
US Whistleblower Compliance: SEC, CFTC, Dodd-Frank Documentation Guide 2026

Complete documentation requirements for US whistleblower compliance: SEC Rule 21F, Dodd-Frank Act, Sarbanes-Oxley Section 806, OSHA retaliation protections, and FinCEN obligations.

CheckFile Team

Regulatory disclaimer: This article is for informational purposes only. US whistleblower obligations are sector-specific and vary by federal and state law. Consult legal counsel for your specific situation.

Whistleblower compliance in the United States operates through a patchwork of federal statutes rather than a single harmonized framework like the EU Directive 2019/1937. The key federal programs — the SEC Whistleblower Program under Dodd-Frank Section 21F, the CFTC Whistleblower Program, and the protections under Sarbanes-Oxley Section 806 — impose distinct documentation obligations. This guide covers what compliance teams at US companies and foreign companies listed on US exchanges must maintain.

The US Whistleblower Regulatory Landscape

Unlike the EU's size-based threshold (50+ employees), US whistleblower protections are sector-specific and primarily protect employees who report to federal regulators. There is no single federal law requiring all private companies to establish internal reporting channels.

Statute | Key regulator | Who is protected
Dodd-Frank Act (2010) Section 21F | SEC, CFTC | Employees of public companies + any company reporting securities violations
Sarbanes-Oxley Act (2002) Section 806 | OSHA / DOL | Employees of SEC-registered public companies
False Claims Act (31 U.S.C. §3729) | DOJ | Anyone reporting fraud against the federal government
Bank Secrecy Act / Anti-Money Laundering Act 2020 | FinCEN | Financial institution employees
Consumer Financial Protection Act Section 1057 | CFPB | Employees of consumer financial companies

Financial institutions have additional obligations under FinCEN. Banks, broker-dealers, and money services businesses (MSBs) subject to the Bank Secrecy Act (BSA) must file Suspicious Activity Reports (SARs) and maintain AML compliance programs. FinCEN oversight extends to document verification and customer due diligence under 31 U.S.C. §5318.

SEC Whistleblower Program: Documentation Requirements

The SEC Office of the Whistleblower awards between 10% and 30% of sanctions exceeding $1 million to individuals who voluntarily provide original information about securities law violations. In fiscal year 2023, the SEC awarded over $600 million to whistleblowers.

For companies, the SEC's anti-retaliation rules under Rule 21F-17 create specific documentation obligations:

  • Companies may not impede employees from reporting to the SEC, regardless of any internal reporting requirements
  • Separation agreements, NDAs, and confidentiality provisions that would prevent SEC reporting are unenforceable and can themselves be an SEC violation
  • Companies must document that any agreement that could limit disclosures contains an explicit carve-out for government agency communications

The SEC has taken enforcement action against companies whose confidentiality agreements lacked such carve-outs, with penalties exceeding $1 million per violation. Document all employment agreements, separation agreements, and confidentiality policies to ensure they include the required carve-out language.

Internal Reporting Documentation for Public Companies

Although federal law does not require it of all companies, the NYSE and NASDAQ listing standards require listed companies to maintain:

  • An internal audit committee or equivalent for receiving anonymous employee complaints about accounting, internal controls, or auditing matters (SOX Section 301)
  • Written procedures for receiving, retaining, and treating complaints
  • Anonymous submission procedures (e.g., ethics hotlines)

These requirements generate the following documentation needs:

Document | Retention requirement
Complaint log | Minimum 7 years (SOX records retention)
Investigation records | Minimum 7 years
Committee meeting minutes discussing complaints | Minimum 7 years
Confidentiality policy with SEC carve-out | Current + 7 years after modification

Sarbanes-Oxley Section 806: Protecting Internal Reporters

SOX Section 806 protects employees of SEC-registered public companies who report violations of SEC rules, federal securities laws, or any provision of federal law relating to fraud against shareholders. Unlike Dodd-Frank, SOX requires that the employee report to a supervisor (internally), a federal regulatory agency, or a Member of Congress.

Key documentation requirements for SOX compliance:

  • Maintain a documented procedure for receiving and investigating complaints about accounting irregularities, internal controls failures, and fraud
  • Document the investigation process, findings, and remedial actions taken
  • Retain records for 7 years under SOX Section 802 (destruction of records in a federal investigation is a crime)

OSHA handles retaliation complaints under SOX. If an employee files a retaliation complaint, OSHA will request all documentation related to the employment action, the complaint, and the investigation. Companies should maintain contemporaneous records of all employment decisions to rebut any inference of retaliation.

FinCEN and AML Documentation: Suspicious Activity Reports

Financial institutions covered by the BSA must file Suspicious Activity Reports (SARs) with FinCEN when they know, suspect, or have reason to suspect a transaction involves funds from illegal activity, is designed to evade BSA reporting requirements, or exceeds $5,000 (for banks) or $2,000 (for MSBs).

