The Securities and Exchange Commission (“SEC”) levied an $18 million fine against J.P. Morgan Securities, LLC (“JPMS”) for allegedly including overbroad release provisions in settlement agreements. This marks the continuation of its recent activity to enforce SEC Rule 21F-17(a), a regulation that prohibits companies from taking any action to impede or discourage whistleblowers from reporting suspected securities violations to the SEC.

The rule broadly prohibits any person from taking any action to prevent an individual from contacting the SEC directly to report a possible securities law violation. Specifically, the rule provides that “[n]o person may take any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement . . . with respect to such communications.”

However, Rule 21F-17(a) does not create a private right of action. And, as we previously blogged, the SEC historically had limited enforcement activity for Rule 21F-17(a), with roughly 14 enforcement actions between 2015 and 2021. Many of those enforcement actions occurred in the context of alleged retaliation by a company against an employee for communicating with the SEC, or attempting to impede an employee’s ability to communicate with the SEC as part of an investigation.

But with the 2020 change in administration, the SEC began making up for lost time and—most importantly—initiating enforcement actions based solely on contractual language in confidentiality agreements or severance agreements that did not specifically carve out the ability for the signatory to affirmatively communicate with the SEC about potential securities violations.

JPMS Consent Order

According to the consent order, from 2020 through July 2023, JPMS included language in certain release agreements where the counterparty (brokerage or advisory clients) agreed to keep the release payment confidential and “not use or disclose (including but not limited to, media statements, social media, or otherwise) the allegations, facts, contentions, liability, damages, or other information relating in any way to the [client’s] Account, including but not limited to, the existence or terms of this Agreement.” The confidentiality language included a fairly standard exclusion that carved out responding “to any inquiry about [the] settlement or its underlying facts by FINRA, the SEC, or any other government entity or self-regulatory organization, or as required by law.”

The SEC took the position that this confidentiality language still violated Rule 21F-17(a), because the counterparty could only respond to requests for information from certain government agencies, but the exclusion did not specifically preserve the right to affirmatively report potential violations of securities laws to the SEC.

As part of the order, JPMS agreed to pay an $18 million fine and to cease and desist from any further violations of Rule 21F-17(a). In recent consent orders, the SEC normally included a notification requirement and obligation to revise non-compliant agreements. Neither was required here because, after the SEC notified JPMS about this investigation, JPMS affirmatively revised its contract language and informed the 362 impacted clients that they were not prohibited from voluntarily or otherwise communicating directly with or providing information to any governmental or regulatory authority about the information leading to the settlement agreement or any other potential violation of securities law.

In the accompanying press release, SEC Enforcement Director Gurbir Grewal reiterated the rule’s breadth and proclaimed, “Whether it’s in your employment contracts, settlement agreements or elsewhere, you simply cannot include provisions that prevent individuals from contacting the SEC with evidence of wrongdoing.” Another SEC official also commented that “[t]hose drafting or using confidentiality agreements need to ensure that they do not include provisions that impede potential whistleblowers.”


Companies should take care to ensure that any confidentiality restriction does not prevent an individual from affirmatively contacting the SEC to report potential wrongdoing. Government agencies like procedural violations, and the SEC is no different. Under the SEC’s interpretation, a violation of Rule 21F-17(a) is as simple as finding a non-conforming provision, then adjusting the monetary penalty and notice requirements accordingly. The SEC has shown a renewed interest in enforcing this rule and, as its enforcement actions continue, the agency will likely use its prior actions to characterize any potential suppression as a willful violation.