DFS Whistleblower Guidance: Advice and a Warning Shot
In this Employment Issues column, Philip M. Berkowitz and Margaret Watson write: At the end of the day, again, the Guidance is sound. But it is issued on facts that demonstrate that what are suggestions today may turn into minimum requirements tomorrow. The warning shot has been fired, and employers, whether in financial services or otherwise, would do well to review and conform policies in this area.
March 13, 2019 at 02:50 PM
8 minute read
At the start of this year, the New York State Department of Financial Services (DFS) issued a “Guidance on Whistleblowing Programs.” The DFS is the department of the New York state government responsible for enforcing regulating financial services and products within the state, including those subject to the insurance, banking and financial services laws. The Guidance recognizes that there is no “one size fits all” model for a whistleblower program. Although certain statutes may mandate the existence of a whistleblower program, with the most limited exception, the laws, rules and regulations do not specify the design of these programs.
Many laws prohibit employers in the private sector from retaliating against whistleblowers, but with the most limited exception, these statutes do not mandate any formal whistleblower program. For example, the Occupational Safety and Health Act 1970 (OSHA) protects those who have reported or complained about workplace safety and health issues and Title VII, the ADA, ADEA, and related anti-discrimination statutes all contain prohibitions against retaliation for any employee who complains in good faith of a perceived violation of one of these laws, but none of these statutes mandates a whistleblower program.
On the other hand, the rules promulgated by the Securities and Exchange Commission in connection with implementation of §301 of the Sarbanes-Oxley Act mandate, among other things, that the audit committees of public companies (i.e., issuers listed on U.S. exchanges) establish whistleblower procedures that include programs for “the confidential, anonymous submission by employees” of concerns regarding questionable accounting or auditing matters. See 17 CFR §240.10A-3.
Accordingly, the DFS has shared with the business community what its experiences in compliance investigations and related prosecutions has taught it are the essential “pillars” of any bona fide whistleblower program.
The Guidance is sound. Indeed, in many respects, DFS provides a best practices manual, for free. And they should be applauded for doing so. However, viewed in the larger context in which these practices were developed, one should be wary that this free advice may simply constitute a notice period for what will soon be mandated provisions for any bona fide whistleblower program, whether by DFS or other government entities.
DFS identifies 10 pillars that “any effective whistleblower program should include.” Each is worthy of attention. They are:
(1) Reporting channels that are independent, well-publicized, easy to access, and consistent;
(2) Strong protections for a whistleblower's anonymity;
(3) Established procedures for identifying and managing potential conflicts of interest;
(4) Staff members adequately trained to receive whistleblowing complaints; determine a course of action; and competently manager any investigation, referral, or escalation;
(5) Established procedures for investigating allegations of wrongdoing;
(6) Established procedures for ensuring appropriate follow-up to valid complaints;
(7) Protecting whistleblowers from retaliation.
(8) Confidential treatment.
(9) Appropriate oversight of the whistleblowing function by senior management, internal and external auditors, and the Board of Directors; and
(10) A top-down culture of support for the whistleblowing function.
We will not address in depth all of the reasons for each of these pillars, as the DFS has done a nice job of providing such information in its relatively short and concise Guidance which can be found online. We will, however, put some of these best practices in context.
First, the pillars must be understood in the context of intending to create a program to encourage people, primarily employees (though some programs explicitly extend to vendors, customers or any “persons”) to come forward with notice of any perceived wrongdoing; and not just to provide a channel for them to do so. As the DFS's experience shows and businesses know all too well, the source of crimes to businesses (including theft, corruption, espionage, money laundering, etc.) most often originates with the participation of insiders. Accordingly, insiders or other employees are usually eye-witnesses to such conduct or suspected conduct.
Against this background, the design of any whistleblower program must be not just to provide a reporting channel, but to incentivize employees to come forward and raise their concerns. In order to do this, the designers of any program must understand the risk analysis that the reporting employee confronts. Why should she say anything? To be blunt, what's in it for her? Why should she stick her neck out? Or as she might say, “What do I care?” “Why should I put my job on the line?” “Who is going to believe me?” and “Who is going to protect me?”
