Whistleblowers seeking to report fraud, waste, and abuse, or other violations of federal or state laws, can utilize U.S. whistleblower laws. Many offers strong protections and incentives, such as awards and protection against retaliation, and even allow for anonymous reporting. There are dozens of laws at the federal, state, and local levels as well, which encourage whistleblowers to come forward with information. Below is an overview of those laws, with additional links to help you learn more about them, and information on how to obtain legal assistance from our whistleblower law firm if you choose to become a whistleblower.
U.S. Whistleblower Laws
| Law or Program Name | Date Enacted | Frauds or Violations Covered | Associated Laws or Acts | Who’s Eligible (roles) | Agency(s) Responsible | Award Percentage | Protections | Anonymous Filing | Requires Attorney | Statute of Limitations |
|---|---|---|---|---|---|---|---|---|---|---|
| Dodd-Frank Act (Whistleblower Provisions) | July 21, 2010 | Established SEC/CFTC whistleblower programs targeting securities & commodities law violations; strengthened FCPA provisions; addressed broad financial market stability issues | Securities Exchange Act of 1934, Commodity Exchange Act, SOX, FCPA | Defined eligibility for SEC/CFTC programs (individuals with original, voluntary info); expanded SOX protections | Established 10-30% award range for SEC/CFTC programs | Created strong anti-retaliation protections (incl. direct reporting to agencies, double back pay, direct court access) & confidentiality for SEC/CFTC whistleblowers | Yes, for SEC/CFTC programs if represented by attorney | Yes, for anonymous filing under SEC/CFTC programs | Retaliation Claim (Dodd-Frank): Later of 6 yrs from violation or 3 yrs from discovery (max 10 yrs from violation). (Extended SOX Retaliation SOL): to 180 days | |
| SEC Whistleblower Program | 2010 (Dodd-Frank Act) | Federal securities law violations (e.g., market manipulation, insider trading, accounting fraud, FCPA by issuers) | Dodd-Frank Act, Securities Exchange Act of 1934, FCPA (for issuers), SOX | Any individual (insider or outsider, regardless of citizenship) providing original, voluntary information; some exclusions apply (e.g., certain gov't/SRO staff, privileged info); compliance/audit staff eligible under specific conditions | SEC | 10-30% of recovery over $1M | Anti-retaliation (via Dodd-Frank & SOX), Confidentiality | Yes, if represented by attorney | Yes, for anonymous filing/award eligibility | Reporting Violation: No specific SOL, but delay can reduce award; practically, report within 5 yrs (SEC penalty SOL). Claiming Award: 90 days after SEC posts Notice of Covered Action. Retaliation (Dodd-Frank): Later of 6 yrs from violation or 3 yrs from discovery (max 10 yrs from violation). Retaliation (SOX): 180 days to file with OSHA. |
| CFTC Whistleblower Program | 2010 (Dodd-Frank Act) | Commodity Exchange Act (CEA) violations (e.g., fraud/manipulation in futures, swaps, options, commodities, digital assets, forex; spoofing; BSA violations by registrants) | Dodd-Frank Act, Commodity Exchange Act (CEA) | Any individual providing voluntary, original information via Form TCR leading to sanctions >$1M; some exclusions apply | CFTC (Whistleblower Office) | 10-30% of recovery over $1M | Anti-retaliation (via Dodd-Frank), Confidentiality | Yes (tip can be anonymous w/ or w/o attorney; award claim requires attorney for anonymity) | Yes, for anonymous award claim | Reporting Violation: Info must be submitted after 7/21/2010; no specific SOL, but delay can reduce award; report within 5 yrs (CFTC penalty SOL). Claiming Award: 90 days after CFTC posts Notice of Covered Action (or 90 days after Related Action judgment). Retaliation: 2 years from retaliatory act to file lawsuit. |
| FinCEN Whistleblower Program | 2020 (Anti-Money Laundering Act - AMLA) | Bank Secrecy Act (BSA) violations (e.g., AML program failures, SAR/CTR filing failures, KYC issues); Violations of specific U.S. sanctions laws (IEEPA, Kingpin Act, Trading With the Enemy Act) | AMLA, BSA, IEEPA, Kingpin Act, Trading With the Enemy Act | Any individual providing voluntary, original information; Compliance/audit staff explicitly eligible | FinCEN (Treasury Dept.), DOJ (can bring actions leading to awards) | 10-30% of recovery over $1M (from Treasury or DOJ actions) | Anti-retaliation (covers internal reporting), Confidentiality | Yes, if represented by attorney | Yes, for anonymous filing | Reporting Violation: Generally within gov't SOL (e.g., 6 yrs civil BSA, 5 yrs criminal BSA; varies for sanctions). Claiming Award: Process/deadline not yet specified in official guidance. Retaliation: 90 days from retaliation to file with OSHA. |
