Whistle-Blowing Laws under Sarbanes-Oxley: Are Multinationals Vulnerable?

By Mrigayanka Roychowdhury
Hill & Associates (India) Private Limited.



The corporate world has witnessed a phase of tremendous re-structuring. Driven by the Sarbanes-Oxley Act most multinationals are accelerating their efforts towards compliance with whistle-blowing laws.

Recently, the question of extra-territorial application of this law has opened Pandora's box. Multinationals are now finding themselves between a rock and a hard place. Ensuring fraud prevention in the form of investigations and whistleblower hotlines leaves the company vulnerable to employee harassment and discrimination claims, not to mention the liability under domestic data protection and privacy laws.

The following article deals with the procedural inconsistencies of Sarbanes-Oxley and its incompatibility with foreign laws. The article also discusses the impact of the Act on multinationals and sheds light on various options that can help multinationals overcome vulnerabilities in the areas of fraud investigations and whistleblower complaints, while at the same time ensuring legal compliance.



The Sarbanes-Oxley Act has ushered in a new era of corporate compliance, despite being a domestic legislation it is seen by most as a stepping-stone towards global corporate transparency. Section 310 raised the bar for corporate ethical conduct and provided much needed solutions to fraud prevention.

Unlike most whistleblower laws, the Sarbanes-Oxley provisions are not limited to providing a legal remedy for wrongfully discharged employees. The legislation addresses four main areas namely:

  1. Internal and independent audit committees, and procedures for employees to file internal whistleblower complaints anonymously and confidentially.
  2. Ethical standards for attorneys who practice before the Securities and Exchange Commission (SEC), that requires attorneys to blow the whistle on their employer or client. 
  3. Amendment to the federal obstruction of justice statute, and criminalized retaliation against whistleblowers who provide information in good faith, to a law enforcement officer about the commission of a Federal offense. 
  4. Jurisdiction of SEC to enforce Sarbanes-Oxley whistleblower-related provisions, and criminal penalties for violations.

These provisions collectively provide a unique and comprehensive framework that enforces whistleblower protection for corporate employees. The statutory definition of protected whistle blowing is very broad and covers reports to government officials and supervisors, as well as participation in SEC or shareholder proceedings.

However, the litmus test for any legislation is to bridge the gap across theory to practice. So while the Sarbanes-Oxley scores high on the point of crucial content, it is yet to convert into purposeful practice.


Extra-territorial Inapplicability

Section 806 is a vital component in that it affords an umbrella of protection to the whistle-blower. It is one of the essential elements that stand guard to the effectiveness of the Act.

Companies cannot retaliate against employees who provide information about fraudulent activity, wrongdoing or misconduct within the company. The protection is afforded to employees regardless of whether they report the matter to their superiors, the relevant investigating authority/regulatory agencies or even to members of Congress. 

With the addition of Section 1513(e) to Title 18 of the U.S. Code, the provision stated that retaliation against whistle-blowers was not to be tolerated, and was a criminal offense, carrying penalties from a large fine to 10 years in prison.

In January 2006, the US First Circuit Court of Appeals held that protection to whistleblowers under Section 806 did not extend to overseas employees of US listed companies. The focus was on Sections 301, 806 and 1107.

On the basis of its legislative history, the Court did not find any express intent to invoke extraterritorial jurisdiction for Section 806. In the case of Section 1107, which provides criminal liability for retaliation against whistle-blowers, legislative history suggests that it was enacted as an amendment to a section of the U.S. code that explicitly provides for extraterritorial jurisdiction. Pursuing indeterminate logic, the Court reasoned that since the Congress placed Section 1107 in a statute authorizing extra-territorial jurisdiction; consequently not doing the same for Section 806 indicated that Section 806 was inapplicable to overseas employees.

It must be noted however, that the procedural content of the section itself acts as a barrier to extra-territorial application. The procedure requires an employee to bring their complaint before the US Secretary of Labor. The applicability as well as authorization of such a procedure on an extra-territorial basis is impractical, not only on procedural level but also for reinstatement and equitable relief, which may conflict with local laws.

The Court also contrasted the various sections and found that unlike Section 806, Section 301 does not purport to confer enforceable rights on employees and hence would not implicate foreign sovereignty. In this context, the Court seems to have overlooked the conflict between Section 301 and the data protection and privacy laws of EU.

Section 301 and Section 1107 of the Sarbanes-Oxley Act are still applicable to the non-U.S. operations of listed companies.

