A whistleblower policy tells everyone in your organization how to report suspected fraud, financial wrongdoing, or illegal conduct — and promises they won't be punished for raising a concern in good faith. It needs four things: a clear reporting channel (including a path that bypasses anyone implicated), an anti-retaliation guarantee, an investigation process, and a commitment to confidentiality. The IRS doesn't legally require it, but Form 990 Part VI asks every filer whether they have one (as of 2026 — verify), and answering "no" is a red flag for regulators and funders. Two parts of the federal Sarbanes-Oxley Act also apply to nonprofits: it's a federal crime to retaliate against a whistleblower or to destroy records to obstruct an investigation. Adopting a written policy is a single board vote that protects your people and your standing.
What a whistleblower policy is
A whistleblower policy is a short written document that does two jobs. First, it gives board members, staff, and volunteers a defined, safe way to report suspected fraud, theft, financial misstatement, conflicts of interest, illegal activity, or other serious wrongdoing. Second, it protects the person who reports — promising that no one acting in good faith will be fired, demoted, harassed, or otherwise penalized for speaking up.
The reason it exists is practical. The people most likely to spot fraud or a compliance problem are insiders — a bookkeeper who notices a vendor that doesn't quite add up, a program coordinator who sees cash handled loosely, a volunteer who overhears something off. Those people will only come forward if they know (a) where to go and (b) that doing so won't cost them their job or their place on the team. A whistleblower policy turns a vague hope that "someone would say something" into a documented procedure.
It applies to everyone connected to the organization — directors, officers, employees, and volunteers — and it covers concerns about anyone, including senior leadership. That last point matters: the most damaging problems often involve the very people a worried employee would normally report to, which is why a good policy always includes a route that goes around the person in charge.
Whistleblower vs. conflict-of-interest policy
These are different documents that often get confused. A conflict-of-interest policy handles disclosure and recusal when an insider has a personal stake in a decision. A whistleblower policy handles what happens when someone reports suspected wrongdoing. Most well-run nonprofits adopt both, plus a document-retention policy.
Why Form 990 asks about it
The IRS does not legally require a whistleblower policy under the Internal Revenue Code. But the annual information return asks about it directly: Form 990 Part VI, Section B includes a yes/no question — "Does the organization have a written whistleblower policy?" (Line 13, as of 2026 — verify with the current Form 990 instructions). The IRS treats it as a marker of good governance — its position is that "a well-governed charity is more likely to obey the tax laws, safeguard charitable assets, and serve charitable purposes" than one with weak governance.
Two things make this question weightier than it looks. First, Form 990 is public. Anyone — a journalist, a grantmaker, a prospective board member, a charity watchdog — can read your answers on Guidestar/Candid or the IRS site. A "no" on the whistleblower line, sitting next to "no" on conflict-of-interest and document-retention, paints a picture of an organization that hasn't done basic governance housekeeping. Second, you can only answer "yes" if your governing body has actually adopted the policy — a draft sitting in a folder doesn't count. For the full tour of the form, see Form 990 explained.
So while no law forces you to have one, the practical pressure is real: funders increasingly expect it, charity raters can mark you down without it, and it's genuinely cheap to fix. This is the same logic that drives most of good board governance — do the inexpensive, expected thing before anyone has to ask why you didn't.
The Sarbanes-Oxley angle
Most of the Sarbanes-Oxley Act of 2002 governs publicly traded companies and doesn't touch nonprofits. But two of its criminal provisions apply to every organization, including nonprofits — and they're the reason a whistleblower policy is more than a Form 990 checkbox.
- Anti-retaliation (18 U.S.C. § 1513(e)). It is a federal crime to knowingly take a harmful action against someone, with intent to retaliate, for giving truthful information to law enforcement about the possible commission of a federal offense. Violations can carry fines and imprisonment of up to 10 years (as of 2026 — verify). This applies to nonprofit employers the same as to anyone else.
- Document destruction (18 U.S.C. § 1519). It is a federal crime to knowingly alter, destroy, conceal, or falsify any record or document with intent to obstruct or influence a federal investigation. Penalties can reach fines and imprisonment of up to 20 years (as of 2026 — verify).
