DATE: January 7, 2019

TO: All Institutions Regulated by the New York State Department of Financial Services

RE: Guidance on Whistleblowing Programs

The New York State Department of Financial Services is issuing this guidance to all entities chartered, licensed, or regulated by the Department. This guidance applies to all such regulated institutions regardless of industry, size, or number of employees.

In the Department's experience, a robust whistleblowing program is an essential component of a comprehensive compliance program for regulated financial services companies. Individual employees, consultants, vendors, customers, and other stakeholders are often well-situated to observe possible wrongdoing at a company and bring it to management's attention. Whistleblowing is most useful and effective when a company has instituted a thorough and thoughtful process for receiving, evaluating, and acting on whistleblower concerns.

An institution regulated by the Department may be subject to rules or regulations regarding whistleblowing, depending on, for example, whether the institution is publicly traded, whether it is based or does business in foreign jurisdictions that have whistleblowing regulations, and whether it belongs to a self-regulatory organization. Due to the variety of entities subject to the Department's oversight, no "one size fits all" model exists for a whistleblowing program. As with virtually all compliance- or risk-related processes, the design of a whistleblowing program should be based on factors such as the institution's size, geographical reach, and the specific lines of business in which it engages.

Nevertheless, based on the Department's experience and given the importance of this issue, certain important principles and practices should be considered in determining whether a regulated institution has put into place an effective whistleblowing program. The Department is issuing this guidance to enunciate principles that all regulated institutions should account for when designing and implementing a whistleblowing program.

"Whistleblowing" means the reporting of information or concerns, by one or more individuals or entities, that are reasonably believed by such individual(s) or entity(s) to constitute illegality, fraud, unfair or unethical conduct, mismanagement, abuse of power, unsafe or dangerous activity, or other wrongful conduct, including, but not limited to, any conduct that may affect the safety, soundness, or reputation of the institution. A whistleblower may be any person who has an opportunity to observe improper conduct at a company, including current or former employees, agents, consultants, vendors or service providers, outside counsel, customers, or shareholders.

An effective whistleblowing program should, at a minimum, consider how to account for the following elements:

1. Reporting channels that are independent, well-publicized, easy to access, and consistent.

  • Institutions should have dedicated channels that employees, customers, or other stakeholders can use for whistleblowing. A toll-free phone number, a dedicated email address, or a special mailing address are all useful reporting channels. For some institutions, maintaining and monitoring more than one reporting channel will be appropriate. Reporting channels should be overseen by a designated employee or employees who have adequate independence and empowerment to ensure that whistleblower protections are maintained and reports are suitably investigated (discussed in more detail below).
  • In addition to, or as an alternative to, company-managed reporting channels, institutions should consider whether to engage a third-party reporting service to enhance the whistleblowing program. Certain industry studies have shown that employees tend to trust third-party reporting services more than internal reporting channels, in part because of the perception that third-party service providers add another layer of protection for whistleblowers who might be hesitant to report directly to the company or who wish to preserve anonymity (discussed in more detail below).
  • Reporting channels should be well-publicized to employees and other stakeholders, for example, by inclusion in employee manuals and regular training programs; posted in prominent employee and customer locations; and published on a company's public website and internal webpage. Potential whistleblowers should be assured that they are protected from any form of retaliation and that their anonymity will be protected if they do choose to report anonymously.
  • In addition, managers should be trained to identify possible whistleblowing issues that they might learn of outside the usual whistleblower channels, such as complaints sent directly to the manager, issues raised during employee reviews or exit interviews, or information learned or overheard in informal conversations. Managers should know to direct those informal whistleblowing complaints to the appropriate compliance or investigative unit.

2. Strong protections for a whistleblower's anonymity.

  • In the Department's experience, many potential whistleblowers would hesitate to report if they believed that their identity would not be kept confidential (that is, closely held among a small group of people on a "need to know" basis), or that they could not remain completely anonymous.
  • Accordingly, the institution's entire whistleblowing process, from the initial whistleblower submission through follow-up actions by the institution, should include safeguards to protect the anonymity of submitters who wish to remain confidential or anonymous.
  • Some investigations may benefit from further contact with a whistleblower - for example, where the whistleblower may be able to provide additional details to support an allegation - and it may be appropriate for investigators to encourage whistleblowers to provide more information. There must be adequate safeguards at all stages of the process, however, to protect the confidentiality or anonymity of those whistleblowers who do not want their identity known.
  • Where the identity of the whistleblower is known or knowable (for example, because the reporter identifies him or herself or because the nature of the report necessarily reveals the reporter), the whistleblowing process must have strong safeguards in place that ensure that the reporter's identity is closely guarded and that he or she is protected from retaliation.
  • To the extent permissible under applicable law, any deviations from a policy or practice of confidentiality or anonymity should occur only for a specific, objective, and articulable reason, should be done only with the involvement of senior compliance and legal management, and should be well-documented.

3. Established procedures for identifying and managing potential conflicts of interest.

  • A well-constituted whistleblowing program should recognize the possibility for conflicts of interest and include procedures to identify and minimize the effects of conflicts. This includes scrutiny for possible conflicts involving senior management and the Board of Directors.
  • A conflict may arise, among other ways, when an employee who handles or manages a whistleblowing matter, works on the investigation of a matter, or is among the group to whom the matter will be escalated or reported:
    • Is the subject of the whistleblowing complaint;
    • Is a possible witness to or source of information about the conduct at issue in a complaint;
    • Supervises, reports to, or has some other close relationship to the subject of the allegation or the whistleblower (if known).

