The Internal Revenue Service (IRS) requires tax-exempt organizations to report on the annual Form 990 whether they have adopted a written whistleblower policy—a strong signal that the IRS views whistleblower protection as a key part of the governance oversight the IRS expects of nonprofit organizations. A well-drafted policy provides robust protections for whistleblowers, including confidentiality and protection from retaliation. In addition to the requirements of their own internal policies, nonprofits are subject to state, federal, and even international laws protecting whistleblowers, depending on the circumstances.
A recent case demonstrated what can happen when an executive attempts to breach those whistleblower protections, even when unsuccessful. Last week, the U.K.'s Financial Conduct Authority (FCA) announced its third largest fine ever on an individual when it fined Jes Staley, the CEO of Barclays, for attempting to reveal the identity of a whistleblower.
This situation arose in 2016, when an anonymous whistleblower submitted two letters to the Barclays' Board of Directors. The letters raised concerns about a senior executive who had recently been recruited by Mr. Staley to join Barclays from a competitor bank where Mr. Staley had also recently worked. These concerns about the executive were "of a personal nature," and the letter also highlighted the fact that Mr. Staley had known of the issues yet still recruited the individual. While the Board of Directors initiated an investigation into the matter, Mr. Staley attempted to use Barclays' Information Security team to determine the author of the two letters. Although it appears that Mr. Stanley was told that doing so was inappropriate, months later, Mr. Staley asked if the investigation had been cleared, and then tried again to have the Information Security team identify the author. Ultimately, an internal investigation by Barclays determined that Mr. Staley had "honestly, but mistakenly believed" that his actions were lawful.
Nevertheless, the FCA fined Mr. Staley £642,000 ($870,000), as did Barclays, which fined Mr. Staley £500,000 ($674,000) in compensation. Further, Barclays' whistleblower compliance program is now subject to additional oversight [by the FCA??] as a result of the incident. Despite the heavy fines, many thought that Mr. Staley was fortunate to keep his job.
The case is an important reminder of the multitude of ways any organization (including nonprofits) can find itself running afoul of the strict protections afforded to whistleblowers, which could be imposed by law or under its own policies.
In the U.S., the most prominent protections are found in the False Claims Act and provisions of the Dodd-Frank Wall Street reform legislation. The False Claims Act prohibits companies from retaliating against a whistleblower. The Act ensures that whistleblowers will be restored to their employment or made "whole" if they are discharged or merely harassed for relating a potential False Claims Act violation. This is in addition to the requirement that False Claims Act complaints be filed under seal for at least sixty days to protect the whistleblower's identity. Pursuant to Dodd-Frank, the SEC established rules empowering the Commission to take action against employers that attempt to retaliate against whistleblower employees by creating a private right of action for employees who feel they have been targeted. Additionally, the Whistleblower Protection Act protects employees of the federal government.
Besides these federal whistleblower protections, states have similar protections such as those found in state analogues to the federal False Claims Act. And overseas, the FCA in the UK recently created rules that require companies to employ a "whistleblower champion" whose sole responsibility is to ensure that whistleblowers are not harassed. All of this is in addition to the strictures a nonprofit organization may have imposed on itself through its own policies.
The simple fact is that there are strict protections for whistleblowers and indeed significant potential penalties for running afoul of those protections, such as by trying to take action against a whistleblower. Not only must organizations avoid conduct that can be seen as retaliatory, today, they also should have in place proactive internal compliance and monitoring measures to ensure such retaliation does not occur. Nonprofit organizations and their executives would do well to not make the same mistakes as Barclays' CEO.