The National Council of Nonprofits summarizes these as the two Sarbanes-Oxley provisions that reach the nonprofit sector. Together they explain why a whistleblower policy and a document-retention policy are usually adopted as a pair: the first protects people who report, and the second makes sure no one "cleans up" records once a concern is raised. State whistleblower-protection laws may add further obligations on top of these federal rules.
The practical takeaway
Even a tiny all-volunteer nonprofit is bound by the federal anti-retaliation and anti-shredding rules. A written whistleblower policy doesn't create these duties — they already exist — but it makes them visible, sets out a process people can follow before anything reaches law enforcement, and demonstrates that the board took its responsibilities seriously.
The required elements
There's no single legally mandated template, but a workable nonprofit whistleblower policy consistently covers the same building blocks. Aim for these:
- Scope & purpose. State that the policy applies to all directors, officers, employees, and volunteers, and that it covers good-faith reports of suspected fraud, financial impropriety, legal violations, or unethical conduct.
- Reporting channel(s). Name a specific person or role to receive reports — typically a compliance officer designated by the board — and provide a second channel (e.g., the board chair or a board committee) so a reporter can bypass anyone who may be involved. Relying only on "tell your manager" fails when the manager is the problem.
- Anti-retaliation protection. Promise that no one who reports in good faith will face retaliation — termination, demotion, harassment, or any adverse action — and say that retaliation is itself a violation of the policy and may be a crime.
- Good-faith standard. Make clear the protection covers honest concerns, even if later proven unfounded, while knowingly false or malicious reports are not protected.
- Confidentiality. Explain that the organization will keep the reporter's identity confidential to the extent possible, and whether anonymous reports are accepted (note that anonymity can limit how far an investigation can go).
- Investigation process. Describe who handles reports, roughly how quickly the organization will respond, that concerns will be investigated and acted on, and how the outcome is communicated.
- Board oversight & escalation. Specify how reports involving the executive director or a board member escalate to the full board or an independent committee, and that the board reviews whistleblower activity periodically.
Grab a ready-made version from the template library rather than drafting from a blank page; reputable free samples are also published by the National Council of Nonprofits and BoardSource. If you have paid staff, have an employment attorney review the final draft — see the resources below.
Sample policy excerpt
Here's a short, plain-language excerpt you can adapt — it's illustrative, not legal advice. Below it, a quick map of which required element each clause satisfies.
Sample: [Organization] Whistleblower Policy (excerpt)
1. Purpose & scope. This policy applies to all directors, officers, employees, and volunteers of [Organization]. It encourages anyone who has a good-faith concern about suspected fraud, financial impropriety, or a violation of law or [Organization] policy to report it without fear of retaliation.
2. How to report. Concerns should be reported to the Compliance Officer, [Name/Role], by email at [address] or in writing. If the concern involves the Compliance Officer, the Executive Director, or a board member, report instead to the Board Chair at [address]. Reports may be submitted anonymously, though anonymity may limit our ability to investigate fully.
3. No retaliation. No director, officer, employee, or volunteer who in good faith reports a concern shall suffer harassment, retaliation, or adverse employment consequence. Anyone who retaliates against a good-faith reporter is subject to discipline up to and including termination, and may be subject to legal penalties.
4. Handling of reports. The Compliance Officer will acknowledge each report within [10] business days, investigate or arrange an appropriate investigation, and report findings to the Board (or its [Audit/Finance] Committee). The identity of the reporter will be kept confidential to the extent consistent with a fair investigation.
5. Good faith. Anyone reporting must act in good faith and have reasonable grounds for the concern. Knowingly false or malicious reports are a serious violation of this policy.
Adopted by the Board of Directors on [date]. Reviewed annually.
| Required element | Where it appears above |
|---|---|
| Scope & purpose | Clause 1 |
| Reporting channel + bypass route | Clause 2 |
| Confidentiality / anonymity | Clauses 2 & 4 |
| Anti-retaliation protection | Clause 3 |
| Investigation process & timing | Clause 4 |
| Good-faith standard | Clause 5 |
| Board adoption & review | Footer line |
Bracketed items are placeholders to fill in. Have an attorney review before adoption if you employ staff.
