Sarbanes-Oxley 301

In this installment, we examine the predicament of our good client, Pemrose Incorporated, as it wrestles with how to reconcile Section 301 of the Sarbanes-Oxley Act of 2002 (SOX) with sometimes conflicting requirements in other jurisdictions.

SOX 301 requires that audit committees of issuers listed on US exchanges “establish procedures” for (i) receipt, retention, and treatment of complaints regarding accounting, internal accounting controls, or auditing matters; and (ii) confidential, anonymous submission by employees of concerns regarding questionable accounting or auditing matters. SOX 301 was codified as Exchange Act Section 10A(m), which the SEC implemented with Rule 10A-3(b)(3). (See also Nasdaq Rule 5605(c)(3) and Section 303A.06 of the NYSE Listed Company Manual.)

The adopting release for Rule 10A-3 (Release No. 33-8220) specifically provides flexibility for the audit committees to develop “procedures appropriate for their circumstances” and does not mandate specific procedures or a “one-size-fits-all” approach. However, nearly all public companies have chosen to include a whistleblower hotline as part of their SOX 301 compliance.

Pemrose’s earnest and ambitious GC, Brantley Foster, calls. “We operate all over the world and are worried that our whistleblower hotline runs afoul of local law requirements. What can we do?”

The short answer is that there is no short answer: multinational companies and foreign private issuers subject to SOX 301 (i.e., SEC registrants) may have difficulty reconciling the SOX requirement with non-US local law. In particular, some non-US jurisdictions have laws that forbid the adoption of an anonymous whistleblower hotline. For example, the French data protection authority (CNIL) in 2005 restricted the use of anonymous whistleblower hotlines by French subsidiaries of two US companies. As noted in our Client Alert on the topic, CNIL has indicated that the hotlines “could lead to an ‘organized system of denunciation’” and carry the risk that “employees may be ‘stigmatized.’”

It’s not just France – Spain and Portugal expressly prohibit anonymous whistleblowing, while certain other EU countries have established non-binding guidelines. (The SEC Staff has been in contact with EU member states regarding these issues, and its correspondence is available here.) The issue also arises in countries outside the EU. For example, Argentina has a data protection law modeled on the EU’s laws, and certain other non-EU jurisdictions in Eastern Europe have similar data protection laws.

The bottom line is that you will need to analyze this issue on a country-by-country basis, and get local advice on how to maintain a hotline in those jurisdictions.

Can Pemrose operate two types of hotlines, one tailored for local jurisdictions and one for the United States (and other jurisdictions where anonymity is not an issue)?

Probably. Although the SEC has never addressed this question directly, we think the better answer under SOX 301 and Rule 10A-3 is “yes.” Recall that SOX 301 requires companies to establish procedures for confidential, anonymous submission of information. Neither SOX 301 nor Rule 10A-3 says that this must be the sole and exclusive channel for whistleblowers, or that alternate whistleblowing procedures that are not anonymous must be discarded. Don’t forget, though, that local law may make it problematic if the US hotline is available locally. If you find yourself experiencing this collision between local law and SOX 301, let’s talk.
