The New York State Attorney General’s Charities Bureau recently issued a Guidance Document to assist nonprofits in complying with the new whistleblower policy requirements in the Nonprofit Revitalization Act of 2013, or NPRA. The guidance provides additional clarifications about the law, and addresses questions received by the Charities Bureau.
A whistleblower policy provides procedures for individuals to report suspected improper conduct without fear of retaliation or adverse employment consequences for doing so. The NPRA requires New York not-for-profit corporations and charitable trusts with 20 or more employees and annual revenue in excess of $1,000,000 in the prior fiscal year to adopt a whistleblower policy. The Guidance Document suggests that smaller nonprofits should also consider adopting such policies, especially given that the IRS Form 990 requires all organizations filing the Form 990 to disclose whether or not the organization has a written whistleblower policy.
An NPRA-compliant Whistleblower Policy must: (1) provide that no director, officer, employee or volunteer of the organization who in good faith reports any action or suspected action taken by or within the organization that is illegal, fraudulent, or in violation of any adopted policy of the organization, will suffer intimidation, harassment, discrimination, or other retaliation or, in the case of employees, adverse employment consequence; (2) provide procedures for reporting violations or suspected violations and preserving confidentiality; (3) designate a person to administer and report on the policy to the board or appropriate committee; and (4) be distributed to directors, officers, employees and volunteers.
If the organization already has a whistleblower policy that “is substantially consistent” with the NPRA requirements, the organization will be considered in compliance with this policy requirement.
Here are a few key points for organizations to consider as they review their whistleblower policies for NPRA compliance:
- Include reporting procedures that are appropriate to the organization’s structure. Organizations should take time to ensure that the procedure for reporting suspected violations takes into account the organization’s size, structure, and other unique considerations. For example, should the individual report to a supervisor before going to Human Resources? To whom should the person seeking to report a suspected violation report an issue if the potential violator is the reporting person’s supervisor?
- Clearly disclose which “adopted policies” are covered (or not covered) by the policy. The Guidance states that the “adopted policies” that must be covered by the organization’s whistleblower policy include those policies that are designed to “prevent financial wrongdoing, such as internal and external financial controls, accounting policies, and policies prohibiting fraud, theft, embezzlement, bribery, kickbacks, and abuse or misuse of corporate assets; conflict of interest policies; policies addressing unethical conduct; and harassment and discrimination policies.” The Guidance also states that certain policy violations may not be entitled to whistleblower protection, such as a complaint that a fellow employee is violating the organization’s dress code contained in the Board-adopted employment manual. The organization’s board should decide whether certain organizational policies that are not required to be included in the policy will be covered by, or excluded from, the policy, and make that clear within the policy.
- Include procedures for preserving confidentiality. Some whistleblower policies do not sufficiently address how confidentiality will be preserved for those reporting violations or suspected violations. The NPRA requires more than a simple statement that confidentiality of the person reporting the violation or suspected violation will be maintained – it must include specific procedures that outline how the confidentiality of reported information will be preserved. The person responsible for receiving reported information pursuant to the whistleblower policy should, at a minimum: (1) refrain from disclosing the identity of the whistleblower without the individual’s explicit consent; (2) store any information related to whistleblowers, allegations, and investigations in a secure location; and (3) limit the number of people with access to confidential information to the minimum number possible under the circumstances.
- Ensure that volunteers are appropriately covered by the policy. Many whistleblower policies cover employees, directors, and officers, but may not include volunteers. The NPRA requires the policy to be given to all officers, employees, trustees, directors, and volunteers. For not-for-profit corporations, the policy only needs to be given to volunteers who provide “substantial services.” For charitable trusts, the policy must be given to all volunteers.
- Determine the best process for distributing the policy. The NPRA requires nonprofits subject to the whistleblower policy requirement to distribute the policy to all directors, officers, employees and volunteers, but does not specify the method of distribution. The Guidance suggests that a best practice is to distribute the policy to each person covered by the policy, and require each recipient to acknowledge receipt and review of the policy. The Guidance further notes that this requirement may be satisfied by making the policy available on the organization’s publicly available website, but recommends providing a hard copy to anyone covered by the policy upon his or her request. The Guidance also encourages ongoing awareness of the policy through the organization’s normal compliance training and communication.