New York State Department of Financial Services Issues Guidance on Whistleblowing Programs

On January 7, 2019, the New York State Department of Financial Services (the “Department”) published Guidance on Whistleblowing Programs (the “Guidance”). The Guidance defines whistleblowing as “the reporting of information or concerns, by one or more individuals or entities, that are reasonably believed by such individual(s) or entity(s) to constitute illegality, fraud, unfair or unethical conduct, mismanagement, abuse of power, unsafe or dangerous activity, or other wrongful conduct, including, but not limited to, any conduct that may affect the safety, soundness, or reputation of the institution.” The Guidance is directed to all institutions regulated by the Department – i.e., all institutions chartered, licensed, or regulated by the Department – regardless of size, industry, or number of employees.

As the Guidance states,

[A] robust whistleblowing program is an essential component of a comprehensive compliance program for regulated financial services companies. Individual employees, consultants, vendors, customers, and other stakeholders are often well-situated to observe possible wrongdoing at a company and bring it to management’s attention. Whistleblowing is most useful and effective when a company has instituted a thorough and thoughtful process for receiving, evaluating, and acting on whistleblower concerns.

Importantly, the Guidance notes that regulated institutions may be subject to a variety of rules and regulations relating to whistleblowing, “depending on, for example, whether the institution is publicly-traded, whether it is based or does business in foreign jurisdictions that have whistleblowing regulations, and whether it belongs to a self-regulatory organization.” Thus, the Guidance recognizes that there can be no “one size fits all” approach to whistleblowing programs. Rather, the Guidance states a whistleblowing program must be appropriately tailored depending “on factors such as the institution’s size, geographical reach, and the specific lines of business in which it engages.” That said, the Guidance sets forth minimum, non-binding “principles that all regulated institutions should account for when designing and implementing a whistleblowing program.” These fall within ten categories:

  1. Establishing reporting channels that are independent, well-publicized, easy to access, and consistent;
  2. Creating strong protections to ensure the anonymity of whistleblowers;
  3. Establishing procedures to identify and manage potential conflicts of interest;
  4. Adequate training of staff in the intake of whistleblower complaints, determining a course of action, and competent management of an investigation, referral, or escalation;
  5. Establishing procedures for investigating allegations of wrongdoing;
  6. Establishing procedures for ensuring appropriate follow-up of valid complaints;
  7. Protecting whistleblowers from retaliation;
  8. Maintaining the confidentiality of whistleblowing matters;
  9. Providing appropriate oversight of the whistleblower function by senior management, internal and external auditors, and the Board of Directors; and
  10. Creating a culture of support for whistleblowing from the institution’s leadership.

Several of the above elements address the need to carefully and thoughtfully intake complaints in a way that preserves the anonymity of the whistleblower and the confidentiality of the matter. The Guidance notes that third-party vendors may provide an invaluable service in this regard, and one that may be even more effective, given studies showing that employees (unsurprisingly) are more trusting of third-party reporting mechanisms. Indeed, some vendors in our experience offer a rudimentary reporting mechanism through a 24-hour hotline that preserves anonymity for the cost of less than a thousand dollars for an annual subscription. Of course, this modest price for obtaining an early internal report is a worthwhile investment when one considers the exorbitant costs (to say nothing of headaches) that come from an external whistleblower complaint and resulting government investigation.

Indeed, the incentives for companies to encourage internal whistleblowing reports are compelling. For one thing, companies that are able to detect and remediate improper conduct are in a better position to determine whether voluntary disclosure to authorities is appropriate under the circumstances, with all the costs and potential benefits such a decision entails. For another thing, whistleblowers in public companies are themselves strongly incentivized to report externally to public authorities – such as the U.S. Department of Justice, the U.S. Securities and Exchange Commission, the U.S. Commodities and Futures Trading Commission, and the Internal Revenue Service – by bounty programs that offer whistleblowers enormous rewards from potential recoveries. Companies are always better off proactively addressing whistleblower reports than reacting to them when learning of them for the first time through the service of subpoenas, target letters, or civil investigative demands.

Finally, the Guidance also counsels companies to adopt robust procedures for managing the intake and investigation of bona fide whistleblower reports. Naturally, even bona fide reports will vary greatly in degree of seriousness or potential cost, and some may be appropriately resolved through small internal investigations by company personnel that may not need the protection of privilege that investigation by legal counsel would provide. On the other hand, in the most serious cases, where the protections of privilege would be beneficial, the expertise of skilled and experienced investigators and the guidance of independent outsiders with credibility before government agencies can be invaluable. Under such circumstances, the Guidance recognizes, outside counsel can add value. Indeed, as the Guidance notes, “more serious allegations – such as those involving possible fraud or criminal conduct, carrying material reputational risk, or implicating senior management – are subject to appropriate scrutiny, including possible immediate escalation or involvement of the general counsel or outside counsel.”

While the Guidance is advisory and non-binding, our own experience counseling companies strongly suggests companies would ignore the Guidance at their great peril.