Whistleblower Policy
Sarbanes-Oxley Act Section 806 — Dodd-Frank Act Section 922
[Company Name]
[Company Street], [Company City], [State] [Company Zip]
Effective Date: [Policy Date]
1. INTRODUCTION AND SCOPE
1.1 [Company Name] is committed to operating with integrity and transparency. This Whistleblower Policy is designed to encourage employees and other covered individuals to report suspected wrongdoing, fraud, violations of law, or unethical conduct without fear of retaliation.
1.2 This policy applies to all directors, officers, employees (full-time, part-time, and temporary), contractors, subcontractors, agents, and any other person associated with [Company Name] who has knowledge of or a reasonable belief concerning wrongdoing.
1.3 This policy does not replace other [Company Name] policies, including the Employee Grievance Policy, which should be used for personal employment-related complaints.
2. LEGAL FRAMEWORK
2.1 This policy has been prepared in compliance with the following federal laws:
- Sarbanes-Oxley Act of 2002 (SOX), Section 806 (18 U.S.C. 1514A) — which protects employees of publicly traded companies who report securities fraud, including mail fraud, wire fraud, bank fraud, and violations of SEC rules and regulations.
- Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, Section 922 (15 U.S.C. 78u-6) — which established the SEC Whistleblower Program, providing financial awards of 10-30% of sanctions exceeding $1 million and broad anti-retaliation protections.
- False Claims Act (31 U.S.C. 3729-3733) — which permits private persons (qui tam relators) to file lawsuits on behalf of the federal government for fraud against government programs, with potential awards of 15-30% of recovered funds.
- Applicable state whistleblower protection statutes of the State of [State].
2.2 Additional federal whistleblower protections may apply under specific statutes, including the Occupational Safety and Health Act (OSHA), the Clean Air Act, the Safe Drinking Water Act, the Consumer Financial Protection Act, and the National Defense Authorization Act.
3. REPORTABLE CONCERNS
3.1 This policy covers reports of the following types of suspected wrongdoing:
- Fraud, embezzlement, theft, or financial irregularity.
- Violations of federal or state securities laws.
- Violations of federal or state banking or financial regulations.
- Bribery, corruption, or violations of the Foreign Corrupt Practices Act.
- False Claims Act violations (fraud against government programs).
- Tax evasion or fraud.
- Workplace health and safety violations.
- Environmental law violations.
- Retaliation against a whistleblower.
- Cover-up or concealment of any of the above.
3.2 Employees need not be certain that wrongdoing has occurred. A good faith, reasonable belief is sufficient to make a report. Employees who make reports in good faith will not be penalized even if the report is ultimately not substantiated.
4. HOW TO REPORT A CONCERN
4.1 Reports should normally be directed in the first instance to the Designated Compliance Officer:
Name: [Officer Name]
Title: [Officer Title]
Email: [Officer Email]
Phone: [Officer Phone]
4.2 Where a concern relates to the Compliance Officer, or where the reporter does not feel comfortable approaching that person, the concern may be directed to:
[Alternative Contact Name]
Email: [Alternative Contact Email]
4.3 A confidential reporting channel is also available at: [Reporting Hotline].
4.4 When reporting a concern, employees should provide as much detail as possible, including: the nature of the concern; dates, locations, and persons involved; evidence or information supporting the concern; and any steps already taken.
5. CONFIDENTIALITY
5.1 [Company Name] will treat all whistleblower reports with strict confidentiality. The identity of a reporter will not be disclosed without that person's consent, except where required by law or where disclosure is necessary to enable a proper investigation.
5.2 Where disclosure of the reporter's identity is necessary, the reporter will be informed before disclosure is made, unless doing so is not practicable.
6. INVESTIGATION PROCESS
6.1 On receipt of a report, the Compliance Officer will acknowledge receipt [Investigation Timeline] of the concern being raised.
6.2 The Compliance Officer will assess the concern and determine the appropriate course of action, which may include an internal investigation, referral to outside counsel or auditors, or referral to a regulatory agency or law enforcement.
6.3 Investigations will be conducted promptly, objectively, and fairly. The person conducting the investigation will not be a person who is the subject of the concern.
