On January 7, 2019, the New York State Department of Financial Services (DFS or the “Department”) issued guidance regarding internal whistleblowing programs, calling a “robust” whistleblowing program an “essential component of a comprehensive compliance program for regulated financial services companies.”
The guidance “is intended to detail principles and best practices that all institutions regulated by the Department should account for when designing and implementing their whistleblowing programs.” The guidance is organized around ten principles that DFS states should, at a minimum, be taken into consideration for an effective whistleblowing program. The guidance applies to all DFS-regulated institutions, “regardless of industry, size, or number of employees.”
DFS acknowledges that some DFS-regulated institutions already may be subject to rules or regulations regarding whistleblowing and that, due to the variety of entities subject to the Department’s oversight, there is no such thing as a “one size fits all” whistleblowing program. DFS goes on to say that the design of a whistleblowing program, as with virtually all compliance- or risk-related processes, should be based on factors such as the institution’s size, geographical reach and business.
The DFS guidance follows closely on the heels of a consent order announced last year resolving asserted violations of New York Banking Law by a major bank, purportedly for failing to implement effective governance and controls with respect to its whistleblowing program. The consent order includes remedial measures the bank is required to implement, and recites as best practices for a whistleblowing program: (i) protections for all whistleblowers, whether or not anonymous, (ii) appropriate independence of the bank’s whistleblowing, investigative and security functions in connection with whistleblowing matters, and (iii) adequate training, including for senior management and the board.
Not surprisingly, the guidance that DFS has issued focuses on protecting independence, confidentiality and anonymity and establishes a definition of whistleblowing that goes beyond complaints by employees.
The guidance defines “whistleblowing” as “the reporting of information or concerns, by one or more individuals or entities, that are reasonably believed by such individual(s) or entity(s) to constitute illegality, fraud, unfair or unethical conduct, mismanagement, abuse of power, unsafe or dangerous activity, or other wrongful conduct, including, but not limited to, any conduct that may affect the safety, soundness, or reputation of the institution. A whistleblower may be any person who has an opportunity to observe improper conduct at a company, including current or former employees, agents, consultants, vendors or service providers, outside counsel, customers, or shareholders.”
The ten principles and practices identified as needing to be taken into account are:
- Independent, well-publicized, easy-to-access and consistent reporting channels
Companies should have dedicated—and well publicized—reporting channels that whistleblowers can use to report a problem, whether internally managed or run by a third-party reporting service, with oversight by designated employees who have adequate independence and empowerment to ensure that whistleblower protections are maintained and reports are suitably investigated. But the guidance also states that managers should be trained to identify and escalate possible whistleblowing issues raised outside the usual whistleblowing channels, such as those made directly to a manager during employee reviews or exit interviews or information learned or overheard in informal conversations.
- Strong protections for whistleblower anonymity
Companies should have safeguards in place at all stages of the whistleblowing process to ensure the anonymity of whistleblowers who wish to remain anonymous. Deviations from confidentiality or anonymity (to the extent permissible under applicable law) should occur only for a specific, objective and articulable reason, should be done only with the involvement of senior compliance and legal management, and should be well documented.
- Established procedures for identifying and managing conflicts of interest
Companies should incorporate procedures for identifying and minimizing conflicts of interest that may arise when an employee who handles a whistleblowing matter may be the subject of or a witness to a whistleblowing matter, or supervises or reports to or has a relationship with the subject of the whistleblower allegation.
- Adequately trained staff members to receive and manage whistleblowing complaints
Companies should ensure that staff members dedicated to the whistleblowing function have sufficient time, resources and training to handle responsibilities that “likely include at a minimum” eight enumerated items. Among the eight are ensuring confidentiality and protection from retaliation, investigating allegations, recognizing connections between separately reported allegations, and maintaining auditable records of the process. The guidance also states that dedicated whistleblowing staff should have significant autonomy, empowerment and access to senior management in order to operate effectively.
- Established procedures for investigating allegations of wrongdoing
Companies should have established procedures by which whistleblowing complaints are investigated appropriately, using objective standards for evaluating risk and including steps for escalating more serious allegations or the involvement of the general counsel or outside counsel. These procedures, according to the guidance, should be tailored to what is warranted in each particular case.
- Established procedures for ensuring appropriate follow-up to valid complaints
Companies should have established procedures to respond to valid complaints, refer or report to others such as the legal department, auditors, independent directors or government authorities, as necessary, and maintain auditable records of whistleblowing complaints and the actions taken in response.
- Protection against retaliation
Companies should take “concrete steps” to ensure that whistleblowers are protected from retaliation, including when the complaint is ultimately determined to be unfounded.
- Confidential treatment
Beyond protecting the confidentiality of the whistleblower, companies should have more general safeguards to protect the confidentiality of whistleblowing matters more broadly, to protect (i) the integrity of in-process investigations, (ii) the subjects of whistleblowing allegations from suffering consequences due to as yet unverified allegations, and (iii) the institution’s reputation until claims are adequately investigated.
- Appropriate oversight by senior managers, auditors, and the Board of Directors
Companies should ensure significant oversight by and attention from senior managers, internal and external auditors and the Board of Directors. The DFS guidance notes that what constitutes adequate oversight will vary from institution to institution.
- A top-down culture of support for the whistleblowing function
Companies should instill confidence in the whistleblowing program by demonstrating support for the program across management, including by allocating appropriate resources to the whistleblowing function. The DFS guidance specifically states that whistleblowers will come forward only if they have confidence that their complaint will be heard and given due consideration by an independent and objective reviewer, and that they will not be punished for coming forward.
In setting forth these ten principles, the DFS guidance clearly builds on the foundation of existing SEC and stock exchange rules and Federal Sentencing Guideline incentives, as well as practices that have become accepted in US corporate governance. Certain of the principles listed—such as protecting whistleblowers from retaliation and requiring dedicated reporting channels—are firmly entrenched in the existing legal landscape relating to whistleblowing. Others, like promoting a culture of support for whistleblowing, have been recognized by the NYSE and Nasdaq as important components of any corporate code of ethics. But the DFS whistleblowing guidance brings these various regulatory and incentive schemes together, applies them to all DFS-regulated institutions, and in some instances, converts some acknowledged best practices into regulatory expectations.
For more information, view a copy of the DFS Guidance on Whistleblowing Programs.