Strong Whistleblower Protections Reflect a Positive Compliance Culture

By Maria T. Vullo

In a recent submission to Congress, the U.S. Securities & Exchange Commission (SEC) reported that, for fiscal year 2018, the SEC paid the largest whistleblower awards since the institution of its program in 2012 following the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank).  Specifically, in FY 2018, the SEC awarded 13 individuals over $168 million collectively for tips that led to actions by the SEC to protect investors.[1]

Other statutes likewise provide financial incentives to whistleblowing.  Under the False Claims Act (FCA), for example, persons who report fraud in government contracting can receive up to 30 percent of the government’s recovery in an action.  Many states, including New York, have enacted state-level equivalents of the FCA.  For many decades, the FCA has contributed to large recoveries to the U.S. Treasury, with an expansion of recoveries in part due to the reporting of violations by whistleblowers.

Surely, these laws help to encourage whistleblowers to come forward and provide substantial assistance to governmental authorities in pursuing law violators.  However, the external reporting of law violations to governmental authorities is only one area where the protection of whistleblowers is important.  The internal reporting of concerns within an organization is of equal importance and should be addressed as a matter of the organization’s governance practices, which are essential to fostering a strong compliance culture, regardless of whether the corporation is a public or an otherwise regulated company.

Indeed, a recent article in Harvard Business Review discussed an analysis of companies with internal whistleblower programs and concluded that whistleblowing within an organization is crucial to the financial health of the company.  According to this study, companies with strong internal whistleblower reporting reflect an environment having open communication channels and employee trust in management, even to the point of making the company more profitable.  In particular, the article posits that companies with higher usage of whistleblower programs have fewer lawsuits and lower settlements, as the concerns are addressed internally before they become larger problems.

Regardless of the merits of this analysis, management’s attention should be focused on internal whistleblower programs as part of the organization’s overall compliance framework, independently of external reporting systems such as the SEC’s program.  Indeed, a robust whistleblower program should be considered an essential component of a comprehensive compliance program for all companies, including public companies subject to the SEC’s jurisdiction and regulated financial services companies.  In fact, the New York State Department of Financial Services recently issued whistleblowing guidance to all entities regulated by the Department, following a consent order and $15 million fine imposed against one institution for management failures in this area.

Considering the importance of the issue to both federal and state regulators, as well as the thesis that healthier companies have strong whistleblower programs, all companies should periodically review their whistleblower programs and consider whether any changes are necessary.  While each company’s whistleblower program will differ based on the institution’s size, geographical reach and lines of business, every program should include certain fundamental principles.

First, a whistleblower program should include a dedicated mechanism for employees to report information in a safe and secure manner.  The channels of communication must be readily available and known to all employees, and employees must trust the security and integrity of the chosen channels for communication.  At a minimum, the person or persons to whom information is reported must have adequate independence from management and be empowered and trained to investigate the information provided without interference from management or persons who may be the subject of the complaint.  Without confidence in the channels of communication, employees will be discouraged from reporting incidents that otherwise should be reported through a viable whistleblower program.

Second, a whistleblower program should include strong protections for the whistleblower, including provisions that allow the whistleblower to remain anonymous.  While complete anonymity often cannot be assured if the complaint is to be adequately investigated, the program must provide confidence that the whistleblower’s identity will be closely held among a small group of people necessary to investigate the information provided by the whistleblower.  In addition, every whistleblower program must include provisions that protect the whistleblower from any form of retaliation or adverse action.

Third, a viable whistleblower program should include procedures for the investigation of complaints, including procedures for the review of allegations of wrongdoing by qualified staff who are independent and not conflicted.  In addition, the program should include objective standards to investigate complaints, including standards regarding the level of evidence needed to trigger escalation and further action, as well as for the closing of the investigation.  The program must also include requirements of proper recordkeeping of complaint reviews and investigations.

Fourth, an important component of a whistleblower program is its oversight by appropriate senior managers.  The level of oversight may include senior members of the company’s legal, compliance and audit departments, as well as the Board of Directors and outside counsel and auditors, depending on the nature of the allegations and the information learned in the investigation.  In all cases, senior management including the Board of Directors must fully support the whistleblower program, including by allocating appropriate resources and by vocally embracing the principle that open communication is valued by the organization.

These principles are not exhaustive but are minimum standards necessary for an adequate whistleblower program.  At bottom, a strong whistleblower program demonstrates management’s dedication to a compliant organization in which all employees and stakeholders have confidence, leading to a healthier workplace and a more successful company.


[1] The SEC has also amended its regulations in light of the U.S. Supreme Court’s recent decision in Digital Realty Trust, Inc. v. Somers, 138 S. Ct. 767 (2018), holding that the anti-retaliation protections of Dodd-Frank apply only when the employee reports the violation to the SEC.

Maria T. Vullo is a senior fellow at NYU School of Law’s Program on Corporate Compliance and Enforcement, and is former Superintendent of the Department of Financial Services.


The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law.  PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.