Add the New York Department of Financial Services (the “DFS” or “Department”) to the veritable orchestra of governmental entities and regulatory authorities that have issued requirements on “whistleblowing.” A new governmental whistleblowing requirement in and of itself is not a cause to warble. Indeed, US financial regulators, including the Securities and Exchange Commission (“SEC”), the Commodity Futures Trading Commission (“CFTC”), the Federal Deposit Insurance Corporation (“FDIC”) and the Financial Industry Regulatory Authority (“FINRA”), among others, previously released rules and guidance to encourage the reporting of concerns and the protection of whistleblowers. And there are over a dozen federal statutes that seek to protect private sector employees in specific industry sectors from retaliation for public disclosure of perceived illegal acts by their employer.

There are three reasons that the new DFS guidance issued on January 7, 2019 (“the Guidance”) deserves close scrutiny. The first is that privately held, state chartered non-depository institutions licensed in New York are subject to this guidance. This includes licensed residential mortgage lenders and servicers and other types of state licensed consumer credit providers. Second, the definition of “whistleblowing” under the Guidance is extraordinarily broad, going well beyond allegations of illegal conduct. Last, the new requirement is not based on a specific whistleblowing statute or regulation prohibiting retaliation against a whistleblower. It instead simply constitutes guidance on the principles that the DFS believes should be accounted for when designing and implementing a whistleblowing program; as a result, it is not at all clear what happens under the Guidance if a licensee is determined by the DFS to have improperly retaliated against a whistleblower.

The Guidance is extensive and in many cases builds on the requirements of its federal counterparts. Entities regulated by the DFS that have whistleblower programs should take special care to review their present programs to ensure that they consider this new Guidance. Licensees without a whistleblower program may want to consider designing and implementing one in light of this Guidance.

The DFS Guidance

The Guidance broadly defines “whistleblowing” as “reporting information or concerns that are reasonably believed to constitute illegality, fraud, unfair or unethical conduct, mismanagement, abuse of power, unsafe or dangerous activity, or other wrongful conduct, including, but not limited to, any conduct that may affect the safety, soundness, or reputation of the institution.” Contrast this definition, for example, with Section 1057 of the Consumer Financial Protection Act of 2010, which does not have a specific definition for whistleblowing but is written to prohibit retaliatory actions taken against employees who report “… any violation of, or any act or omission that the employee reasonably believes to be a violation of, any provision of this title or any other provision of law that is subject to the jurisdiction of the [Consumer Financial Protection Bureau], or any rule, order, standard, or prohibition prescribed by the [Consumer Financial Protection Bureau.]” This much narrower standard is limited to areas over which the Consumer Financial Protection Bureau has specific jurisdiction. The Guidance states that a whistleblower may be any person who has the opportunity to observe improper conduct at a company, including current or former employees, agents, consultants, vendors or service providers, outside counsel, customers or shareholders.

The Guidance applies to all DFS-regulated institutions, regardless of the industry and size of the organization, but the Department acknowledged that one size does not fit every whistleblower program. Therefore, the Guidance should be used to assist entities in determining the design for an effective program based on the institution’s:

  • Size,

  • Geographical reach, and

  • Specific lines of business.

The Guidance enumerates 10 elements that should be accounted for as part of an effective whistleblowing program. Below we group the ten elements into three phases: receiving a whistleblower complaint, evaluating it and acting on it. It is important to reiterate that this Guidance is limited to the design and implementation of an effective whistleblowing program and does not create a direct cause of action for engaging in wrongful retaliation.1

Receiving a Complaint from a Whistleblower

The first two elements of the Guidance address reporting channels and anonymity. The Department emphasizes that it is important to establish reporting channels and employee protections and to ensure support across the organization when designing a whistleblower program in order to properly receive concerns. Because a whistleblower program is only successful if employees report what they observe, the Department urges institutions to instill confidence through genuine and demonstrated top-down support, including by allocating necessary resources to the program.

Reporting channels should be independent, well-publicized and easy to access. They may include a toll-free number, a dedicated email address or a third-party reporting service, any of which should be well-publicized to employees and other stakeholders. Programs should also train managers to identify whistleblowing issues beyond normal channels, such as during employee reviews or from informal conversations. The Guidance states that managers should also know how to direct informal whistleblowing complaints to a compliance or an investigative unit.

To ensure a whistleblower’s protection, the Guidance suggests that the entire reporting process include safeguards for submitters who wish to remain anonymous. But the process should also include, when appropriate or necessary, ways for whistleblowers to provide additional information. Additionally, the reporting process should have strong safeguards in place that ensure a whistleblower is protected from retaliation. When a deviation from established safeguards is necessary, it should be for specific, objective and articulable reasons; well-documented; and only done with the involvement of senior compliance and legal management.

