In 2023, the Securities and Exchange Commission (SEC) entered into consent decrees with five companies based on employment agreements or practices that the SEC viewed as potentially impeding employees from reporting securities law violations in violation of Rule 21F-17, the SEC whistleblower protection rule. Rule 21F-17 provides that "[n]o person may take any action to impede an individual from communicating directly with the [SEC] staff about a possible securities law violation, including enforcing or threatening to enforce a confidentiality agreement . . . with respect to such communications" (17 C.F.R. § 240.21F-17). These enforcement actions reflect the SEC's continuing commitment to pursue enforcement actions and impose fines against employers for Rule 21F-17 violations, even where there is no evidence that the employer actually enforced the confidentiality provisions against any individual and the employer voluntarily modified its practices.

Practical Law reached out to Julia M. Jordan, Ann-Elizabeth Ostrager, and William S. Wolfe of Sullivan & Cromwell LLP about issues employers should consider regarding Rule 21F-17 compliance when drafting or reviewing employment agreements and policies.

Julia is a partner in the firm's Litigation Group, and co-head of both the firm's Corporate Culture, Workplace Investigations & Whistleblower Litigation and the Labor & Employment Groups. Julia's practice focuses on internal investigations, employment matters, and complex commercial litigation.

Ann-Elizabeth is a partner in the firm’s Litigation Group, a member of the firm’s Criminal Defense & Investigations and Corporate Culture, Workplace Investigations & Whistleblower Litigation Groups, and co-head of the firm's Labor & Employment Group. Ann-Elizabeth has a diverse practice that includes employment litigation, regulatory and internal investigations, securities litigation, and cryptocurrency investigations and litigation. Ann-Elizabeth also maintains an active pro bono practice.

William is a practice area associate in both the firm's Labor & Employment and Corporate Culture, Workplace Investigations & Whistleblower Litigation Groups. His practice focuses on litigation, advice and counseling, and internal investigations involving a range of employment-related matters.

The Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank) was enacted in 2010 in response to the 2008 financial crisis. Among other things, Dodd-Frank added significant new whistleblower incentives and protections, including the creation of the SEC whistleblower program through the addition of Section 21F to the Securities Exchange Act of 1934 (Exchange Act). This legislation was designed to "motivate those with inside knowledge to come forward and assist the Government to identify and prosecute persons who have violated securities laws and recover money for victims of financial fraud" (S. Rep. 111-276, (Apr. 30, 2010)).

Section 21F requires the SEC to pay awards, subject to certain limits, to whistleblowers who voluntarily provide the SEC with original information about federal securities laws violations. In 2011, the SEC issued a final rule implementing its whistleblower program, which included Rule 21F-17 (Final Rule, Securities Whistleblower Incentives and Protections, 76 Fed. Reg. 34300 (June 13, 2011), codified at 17 C.F.R. §§ 240.21F-1 to 240.21F-17). Only the SEC may bring an action for an alleged violation of this rule.

Although the statutory text of Section 21F includes protections for whistleblowers against retaliation (see 15 U.S.C. § 78u-6(h)), it does not directly prohibit actions that arguably impede whistleblowing. In implementing Rule 21F-17, the SEC reasoned that the rule "is necessary and appropriate because . . . efforts to impede an individual's direct communications with [SEC] staff about a possible securities law violation would conflict with the statutory purpose of encouraging individuals to report to the [SEC] " (76 Fed. Reg. at 34352).

In 2015, the SEC announced its first Rule 21F-17 enforcement action against a company based on form confidentiality statements used to prevent witnesses from speaking with one another during an investigation. The confidentiality statements required employees to agree that, among other things, they were prohibited from discussing the subject matter of the interview (which involved potential securities laws violations) without prior approval. The confidentiality statements also warned the employees that an unauthorized disclosure may be grounds for disciplinary action, including termination. The SEC brought this action even though there was no evidence that either:

(SEC Release No. 74619 (Apr. 1, 2015).)

