Recently the chief compliance officer of a global company asked me: does a company need a telephone-based whistleblower hotline anymore? In our all-technology, all-the-time world, could a company phase out telephone hotlines in favor of a web-only reporting system?
The answer to that question requires a bit of finesse. The short answer is yes: in the purest, technical interpretation of corporate governance law and SEC rules, a company isn’t required to provide a telephone hotline as one reporting option. But you would need bulletproof arguments demonstrating why your organization no longer needs a telephone hotline, and never will in the future.
Read More: Neglected Hotlines Are an Exception not the Rule
Let’s start with the letter of the law and the rules. Section 301 of the Sarbanes-Oxley Act says that companies (specifically, the audit committee) must establish procedures for “confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters.”
To implement that section of SOX, the Securities and Exchange Commission then adopted Exchange Act Rule 10A(m) for publicly traded companies—which just took Section 301 word for word, and turned it into an SEC requirement.
You’ll notice, however, that the words “telephone” and “hotline” aren’t in the above paragraphs. As the SEC said in its adopting release back in 2003, that’s by design:
“We are not mandating specific procedures that the audit committee must establish… Given the variety of listed issuers in the U.S. capital markets, we believe audit committees should be provided with flexibility to develop and utilize procedures appropriate for their circumstances… We expect each audit committee to develop procedures that work best consistent with its company's individual circumstances to meet the requirements in the final rule.”
So by the letter of the law, you don’t need to offer a telephone hotline. The real question is whether you can fulfill the spirit of Section 301 without offering a telephone hotline.
Appreciate the Reality, and the Symbolism
That’s a difficult argument to make. I would even say that global companies with thousands of employees and diverse operations have a more difficult time making it, because your organization is more complex. Do all your employees have easy access to the Internet at all times? Will all of them, in every country where you operate, feel confident that online channels still protect anonymity?
Whether a hotline reporting program is mandated for your organization or not, by today’s standards a hotline is expected practice for ethics and compliance programs.
Perhaps a company could make that argument. For example, if you get a constant flow of online reports but nothing over the phone, and no reports of retaliation from someone who rooted out an online identity; then, maybe, you could argue that the telephone line should be retired. But you won’t just need to make a convincing argument to your board or CFO—if the worst happens, you’ll also need to make that convincing argument to the SEC or other regulators, wondering why you retired the phone line.
Gestures matter in ethical behavior, and it’s worth considering what message might be sent (intentionally or not) by ending a hotline. Whether a hotline reporting program is mandated for your organization or not, by today’s standards a hotline is expected practice for ethics and compliance programs.
Download the 2019 Hotline & Incident Management Benchmark Report
It’s often through their hotlines that employers discover whether training is effective, where they have gaps in their policies, and whether critical cultural issues are lurking that need attention so that misconduct doesn’t take root.
The crucial issue is whether retiring a telephone hotline might impede someone’s ability to submit an anonymous report of misconduct—and lots of people get very skittish about protecting their anonymity when speaking up. Some day in the future, when we all have strong anonymizing software running on microchips implanted directly in our brains, then a telephone hotline will be obsolete.
Is that day on the horizon? For most large companies, I wouldn’t risk it just yet.