Navigating the choppy waters of internal whistleblowing

“We must do something to stop the commodore. He disobeys orders, takes government property for himself, uses our ship for smuggling and orders the torture of our British prisoners. He is evil and corrupt.” We can only imagine secret conversations such as these among 10 sailors late one night in 1777 aboard the Warren, a U.S. naval warship anchored off the coast of Rhode Island. What we do know is that the men sent a letter to the Continental Congress that described the illegal and violent deeds of their commodore, Esek Hopkins, setting in motion efforts that resulted in the world’s first law to protect whistleblowers.

Third Lieutenant Samuel Shaw and Midshipman Richard Marven were among the 10 who figuratively jumped ship against Hopkins. When Congress received the whistleblower petitions, they immediately acted by relieving Hopkins of his command. The Navy ultimately dismissed him. He took revenge by filing a libel suit against the whistleblowers in Rhode Island where his politically powerful family lived, landing the whistleblowers in a Providence jail.

The newly formed Congress, acting on a petition from Marven and Shaw, enacted the Whistleblower Protection Act of 1778, the first such legislation in the U.S. and the world. The law obligated all U.S. inhabitants to report government wrongdoing and protected them from retaliation. (See “A Century of Lawmaking for a New Nation: U.S. Congressional Documents and Debates, 1774 – 1875,” U.S. Library of Congress and “Whistleblower’s Handbook,” by Stephen Martin Kohn, Rowan & Littlefield.)

Congress also ordered all records related to the former commodore’s removal be made public and approved payment of Marven and Shaw’s legal fees of $1,418 (equivalent to $30,445 in 2022). (See “Whistleblower’s Handbook.”) Marven and Shaw won their case. Their lawyers were paid. History was made.

Since then, external whistleblowers have continued to suffer as a result of their honesty and courage — often losing their jobs, livelihoods and wellbeing. Yet while U.S. external sentinels do receive some legal protection from federal laws, internal whistleblowers often have no legal recourse and can be forced to air their concerns externally. That’s because they must navigate a legal maze of more than two dozen U.S. laws, with varying requirements that ultimately may offer them little or no protection. Faced with such prospects, internal whistleblowers may simply give up.

Here we describe differences between internal and external whistleblowers, why organizations don’t support internal whistleblowers, reasons for protecting whistleblowers and legislation proposals to protect internal whistleblowers.

Whistleblower definitions 

Generally, an internal whistleblower is an employee who reports their concerns only within their employer’s organization. They may report to their supervisor and up through their chain of command or to in-house legal counsel, a compliance office, human resources or an internal tip line. An external whistleblower reports their concerns outside their employing organization to law enforcement agencies (federal, state or local) or to regulatory entities, such as the U.S. Securities and Exchange Commission (SEC), Department of Labor (DOL) or Occupational Safety & Health Administration (OSHA) and, sometimes, to the news media. 

A whistleblower may start internally and then go outside the organization when their concerns are ignored or they face retaliation.

A whistleblower may be an employee, a vendor, a contractor or a customer with concerns about fraudulent activities from any of the categories of the ACFE Fraud Tree (asset misappropriation, financial statement fraud or corruption) as included in the ACFE’s Occupational Fraud 2022: A Report to the Nations, page 10. Or whistleblowers might be concerned about other violations of law, such as discrimination, public health and safety, or environmental protection.

Dearth of legal protections

Navigating the myriad requirements often discourages would-be whistleblowers. Each must identify the law(s) that may provide their protection, the entity with regulatory authority for their specific situation and required reporting procedures. Also, the mixed bag of U.S. federal and state laws are designed to protect external whistleblowers, but internal whistleblowers get short shrift and receive very little legal protection from retaliation and other negative consequences of speaking up. 

The laws designed to protect whistleblowers who report to external entities, such as the SEC, DOL or law enforcement, generally do not provide comparable protection to whistleblowers who report only internally. Consider the summary of current U.S. federal legislation shown in the list in the table below. (The list isn’t exhaustive but represents the number and complexity of laws that whistleblowers must navigate.) More than two dozen laws are on the books, yet barely half contain provisions that protect internal whistleblowers. In a major precedent under the Dodd-Frank Act, the U.S. Supreme Court ruled that internal whistleblowers — even those who reported to their employers’ audit committees — weren’t protected because the law didn’t provide explicit coverage for internal disclosures. (See “Digital Realty Trust, Inc. v. Paul Somers,” Supreme Court of the United States, No. 16-1276.) Laws that do provide explicit protections for internal disclosures are identified by “yes” in the list. Every law has differing requirements for time frames and the ways whistleblowers must report their concerns, and attention to these requirements is essential. (See “Blowing the whistle,” by Sheryl Goodman and Tom Caulfield, CFE, Fraud Magazine, March/April 2022.)