| IRS Whistleblower Program | 2006 (Tax Relief and Health Care Act) | Tax underpayment/violations >$2M (or individual income >$200k for mandatory award); lesser amounts for discretionary award. Covers tax evasion, false returns, hidden assets, etc. | IRC § 7623, IRC § 6103 (confidentiality), Taxpayer First Act (TFA) (protections) | Any individual (except certain Treasury/gov't employees) providing specific, credible, original info via Form 211 | IRS (Whistleblower Office) | Mandatory: 15-30% (if thresholds met). Discretionary: Up to 15% (if thresholds not met) | Anti-retaliation (via TFA), Confidentiality (IRS protects identity unless legally required, e.g., testimony) | No (must identify self on Form 211, but IRS maintains confidentiality) | No (but recommended) | Reporting Violation: Within IRS SOL for assessment (generally 3 yrs, 6 yrs for >25% income omission, no limit for fraud/failure to file). Claiming Award: No specific deadline; determined by IRS after tax collected & appeal periods expire; can appeal determination to Tax Court within 30 days. Retaliation (TFA): 180 days from retaliation to file administrative claim. |
| False Claims Act (FCA) (Qui Tam) | 1863 (major amendments 1986) | Knowingly submitting false claims to U.S. gov't, false records for claims, conspiracy, retaining overpayments (e.g., Medicare/Medicaid fraud, defense contractor fraud) | 31 U.S.C. §§ 3729-3733; Anti-Kickback Statute, Stark Law (often related in healthcare) | Private individuals ("relators") with non-public info; must be first-to-file; some exclusions (e.g., certain gov't employees) | DOJ (investigates & decides intervention); Relator files suit in federal court | 15-25% of recovery (if DOJ intervenes); 25-30% of recovery (if DOJ declines & relator prevails) | Anti-retaliation (31 U.S.C. § 3730(h)), Initial confidentiality (suit filed under seal) | No (filed under seal initially, but identity known to DOJ/court; usually revealed if case proceeds) | Yes (required to file qui tam lawsuit) | Filing Qui Tam Lawsuit: Later of 6 yrs from violation OR 3 yrs after US official knew/should have known (max 10 yrs from violation). Retaliation: 3 years from retaliatory act. |
| Sarbanes-Oxley Act (SOX) | 2002 | (Focus is anti-retaliation for reporting) Violations of mail/wire/bank/securities fraud laws, SEC rules, or laws re: fraud against shareholders (often involves financial reporting, internal controls) | Securities Exchange Act of 1934, Dodd-Frank Act | Employees of public companies, their subsidiaries/affiliates, and their contractors/subcontractors | DOL (OSHA investigates, ALJ/ARB adjudicate); Federal Court (if DOL delays >180 days); SEC (enforces substantive SOX rules) | None directly (focus is on remedies for retaliation). Reported info might qualify for SEC award if reported to SEC | Anti-retaliation (18 U.S.C. § 1514A) covering internal & external reporting; Remedies: reinstatement, back/front pay, special damages (incl. emotional distress), attorney fees | No (retaliation complaint to OSHA requires identification; internal reporting may be anonymous via company channels) | No (but strongly recommended) | Retaliation: 180 days from awareness of retaliation to file complaint with OSHA. |
| Whistleblower Protection Act (WPA) | 1989 (amended 2012, 2017) | Violation of law/rule/regulation, gross mismanagement, gross waste of funds, abuse of authority, substantial/specific danger to public health/safety | Civil Service Reform Act of 1978 (CSRA) | Most federal executive branch employees, former employees, applicants; some exclusions (e.g., FBI, CIA, NSA, military, some USPS) | Office of Special Counsel (OSC) (investigates disclosures & retaliation); Merit Systems Protection Board (MSPB) (adjudicates retaliation appeals) | None (focus is corrective remedies for retaliation: reinstatement, back pay, consequential/compensatory damages, attorney fees) | Protection against retaliatory "personnel actions" (broadly defined); Confidentiality for disclosures to OSC | Disclosure to OSC can be anonymous/confidential; Retaliation complaint to OSC/MSPB requires identification | No (but highly advisable) | Retaliation Complaint to OSC: 3 years from knowledge of personnel action. Appeal to MSPB (IRA): 65 days from OSC closure notice date (or 60 days from receipt) OR anytime after 120 days of OSC inaction. Appeal to MSPB (Otherwise Appealable Action): 30 days from action/notice. |
| Foreign Corrupt Practices Act (FCPA) | 1977 (amended 1998) | Anti-Bribery: Bribing foreign officials to obtain/retain business. Accounting: Falsifying records or inadequate internal controls (issuers only), often to conceal bribes | Securities Exchange Act of 1934, Dodd-Frank Act (for awards/protections), SOX (for protections), Foreign Extortion Prevention Act (FEPA) | Individuals reporting FCPA violations by issuers may be eligible via SEC program; potentially CFTC program if commodities involved. Open to U.S./foreign citizens worldwide | DOJ (criminal enforcement, civil for non-issuers); SEC (civil enforcement for issuers) | Via SEC/CFTC programs: 10-30% of recovery over $1M | Via Dodd-Frank (if reported to SEC); Via SOX (if internal report at public co. or report to other authorities); Confidentiality via SEC/CFTC programs | Yes, via SEC/CFTC programs if represented by attorney | Yes, for anonymous filing via SEC/CFTC | Reporting Violation (for SEC/CFTC award): Follow SEC/CFTC rules; report promptly within gov't SOL (5 yrs criminal anti-bribery, 6 yrs criminal accounting; 5 yrs SEC civil penalty, 10 yrs SEC disgorgement). Claiming Award (SEC/CFTC): 90 days after Notice of Covered Action/Related Action judgment. Retaliation (Dodd-Frank): Later of 6 yrs from violation or 3 yrs from discovery (max 10 yrs from violation). Retaliation (SOX): 180 days from awareness to file with OSHA. |