As of December 1, 2023, the SEC had brought 21 enforcement actions under Rule 21F-17 in connection with the alleged use of employment agreements or other personnel practices that potentially impeded whistleblowing, including five enforcement actions in 2023.

In addition to the SEC whistleblower rule (Rule 21F-17), the Commodities Futures Trading Commission (CFTC) has a similar whistleblower rule that was also created by the Dodd-Frank Act and prohibits any person from taking "any action to impede an individual from communicating directly with the [CFTC's] staff about a possible violation of the Commodity Exchange Act, including by enforcing, or threatening to enforce, a confidentiality agreement or predispute arbitration agreement with respect to such communications" (17 C.F.R. § 165.19(b)).

The SEC's three most recent Rule 21F-17 enforcement actions were announced in September 2023.

The SEC settled an enforcement action against a privately held energy and technology company for allegedly using employee separation agreements that allowed the employees to "retain the right to participate in any [governmental investigations or actions]," but required the employees to waive their rights "to recover money damages or other individual legal or equitable relief awarded by any such governmental agency." The settlement agreement specifically noted that the SEC was unaware of any employees who were impeded from whistleblowing or the Company taking any action to enforce the offending provision. The SEC found that this provision nonetheless "raised impediments to participation in the [SEC's] whistleblower program by having the employees forego the critically important financial incentives that are intended to encourage persons to communicate directly with the [SEC]." The company had undertaken remedial actions, including notifying former employees that the agreements did not limit their ability to obtain financial awards in connection with the provision of information to government agencies. The company agreed to pay a $225,000 civil monetary penalty, which accounted for the company's remedial actions. (SEC Release No. 98322 (Sept. 8, 2023).)

Just weeks later, the SEC resolved another enforcement action against the subsidiary of a publicly traded commercial real estate services and investment firm in connection with its use of a separation agreement requiring that employees represent they had "not filed any complaint or charges against [the company] . . . with any . . . state or federal agency." After using this language for several years, the company added protective language to its form separation agreement stating, in relevant part, that "[n]othing in this Agreement shall be construed to prohibit Employee from filing a charge with or participating in any investigation or proceeding conducted by the . . . [SEC]." The SEC viewed this clarifying language as insufficient because the carve-out was "prospective in application" and therefore "did not remedy the impeding effect of the Employee Representation." The SEC again acknowledged that it was unaware of any employee who had been prevented from communicating with the SEC or the company taking action against any former employee based on a breach of the challenged provision. After learning of the SEC's investigation, according to the SEC, the company undertook "extensive remedial action," including updating its policies, training compliance personnel, modifying its employee agreements, and providing notifications to certain employees who signed the previously requested representation. The company agreed to pay a $375,000 civil monetary penalty, which the SEC stated accounted for the company's cooperation and remedial actions. (SEC Release No. 98429 (Sept. 19, 2023).)

In a third recent action, the SEC settled charges with a registered investment advisor in connection with its prior practice of requiring employees to sign various agreements prohibiting the unauthorized disclosure of confidential information unless authorized by the company, or if required by law or court order, without any exception for potential SEC whistleblowers. The Company's separation agreements also required the employees to represent that the employee "has not made, filed or lodged any complaints, charges, or lawsuits or otherwise directly or indirectly commenced any proceeding . . . with any governmental agency, department, or official; any regulatory authority; or any court, other tribunal, or other dispute resolution body." (SEC Release No. 98641 (Sept. 29, 2023).)

Unlike the other two settlements discussed above, the SEC stated that it was aware of one employee who was "initially discouraged from communicating with [SEC] staff about potential violations of securities laws" due to the language at issue. The settlement agreement further noted that in March 2017, the company sent an email to all employees confirming that "[n]othing in any . . . employment agreement, confidentiality agreement, or any other firm policy or agreement shall prohibit an employee from communicating directly with or providing information . . . to any regulator or any other national, federal, state or local governmental agencies or commissions regarding possible violations of law or regulation," and that notice to the company was not required if they did so. The SEC noted, however, that the company did not include similar language in its employment agreements until about two years later, after the SEC investigation began. The settlement agreement noted that the Company willfully violated Rule 21F-17, and the company agreed to pay a $10 million civil penalty, which was the highest penalty as of December 1, 2023 for a stand-alone Rule 21F-17 violation.