4. Staff members adequately trained to receive whistleblowing complaints; determine a course of action; and competently manage any investigation, referral, or escalation.

  • Institutions should have qualified staff dedicated to managing the reporting channels and otherwise receiving whistleblowing complaints and overseeing the investigation and referral process. This responsibility will likely include at a minimum:
    • Ensuring confidentiality, protection from retaliation, and anonymity (if desired) of whistleblowers;
    • Ensuring that all complaints received through the dedicated reporting channels and informal reporting channels are collected and handled in a consistent manner;
    • Conducting an initial triage to sort out complaints that are not actual whistleblowing matters and those that can be evaluated without the need for a detailed investigation;
    • Recognizing when apparently independent reports may in fact be separate pieces of evidence of the same wrongdoing, which should be the subject of a single comprehensive investigation;
    • Investigating allegations or referring them to other appropriate staff for investigation;
    • Evaluating the results of any investigation, assessing the merits of each complaint, and escalating or referring valid complaints to the appropriate division for action (keeping in mind the internal chains of command pertinent to a particular complaint and potential conflicts of interest that might exist);
    • Reporting about the whistleblowing function to appropriate unconflicted senior management; and
    • Maintaining auditable records of the complaint-handling process.
  • Larger institutions will likely have one or more staff members solely dedicated to the whistleblowing function. Where the whistleblowing function is managed by staff with other duties, the institution should ensure that the assigned personnel have sufficient time to dedicate to this important function. Staffing levels should be periodically reevaluated to ensure that all submitted complaints receive appropriate attention.
  • Institutions should ensure that the staff tasked with managing the whistleblowing function have significant autonomy, independence, empowerment, and access to senior management to ensure they carry out their duties effectively and efficiently.

5. Established procedures for investigating allegations of wrongdoing.

  • Institutions should establish procedures to ensure whistleblowing complaints are investigated appropriately by qualified, independent and un-conflicted staff.
  • Investigation procedures should include objective standards for evaluating the risk presented by each allegation and ensure that more serious allegations - such as those involving possible fraud or criminal conduct, carrying material reputational risk, or implicating senior management - are subject to appropriate scrutiny, including possible immediate escalation or involvement of the general counsel or outside counsel.
  • Investigations should include consideration both of what investigative steps are warranted in each particular case and what quantum of evidence supporting a particular report will trigger escalation or further action.

6. Established procedures for ensuring appropriate follow-up to valid complaints.

  • Institutions should establish protocols to govern referral of valid complaints to the appropriate business unit or division and ensure that the institution takes appropriate action. Protocols should also account for situations where it is also necessary to refer or report the matter to others, such as the Legal Department, internal or external auditors, independent Board members, or government authorities.
  • Institutions should create and maintain auditable records relating to referrals and actions taken in response to whistleblowing complaints.

7. Protecting whistleblowers from retaliation.

  • As discussed above, in addition to protections for confidentiality and anonymity, institutions must take concrete steps to ensure whistleblowers are protected from any form of retaliation, whether the report is made anonymously or not, whether the allegation is reported internally or directly to an external body, and whether the allegation is ultimately determined to be well-founded or not.

8. Confidential treatment.

  • In addition to protecting the confidentiality or anonymity of the whistleblower's identity where appropriate, whistleblowing programs should also include more general safeguards designed to maintain the confidentiality of the whistleblowing matters themselves.
  • This confidentiality serves several purposes, including:
    • Protecting the integrity of in-progress investigations;
    • Protecting the subjects of allegations from suffering consequences due to as-yet-unverified allegations; and
    • Protecting the institution's reputation until claims are adequately investigated.

9. Appropriate oversight of the whistleblowing function by senior management, internal and external auditors, and the Board of Directors.

  • As an important part of a robust compliance program, the whistleblowing function should receive significant oversight by and attention from appropriate senior managers, auditors and the Board of Directors, as applicable. While what constitutes adequate oversight will vary from institution to institution, suitable direct and indirect oversight from the following, as applicable, may be appropriate:
    • Senior members of the compliance department;
    • Senior members of the legal department;
    • An independent director;
    • Senior members of the internal audit department;
    • External auditors.

10. A top-down culture of support for the whistleblowing function.

  • Whistleblowing is only meaningful if potential whistleblowers come forward and report what they observe. And whistleblowers will come forward only if they have confidence in the whistleblowing program - confidence that their complaint will be heard and given due consideration; confidence that the person receiving and investigating the complaint does not have a conflict of interest and otherwise is independent and objective; confidence that they will be protected from retaliation for raising the concern; and confidence that their anonymity (if desired) will be protected.
  • Institutions can best instill that confidence in potential whistleblowers through genuine and demonstrated support for the whistleblowing program from across management.
  • Senior management and the Board of Directors must consistently support the whistleblowing function, such as by allocating appropriate resources to the whistleblowing function, and demonstrate their support through their words and deeds.

This guidance is intended to detail principles and best practices that all institutions regulated by the Department should account for when designing and implementing their whistleblowing programs. It is not intended to limit the scope or applicability of any law or regulation.