On January 7, 2019, the New York State Department of Financial Services (the "DFS") issued new guidance on whistleblowing programs ("WP") to all entities regulated by the DFS regardless of industry, size or number of employees—hello representative offices, bit licensees and money services companies.
The DFS defines whistleblowing as:
reporting of information reasonably believed to constitute illegality, fraud, unfair or unethical conduct, mismanagement, abuse of power, unsafe or dangerous activity or other wrongful conduct including conduct that might affect safety, soundness or reputation
Anybody can be a whistleblower including employees (and ex-employees), vendors, outside counsel (!) and customers.
While the DFS recognized that a whistleblower program has to be tailored to the characteristics of the regulated entity, all regulated entities should nevertheless design and maintain a WP as an "essential" part of their compliance program.
At a minimum, an effective program should consider the following 10 elements that are explained in five single-spaced pages:
Independent, publicized, easy to use reporting channels
A reporting channel is a toll-free telephone number or a mail or email address. Some companies should have more than one channel, overseen by dedicated personnel who can ensure things are done correctly. Using a third party might even be better. The existence of the channels should be well publicized in training materials, where customers might be, where employees are and on websites. The announcements should assure potential whistleblowers that they will be safe from retaliation and can make anonymous reports. Managers need to be trained to spot potential issues from inadvertent whistleblowers, who may blurt out issues almost anywhere.
The WP has to protect anonymity from start to finish. Some whistleblowers will want to be completely anonymous and this needs to be respected through safeguards. Other whistleblowers may provide their identities, but this information should be closely held and revealed on a "need to know" basis only and the whistleblower should be protected from retaliation. If there is a need to breach confidentiality, senior legal or compliance staff should be brought in and the rationale for this decision has to be well documented.
Managing conflicts of interest
On the theory that you shouldn’t investigate yourself, a WP should have procedures to identify and minimize conflicts, particularly involving senior officers or directors. The DFS thinks you may have a conflict if you are the subject of a complaint, a witness or a supervisor of the complainant and you are investigating the issue.
The WP staff needs to be qualified to oversee the reports and the process of handling the information received. At a minimum, the staff needs to be capable of managing confidentiality and retaliation issues, following through, using judgment to assess the complaints, managing investigations, escalating where warranted, making effective reports and keeping good records. The staff should have enough time to devote to this important function and be given the authority to carry out their duties effectively, including having access to senior management.
A WP should have procedures to ensure that independent, qualified staff investigate complaints. Objective standards should be established to evaluate risks and treat serious issues with appropriate escalation. Each investigation should evaluate what investigative steps are needed and what evidence is available to support management action.
Procedures to ensure follow-up
The WP has to have procedures regarding referrals to management for action and whether further referrals are needed such as to the auditors or regulators. This should all be documented as part of auditable records.
The WP must contain concrete steps to protect against retaliation even if the allegation is determined to be not well founded.
A WP should have safeguards to ensure that the whistleblowing process is managed confidentially. These should protect ongoing investigations, the subjects of complaints and the reputation of the company.
Senior management oversight
Like any compliance function, the WP needs the attention and support of senior managers and oversight from a body of senior officers and directors.
Culture of support
Whistleblowing only works if there are actual complaints, and this hinges on complainants' confidence in the WP: that anonymity will be protected, that there will be no retaliation, and that the complaint will be heard. Thus, senior management must support the WP by giving it the finances needed to do the job and actual support and emphasis as an important compliance tool.
* * *
Many financial companies have whistleblower policies—but only the biggest companies have programs as detailed as outlined by the DFS. This type of "nanny state" guidance should actually be done as part of a formal regulation that is adopted after the public has a chance to critique the ideas here and offer suggestions for improvement. It is interesting that the federal regulators are moving away from issuing "guidance" and in fact have advised banks that they may treat "guidance" as just that and not worry about being cited for violations. Nonetheless, this should not be ignored, and ALL regulated entities need to hone their WP.