As reflected in the SEC's recent enforcement action against a privately held company with approximately 236 employees, the SEC has exercised such authority (SEC Release No. 98322 (Sept. 8, 2023)). This action was particularly notable given that the settlement documentation does not reflect that the challenged activity involved any securities transaction. In the press release accompanying the settlement, the regional director of the SEC's Denver office specifically noted that "[b]oth private and public companies must understand that they cannot take actions or use separation agreements that in any way disincentivize employees from communicating with SEC staff about potential violations of the federal securities laws." (SEC Release No. 2023-172 (Sept. 8, 2023).)

In resolving an enforcement action, the SEC may consider the duration, scope, and nature of the conduct at issue, and whether and when the employer undertook remedial measures. Most of the SEC's settlements for alleged Rule 21F-17 violations have been resolved for under $1 million, but several have significantly exceeded that figure.

In the most recent enforcement action against an investment advisor, the SEC and the company agreed to a $10 million dollar penalty. The SEC specifically found that the violation was willful and noted the company's failure to revise all of its agreement forms after identifying the issue and sending a firm-wide communication to all employees advising them of their whistleblowing rights.

In 2016, the SEC settled a Rule 21F-17 enforcement action for a $1.4 million penalty where the company expressly prohibited employees from "at any time in the future voluntarily contact[ing] or participat[ing] with any governmental agency in connection with any complaint or investigation pertaining to the Company," even though several employees previously asked the company to modify that language. That settlement also included an allegation of whistleblower retaliation under Section 21F(h) of the Exchange Act. (SEC Release No. 79607 (Dec. 20, 2016).)

Other cases where the SEC imposed Rule 21F-17 civil monetary penalties exceeding $1 million similarly involved both Rule 21F-17 violations and other alleged securities law violations.

Given the SEC's recent enforcement actions, employers should consider reviewing their various agreements and policies to ensure they do not contain language the SEC has deemed violative of the whistleblower rule (Rule 21F-17). Employers should review any agreements that contain provisions that could be construed as potentially impeding the rights of employees to communicate with the SEC about possible securities laws violations or that purport to require the prior authority of the company before having any such communication, including:

Employers should also consider reviewing their internal policies, procedures, codes of conduct, compliance manuals, training materials, and other such documents for language that may implicate Rule 21F-17 or contradict confidentiality provisions in their agreements.

Additionally, because Rule 21F-17 is not limited to agreements between employers and their employees, companies should review their agreements with third parties, such as contractors, customers, and consultants, for language that could be construed as impeding whistleblower rights. For example, in 2017 the SEC brought a civil litigation against a broker and investment advisor alleging the company violated Rule 21F-17 by requiring a customer to agree not to discuss the matter with the Financial Industry Regulatory Authority (FINRA) or the SEC to have her money returned. In June 2023, the court granted summary judgment in favor of the SEC. (SEC v. Vaccarelli, , at *5 (D. Conn. June 29, 2023).)

Similarly, in SEC v. Collector's Coffee Inc., the SEC alleged that the defendants "attempted to resolve investor allegations of wrongdoing against them by conditioning the return of investor money on the agreement of the investors to confidentiality clauses prohibiting the investors from communicating with law enforcement, including the SEC, about the alleged securities law violations," and even "went so far as to file a lawsuit claiming that the victims breached the confidentiality provision by communicating with SEC staff about possible securities law violations." The court "readily" concluded that conduct violated Rule 21F-17, and granted summary judgment to the SEC. (, at *4 (S.D.N.Y. Nov. 17, 2021).)

