Key Takeaways:
- A version of this article also appeared in Compliance & Enforcement May 9, 2024. Access that version here.
- As artificial intelligence (“AI”) use and capabilities surge, a new risk is emerging for companies: AI whistleblowers. Both increased regulatory scrutiny over AI use and record-breaking whistleblower activity have set the stage for an escalation of AI whistleblower-related enforcement.
- AI enforcement and whistleblower protection are priority areas for both the SEC and the DOJ, and the risk of AI whistleblowers is rising as whistleblower protections and awards expand, internal company disputes over cybersecurity and AI increase due to a lack of clear regulatory guidance, and public skepticism mounts over the ability of companies to offer consumer protections against cybersecurity and AI risks.
- Given robust federal whistleblower incentive programs and rapidly emerging recent AI enforcement activity, companies adopting AI should consider updating their policies and procedures to prepare for AI whistleblower risks.
As artificial intelligence (“AI”) use and capabilities surge, a new risk is emerging for companies: AI whistleblowers. Both increased regulatory scrutiny over AI use and record-breaking whistleblower activity has set the stage for an escalation of AI whistleblower-related enforcement. As we’ve previously written and spoken about, the risk of AI whistleblowers is rising as whistleblower protections and awards expand, internal company disputes over cybersecurity and AI increase due to a lack of clear regulatory guidance, and public skepticism mounts over the ability of companies to offer consumer protections against cybersecurity and AI risks.
AI enforcement and whistleblower protection are priority areas for both the SEC and the DOJ. The longstanding whistleblower program at the SEC has yielded dozens of significant enforcement actions. The SEC has repeatedly warned market participants against “AI washing” and has charged its first-ever AI fraud cases. The U.S. Department of Justice (“DOJ”) similarly launched its AI enforcement program in February by announcing an initiative targeting the detection and prosecution of crimes perpetrated through AI. In March, the DOJ announced a new pilot whistleblower rewards program that reaffirmed its focus on AI, stating that prosecutors would integrate AI assessments into evaluations of corporate compliance programs and would seek “stiffer sentences” for AI misuse.
Given robust federal whistleblower incentive programs and rapidly emerging recent AI enforcement activity, companies adopting AI should consider updating their policies and procedures to prepare for AI whistleblower risks.
SEC Whistleblower Program. The SEC’s Office of the Whistleblower is integral to the SEC’s current aggressive approach to enforcement and remedies. The SEC has praised the contributions of whistleblowers as essential to detecting wrongdoing in the securities markets and protecting investors, and has issued over a billion dollars to whistleblowers whose tips have led to successful enforcement actions. Under federal law, whistleblowers who provide the SEC with original, timely, and credible information that leads to a successful enforcement action may be eligible for awards ranging from 10 to 30 percent of the money collected, when monetary sanctions exceed $1 million. Fiscal year (“FY”) 2022 and 2023 were each record-setting years for the SEC’s whistleblower program. In FY 2023, the SEC issued an unprecedented number of whistleblower awards totaling nearly $600 million, with a record-breaking $279 million award to a single whistleblower. The SEC also received more than 18,000 tips, representing an approximately 50% increase in such tips over FY 2022.
The SEC has also brought numerous enforcement actions against companies that fail to safeguard the rights of whistleblowers under federal law or that retaliate against whistleblowers. Rule 21F-17 of the Securities Exchange Act of 1934 prohibits any person from taking any action to impede individuals from contacting the SEC to report a possible securities law violation, including enforcing or threatening to enforce a confidentiality agreement. Accordingly, institutions are prohibited from taking actions to impede potential whistleblowers from reporting conduct to the SEC.
Notably, the SEC has recently sharpened its focus on enforcing Rule 21F-17. The five 21F-17 enforcement actions brought in FY 2023 constitute approximately a quarter of all Rule 21F-17 actions brought since 2015. In light of SEC’s aggressive Rule 21F-17 enforcement, companies should make reasonable efforts to avoid even the appearance of impeding whistleblowing and ensure that their compliance programs protect the rights of whistleblowers.
DOJ Whistleblower Program. On March 7, 2024, Deputy Attorney General Lisa O. Monaco announced a new pilot whistleblower rewards program offering financial incentives for individual whistleblowers to report wrongdoing to DOJ. The program is intended to “fill gaps” in the “patchwork quilt” of existing whistleblower programs at the SEC and other federal agencies to “address the full range of corporate and financial misconduct that the Department prosecutes.”
The pilot program relies on the DOJ’s existing authority to pay awards for information or assistance leading to criminal or civil forfeitures. Under this program, individuals who report truthful information concerning corporate or financial misconduct not already known to the government, who were not involved in the underlying criminal activity, and who have no other relevant financial disclosure incentives (e.g., qui tam or other government whistleblower programs) will be eligible to receive a portion of the resulting forfeiture. Whistleblowers will be paid only after all victims have been appropriately compensated.
The DOJ’s program presents significant reporting issues for companies to consider. For example, because whistleblowers only get credit for reporting conduct that is not already known to the DOJ, employees are more likely to report misconduct to the DOJ without first notifying their companies. Similarly, the credit that companies get for self-reporting misconduct is dependent on reporting wrongdoing that this is not already known to the DOJ. Accordingly, the program can create incentives for both the companies and whistleblowers to promptly report misconduct to the DOJ before other does. Additionally, the visibility of the program, as well as the significant awards it offers, may create challenges for companies’ efforts to encourage employees to report misconduct via internal channels. The DOJ’s pilot program also increases the risk of potential criminal consequences for alleged interference with whistleblower activity.
Practical Tips for Updating Whistleblower Policies and Procedures. To mitigate the risks posed by AI and prepare for AI whistleblower complaints, companies should consider adopting the following measures:
- Training: Train managers involved in AI on relevant whistleblower protections and law to mitigate whistleblower risks.
- Employee or Contractor Agreements: Review all confidentiality agreements, including severance agreements, releases, codes of conduct, ethics manuals, training materials, and investor materials, for compliance with the Rule 21F-17 requirement not to impede individuals from contacting the SEC to report a possible securities law violation.
- Addressing Complaints Promptly: Avoid delays in responding to whistleblowers where practicable so not to increase the likelihood that whistleblowers will become frustrated and escalate their complaints externally.
- Taking Concerns Seriously: Take all whistleblower complaints seriously, including ones that are vague or inflammatory. Even one legitimate concern in an otherwise baseless complaint that is not properly investigated can trigger investigative and enforcement risk.
- Protecting Whistleblower Anonymity: If the whistleblower is anonymous, take reasonable measures to protect that anonymity throughout an investigation. If the identity of the whistleblower is known to investigators, it is best not to share this identity with others in order to limit the risk of retaliation or investigative taint.
- Providing Context for Decisions: Whistleblowers may have valid concerns but lack the broader context for the priorities and competing considerations of their companies. When addressing a whistleblower’s concerns, consider providing them with the additional context, when appropriate, on the costs, risks, and business impacts of alternative proposed courses of action, and why those may not be achievable.
- Consulting Counsel: Consider involving counsel when faced with complaints regarding alleged violations of law in connection with AI, especially if any adverse action (including cutting off access to company systems and denying access to company facilities) is being considered against an employee or independent contractor who has raised the concern. Involving outside counsel may also help strengthen privilege claims over the investigation and provide a level of independence.
- Expert Investigation Team: Ensure that the investigation team has the necessary AI expertise to evaluate the whistleblower’s allegations or has access to consultants who can assist in that evaluation.
This publication is for general information purposes only. It is not intended to provide, nor is it to be used as, a substitute for legal advice. In some jurisdictions it may be considered attorney advertising.