6.4 The reporter will be informed of the general outcome of the investigation, to the extent permitted by law and considerations of confidentiality.
7. ANTI-RETALIATION PROTECTIONS
7.1 [Company Name] strictly prohibits retaliation against any person who makes a good faith report under this policy. Retaliation includes but is not limited to: termination, demotion, suspension, threats, harassment, intimidation, reduction in pay or hours, or any other adverse employment action.
7.2 Under the Sarbanes-Oxley Act section 806 (18 U.S.C. 1514A), employees of publicly traded companies who report securities fraud are protected from retaliation. A complaint must be filed with OSHA within 180 days of the retaliatory act.
7.3 Under the Dodd-Frank Act section 922 (15 U.S.C. 78u-6), employees who report securities violations to the SEC are protected from retaliation regardless of whether the employer is publicly traded. The statute of limitations for a retaliation claim is 6 years from the date of the violation or 3 years from the date the employee knew or should have known of the facts, whichever is earlier, but no more than 10 years after the violation.
7.4 Under the False Claims Act (31 U.S.C. 3730(h)), employees who are retaliated against for filing or assisting in a qui tam action are entitled to reinstatement, double back pay, and compensation for special damages.
7.5 Any employee who retaliates against a whistleblower will be subject to disciplinary action, up to and including termination.
8. EXTERNAL REPORTING
8.1 Employees are encouraged to report concerns internally first. However, employees have the right to report directly to external regulatory agencies without first reporting internally. This right is protected under federal law.
8.2 Relevant external regulatory agencies include:
[Regulatory Bodies Reference]
8.3 Under the SEC Whistleblower Program established by the Dodd-Frank Act, individuals who voluntarily provide original information to the SEC that leads to successful enforcement action with sanctions exceeding $1 million may be eligible for an award of 10-30% of the monetary sanctions collected.
9. RECORD KEEPING
9.1 [Company Name] will maintain a confidential register of all whistleblower reports received, the steps taken to investigate each concern, the outcome, and any action taken.
9.2 Records will be retained for a minimum of seven years, consistent with SOX document retention requirements and applicable state statutes of limitation.
10. POLICY REVIEW
10.1 This policy will be reviewed at least annually, or sooner following any significant change in law, regulation, or organizational structure.
10.2 The policy owner is: [Policy Owner].
10.3 The next scheduled review date is: [Review Date].
11. POLICY APPROVAL
This Whistleblower Policy has been reviewed and approved on [Approval Date] by [Approved By] on behalf of [Company Name].
Compliance Officer: [Officer Name], [Officer Title] ([Officer Email] | [Officer Phone])
Alternative Contact: [Alternative Contact Name] ([Alternative Contact Email])
Policy Owner: [Policy Owner]
Approved By: [Approved By]
Effective Date: [Policy Date]
Next Review Date: [Review Date]
Approved By / Authorized Signatory
[Approved By]
Signature
Date: ________________
What Is a Whistleblower Policy?
A Whistleblower Policy in the United States sets out how an organization receives and investigates reports of suspected wrongdoing and how it protects the people who make those reports from retaliation.
In the United States, whistleblower protection is established by a framework of federal statutes. The Sarbanes-Oxley Act of 2002 (SOX) was enacted in response to major corporate and accounting scandals at companies including Enron and WorldCom. Section 806 of SOX (18 U.S.C. 1514A) provides protection to employees of publicly traded companies who report securities fraud, including mail fraud, wire fraud, bank fraud, and violations of SEC rules and regulations. Section 301 of SOX requires the audit committees of publicly traded companies to establish procedures for the receipt, retention, and treatment of complaints regarding accounting, internal accounting controls, or auditing matters, including procedures for the confidential, anonymous submission of concerns by employees.
The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 significantly expanded whistleblower protections. Section 922 of Dodd-Frank (15 U.S.C. 78u-6) established the SEC Whistleblower Program, which provides financial awards of 10 to 30 percent of monetary sanctions exceeding one million dollars for individuals who voluntarily provide original information leading to successful SEC enforcement actions. The Dodd-Frank Act also provides broad anti-retaliation protections that extend beyond the publicly traded company requirement of SOX.
