Create a comprehensive Whistleblower Policy compliant with the Sarbanes-Oxley Act Section 806, Dodd-Frank Act Section 922, and the False Claims Act. Covers designated compliance officers, confidential reporting channels, anonymous reporting, investigation procedures, anti-retaliation protections, SEC whistleblower program, and external regulatory agency reporting.
What Is a Whistleblower Policy?
A Whistleblower Policy is a formal written document that establishes an organization's procedures for receiving, investigating, and responding to reports of suspected wrongdoing, fraud, violations of law, or unethical conduct. The policy identifies designated compliance officers, describes reporting channels including confidential and anonymous options, sets out investigation procedures, and details the anti-retaliation protections available to persons who report concerns in good faith.
In the United States, whistleblower protection is established by a framework of federal statutes. The Sarbanes-Oxley Act of 2002 (SOX) was enacted in response to major corporate and accounting scandals at companies including Enron and WorldCom. Section 806 of SOX (18 U.S.C. 1514A) provides protection to employees of publicly traded companies who report securities fraud, including mail fraud, wire fraud, bank fraud, and violations of SEC rules and regulations. Section 301 of SOX requires the audit committees of publicly traded companies to establish procedures for the receipt, retention, and treatment of complaints regarding accounting, internal accounting controls, or auditing matters, including procedures for the confidential, anonymous submission of concerns by employees.
The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 significantly expanded whistleblower protections. Section 922 of Dodd-Frank (15 U.S.C. 78u-6) established the SEC Whistleblower Program, which provides financial awards of 10 to 30 percent of monetary sanctions exceeding one million dollars for individuals who voluntarily provide original information leading to successful SEC enforcement actions. The Dodd-Frank Act also provides broad anti-retaliation protections that extend beyond the publicly traded company requirement of SOX.
The False Claims Act (31 U.S.C. 3729-3733) provides a separate framework for reporting fraud against federal government programs. Under the Act's qui tam provisions, private persons (relators) may file lawsuits on behalf of the government and may receive awards of 15 to 30 percent of the funds recovered. Most states have enacted their own whistleblower protection statutes that supplement federal protections.
When Do You Need a Whistleblower Policy?
A Whistleblower Policy is needed by every organization in the United States, regardless of whether it is publicly traded, privately held, or nonprofit. While the Sarbanes-Oxley Act imposes specific requirements on publicly traded companies, the principles of whistleblower protection apply broadly, and having a written policy is a recognized best practice for all organizations.
Publicly traded companies are required under SOX Section 301 to establish procedures for receiving employee complaints about accounting, internal accounting controls, and auditing matters. The SEC and the Department of Justice have repeatedly emphasized the importance of robust internal reporting mechanisms as a factor in enforcement decisions.
Private companies, nonprofit organizations, and government contractors also benefit significantly from having a whistleblower policy. Organizations that receive federal funding or perform work under federal contracts are subject to the False Claims Act and may face significant liability for fraud. Having a written policy encourages internal reporting before concerns escalate to external agencies.
The policy should be established when an organization is formed or when operations begin. It should be reviewed at least annually, and should be updated whenever there is a significant change in applicable law or regulation, a change in the organization's structure or operations, or following any incident that reveals deficiencies in the existing reporting or investigation procedures.
A whistleblower policy is also an important component of an organization's overall compliance program. The Department of Justice's guidance on the evaluation of corporate compliance programs identifies the existence of effective reporting mechanisms as a key factor in determining the adequacy of a compliance program.
What to Include in Your Whistleblower Policy
A comprehensive Whistleblower Policy must address several essential elements to comply with federal requirements and provide meaningful protection to reporters.
The scope section should identify all persons covered by the policy, including directors, officers, employees, contractors, and agents. The policy should clearly distinguish whistleblower concerns from personal employment grievances and direct employees to the appropriate procedure for each.
Reportable concerns should be clearly defined, including fraud, securities law violations, financial irregularities, bribery, False Claims Act violations, workplace safety hazards, environmental violations, and the concealment of any such wrongdoing.
Designated compliance officer information should include the officer's name, title, email, and phone number. An alternative contact must be identified for situations where the designated officer is the subject of a concern or is unavailable.
Reporting channels should include a confidential reporting hotline or email and, where the organization permits, an anonymous reporting option. The Dodd-Frank Act allows anonymous tips to be submitted to the SEC through attorneys.
The investigation process section should describe the acknowledgment timeline, the assessment and investigation procedures, the independence requirement for investigators, and how the reporter will be informed of the outcome.
Anti-retaliation protections must be clearly stated, referencing the specific federal statutes that apply: SOX Section 806 for publicly traded companies, Dodd-Frank Section 922 for SEC reports, and the False Claims Act for qui tam actions. The policy should state that retaliation will result in disciplinary action.
External reporting rights should inform employees of their right to report directly to regulatory agencies, including the SEC, CFTC, DOJ, OSHA, and EPA. The SEC Whistleblower Program and its potential financial awards should be described.
Record-keeping requirements should specify a minimum retention period of seven years, consistent with SOX document retention requirements. The policy review schedule, policy owner, and approval authority should be clearly identified.