The Second U.S. Circuit Court last week decided that whistleblowers who report internally before going to the SEC are covered by Dodd-Frank’s anti-retaliation rules. In other recent GRC headlines: New rules that address algorithmic trading risks are imminent, and a survey found that boards of directors are looking for more risk management input from senior management.
Second Circuit: Internal whistleblowers protected by Dodd-Frank
In an opinion that bolsters the U.S. Securities and Exchange Commission’s stance on the subject, a divided Second Circuit Court of Appeals panel decided that employees who report company misconduct internally are protected by rules to prevent whistleblower retaliation under the Dodd-Frank Act.
The decision addresses the conflict between a Dodd-Frank subsection that defines what a whistleblower is and another that addresses who is protected by the law’s anti-retaliation provisions. Describing the circumstances under which Dodd-Frank was passed, the Second Circuit opined that because of “the realities of the legislative process … it is not at all surprising that no one noticed that the new subdivision [that addresses anti-retaliation protections] and the definition of ‘whistleblower’ do not fit together neatly.” The panel ruled that the conflict is ambiguous enough to warrant deference to the SEC’s interpretation.
The Second Circuit’s ruling diverges from an earlier ruling by the Fifth Circuit, a disagreement that the majority opinion of the Second Circuit’s panel acknowledged. According to Bloomberg law reporter Catherine Foti, the Second Circuit’s opinion makes it likely that the Supreme Court will decide whether to extend Dodd-Frank’s anti-retaliation protections to internal whistleblowers.
New rules on the horizon to control high-frequency trading risks
The Commodity Futures Trading Commission (CFTC) is working on proposals to contain risks stemming from the use of algorithmic, or high-frequency, trading, which accounts for 70% of the volume in futures markets. CFTC chairman Timothy Massad said in a speech that the proposed rules also aim to minimize disruptions and unfairness that are the result of algorithmic trading processes.
Massad added that algorithmic trading has changed how the CFTC performs its regulatory role, with enforcement now requiring a greater investment in IT, analytics and experienced staff. These investments are shared among the CFTC, self-regulatory organizations and the National Futures Organization.
The proposals, which will be issued for comment this fall, will also likely include requirements for software and hardware development, as well as cybersecurity protections. The CFTC has already put some rules into effect to address the risks associated with increased automated futures trading, including requirements that trading hardware and software infrastructure be regularly tested before going live.
Majority of boards seek more risk management involvement from senior management
Sixty percent of surveyed boards of directors are seeking more involvement in risk oversight from their senior management teams, according to a study commissioned by the American Institute of CPAs and the Chartered Institute of Management Accountants. However, the survey also found that less than 35% of these organizations have a formal risk management program in place. The study, which surveyed more than 1,300 executives worldwide, also found the following:
- 70% of those surveyed do not describe their organization’s risk management oversight as “mature.”
- Less than 40% of organizations are satisfied with how risk exposure is reported to senior management.
- Only 46% of boards at U.S.-based companies assign risk oversight duties to a board committee, while 70% of company boards in regions outside the U.S. do so.
- Only 44% of U.S. organizations have internal management-level risk committees in place, while more than 60% of organizations in regions outside the U.S. do so.
A report accompanying the survey findings acknowledges that the overall risk environment is challenging for organizations, but adds that there are barriers that hinder the effectiveness of enterprise-wide risk oversight. The report suggests some ways organizations can improve, including conducting an assessment of the organization’s current risk management approach, and boards approaching senior management to articulate current risk approaches so they can assess the company’s efficacy in monitoring emerging risk.