In an ideal world, one overarching U.S. federal law would protect all whistleblowers from retaliation and would encourage them to come forward. The anti-retaliation component of such a dream law would mean that whistleblowers wouldn’t have to fear for their jobs; decreases in pay; demotions to less meaningful work; or ostracization by co-workers, managers and owners. Encouraging organizations would design simple reporting processes. Instead, employees and others must wend through a complex maze of regulations, reporting requirements and deadlines — all while looking over their shoulders and hoping they’ll be safe professionally and personally.

One bright spot for internal whistleblowers has been passage of the U.S. Anti-Money Laundering Act of 2020 (AMLA). Incorporated as Division F of the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 (H. R. 6395), AMLA expands whistleblower protections under the Bank Secrecy Act (BSA) to include individuals who report concerns to their employers (or various federal regulatory agencies or law enforcement agencies). (See the National Defense Authorization Act.) However, the scope of that law is very limited and doesn’t provide protection to employees at FDIC-insured financial institutions or credit unions. Congress gave strong protections to internal whistleblowers but then narrowed its scope.

Legal experts say that AMLA whistleblower protections now extend to employees who work in compliance, such as auditors and attorneys, and applies to a broad swath of companies, such as insurance companies, pawnbrokers, travel agencies and jewelers. It may also be applicable to cash-heavy businesses, such as casinos and restaurants. (See “New Whistle-Blowing Law Applies to Internal Complaints,” by Allen Smith, J.D., SHRM, June 10, 2021.)

Yet, even with an expansive application of the 2020 AMLA, the focus remains on financial crimes, such as money laundering, terrorist financing and tax fraud. (See “Fact sheet: AML Act of 2020,” by Jules W. Carter, Esq., Thomas Reuters Westlaw Today.)

AMLA’s focus on the financial sector makes sense. After all, according to the ACFE’s 2022 Report to the Nations (page 32), banking and financial services was the industry with the greatest number of occupational fraud cases, totaling 351 with median losses of $100,000. Legal protection for internal whistleblowers, including auditors, is essential in this area — particularly because terrorist financing threatens national security. Yet, there are many other industries the ACFE identified as having large losses due to occupational fraud. In the Report to the Nations (page 32), government and public administration reported 198 cases with a median loss of $150,000, and manufacturing had 194 cases with a median loss of $177,000. 

Even with smaller numbers of cases and lower median losses, industries in all sectors need stronger protections for internal whistleblowers. Enacting such protections could initially lead to larger numbers of reported cases as more internal whistleblowers come forward. Case numbers should eventually decline when potential fraudsters get the message that management will take action based on internal whistleblower reports.

We need external and internal whistleblowers

Why does legislation tend to emphasize protections for external whistleblowers? As in the Shaw and Marven cases cited earlier, the U.S. government naturally wants to know when bad actors commit corrupt acts and misappropriate public assets. It’s logical that federal and state legislation would encourage reporting such activities externally to governmental agencies or law enforcement.

The evolution of corporate structures may be another reason. More companies are now beholden to large groups of shareholders who aren’t involved in day-to-day business operations. That distance between management and shareholders has increased the need for individuals on the inside to report to external agencies, such as the SEC, DOL and OSHA, among others. Just as investors in publicly traded corporations need external auditors to opine on financial reports, these organizations also need whistleblowers to provide firsthand knowledge of acts of occupational fraud committed by management and others.

Also, there’s an overriding public expectation that witnesses to crimes should report to law enforcement. If you have evidence of violations of law, the government officials with responsibility for enforcing those laws need to know about the crimes at the earliest moment. This is the precise policy recognized by the U.S. founders in 1778, which is reflected in numerous laws. However, the reality is that most employees initially report their concerns internally. Those who suffer retaliation for raising an internal concern likely will never report to higher officials, and the chilling effect on the workplace culture is devastating.

