. In 2017, in the wake of several SEC settlements involving Rule 21F-17 violations, DESCO updated its policies and procedures and announced via companywide email that employees were free to communicate directly with, or provide information to, the government regarding possible violations of law or regulations without notifying DESCO. The firm also required employees to certify annually thereafter that they received and reviewed the updated policies. However, the SEC found that the firm did not go far enough because it did not update its new employee agreements until two years later, in April 2019, and did not revise the release in certain separation agreements until July 2023, after the SEC investigation began. In a similar settlement in June 2021, the SEC found that although the company had language compliant with Rule 21F-17 in its code of conduct, its compliance manual and annual compliance training materials contained conflicting and unlawfully restrictive language that prevented employees from contacting regulators without prior approval from the legal or compliance department.

Despite its attempted remediation, the SEC found that DESCO "raised impediments to whistleblowing" and "undermine[d] the purpose of Rule 21F-17, which is to 'encourage individuals to report to the [SEC].'" According to the SEC, DESCO willfully violated Rule 21F-17 (meaning the person charged knew what they were doing).1 Without admitting or denying the SEC's findings, DESCO agreed to be censured (the other two companies described above were not) and pay a $10 million civil penalty.

In imposing this penalty, the SEC considered DESCO's remedial actions, including revising the exit release to affirmatively advise departing employees of their right to contact regulators with concerns about potential legal or regulatory violations without notice to DESCO. The firm has used the revised release in separation agreements since July 2023. DESCO also sent letters to all former employees, regardless of whether they signed a release when they left, to let them know they are free to communicate with the government without DESCO's notice or approval.

In the SEC's announcement, Director of Enforcement Gurbir Grewal cautioned:

Entities employing confidentiality, separation, employment and other related agreements should take careful notice of today's enforcement action. The Commission takes seriously the enforcement of whistleblower protections and those drafting or using these types of agreements should take equally serious their obligations to ensure that they don't impede whistleblowers from contacting the Commission.

Our Column's Take on Rule 21F-17 Enforcement

Some takeaways from these settlements:

  1. Noncompliant Policies Are Enough to Trigger Enforcement. Of the ways in which the SEC has enforced a Rule 21F-17 violation to date (preventing reporting, threatening retaliation and restricting compensation awards), the vast majority of violations do not include a showing that the company actually prevented a former employee from communicating with the SEC or recovering an award (see here, here and here). However, in the DESCO settlement, there was evidence that at least one employee was discouraged from talking to the Commission. There are other settlements (here and here) in which whistleblowers have been fired in retaliation for contacting the SEC, but those are not as common as settlements involving strictly violative language in policies and procedures.
  2. Bigger Penalties May Be the New Norm. The $10 million penalty in the DESCO settlement is the second largest imposed to date, after the mammoth $35 million penalty levied against another company in February 2023. In that settlement, additional charges likely impacted the penalty amount. There, in addition to Rule 21F-17 violations, the SEC found that the company violated Exchange Act Rule 13a-15(a) for failing to maintain or implement necessary disclosure controls to collect and review employee complaints about workplace misconduct.2 However, the DESCO settlement involves only whistleblower protection violations. Is the $10 million penalty imposed on DESCO an anomaly? Perhaps not. While the average Rule 21F-17 penalty has been in the low six figures historically, the penalties are ticking up. DESCO coupled with some more recent $1 million to $2 million penalties, compared to $100,000 to $250,000 penalties on average a few years ago, suggest that the cost for violating Rule 21F-17, like the price of groceries, may continue to rise.
  3. Remedial Measures Likely Will Not Prevent the SEC from Imposing a Sanction for a Rule 21F-17 Violation. In each of these settlements, the settling party cooperated with the staff during the investigation and revised its agreements and policies but did not avoid penalty. This has been consistent with not only the SEC's prior 21F-17 enforcement, but broader enforcement trends. Under this administration, outside of certain perks cases and the rare instances where companies avoid a civil penalty all together, if the SEC is filing an enforcement action, there will almost certainly be a civil monetary penalty.
  4. Matchy-Matchy Is Good. Compliant and uniform language across the spectrum throughout company policies, procedures, employment agreements and releases/separation agreements, to name a few – and not just in certain documents that may conflict with others – is more likely to keep the SEC away. Company policies should be mirrored and supported through like actions in the form of training, periodic employee acknowledgement of compliance, and frequent and specific employee communication.

Consequently, companies of all sizes would do well to ensure that any policy, procedure, handbook or written agreement – including agreements with new or departing employees – contains the language and components necessary to comply with Rule 21F-17 before the SEC comes knocking.

The Holland & Knight SECond Opinions Blog will continue to monitor this issue, and we will provide updates on additional developments. If you need further information on this topic or anything related to SEC enforcement, please contact the authors or another member of Holland & Knight's Securities Enforcement Defense Team.


1 Wonsover v. SEC, 205 F.3d 408, 414 (D.C. Cir. 2000) (quoting Hughes v. SEC, 174 F.2d 969, 977 (D.C. Cir. 1949)).

2 Rule 13a-15(a) requires an issuer to maintain sufficient procedures to collect, process and disclose the information required in its SEC filings.

Related Insights