United States: New York Subjects State Licensees To Whistleblower Protections

Add the New York Department of Financial Services (the "DFS" or "Department") to the veritable orchestra of governmental entities and regulatory authorities that have issued requirements on "whistleblowing." A new governmental whistleblowing requirement in and of itself is not a cause to warble. Indeed, US financial regulators, including the Securities and Exchange Commission ("SEC"), the Commodity Futures Trading Commission ("CFTC"), the Federal Deposit Insurance Corporation ("FDIC") and the Financial Industry Regulatory Authority ("FINRA"), among others, previously released rules and guidance to encourage the reporting of concerns and the protection of whistleblowers. And there are over a dozen federal statutes that seek to protect private sector employees in specific industry sectors from retaliation against public disclosure of perceived illegal acts by their employer.

There are three reasons that the new DFS guidance issued on January 7, 2019 ("the Guidance") deserves close scrutiny. The first is that privately held, state chartered non-depository institutions licensed in New York are subject to this guidance. This includes licensed residential mortgage lenders and servicers and other types of state licensed consumer credit providers. Second, the definition of "whistleblowing" under the Guidance is extraordinarily broad, going well beyond allegations of illegal conduct. Last, the new requirement is not based on a specific whistleblowing statute or regulation prohibiting retaliation against a whistleblower. It instead simply constitutes guidance on the principles that the DFS believes should be accounted for when designing and implementing a whistleblowing program; as a result, it is not at all clear what happens under the Guidance if a licensee is determined by the DFS to have improperly retaliated against a whistleblower.

The Guidance is extensive and in many cases builds on the requirements of its federal counterparts. Entities regulated by the DFS that have whistleblower programs should take special care to review their present programs to ensure that they consider this new Guidance. Licensees without a whistleblower program may want to consider designing and implementing one in light of this Guidance.

The DFS Guidance

The Guidance broadly defines "whistleblowing" as "reporting information or concerns that are reasonably believed to constitute illegality, fraud, unfair or unethical conduct, mismanagement, abuse of power, unsafe or dangerous activity, or other wrongful conduct, including, but not limited to, any conduct that may affect the safety, soundness, or reputation of the institution." Contrast this definition, for example, with Section 1057 of the Consumer Financial Protection Act of 2010, which does not have a specific definition for whistleblowing but is written to prohibit retaliatory actions taken against employees who report "... any violation of, or any act or omission that the employee reasonably believes to be a violation of, any provision of this title or any other provision of law that is subject to the jurisdiction of the [Consumer Financial Protection Bureau], or any rule, order, standard, or prohibition prescribed by the [Consumer Financial Protection Bureau.]" This much narrower standard is limited to areas over which the Consumer Financial Protection Bureau has specific jurisdiction. The Guidance states that a whistleblower may be any person who has the opportunity to observe improper conduct at a company, including current or former employees, agents, consultants, vendors or service providers, outside counsel, customers or shareholders.

The Guidance applies to all DFS-regulated institutions, regardless of the industry and size of the organization, but the Department acknowledged that one size does not fit every whistleblower program. Therefore, the Guidance should be used to assist entities in determining the design for an effective program based on the institution's:

  • Size,
  • Geographical reach, and
  • Specific lines of business.

The Guidance enumerates 10 elements that should be accounted for as part of an effective whistleblowing program. Below we group the ten elements into three phases: receiving a whistleblower complaint, evaluating it and acting on it. It is important to reiterate that this Guidance is limited to the design and implementation of an effective whistleblowing program and does not create a direct cause of action for engaging in wrongful retaliation.1

Receiving a Complaint from a Whistleblower

The first two elements of the Guidance address reporting channels and anonymity. The Department emphasizes that it is important to establish reporting channels and employee protections and to ensure support across the organization when designing a whistleblower program in order to properly receive concerns. Because a whistleblower program is only successful if employees report what they observe, the Department urges institutions to instill confidence through genuine and demonstrated top-down support, including by allocating necessary resources to the program.

Reporting channels should be independent, well-publicized and easy to access. They may include a toll-free number, a dedicated email address or a third-party reporting service, any of which should be well-publicized to employees and other stakeholders. Programs should also train managers to identify whistleblowing issues beyond normal channels, such as during employee reviews or from informal conversations. The Guidance states that managers should also know how to direct informal whistleblowing complaints to a compliance or an investigative unit.

To ensure a whistleblower's protection, the Guidance suggests that the entire reporting process include safeguards for submitters who wish to remain anonymous. But the process should also include, when appropriate or necessary, ways for whistleblowers to provide additional information. Additionally, the reporting process should have strong safeguards in place that ensure a whistleblower is protected from retaliation. When a deviation from established safeguards is necessary, it should be for specific, objective and articulable reasons; well-documented; and only done with the involvement of senior compliance and legal management.