The SEC's enforcement actions for violations of Rule 21F-17 have covered a wide variety of terms in employment-related agreements and policies. Examples include:

Employers generally should consider including language protecting whistleblower reporting rights in any agreement or policy that could potentially implicate Rule 21F-17, including documents with confidentiality, non-disparagement, or other non-disclosure provisions, as well as employee policies regarding confidentiality, investigations, or complaint reporting.

However, carve-out language allowing whistleblowing will not necessarily insulate employers from liability, and a company's exposure may depend on the placement of the language and timing of its implementation. The SEC has brought actions against several companies under Rule 21F-17 even though the company had otherwise advised employees that whistleblowing was permitted.

For example, the SEC charged a registered broker-dealer because its compliance manual prohibited employees from contacting any regulator without prior approval from the company's legal or compliance department and included similar language in its compliance training. Notably, the company's code of conduct (adopted after implementing the challenged language) specifically stated that "[n]othing in this policy or any other Company policy or agreement is intended to prohibit you (with or without prior notice to the Company) from reporting to or participating in an investigation with a government agency or authority about a possible violation of law, or from making other disclosures protected by applicable whistleblower statutes." (SEC Release No. 92237 (June 23, 2021).)

Similarly, in two of the September 2023 enforcement proceedings discussed above, the companies had taken steps to notify employees that they were permitted to report securities laws violations, but the SEC found their communications inadequate and that employees might still be deterred from whistleblowing activities.

Companies should also exercise caution with language that has commonly been included in separation and settlement agreements regarding an employee's right to recover monetary damages for released claims. The SEC has brought enforcement actions to the extent such language can be construed to limit an employee's right to receive a whistleblower award (versus damages for a released claim).

For example, the SEC charged a health insurance provider with violating Rule 21F-17 by requiring departing employees who wanted to receive severance payments to waive "any right to any individual monetary recovery . . . in any proceeding brought based on any communication by Employee to any federal, state, or local government agency or department." The agreements also contained carve-out language providing that "[n]othing herein shall be construed to impede the employee from communicating directly with, cooperating with or providing information to any government regulator." The SEC explained in the settlement agreement that restrictions on monetary recovery for reporting securities law violations to the SEC "undermine the purpose of Section 21F and Rule 21F-17(a)." (SEC Release No. 78950 (Aug. 16, 2016).)

No, an employer's failure to enforce an offending provision does not absolve the employer from potential liability in an enforcement action. Many of the SEC's settlements in this area have expressly acknowledged that the SEC was not aware of any actions taken by the company to enforce the challenged employer practices or of any employee who was actually impeded from whistleblowing.

The Director of the SEC's Division of Enforcement, Gurbir Grewal, recently addressed this specific issue. In an October 24, 2023 speech, Grewal instructed that companies "need to look at these [prior SEC enforcement] orders and the violative language cited by the [SEC] and think about how those actions may impact your firms. And if they do, then take the steps necessary to effect compliance." Grewal continued, "Proactive compliance also requires you to really engage with personnel inside your company's different business units and to learn about their activities, strategies, risks, financial incentives, counterparties, and sources of revenues and profits . . . . In our 21F-17 example, it means working with your firm's human resource and legal functions to make sure that your employment agreements and policies are up-to-date and not in violation of that rule. But none of this can be a one-time thing. Your businesses and operations change, risk areas change, and enforcement priorities change . . . . So education and engagement always needs to be a continuing, ongoing effort . . . . Effective execution is equally important." (SEC Div. of Enforcement, Director Gurbir S. Grewal, Remarks at New York City Bar Association Compliance Institute (Oct. 24, 2023).)

The SEC's recent heightened interest in the terms and conditions of employment parallels efforts by other federal agencies in the employment space. For example:

Given the SEC's recent enforcement actions and focus on employment-related agreements by other administrative agencies, employers should consider reviewing their form agreements and employee policies and revising them as necessary to conform with the current law and regulations.