Evaluating a Whistleblower Complaint

The next three elements of the Guidance address conflicts of interest, staffing and investigative procedures. Due to the nature of a whistleblower’s concerns, institutions must consider how to properly manage conflicts, investigate concerns and follow up on allegations. Procedures should include how to identify and minimize the effects of conflicts involving senior management and the board of directors. Procedures should also consider how to manage conflicts that may arise through the employee who handles or manages a whistleblowing matter, especially if the reviewer supervises, reports to or has some other relation with the subject of the allegation.

To conduct investigations of whistleblower concerns, the Department suggests that qualified, independent, un-conflicted staff should abide by established procedures. The use of objective standards should be built into procedures to evaluate the risk of each allegation and to assist in determining what “quantum of evidence” a report will require to trigger escalation.

The Guidance outlines that the staff evaluating a whistleblower’s concern should be adequately trained to manage all stages of a complaint, including its reception, determining a course of action, investigating and potentially referring or escalating the issue. To carry out their duties, the staff should have significant autonomy, independence, empowerment and access to senior management. Specifically, the Guidance lists that reviewers should be trained to:

  • Ensure confidentiality, anonymity (if desired) and protection from retaliation;

  • Handle all reporting channels in a consistent manner;

  • Sort out non-whistleblower matters that do not require a detailed investigation;

  • Recognize the possibility of independent reports being related to the same wrongdoing;

  • Investigate allegations;

  • Evaluate the results and assess the merits of each complaint, and escalate valid complaints to the appropriate division for action;

  • Report to un-conflicted senior management; and

  • Maintain, for audits, records of the process.

The Department recognizes that while larger institutions may have a dedicated staff for whistleblowing concerns, all institutions should ensure staff members have sufficient time to dedicate to this review. Staffing levels should be periodically reevaluated to ensure that all submitted complaints receive appropriate attention.

Acting on a Whistleblower Complaint

The final five elements of the Guidance address follow-up, retaliation, confidentiality, oversight and corporate culture. The Department states that whistleblower concerns should follow procedures to appropriately engage in follow-ups and responses while managing concern for confidentiality and prevention of retaliation. To do so, the whistleblowing program should be overseen by the appropriate leaders, including senior managers, auditors, the board of directors or other stakeholders. Additionally, institutions should establish protocols to refer matters to the appropriate business unit, the legal department, internal or external auditors, independent board members or government authorities, as necessary. Institutions should create and maintain auditable records of referrals and actions taken in response to whistleblowing complaints.

During an investigation, the whistleblower’s identity should remain anonymous when appropriate, and safeguards should be taken to also protect the integrity of the investigation itself, the subjects of the allegations and the institution’s reputation when necessary. Finally, the Guidance also echoes the concerns of federal regulators, stating that concrete steps should be implemented to ensure that whistleblowers are protected from any form of retaliation, regardless of whether or not the allegation is ultimately determined to be well-founded.

The Guidance notes that whistleblowers will come forward only if they have confidence in the whistleblowing program. Senior managers and the board of directors must consistently demonstrate support for the whistleblowing function through both their words and their actions.


The DFS states that its Guidance constitutes “principles and best practices” that all entities that it regulates should consider in implementing a whistleblower program. While the DFS does not expressly state that the Guidance constitutes a requirement to establish a whistleblowing program or to ensure that such a program include each and every element set forth in its Guidance, the DFS views a robust whistleblowing program as an “essential element of a comprehensive compliance program” for regulated financial services providers. Given the importance that DFS has assigned to this topic and the detailed steps that the agency has set forth with regard to establishing and managing a whistleblower program, regulated entities should expect that the DFS will include whistleblower programs in its audits and examinations and will review these programs in light of the size and type of regulated entity to gauge their effectiveness. Regulated entities should also expect that the DFS may seek to take action against those entities that do not make good faith efforts to consider and implement the Guidance, although it is not clear what the legal violation would be for a licensee that is found to have implemented an inadequate whistleblower program or violated its own program in the case of an individual employee. Moreover, given the DFS’s prominence in regulating providers of financial services, it is very possible that other state financial services regulators will follow in the footsteps of DFS and establish similar guidance, or requirements, regarding whistleblower programs in their jurisdictions.

1 Note, for example, Section 1057(a) of the Consumer Financial Protection Act of 2010, which provides that “[n]o covered person or service provider shall terminate or in any other way discriminate against, or cause to be terminated or discriminated against, any covered employee or any authorized representative of covered employees by reason of the fact that such employee or representative, whether at the initiative of the employee or in the ordinary course of the duties of the employee (or any person acting pursuant to a request of the employee) …” engaged in whistleblowing.