The False Claims Act (31 U.S.C. 3729-3733) provides a separate framework for reporting fraud against federal government programs. Under the Act's qui tam provisions, private persons (relators) may file lawsuits on behalf of the government and may receive awards of 15 to 30 percent of the funds recovered. Most states have enacted their own whistleblower protection statutes that supplement federal protections.
When Do You Need a Whistleblower Policy?
A Whistleblower Policy is needed by every organization in the United States, regardless of whether it is publicly traded, privately held, or nonprofit. While the Sarbanes-Oxley Act imposes specific requirements on publicly traded companies, the principles of whistleblower protection apply broadly, and having a written policy is a recognized best practice for all organizations.
Publicly traded companies are required under SOX Section 301 to establish procedures for receiving employee complaints about accounting, internal accounting controls, and auditing matters. The SEC and the Department of Justice have repeatedly emphasized the importance of strong internal reporting mechanisms as a factor in enforcement decisions.
Private companies, nonprofit organizations, and government contractors also benefit significantly from having a whistleblower policy. Organizations that receive federal funding or perform work under federal contracts are subject to the False Claims Act and may face significant liability for fraud. Having a written policy encourages internal reporting before concerns escalate to external agencies.
The policy should be established when an organization is formed or when operations begin. It should be reviewed at least annually, and should be updated whenever there is a significant change in applicable law or regulation, a change in the organization's structure or operations, or following any incident that reveals deficiencies in the existing reporting or investigation procedures.
A whistleblower policy is also an important component of an organization's overall compliance program. The Department of Justice's guidance on the evaluation of corporate compliance programs identifies the existence of effective reporting mechanisms as a key factor in determining the adequacy of a compliance program.
What to Include in Your Whistleblower Policy
A complete Whistleblower Policy must address several essential elements to comply with federal requirements and provide meaningful protection to reporters.
The scope section should identify all persons covered by the policy, including directors, officers, employees, contractors, and agents. The policy should clearly distinguish whistleblower concerns from personal employment grievances and direct employees to the appropriate procedure for each.
Reportable concerns should be clearly defined, including fraud, securities law violations, financial irregularities, bribery, False Claims Act violations, workplace safety hazards, environmental violations, and the concealment of any such wrongdoing.
Designated compliance officer information should include the officer's name, title, email, and phone number. An alternative contact must be identified for situations where the designated officer is the subject of a concern or is unavailable.
Reporting channels should include a confidential reporting hotline or email and, where the organization permits, an anonymous reporting option. The Dodd-Frank Act allows anonymous tips to be submitted to the SEC through attorneys.
The investigation process section should describe the acknowledgment timeline, the assessment and investigation procedures, the independence requirement for investigators, and how the reporter will be informed of the outcome.
Anti-retaliation protections must be clearly stated, referencing the specific federal statutes that apply: SOX Section 806 for publicly traded companies, Dodd-Frank Section 922 for SEC reports, and the False Claims Act for qui tam actions. The policy should state that retaliation will result in disciplinary action.
External reporting rights should inform employees of their right to report directly to regulatory agencies, including the SEC, CFTC, DOJ, OSHA, and EPA. The SEC Whistleblower Program and its potential financial awards should be described.
Record-keeping requirements should specify a minimum retention period of seven years, consistent with SOX document retention requirements. The policy review schedule, policy owner, and approval authority should be clearly identified.
Sources & Citations
Statutory citations link to official government sources.
- 18 U.S.C. 1514 (US) – Cornell LII
- 15 U.S.C. 78u (US) – Cornell LII
- 31 U.S.C. 3729 (US) – Cornell LII
- Sarbanes-Oxley Act of 2002 (US) – Cornell LII
- SOX (US) – Cornell LII
- Sarbanes-Oxley Act (US) – Cornell LII
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Whistleblower Policy (United States) [Legal document template]. Forms Legal. https://forms-legal.com/usa/business/policies/whistleblower-policy
Frequently Asked Questions
A Whistleblower Policy sets out an organization's rules and expectations on a specific subject so that employees, customers, or users know what is required of them and what they can expect in return. A written Whistleblower Policy gives a business a consistent standard to apply, which supports fair treatment and creates a record the business can rely on if a dispute or investigation arises. Many policies also address legal compliance: workplace policies intersect with Title VII, the Americans with Disabilities Act, and the Fair Labor Standards Act, while privacy and data policies engage laws such as the California Consumer Privacy Act (CCPA). A clearly written Whistleblower Policy should state its scope, who it applies to, the rules themselves, and how the organization will handle violations. Distributing the Whistleblower Policy and obtaining acknowledgment from those it covers makes it more effective, because a policy that is never communicated offers little protection.
