SEC steps up enforcement of rule 21F-17 Whistleblower Protections

12 December 2023 4 min read

By Cassie Boyle

At a glance

  • Employers are encouraged to review their agreements, policies, and procedures to ensure they do not impede the ability of employees to directly communicate with the Securities and Exchange Commission (SEC).
  • SEC penalties, including a USD225,000 fine and a USD10 million penalty, underscore the consequences of companies violating Rule 21F-17 through improper language in agreements that restrict employees from reporting potential securities law violations.

Based on recent enforcement activity by the SEC, employers are encouraged to review their agreements, policies, and procedures to ensure they do not impede the ability of employees to directly communicate with the SEC - or other federal agencies based on applicable laws – to report a possible securities law violation.

Whistleblower protections

The Dodd-Frank Wall Street Reform and Consumer Protection Act, enacted on 21 July 2010, amended the Exchange Act by adding Section 21F, ‘Whistleblower Incentives and Protection,’ to encourage whistleblowers to report possible violations of the securities laws by providing financial incentives, prohibiting employment-related retaliation, and providing various confidentiality guarantees.  

To fulfil this congressional purpose, the SEC adopted Rule 21F-17, which prohibits any person from taking any action to impede an individual from communicating directly with the SEC about a possible securities law violation, including enforcing or threatening to enforce a confidentiality agreement with respect to such communications. According to the SEC, improperly restricted language in severance agreements, non-disclosure agreements, as well as a company’s internal policies, procedures and guidance may also violate Rule 21F-17(a).

Additionally, if the individual who has initiated communications with the SEC works for an entity that has counsel, the SEC may communicate directly with that individual without the consent of the entity's counsel. 17 C.F.R. § 240.21F–17(b).

Recent enforcement actions

Since its first enforcement action in 2015, the SEC has brought a total of 21 enforcement actions based on actions taken to impede reporting – with five of those actions initiated in the last year. In September 2023 alone, the SEC settled with three companies it charged with violating the Rule 21F-17.

In September 2023, the SEC entered into a settlement with a privately held company based on allegations that the company required departing employees to waive their rights to monetary awards for reporting possible securities law violations to the SEC. According to the SEC’s order, the company’s separation agreement stated that it did not intend to limit the signing individual’s right or ability to file a charge or claim with any federal, state or local agency or participate in any action, but took away the individual’s right to recover a money damages or other relief awarded by any government agency. Notably, the SEC acknowledged that it was ‘unaware of any instances’ in which a former employee who signed such an agreement failed to report a potential securities law violation or the company took action to prevent a report.

Without admitting or denying the findings, the company agreed to pay a USD225,000 penalty and change its separation agreement’s language to provide that ‘nothing in this agreement shall bar or impede in any way your ability to seek or receive any monetary award or bounty from any governmental agency or regulatory or law enforcement authority in connection with protected ‘whistleblower’ activity.’

In another matter, the SEC instituted case-and-desist proceedings based on a company’s use of a separation agreement which required individuals to represent and acknowledge that they had not filed any complaint or charges against the company with any local, state or federal agency. According to the SEC’s order, the introductory language further provided that the employee could not execute the agreement prior to the date of termination. The SEC found that, read together, this language and the employee representation improperly required the employee to represent that at the time of executing the agreement the employee had not filed a complaint or charges based on either:

  • events occurring at any time before termination; or
  • events occurring between the termination and the employee’s executing the agreement. 

While the company modified the agreement in 2015 to state that the agreement shall not be construed to prohibit the employee from filing a charge with the SEC (among other agencies), the SEC found that the amendment was prospective in application and therefore did not remedy the agreement’s impeding effect.

Significantly, the SEC imposed a USD375,000 civil penalty notwithstanding the company’s cooperation, prompt remediation program, and lack of any specific instances in which a former employee was prevented from communicating with the SEC.

Also in September, the SEC imposed a USD10 million civil penalty against an investment advisor for Rule 21F-17 violations. According to the SEC’s order, the company required new employees to sign confidentiality agreements that prohibited them from disclosing the company’s confidential information to anyone outside the company unless authorised by the company or required by law or court order. In addition, from at least 2011 through 2023, the company required hundreds of departing employees to sign releases affirming that they had not filed any complaints with any governmental agency, department, or official in order for them to receive deferred compensation and other benefits.

While the company sent a firm-wide email in 2017 stating that nothing in the agreements prohibited employees from communicating with governmental bodies concerning possible violations and updated its policies and employment agreements in 2019, the SEC noted that the company did not revise its release until 2023 during the SEC’s investigation.