2024 WLG Whistleblower Guide: Washington, DC, USA

Is there a law to protect whistleblowers? If so, which law?

Yes, several laws in the US protect whistleblowers. For example, 31 USC. § 3730(h) of the US False Claims Act ("FCA”) provides a cause of action for a whistleblower who is retaliated against because of the whistleblower’s efforts to stop a violation of the FCA, a law that applies broadly to companies or individuals that contract with the US government or sell products reimbursed by US government programs. Additionally, The Dodd-Frank Wall Street Reform and Consumer Protection Act and The Sarbanes-Oxley Act of 2002 ("SOX”) provide retaliation protections for whistleblowers who report possible violations of the federal securities laws in the context of companies traded on US stock exchanges.

Are companies legally obliged to introduce a whistleblowing system?

There is no US law requiring all companies to establish a whistleblowing system, but laws and regulations applicable to certain companies do. For example, when US Federal Acquisition Regulation (FAR) § 52.203-13 is included in a company's contract with the US government, the company must implement an internal control system that includes an internal reporting mechanism, such as a whistleblowing hotline, for employees to report suspected improper conduct. In addition, SOX requires audit committees of securities issuers, such as publicly traded companies, to establish procedures for the receipt of complaints related to accounting issues and audit controls.  

 If so, which companies must introduce a whistleblowing system (number of employees, turnover, sector)?

See the answer to Question 2 above.

 What forms can a whistleblowing system take (written, verbal, email, electronic tool)?

There is no requirement that a whistleblowing system or hotline take certain forms of whistleblowing, but most systems accept whistleblower reports in all forms, whether by email/electronically, by some other written means, by phone, or in person through a supervisor, compliance, human resources, or company leadership.  

Which reports must be permitted?

In the US, it is considered a best practice for companies to allow whistleblower reports regarding all topics and in all forms to capture the broadest set of information to determine if further investigation or other action is warranted.  With monetary awards provided by many US government agencies for whistleblowing (including to international whistleblowers), most companies provide robust internal reporting channels.  See, for example, See Something, Say Something: DOJ Launches Corporate Whistleblower Awards Pilot Program | Advisories | Arnold & Porter (arnoldporter.com) and Top Five Takeaways From the SEC’s Annual Whistleblower Report | Advisories | Arnold & Porter (arnoldporter.com)

 Must anonymous reporting be guaranteed?

Certain US laws and regulations, such as FAR § 52.203-13 and SOX, require that entities subject to these laws establish whistleblowing hotlines that allow for anonymous and confidential reporting. However, if reporters choose to identify themselves, it is advantageous for companies to meet with those individuals to (i) provide assurance that their complaint has been received and taken seriously and (ii) fully investigate their complaints.    

Who must be able to provide information (only employees or also external third parties)?

In the US, it is best practice for whistleblowing hotlines to accept information from both employees and external third parties, and many US companies allow both. However, some regulations, such as FAR § 52.203-13, only require that the hotline accept information from employees.

Can companies rely on one centralized hotline, or is it necessary to have one hotline for each subsidiary?

It is common for companies in the US and those subject to US laws to utilize only one centralized hotline. However, as noted above, many companies also allow for the submission of information through a web form, email, or through a supervisor and through multiple language-specific channels (e.g., reporting in the home country's national language plus English for multinationals). Ultimately, the system should allow for timely, complete reporting.

Can a whistleblowing system also be operated by an external body (e.g. consultant)?

It is common for companies in the US and those subject to US laws to have an external third party operate the company's hotline program. However, in many instances, the reports go to specific individuals within the company (such as compliance, legal, or human resources) for review and determination of whether an internal investigation or other action is warranted.  Law firms generally do not serve this function in the US for malpractice liability reasons.

Are sanctions imposed for failure to introduce a whistleblowing system?

Certain companies that fail to implement whistleblowing systems can have severe consequences. For example, companies that are subject to SOX may not be able to list their securities on a national US securities exchange if they fail to implement whistleblower systems, as discussed in question 2.  Even if not required by regulation, whistleblowing systems in the US are considered critical to effective compliance programs. The US Department of Justice ("DOJ”) releases guidance to companies called the Evaluation of Corporate Compliance Programs ("ECCP”). Under the ECCP, the DOJ considers the establishment of a whistleblowing system in its determination regarding whether a company has established mechanisms to effectively detect and prevent misconduct. This factor may impact the DOJ’s decision to bring charges or negotiate a plea deal.  In addition, companies subject to FAR § 52.203-13 that fail to implement a hotline may be liable for breach of contract or, in extreme cases, may risk being suspended or debarred from doing business with the US Government.