Both internal and external whistleblowers are key to the success of any effort in any entity wanting to prevent and detect occupational fraud. Since 1996, when the ACFE published the first Report to the Nation, its research has shown that tips are the most frequent way occupational fraud is discovered. In the 2022 Report to the Nations (page 4), tips provided information on 42% of cases reported.

“The overwhelming majority of employees who see problems want to blow the whistle internally first,” says Dana Gold, senior counsel and director of education for the Government Accountability Project, in The Washington Post. “Understanding this can — and should — encourage employers to respond appropriately when workers report problems, protecting them from reprisal and investigating and addressing their disclosures thoroughly.” (See “Five myths about whistleblowers,” by Dana Gold, The Washington Post, Outlook, April 5, 2019.)

Yet, because management often labels whistleblowers as troublemakers and doesn’t sufficiently handle internal concerns, many employees and others must change course and tell their stories to external agencies and the media, even though it could’ve been resolved internally — likely faster and at lower cost.

Let’s consider why an organization wouldn’t act on information provided by an internal whistleblower. The possibilities include: 

• Cost: Management might invoke the classic chestnut, “Budgets are tight.” 
• Disrespect for the whistleblower: The organization might not hold the person or their position in high regard, so their concerns don’t merit attention. Management might perceive the whistleblower as a snitch or traitor.
• Cover-up of actual wrongdoing and major crimes. 
• Reputational damage: The whistleblower’s manager might be concerned for their own professional standing. They might think, “What if my boss thinks I should’ve prevented this situation? I’ll just ignore it and it will go away.” Or the CEO and other top executives, including directors, might worry about the organization’s image if the allegations prove to be true. Either of these can be called the “ostrich trick” — stick your head in the sand.

Some reasons employees may not speak up internally with concerns about unethical or possibly illegal activities can include:

1. Employer inaction in the past when concerns were reported.
2. Managers/owners who discourage reporting problems.
3. Fear that they may lose their jobs, be demoted or ostracized.
4. Fear for their or their family’s physical safety.
5. Not knowing their rights and protections.

Most of these reasons may motivate employees to blow the whistle externally, especially if they can do so anonymously. 

Reality of whistleblower concerns 

Some of the cases that have received national and international attention and that demonstrate the reality of whistleblower concerns include the following:

Harry Markopolos reported his concerns multiple times about Bernard Madoff running a gargantuan Ponzi scheme to the SEC for nearly 10 years. The SEC ignored him. In 2008, Madoff’s sons reported him, and the SEC finally took action. Markopolos described fearing for his life and the safety of his family in his book, “No One Would Listen.” The ACFE named Markopolos Certified Fraud Examiner of the Year in 2009. (See “Chasing Madoff: An Interview with Harry Markopolos, CFE, CFA,” by Dick Carozza, CFE, Fraud Magazine, May/June 2009.)

Sherron Watkins, in August 2001, wrote a letter to Ken Lay, chairman of Enron, and met with him to express her concerns about accounting improprieties and her fear that the company would implode. She hoped Lay would form a crisis management team to address the situation and try to save the company. Instead, she learned in February of 2002 while testifying before Congress, that Lay had contacted Enron’s law firm to see if he could fire Watkins. (See “Twenty years later, could another Enron happen?” by Sherron Watkins, Fraud Magazine, November/December 2021 and “Constant Warning: An Interview with Sherron Watkins,” by Dick Carozza, CFE, Fraud Magazine, January/February 2007.)

Tony Menendez was an executive at Halliburton in 2005 when the company asked him to approve “bill and hold” transactions that recorded revenue for the sale of equipment that hadn’t yet been manufactured. After filing a confidential complaint with the SEC and Halliburton’s board of directors, his identity was disclosed and he experienced numerous acts of retaliation, including falsified performance evaluations. Menendez left the company and was embroiled in a nine-year legal battle, which he eventually won. Menendez received the 2016 ACFE Sentinel Award. (See “He fought Halliburton and won: An interview with Tony Menendez, CFE, Sentinel Award recipient,” by Dick Carozza, CFE, Fraud Magazine, May/June 2016.)