These questions are not spurious. Indeed, a cursory review of the number of whistleblower claims filed across industries and involving all types of alleged illegal conduct makes one thing clear: perceptions of retaliation are real, real enough to make any person think twice before they raise a complaint. So any bona fide program must not just provide a complaint reporting procedure, it must adequately address these concerns.
As the DFS's Guidance recognizes, one has to change this risk analysis. Employers should create a culture where (1) reporting is favored, not frowned upon, and (2) where the whistleblower is safe, both in terms of having their identity protected in the first instance and then policing that they are not retaliated against when they are identified for bringing forth what are good faith complaints of perceived unlawful conduct.
Among other things, the Company needs a mechanism to insure that all complaints are reviewed and that persons with knowledge of what is a potential violation of the law or Company policy can “triage” the complaints to determine both the seriousness of the harm alleged (i.e., urgency) and who is best suited to evaluate what. The Company needs to train personnel in investigations, and the program also needs accountability. Nothing will kill a program quicker than having people bring forth good faith complaints, and having those complaints fall on deaf ears or have no outcomes.
In this investigation phase, the Company also needs to continue to protect the integrity of the entire program, that is, police the confidentiality protections afforded the whistleblower, insure the due process protections to be afforded the alleged wrongdoer, manage potential conflicts of interest among the stakeholders, and ultimately take action on violations that have been identified.
As with any culture change, this requires buy-in from the top, a business case for the program, training and more training of all involved, so that each understands the importance of their roles, accountability for oversight of and implementation of the program, and rewards for an effective program. These factors must all exist at the same time and work in tandem. Stated differently, if any one of the pillars falls, the program is in jeopardy of crashing down, usually with the whistleblower crushed in the collapse.
More significantly, the Guidance recognizes the other often ignored reality: be careful what you wish for. By definition, if a Company successfully designs a program that provides effective complaint channels, protection for the complainers, and a culture of respect and recognition for all involved in the successful implementation of “see something, say something,” the Company must be prepared for a potential onslaught of “complaints.”
In other words, if you build it, they will come. And employers should welcome the complaints. Yes, some will be frivolous, some will be trite and not involve any type of wrongdoing, some may be confusing or difficult to understand, and some may lead the employer to see wrongdoing that needs to be corrected—and/or reported. As the Guidance explains, if you want your program to survive beyond its initial roll-out, you need to be prepared for a potential rush of claims, and embrace it.
The alternative is for employees to go straight to the regulators, or to their own lawyers, without giving the employer an opportunity to address those of the complaints that are meritorious, and without letting employees know that their complaints are being heard and taken seriously.
Experience has shown over and over again that the best policies in writing (and design) are not worth the paper they are written on if the conduct of those at the top does not reflect complete and total buy-in for the values the policies espouse.
At the end of the day, again, the Guidance is sound. Indeed, it is careful, thorough, and insightful. But it is issued on facts that demonstrate that what are suggestions today may turn into minimum requirements tomorrow. The warning shot has been fired, and employers, whether in financial services or otherwise, would do well to review and conform policies in this area.
Philip M. Berkowitz is a shareholder of Littler Mendelson and co-chair of the firm's U.S. international employment law and financial services practices. Margaret Watson is a shareholder of the firm and a member of its financial services industry group.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrump Mulls Big Changes to Banking Regulation, Unsettling the Industry
SEC Issues $6.75M Fine Against Financial Firm Led by Trump's Choice to Lead Commerce Dept.
3 minute readTrending Stories
- 1Senate Confirms Last 2 of Biden's California Judicial Nominees
- 2Morrison & Foerster Doles Out Year-End and Special Bonuses, Raises Base Compensation for Associates
- 3Tom Girardi to Surrender to Federal Authorities on Jan. 7
- 4Husch Blackwell, Foley Among Law Firms Opening Southeast Offices This Year
- 5In Lawsuit, Ex-Google Employee Says Company’s Layoffs Targeted Parents and Others on Leave
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250