SAR documentation obligations:

  • File SAR within 30 days of detecting suspicious activity (60 days if no suspect identified)
  • Maintain SAR and supporting documentation for 5 years from the date of filing
  • Do NOT inform the subject of the SAR (tipping-off prohibition under 31 U.S.C. §5318(g)(2))
  • Maintain the SAR filing record separately from customer files with restricted access

The SAR narrative must document: the suspicious activity, who committed it (if known), when and where it occurred, why the activity is suspicious, and the dollar amount involved. The SAR narrative is a critical compliance document subject to FinCEN and OSHA examination.

Identity Verification and Document Management in US Whistleblower Context

US companies face distinct document management challenges in whistleblower programs. The Foreign Corrupt Practices Act (FCPA) extends US anti-bribery law to foreign nationals and entities that act in the US or are listed on US exchanges. FCPA investigations regularly involve extensive document review and identity verification of intermediaries and agents.

Customer Due Diligence (CDD) Rule (31 CFR § 1010.230): Covered financial institutions must verify the identities of beneficial owners of legal entity customers. This requirement intersects with whistleblower programs when reports involve potential beneficial ownership fraud.

CheckFile supports 3,200+ document types across 32 jurisdictions, enabling compliant identity verification for both domestic and cross-border document checks. The KYC banking solutions are calibrated for US regulatory requirements, including FinCEN's CDD Rule.

For employment verification — relevant when investigating whistleblower allegations about workforce fraud — our document verification platform supports I-9 verification workflows and employment eligibility checks under the Immigration Reform and Control Act (IRCA).

Corporate Transparency Act (CTA) Intersection

The Corporate Transparency Act (31 U.S.C. ยง5336), effective January 1, 2024, requires most US companies to report beneficial ownership information (BOI) to FinCEN. This creates whistleblower exposure: employees who discover unreported or falsely reported beneficial ownership may report to FinCEN.

Companies should document their BOI compliance and maintain records of:

  • Initial BOI filings and updates
  • Verification of beneficial owner identities
  • Legal analysis supporting any claimed exemption

FinCEN violations can result in civil penalties of up to $591 per day and criminal penalties of up to $10,000 and 2 years' imprisonment.

Building a US-Compliant Whistleblower Programme

Unlike the EU's prescriptive framework, US compliance is primarily about avoiding retaliation and maintaining the right records. A practical US-focused checklist:

  • Audit all employment agreements and confidentiality policies for SEC carve-out language
  • Document the ethics hotline or anonymous complaint procedure for SOX-covered entities
  • Maintain a complaint log with retention schedule aligned to SOX (7 years)
  • Brief HR on OSHA retaliation complaint procedures and documentation requirements
  • Establish SAR filing procedures with 30-day tracking and 5-year retention for BSA-covered entities
  • Train compliance staff on DOJ's FCPA enforcement priorities and document retention

Integrate this review into your broader compliance risk assessment to ensure the whistleblower programme is covered in annual internal audits.

Frequently Asked Questions

Is a US private company required to have an internal whistleblower reporting channel?

There is no universal federal requirement for private companies. However, NYSE/NASDAQ listed companies must comply with SOX Section 301 anonymous complaint procedures. FinCEN-regulated financial institutions must have AML whistleblower provisions as part of their BSA compliance programs. State laws (e.g., California Labor Code, New York Labor Law Section 740) may impose additional obligations.

Can employers discipline employees for bypassing internal channels and going directly to the SEC?

No. SEC Rule 21F-17 prohibits any action that impedes a potential whistleblower from communicating with the SEC. Disciplining an employee for reporting directly to the SEC — even without using internal channels first — constitutes illegal retaliation under Dodd-Frank.

How long must SARs and supporting documentation be retained?

SARs and supporting documentation must be retained for 5 years from the date of filing under 31 CFR § 1020.320(d). Investigation records supporting the SAR narrative should be retained for the same period. Bank examination records may require longer retention under federal banking agency regulations.

What are the SEC whistleblower award eligibility requirements?

To qualify for an SEC award, a whistleblower must: (1) voluntarily provide (2) original information (3) that leads to a successful SEC action with sanctions exceeding $1 million. Reports must be submitted through the SEC's Tips, Complaints, and Referrals (TCR) system or Form WB-APP. Internal reports that are subsequently provided to the SEC may qualify if made within 120 days of the internal report.

Does CCPA apply to whistleblower data?

The California Consumer Privacy Act (CCPA)/CPRA includes a partial employee exemption that has been extended. However, companies should treat whistleblower data as sensitive personal information and apply appropriate data minimisation, access controls, and retention policies as part of a comprehensive privacy programme.