Evaluating a Whistleblower Complaint

The next three elements of the Guidance address conflicts of interest, staffing and investigative procedures. Due to the nature of a whistleblower's concerns, institutions must consider how to properly manage conflicts, investigate concerns and follow up on allegations. Procedures should include how to identify and minimize the effects of conflicts involving senior management and the board of directors. Procedures should also consider how to manage conflicts that may arise through the employee who handles or manages a whistleblowing matter, especially if the reviewer supervises, reports to or has some other relation with the subject of the allegation.

To conduct investigations of whistleblower concerns, the Department suggests that qualified, independent, un-conflicted staff should abide by established procedures. The use of objective standards should be built into procedures to evaluate the risk of each allegation and to assist in determining what "quantum of evidence" a report will require to trigger escalation.

The Guidance outlines that the staff evaluating a whistleblower's concern should be adequately trained to manage all stages of a complaint, including its reception, determining a course of action, investigating and potentially referring or escalating the issue. To carry out their duties, the staff should have significant autonomy, independence, empowerment and access to senior management. Specifically, the Guidance lists that reviewers should be trained to:

  • Ensure confidentiality, anonymity (if desired) and protection from retaliation;
  • Handle all reporting channels in a consistent manner;
  • Sort out non-whistleblower matters that do not require a detailed investigation;
  • Recognize the possibility of independent reports being related to the same wrongdoing;
  • Investigate allegations;
  • Evaluate the results and assess the merits of each complaint, and escalate valid complaints to the appropriate division for action;
  • Report to un-conflicted senior management; and
  • Maintain, for audits, records of the process.

The Department recognizes that while larger institutions may have a dedicated staff for whistleblowing concerns, all institutions should ensure staff members have sufficient time to dedicate to this review. Staffing levels should be periodically reevaluated to ensure that all submitted complaints receive appropriate attention.

Acting on a Whistleblower Complaint

The final five elements of the Guidance address follow-up, retaliation, confidentiality, oversight and corporate culture. The Department states that whistleblower concerns should follow procedures to appropriately engage in follow-ups and responses while managing concern for confidentiality and prevention of retaliation. To do so, the whistleblowing program should be overseen by the appropriate leaders, including senior managers, auditors, the board of directors or other stakeholders. Additionally, institutions should establish protocols to refer matters to the appropriate business unit, the legal department, internal or external auditors, independent board members or government authorities, as necessary. Institutions should create and maintain auditable records of referrals and actions taken in response to whistleblowing complaints.

During an investigation, the whistleblower's identity should remain anonymous when appropriate, and safeguards should be taken to also protect the integrity of the investigation itself, the subjects of the allegations and the institution's reputation when necessary. Finally, the Guidance also echoes the concerns of federal regulators, stating that concrete steps should be implemented to ensure that whistleblowers are protected from any form of retaliation, regardless of whether or not the allegation is ultimately determined to be well-founded.

The Guidance notes that whistleblowers will come forward only if they have confidence in the whistleblowing program. Senior managers and the board of directors must consistently demonstrate support for the whistleblowing function through both their words and their actions.


The DFS states that its Guidance constitutes "principles and best practices" that all entities that it regulates should consider in implementing a whistleblower program. While the DFS does not expressly state that the Guidance constitutes a requirement to establish a whistleblowing program or to ensure that such a program include each and every element set forth in its Guidance, the DFS views a robust whistleblowing program as an "essential element of a comprehensive compliance program" for regulated financial services providers. Given the importance that DFS has assigned to this topic and the detailed steps that the agency has set forth with regard to establishing and managing a whistleblower program, regulated entities should expect that the DFS will include whistleblower programs in its audits and examinations and will review these programs in light of the size and type of regulated entity to gauge their effectiveness. Regulated entities should also expect that the DFS may seek to take action against those entities that do not make good faith efforts to consider and implement the Guidance, although it is not clear what the legal violation would be for a licensee that is found to have implemented an inadequate whistleblower program or violated its own program in the case of an individual employee. Moreover, given the DFS's prominence in regulating providers of financial services, it is very possible that other state financial services regulators will follow in the footsteps of DFS and establish similar guidance, or requirements, regarding whistleblower programs in their jurisdictions.

1 Note, for example, Section 1057(a) of the Consumer Financial Protection Act of 2010, which provides that "[n]o covered person or service provider shall terminate or in any other way discriminate against, or cause to be terminated or discriminated against, any covered employee or any authorized representative of covered employees by reason of the fact that such employee or representative, whether at the initiative of the employee or in the ordinary course of the duties of the employee (or any person acting pursuant to a request of the employee) ..." engaged in whistleblowing.

Visit us at mayerbrown.com

Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2019. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.