Karen Silkwood lost her life in 1974 in a mysterious car accident en route to meet a reporter from The New York Times to provide evidence of health and safety issues at the Oklahoma nuclear facility where she worked. Officers who investigated the automobile accident said no documents were in her car despite witnesses reporting she had incriminating documents with her when she left to meet the reporter. Silkwood’s story was the subject of many investigative reports and a movie. (See “The Killing of Karen Silkwood: The Story Behind the Kerr-McGee Plutonium Case,” by Richard L. Rashke, IRL Press, 1981, 2000.)

Validation of whistleblower concerns are also reflected in lesser-known cases:

Mary Bozoyan, a veteran math teacher at William Cullen Bryant High School in Queens, New York, experienced retaliation in 2015 after she publicly criticized the principal in a grade-fixing scandal. Bozoyan has multiple physical disabilities (spinal stenosis, arthritis and herniated discs). She said the principal locked her out of a restroom near her classroom and denied her access to a side entrance that’s closer to her classroom. (See “School ‘retaliates’ against disabled teacher for criticizing principal,” by Susan Edelman, New York Post, Nov. 1, 2015.)

Ceferino Doculan, a lab technician and 20-year employee of a hospital blood bank in a New Jersey hospital, was fired in 2010 after he complained that his new supervisor didn’t have proper credentials to manage the laboratory. Before his firing, he allegedly was disciplined multiple times, for poor work quality. In 2013, the jury verdict was in favor of Doculan, and he was awarded compensatory and punitive damages. (See “Whistleblower awarded $2.1 million in case against Bayone Medical Center,” by Michalangelo Conte, The Jersey Journal, May 20, 2013.)

Rosemary Salerno, general manager for a Kansas City, Missouri, property management firm, said she was fired in 2018 because she wouldn’t redirect money earmarked for charity to operating expenses for the financially strapped shopping center, Zona Rosa. She’d worked there for 14 years. In 2019, a jury sided with Salerno in a wrongful termination lawsuit against her former employers. Salerno also had to fight a separate civil suit in which her former employer alleged she’d misdirected business funds for her personal use. That court also ruled in her favor. (See “Salerno Awarded Millions,” by Debbie Coleman Topi, The Landmark, Oct. 16, 2020.)

Kenneth Kendrick, a former assistant manager at a peanut processing plant in Plainview, Texas, had to wait nearly 10 years to see justice delivered by the courts in 2015 against managers at the now-defunct Peanut Corporation of America (PCA). An estimated 23,000 victims became ill, and many died because of contamination at PCA facilities in the 2008-2009 Salmonella outbreak — one of the worst in U.S. history. Kendrick’s reports to federal and state authorities (and to the media) fell on deaf ears. Ultimately, a nonprofit organization listened and convinced the U.S. Food and Drug Administration to investigate. (See “Praise for an Unlikely ‘Whistleblower,’” by Darin Detwiler, Food Safety News, Sept. 25, 2015.)

Reasons for protecting internal whistleblowers 

There are many good reasons for protecting internal whistleblowers and encouraging them when a company has a truly effective internal concerns program. For one, most employees report internally first. Without adequate legal protection, most whistleblowers can suffer retaliation and may not obtain an adequate remedy. Another reason is that in cases where law enforcement doesn’t need to be immediately notified about a violation of law the sooner a whistleblower reports their concerns, the sooner their organization can address them and reduce their losses. According to the ACFE's 2022 Report to the Nations (page 23), tips result in fraud schemes with shorter durations (approximately 12 months) and relatively low median losses ($117,000).

Basic cost-benefit analysis also shows that protecting internal whistleblowers is financially prudent. Employers with robust reporting systems experience lower government fines and lower losses from lawsuits. In one study, researchers found an inverse relationship between the number of internal whistleblower reports and such fines and losses. (See “Evidence on the Use and Efficacy of Internal Whistleblowing Systems,” by Stephen Stubben and Kyle Welch, Journal of Accounting Research, July 1, 2020, Volume 58, Issue 2, available on Social Science Research Network.

“Effective whistleblowing programs not only make legal and ethical sense, but they also help companies to emerge stronger than their competitors,” says Andrew Gordon, EY global forensic & integrity services leader. (See Gordon’s EY article, “How a robust whistleblowing framework can help create long-term value,” Feb. 16, 2021.)

