At the start of this year, the New York State Department of Financial Services (DFS) issued a “Guidance on Whistleblowing Programs.” The DFS is the department of the New York state government responsible for enforcing regulating financial services and products within the state, including those subject to the insurance, banking and financial services laws. The Guidance recognizes that there is no “one size fits all” model for a whistleblower program. Although certain statutes may mandate the existence of a whistleblower program, with the most limited exception, the laws, rules and regulations do not specify the design of these programs.

Many laws prohibit employers in the private sector from retaliating against whistleblowers, but with the most limited exception, these statutes do not mandate any formal whistleblower program. For example, the Occupational Safety and Health Act 1970 (OSHA) protects those who have reported or complained about workplace safety and health issues and Title VII, the ADA, ADEA, and related anti-discrimination statutes all contain prohibitions against retaliation for any employee who complains in good faith of a perceived violation of one of these laws, but none of these statutes mandates a whistleblower program.

On the other hand, the rules promulgated by the Securities and Exchange Commission in connection with implementation of §301 of the Sarbanes-Oxley Act mandate, among other things, that the audit committees of public companies (i.e., issuers listed on U.S. exchanges) establish whistleblower procedures that include programs for “the confidential, anonymous submission by employees” of concerns regarding questionable accounting or auditing matters. See 17 CFR §240.10A-3.

Accordingly, the DFS has shared with the business community what its experiences in compliance investigations and related prosecutions has taught it are the essential “pillars” of any bona fide whistleblower program.

The Guidance is sound. Indeed, in many respects, DFS provides a best practices manual, for free. And they should be applauded for doing so.  However, viewed in the larger context in which these practices were developed, one should be wary that this free advice may simply constitute a notice period for what will soon be mandated provisions for any bona fide whistleblower program, whether by DFS or other government entities.

DFS identifies 10 pillars that “any effective whistleblower program should include.” Each is worthy of attention. They are:

(1) Reporting channels that are independent, well-publicized, easy to access, and consistent;

(2) Strong protections for a whistleblower’s anonymity;

(3) Established procedures for identifying and managing potential conflicts of interest;

(4) Staff members adequately trained to receive whistleblowing complaints; determine a course of action; and competently manager any investigation, referral, or escalation;

(5) Established procedures for investigating allegations of wrongdoing;

(6) Established procedures for ensuring appropriate follow-up to valid complaints;

(7) Protecting whistleblowers from retaliation.

(8) Confidential treatment.

(9) Appropriate oversight of the whistleblowing function by senior management, internal and external auditors, and the Board of Directors; and

(10) A top-down culture of support for the whistleblowing function.

We will not address in depth all of the reasons for each of these pillars, as the DFS has done a nice job of providing such information in its relatively short and concise Guidance which can be found online. We will, however, put some of these best practices in context.

First, the pillars must be understood in the context of intending to create a program to encourage people, primarily employees (though some programs explicitly extend to vendors, customers or any “persons”) to come forward with notice of any perceived wrongdoing; and not just to provide a channel for them to do so. As the DFS’s experience shows and businesses know all too well, the source of crimes to businesses (including theft, corruption, espionage, money laundering, etc.) most often originates with the participation of insiders. Accordingly, insiders or other employees are usually eye-witnesses to such conduct or suspected conduct.

Against this background, the design of any whistleblower program must be not just to provide a reporting channel, but to incentivize employees to come forward and raise their concerns. In order to do this, the designers of any program must understand the risk analysis that the reporting employee confronts. Why should she say anything? To be blunt, what’s in it for her? Why should she stick her neck out? Or as she might say, “What do I care?” “Why should I put my job on the line?” “Who is going to believe me?” and “Who is going to protect me?”

These questions are not spurious. Indeed, a cursory review of the number of whistleblower claims filed across industries and involving all types of alleged illegal conduct makes one thing clear: perceptions of retaliation are real, real enough to make any person think twice before they raise a complaint. So any bona fide program must not just provide a complaint reporting procedure, it must adequately address these concerns.

As the DFS’s Guidance recognizes, one has to change this risk analysis. Employers should create a culture where (1) reporting is favored, not frowned upon, and (2) where the whistleblower is safe, both in terms of having their identity protected in the first instance and then policing that they are not retaliated against when they are identified for bringing forth what are good faith complaints of perceived unlawful conduct.

Among other things, the Company needs a mechanism to insure that all complaints are reviewed and that persons with knowledge of what is a potential violation of the law or Company policy can “triage” the complaints to determine both the seriousness of the harm alleged (i.e., urgency) and who is best suited to evaluate what. The Company needs to train personnel in investigations, and the program also needs accountability. Nothing will kill a program quicker than having people bring forth good faith complaints, and having those complaints fall on deaf ears or have no outcomes.

In this investigation phase, the Company also needs to continue to protect the integrity of the entire program, that is, police the confidentiality protections afforded the whistleblower, insure the due process protections to be afforded the alleged wrongdoer, manage potential conflicts of interest among the stakeholders, and ultimately take action on violations that have been identified.

As with any culture change, this requires buy-in from the top, a business case for the program, training and more training of all involved, so that each understands the importance of their roles, accountability for oversight of and implementation of the program, and rewards for an effective program. These factors must all exist at the same time and work in tandem. Stated differently, if any one of the pillars falls, the program is in jeopardy of crashing down, usually with the whistleblower crushed in the collapse.

More significantly, the Guidance recognizes the other often ignored reality: be careful what you wish for. By definition, if a Company successfully designs a program that provides effective complaint channels, protection for the complainers, and a culture of respect and recognition for all involved in the successful implementation of “see something, say something,” the Company must be prepared for a potential onslaught of “complaints.”

In other words, if you build it, they will come. And employers should welcome the complaints. Yes, some will be frivolous, some will be trite and not involve any type of wrongdoing, some may be confusing or difficult to understand, and some may lead the employer to see wrongdoing that needs to be corrected—and/or reported. As the Guidance explains, if you want your program to survive beyond its initial roll-out, you need to be prepared for a potential rush of claims, and embrace it.

The alternative is for employees to go straight to the regulators, or to their own lawyers, without giving the employer an opportunity to address those of the complaints that are meritorious, and without letting employees know that their complaints are being heard and taken seriously.

Experience has shown over and over again that the best policies in writing (and design) are not worth the paper they are written on if the conduct of those at the top does not reflect complete and total buy-in for the values the policies espouse.

At the end of the day, again, the Guidance is sound. Indeed, it is careful, thorough, and insightful. But it is issued on facts that demonstrate that what are suggestions today may turn into minimum requirements tomorrow. The warning shot has been fired, and employers, whether in financial services or otherwise, would do well to review and conform policies in this area.

Philip M. Berkowitz is a shareholder of Littler Mendelson and co-chair of the firm’s U.S. international employment law and financial services practices. Margaret Watson is a shareholder of the firm and a member of its financial services industry group.