A Whistleblower Policy is enforceable to the extent it does not conflict with federal, state, or local law and has been properly communicated to the people it governs. A workplace Whistleblower Policy generally does not override the at-will employment presumption unless it promises specific terms, and employers often include language confirming the policy is not a contract. For consumer-facing policies, enforceability depends on adequate notice and, for online terms, the user's manifestation of assent, which courts examine closely. A Whistleblower Policy cannot require conduct that the law prohibits or waive rights that statutes protect, and provisions that do so are unenforceable even if signed. To strengthen a Whistleblower Policy, the organization should keep it consistent with current law, apply it uniformly, document distribution and acknowledgment, and update it when the underlying regulations change, because selective or outdated enforcement undermines its legal value.
A Whistleblower Policy should be reviewed at least annually and whenever the law, the business, or the relevant risks change, because an outdated policy can mislead the people it governs and expose the organization to liability. Employment policies may need revision when federal or state rules change, such as updates to leave laws, wage-and-hour requirements, or anti-harassment standards under Title VII. Privacy and data policies should track evolving requirements like the California Consumer Privacy Act (CCPA) and other state privacy statutes that continue to take effect. When the organization revises a Whistleblower Policy, it should date the new version, communicate the change to those affected, and obtain fresh acknowledgment where appropriate. Keeping prior versions on file shows what rule applied at a given time, which matters if a dispute concerns conduct that occurred under an earlier version of the Whistleblower Policy.
A Whistleblower Policy is legally binding in the United States once the parties capable of contracting sign it with the intent to be bound under Uniform Commercial Code (UCC). American contract law, drawn from the Restatement (Second) of Contracts and each state's common law, recognizes a Whistleblower Policy as enforceable when it shows offer, acceptance, consideration, and reasonably definite terms. Courts in the state whose law governs the agreement will hold the parties to its written terms unless a party proves fraud, duress, mistake, unconscionability, or that the subject matter is illegal. A signed Whistleblower Policy carries more evidentiary weight than an oral understanding because the writing fixes what each party promised and reduces later disputes over who agreed to what. To strengthen enforceability, the parties should each keep an original signed copy, date their signatures, and complete every blank rather than leaving terms open to interpretation by a judge.
A Whistleblower Policy is governed primarily by the law of the state where it is signed or where the parties agree it will apply, and the rules differ from one state to another. While the core contract principles — offer, acceptance, consideration, and capacity — are consistent nationwide, states set their own requirements on matters such as witnessing, notarization, recording, limitation periods, and mandatory disclosures. A Whistleblower Policy valid in one state may need extra formalities to be effective in another, which matters when the parties live in different states or the subject of the agreement is located elsewhere. Including a governing-law clause that names a single state reduces uncertainty about which rules apply if a dispute arises. The parties should confirm the requirements of the state whose law controls the Whistleblower Policy before signing, because following the wrong state's formalities can leave the document unenforceable or vulnerable to challenge.
A Whistleblower Policy does not require a lawyer in most routine situations, and many individuals and small businesses prepare one using a clear written template that covers the standard terms. American law does not condition the validity of a Whistleblower Policy on attorney involvement; what matters is that the parties understand the terms and sign voluntarily. Legal review becomes worthwhile when the amounts at stake are large, the relationship is complex, the parties are in different states, or the agreement involves unusual conditions, tax consequences, or rights that are difficult to reverse. An attorney can confirm the document complies with the governing state's law and tailor clauses such as indemnification, dispute resolution, and termination. For straightforward matters, a carefully completed Whistleblower Policy from forms-legal.com gives the parties a solid written record; consulting a licensed attorney remains the safer path whenever the consequences of a mistake would be costly or hard to undo.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.