Whistleblowing is in the news. Current events are a timely reminder of the importance of having in place sound and up-to-date policies, procedures and programs for whistleblowing. A number of prudential regulators, such as federal and state bank regulators, and the Securities and Exchange Commission, all include review of a company’s whistleblowing program as standard in periodic examinations or inspections.
A robust whistleblowing program is an essential component of a comprehensive compliance program for financial institutions and other large corporations. Individual employees, consultants, vendors, customers, and other stakeholders are often well-situated to observe instances of wrongdoing at a company and bring it to management’s attention. Whistleblowing is most useful and effective when a company has instituted a thorough and thoughtful process for receiving, evaluating, and acting on whistleblower concerns.
The recent regulatory guidance on whistleblowing issued by the New York Department of Financial Services contains important suggestions for a sound whistleblowing program. The NY DFS guidance highlights key pillars of a strong whistleblowing program, including the following elements:
- Reporting channels that are independent, well-publicized and easy to access. These may include internal and external reporting channels, such as a dedicated and anonymous e-mail address, and a toll-free number operated by an outside vendor.
- Strong protections for a whistleblower’s anonymity, including the availability of end-to-end anonymity in reporting channels, robust policies against retaliation, and adequate protections if a whistleblower decides to identify him- or herself to investigators.
- Compliance and investigative personnel that are adequately trained to receive whistleblowing complaints; determine a course of action; and competently manage any investigation, referral, or escalation.
- Investigation procedures that include objective standards for evaluating the risk presented by each allegation and ensure that more serious allegations, such as those involving possible fraud or criminal conduct, carrying material reputational risk, or implicating senior management, are subject to appropriate scrutiny, escalation, and follow-up where complaints are deemed valid.
- Significant oversight by and attention from appropriate senior managers, internal auditors and the Board of Directors, as appropriate. While what constitutes adequate oversight will vary from institution to institution, suitable direct and indirect oversight may include senior members of the compliance division or the legal department, a senior member of the internal audit division, and/or an independent director.
- Established procedures for identifying and managing potential conflicts of interest. A well-constituted whistleblowing program should recognize the possibility for conflicts of interest and include procedures to identify and minimize the effects of conflicts.
- Perhaps most importantly, a top-down culture of support of the company’s whistleblowing function. Senior management and the Board of Directors must consistently support the whistleblowing function, such as by allocating appropriate resources to the whistleblowing function, and demonstrate their support through strong internal and external messaging, and corporate conduct consistent with such messaging.
Other sources to consult concerning whistleblowing programs include the SEC’s 2018 Whistleblower Program report, the National Council of Nonprofits, and the U.K. Financial Conduct Authority.
In the long run, a robust and effective whistleblowing program will inure to the benefit of the corporation and its stakeholders, as it will ensure that any wrongdoing is identified and remedied in an adequate fashion; and that it is self-disclosed to government or self-regulatory authorities, as appropriate, which is typically preferable to having the misconduct brought to light by the government, regulator, or media.