How the board adopts it
Adoption is straightforward and can happen in a single meeting. The key is that the governing body formally approves it — that's what lets you answer "yes" on Form 990 and what makes the policy real.
- Start from a template. Pull a sample policy and fill in your compliance officer, your alternate reporting route (usually the board chair), and your response timeline.
- Designate a compliance officer. Name the specific person or role who will receive and triage reports, and a backup channel for concerns about that person or senior leadership.
- Have an attorney review it if you have staff. Employment and state whistleblower law varies; a short review before adoption is worth it once payroll is involved.
- Put it on a meeting agenda and vote. The board reviews the draft, asks questions, and approves it by motion. Record the approval in the minutes with the date.
- Distribute and store it. Share it with all staff and volunteers, include it in onboarding, and file the signed/dated copy under your document-retention policy.
- Review it periodically. Revisit annually — the board confirms the policy still works, updates the compliance officer if that person changed, and logs the review.
Whistleblower policy readiness
- The board has formally adopted a written policy
- A compliance officer is named, with an alternate reporting route that bypasses leadership
- The policy promises no retaliation for good-faith reports
- Confidentiality (and anonymity, if offered) is addressed
- The investigation process and timing are spelled out
- You can answer "yes" on Form 990 Part VI
- It's distributed to staff/volunteers and filed with your records
For where this sits among your other founding documents, see how to start a nonprofit and the broader governance & compliance hub.
Sources & tools
Free first
- IRS — Form 990 Part VI (Governance) — The IRS governance FAQ and instructions covering the Part VI questions, including the written whistleblower policy line and what "yes" requires.
- National Council of Nonprofits — Whistleblower protections — Plain-English explainer of the two Sarbanes-Oxley provisions that apply to nonprofits and what a whistleblower policy should do.
- Federal anti-retaliation provision (18 U.S.C. § 1513(e)) — The Sarbanes-Oxley criminal statute making retaliation against a whistleblower a federal offense — the legal backbone of your no-retaliation clause.
Paid — optional labor-savers
- Employment / nonprofit attorney review — A lawyer reviews your draft policy against federal and state whistleblower and employment law before the board adopts it. Worth it before you adopt the policy if you have paid staff, since state whistleblower and employment rules vary and missteps create real liability.
Last verified 2026-06-16. Figures and rules change — verify at the source before you act.
FAQ
Is a whistleblower policy legally required for nonprofits?
No federal law under the Internal Revenue Code requires it. But Form 990 Part VI asks every filer whether they have a written whistleblower policy (as of 2026 — verify), and answering "no" on that public form is a red flag for regulators, funders, and charity raters. Separately, two Sarbanes-Oxley criminal provisions already bind all nonprofits: it's a federal crime to retaliate against a whistleblower or to destroy records to obstruct an investigation. So while the written policy itself isn't mandated, the underlying duties are, and adopting a policy is strongly recommended.
What must a whistleblower policy include?
At minimum: its scope (covering directors, officers, employees, and volunteers); a reporting channel, including a route that bypasses anyone who may be implicated; an anti-retaliation promise for good-faith reporters; a good-faith standard; a confidentiality commitment (and whether anonymous reports are accepted); an investigation process with a rough timeline; and board oversight for reports involving senior leadership. A typical policy also names a compliance officer to receive reports.
How does Sarbanes-Oxley apply to a nonprofit?
Most of Sarbanes-Oxley applies to public companies, but two criminal provisions reach every organization, including nonprofits. The anti-retaliation provision (18 U.S.C. § 1513(e)) makes it a crime to retaliate against someone for giving truthful information to law enforcement about a possible federal offense, with penalties up to 10 years (as of 2026 — verify). The document-destruction provision (18 U.S.C. § 1519) makes it a crime to destroy or falsify records to obstruct a federal investigation, with penalties up to 20 years (as of 2026 — verify).
How does the board adopt a whistleblower policy?
Start from a template, name a compliance officer plus an alternate reporting route that bypasses leadership, and have an attorney review it if you employ staff. Put the draft on a meeting agenda and have the governing body approve it by motion, recording the date in the minutes. Only then can you answer "yes" on Form 990. Finally, distribute it to staff and volunteers, file it under your document-retention policy, and review it annually.