Consider Whistleblower Policy Protections

If a whistle blows in the woods, who hears it?

September 1, 2010

Does your credit union have a whistleblower policy? Of the many policies you should have to guide your operations, the whistleblower policy is probably the least discussed but may ultimately provide significant protection to both the credit union and its employees or volunteers. 

What’s a whistleblower policy?

Good whistleblower policies are designed to give employees and volunteers a chain of reporting if they become aware of wrongdoing within the organization.

Wrongdoing could consist of a blatant violation of laws or regulations such as embezzlement or money laundering. It could involve a loan officer approving loans to acquaintances that he or she knows aren’t in the field of membership, a supervisor improperly accessing accounts, or a manager insisting on adjusting entries or delaying reports that may serve to temporarily hide an operating loss at the credit union until after the next board meeting or examination.

In any of these events, an employee or volunteer may, in the absence of a whistleblower policy that’s widely known and understood, be in a quandary as to what to do upon discovering such activities. 

Why have a policy?

In the midst of various well-publicized corporate crises, such as Enron and WorldCom, many employees knew about questionable activities but weren’t sure how to report them. Congress responded by requiring publicly traded corporations to adopt a whistleblower policy and to publicize it within the organization. And, undoubtedly due to the Madoff investment scandal, the new Dodd-Frank Wall Street Reform and Consumer Protection Act strengthens employee protections from employer retaliation for reporting suspicious securities activities.

Of course, credit unions are neither publicly traded corporations nor for-profit organizations. But adopting a whistleblower policy not only makes good sense, but should be considered a best practice within the credit union industry for the same reasons it’s required for public companies.

Tax-exempt organizations began seriously focusing on the desirability of having a whistleblower policy a couple of years ago when the Internal Revenue Service (IRS) revised its Form 990, “Return of Organization Exempt from Income Tax.” State-chartered credit unions (but not federal credit unions) are required to file this form annually. 

The IRS expanded the 990 form to ask many more questions about the governance and management practices of tax-exempt organizations, including numerous questions about the policies of the tax-exempt organization, while acknowledging “information about policies isn’t required” under the tax laws. Question 13 in Part VI asks: “Does the organization have a written whistleblower policy?” The IRS explains in the instructions that it believes having a whistleblower policy is one indicator of good governance practices.

What policies should address

Because of the light—or heat—the IRS has put on this subject, credit unions can find dozens of examples of whistleblower policies simply by googling the words “whistleblower policy sample.” 

Your credit union’s size will undoubtedly influence the structure and detail of your policy. In a credit union with less than 10 employees, the reporting chain will certainly look different from that of a larger credit union with more than 200 employees.

In drafting and adopting a policy that’s right for your credit union, consider how it will work when someone discovers an employee or volunteer’s wrongdoing. What happens if a teller discovers a branch manager is shorting the count each day? Where does the controller go if he discovers wrongdoing on the part of the CFO or CEO? The policy may state an employee should first report the potential problem to his or her supervisor if the person is comfortable in doing so, but certainly you must provide an alternate process.

Your policy should designate one individual who will typically be responsible for enforcing compliance with the whistleblower policy. In many credit unions, that could be the head of risk management, fraud prevention, or compliance—or the supervisory committee chair. As addressed in the policy, the person will have the duty to investigate the reported activity and, if appropriate, recommend corrective action to executive management or the board of directors.

Make sure the designated person is at a high enough level within the credit union that he or she wouldn’t be reluctant to investigate the reported activity of a senior executive or even the CEO.

While these policies also may provide for anonymous reporting, a drawback to such an approach is that if the person didn’t provide enough information in the initial tip, the investigation and follow-up may prove difficult, if not impossible.

As you review other organizations’ whistleblower policies, you’ll see they address similar areas. Here’s a possible outline of what your policy may want to cover:

  • The policy’s purpose. Explain the importance to the credit union of having potential problems reported.
  • The expectation that employees and volunteers report concerns.
  • No retaliation for reporting, so long as the person reporting is acting with a good-faith belief there may be a problem.
  • The reporting process.
  • Confidentiality—and address the possibility of reporting anonymously, while explaining that doing so may hamper an adequate investigation.
  • How you’ll investigate any reported violations.
  • How you’ll inform employees and volunteers of the whistleblower policy and reporting procedures.

Protect employees from retaliation

While employees are specifically protected against adverse action taken as a result of reporting wrongdoing to the National Credit Union Administration (NCUA) under Section 1790b of the Federal Credit Union Act, this statutory protection doesn’t necessarily extend to reports made within the credit union chain of command that aren’t also made to NCUA. 

An effective whistleblower policy must clearly provide that your credit union won’t take any adverse action against the individual—whether a volunteer or employee—for reporting what that person reasonably believed to be wrongful activity that’s intended to be disclosed to comply with the policy. Many policies specifically state the person reporting the questionable action must do so in good faith to be protected from disciplinary action, including termination.

Educate staff and volunteers

It should go without saying that of equal importance to developing a whistleblower policy is that the policy be widely distributed to your employees and volunteers and they be regularly reminded of why and how to report possible wrongdoings. Some organizations have a form to report problems, and you can find examples along with sample policies on the Internet. 

Credit unions have (or should have) ethics policies that they require their employees and volunteers to acknowledge annually.   You can easily annually disclose your whistleblower policy along with your ethics policy, or even incorporate whistleblower provisions into your ethics policy. 

It’s crucial that management and the board of directors emphasize to each employee and volunteer that compliance with the whistleblower policy is mandatory. This approach will ensure that in the unfortunate event wrongful activities are discovered, employees or volunteers know they’re expected to report them, they’ll suffer no adverse consequences for reporting, and your creditunion will fully investigate.

CHRISTOPHER J. PIPPETT is a partner with Fox Rothschild LLP in Exton, Pa.