Furthermore, internal whistleblowers are often long-term, competent and loyal employees. They raise concerns because they care about their employers, co-workers, clients, customers and the public. They’re likely to be highly skilled and well-versed in their jobs. Why let all that corporate memory, training and dedication be driven outside the company?

According to the 2022 Report to the Nations (page 21), employees comprise the source of more than 50% of all tips about fraud. Employees who raise such concerns are likely to be knowledgeable about ways to detect and prevent occupational fraud, and other illegal or unethical activities. Given that fraud prevention is much easier and usually less costly than trying to recover losses after fraud is detected, encouraging internal whistleblowers should be a no-brainer. As for the qualitative reason to encourage and protect internal whistleblowers? Quite simply, it’s the right thing to do.

Legislation to protect internal whistleblowers 

Because we don’t live in a utopian world, we’ll never get to a place where all employers respect and protect internal whistleblowers. Historically, corporate America hasn’t been supportive of whistleblowers. Thus, some form of regulation is required at the federal level if internal whistleblowers will have any uniform and consistent protections.

Here are some proposed key provisions of such legislation:

• Provide the same level of protection for internal and external whistleblowers — don’t distinguish between a whistleblower who goes directly to the government or a whistleblower who reports internally to the compliance department or a manager.
• Protect employees who cover their “official work duties.” Some of the earliest whistleblower cases concerned auditors who did their job “too well.” Auditors and compliance officials often must report bad news up the chain of command and can be subject to retaliation if they don’t water down or ignore certain violations. Thus, an employee needs to be protected if they raise a concern as part of their official duties. 
• The law must recognize that most whistleblowers initially raise concerns with their managers, including direct supervisors. Thus, the legislation must fully protect complaints to a supervisor in addition to whistleblowers’ complaints they’ve raised through formal compliance procedures. 
• Many organizations rely on corporate or outside attorneys to review internal whistleblower allegations. The law must protect reports to attorneys, and it should prohibit organizations from relying on the attorney-client privilege to cover up any retaliation flowing from an internal report to an organization lawyer. 

Encourage and protect internal whistleblowers

Organizations often consult fraud examiners about ways in which they can establish or enhance anti-fraud policies and procedures. One of your key recommendations should be to encourage and protect internal whistleblowers. You don’t need to know all the legal channels whistleblowers might use when reporting externally or all aspects of applicable laws. But it’s important to convince clients and your employers that having proper internal procedures and respect for internal whistleblowers can greatly improve the probability that employees will report their concerns in-house, and they’ll be beneficial for all parties. 

Even though it’s been nearly 20 years since the presentation of the ACFE’s first Cliff Robertson Sentinel Award in 2003, ACFE Chairman and founder, Joseph T. Wells, CFE, CPA, was correct then and now in describing whistleblowers as “corporate sentinels — our front line of defense against wrongdoing.” (See “ACFE Awards First Cliff Robertson Sentinel Award to Namesake,” Fraud Magazine, November/December 2003.)

Carolyn Conn, Ph.D., CFE, CPA, is a clinical associate professor of accounting at Texas State University in San Marcos, Texas. Her areas of interest in teaching and research are accounting ethics and fraud examination. She’s the 2021 ACFE Educator of the Year. Contact her at cc31@txstate.edu.

Stephen M. Kohn, an attorney specializing in whistleblower and qui tam cases, founded Kohn, Kohn, & Colapinto LLP in 1988, and the National Whistleblower Center that same year. Kohn won the largest-ever individual whistleblower reward/qui tam payment for UBS whistleblower Bradley Birkenfeld ($104 million). He helped draft key U.S. whistleblower legislation & regulatory rules, including those incorporated into the Sarbanes-Oxley Act, Dodd-Frank Act, the IRS Qui Tam whistleblower amendments and the Whistleblower Protection Enhancement Act. He’s the author of the upcoming book “Rules for Whistleblowers” (Lyons Press 2023). Contact him via grace.schepis@whistleblowersnews.com.

Grace Schepis is a special correspondent for Whistleblower Network News. In spring 2022, she graduated magna cum laude from the University of Alabama with a master’s degree in public administration and a bachelor’s in political science. On campus, she was a staff writer for the Pacemaker-award winning campus newspaper, The Crimson White. Contact her at grace.schepis@whistleblowernews.com.