The decision creates a significant loophole in application since most companies institute whistleblower hotlines in domestic and overseas operations simultaneously. It also seems to defy the general intent of the Act of protecting and encouraging whistle-blowing, but keeping in mind the procedural incompatibility in the present legislation, the court seems to have had little choice.


Conflict of Laws

Recently in May 2005, the French data protection authority (CNIL) refused to allow McDonald's France to operate an anonymous reporting system as required by Sarbanes-Oxley. In June 2005, a local German labor court in Wuppertal refused to allow Wal-Mart to operate a company ethics hotline for reporting misconduct. The court held that the system violated the co-determination rights of the local works council.

E.U. data protection laws set forth strict conditions for the collection, use and disclosure of personal information and require that the processing of personal information must not adversely affect the personal freedom of individuals. The laws also restrict the transfer of personal information from the European Union to certain countries, like the United States.

In addition to this the 25 member states in the European Union each maintain their individual legal systems and data protection enforcement systems. European labor law greatly restricts the ability of companies to implement anonymous complaint systems without the consent of employee representatives, such as the works councils that exist in many countries. This is in direct conflict with the Sarbanes-Oxley provisions.

Thus, compliance with Sarbanes-Oxley may result in a breach of E.U. data protection law and labor law exposing multinational companies to potential liability on both sides of the Atlantic.

The public and media focus on data protection and privacy issues are likely to bring increased scrutiny and reputation risk to companies operating whistleblower hotlines. At this point it is essential for a company to ensure that ethics hotlines are run professionally and that they incorporate basic standards of fairness and due process. The most effective alternative for a company would be to operate a third-party ethics hotline.


The 'External' Alternative

Sarbanes-Oxley compliance is beneficial in prevention of corporate fraud, but at the same time it also exposes the company to liabilities in the form of procedural misconduct while addressing fraud allegations. Disclosure or discovery of the complainant's identity lays the company vulnerable to harassment or discrimination charges, which can have a serious impact. However, if we consider realistically, the discovery of the complainants identity is almost inevitable incase of an internal investigation.

Since fraud and embezzlement mostly involve unlawful depletion of company assets, investigation pertaining to the same would require certain expertise that may not be readily available internally. Moreover, Section 806 could disqualify an internal audit. Section 201 of Sarbanes-Oxley makes it clear that public accountants who audit a company's financial statements are advocates of the company, and cannot perform independent forensic work.

A third party investigator provides an effective solution by maintaining independence and confidentiality during investigations. The third party has no motivation to seek the complainant's identity and is concerned merely with ascertaining the correctness of an allegation.

External agencies dealing with such matters have the required expertise and infrastructure to deal with fraud related issues, and such a venture would not only ascertain compliance, but would also be more cost effective to a company. Such agencies provide solutions not only for investigations but also for fraud prevention. They are specialists who take traditional compliance a step further into areas such as fraud examination, fraud risk assessment, forensic work, business consulting, business valuation, bankruptcy, due diligence, business intelligence etc.

The penalties for violation ought to be incentive enough for companies to conduct investigations through external agencies; investors and regulators will expect nothing less. This will also develop measures that will lead to an accurate investigation while at the same time maintaining anonymity and confidentiality.

Such an action serves the dual purpose of ensuring Sarbanes-Oxley compliance and protecting the company from employee harassment claims. In the long run it affords the company transparency and accountability in assets.



Sarbanes-Oxley compliance efforts are revealing weaknesses in controls and business processes while accelerating efforts to re-mediate these problems. This has resulted in tremendous improvements in corporate structuring. But the essence of effectiveness lies in a forward-looking approach, and the corporate coding of an organization is not enough. The law must be all encompassing and apply on all subsidiaries of an organization regardless of the territorial barriers.

In this day and age, corporate governance has spread beyond territorial boundaries and taken on a global face thereby creating a loophole in enforcement due to conflict in laws of various countries. With the burgeoning growth of multinationals the need of the hour is a legislation that can address fraud prevention extra-territorially.

This step would be complementary to the basic principle behind Sarbanes-Oxley. If the key aim is to minimize fraud and related issues, then the laws must apply to all areas that have the potential to affect the audits of an organization, and that would include overseas subsidiaries.

Selective application of laws will not provide an effective solution. The current legislation remains silent on many key issues. While on one hand it encourages whistle blower hotlines in overseas subsidiaries, conversely it does not provide the whistle-blower adequate protection to come forward. This gap in procedure creates a loophole that leaves the company as well as the employee vulnerable.

The Sarbanes-Oxley Act is a step in the right direction, but it is yet to incorporate the global aspect of corporate governance in order to mandate its effectiveness in entirety.