Updating your whistleblowing policy: the EU whistleblowing directive and more
The way corporations conduct business is under greater - and more public - scrutiny than ever before. People expect far more from the companies they do business with and work for, making whistleblowing procedures an integral part of building trust and maintaining brand integrity. Recent high-profile examples of whistleblowing in action, such as the Panama Papers and Cambridge Analytica scandals, have highlighted the importance of creating a whistleblowing procedure which allows employees to feel assured that any issues they raise will be taken seriously and dealt with in confidence.
Complaints about whistleblowing procedures on the rise
In October 2020 there was a reported 61% rise in complaints to the UK’s Financial Conduct Authority (FCA) about inadequate whistleblowing procedures, and a number of the UK’s largest banks were cited as being the worst offenders. Concerns were raised about how senior executives handle complaints; whether the whistleblower’s anonymity would be upheld; and if appropriate protections were in place to prevent victimisation of complainants. The report was published after a freedom of information request was submitted by law firm Fox and Partners. Ivor Adair, a partner at the firm, said: “A growing number of employees in financial services think the whistleblowing procedures at their firms are not working as they should do and don’t properly protect whistleblowers.”
FCA’s new focus on whistleblowing
In light of this, the FCA launched a publicity campaign in March 2021 to increase awareness and improve messaging around whistleblowing in the financial services industry. The campaign, entitled In Confidence, With Confidence, includes a digital toolkit of posters and information leaflets designed to educate individuals about the regulator’s whistleblowing procedures and to reassure those who wish to report an issue through the FCA that they will be protected.
By improving people’s understanding of what whistleblowing is and how it can help expose corporate misconduct, the regulator also hopes to influence the types of complaints it receives to include more tip-offs about misconduct which is genuinely in the public interest, rather than employee grievances, which the FCA says are often mistakenly reported to its whistleblowing team. It’s worth noting that the FCA’s latest focus on whistleblowing was in part driven by accusations that its own whistleblowing team was not dealing with complaints adequately - so even the regulators don’t always get it right.
When whistleblowing goes wrong
Ensuring your whistleblowing policies and procedures are fit for purpose is important, not just for ensuring wrongdoing itself is reported and addressed, but also to ensure that staff members understand how to deal with whistleblowers appropriately and don’t create additional problems for the firm. There was a much-publicised example of this in 2016 when Jes Staley, CEO of Barclays, was fined for trying to expose the identity of a whistleblower. An individual (or individuals) had made accusations in anonymous letters about a long-standing colleague Staley had recently employed at the bank. According to the New York State Department of Financial Services (DFS), Staley instructed the bank’s chief of security to try and uncover the identity of the author of the letters. Staley was personally fined £642,430 by the FCA and Barclays was issued with a US$15m penalty by DFS for its handling of the complaint.
New whistleblowing regulation and guidance
EU Whistleblowing Directive
The EU’s Whistleblowing Directive (Directive 2019/1937) was launched to address fragmentation in approaches to whistleblowing across its member states, which has been negatively impacting people’s willingness to come forward with information. “The consequences of breaches of Union law with a cross-border dimension reported by whistleblowers illustrate how insufficient protection in one Member State negatively impacts the functioning of Union policies not only in that Member State, but also in other Member States and in the Union as a whole,” says the directive.
Deadlines for the EU directive
For larger companies (those employing 250 people or more), the deadline for implementation is December 2021, meaning firms who operate in member states have just a few months left to ensure compliance. Companies with 50-249 employees will have two additional years to comply. The main focus of the directive is to provide greater protection for whistleblowers who have historically only been protected in a handful of EU countries, resulting in resistance from individuals to report wrongdoing.
Each member state must transpose the directive into law by December 2021. It is likely there will be some differences in how each state interprets the directive into national law, so this is another consideration for affected firms when implementing their whistleblowing policy.
Key features of the EU Whistleblowing Directive
What reporting channels are needed?
All firms subject to the directive will be required to establish secure internal reporting channels for whistleblowers. These must be designed to maintain confidentiality and anonymity for the reporting person and any third party mentioned. It should also prevent any access to this information by non-authorised staff members. Whistleblowers should be able to make a report in writing and have the ability to submit reports by post, by a physical complaint box, or via an online platform, whether it be on an intranet or internet platform. They should also have the option to make their complaint orally, via a telephone hotline or voice messaging system, or both.
Who/what does the EU directive apply to?
Protections provided by the directive apply not only to employees, but also to job applicants and anyone who has provided support to the whistleblower, such as colleagues, relatives or journalists. Protections apply only to reports of breaches of EU law, such as fraud, money laundering etc.
Handling complaints internally
Whistleblowers are protected whether they choose to raise their concerns internally through their employer, externally through a supervisory authority, or publicly via the media or other public platform.
Companies are responsible for appointing an appropriate person for handling internal whistleblowing reports, such as a compliance officer, chief financial officer, executive board member or head of the HR department. The responsible person must confirm receipt of the complaint within seven days, and must update the complainant on its progress within three months.
Reporting complaints externally
All firms must ensure they provide clear and easily understandable information to all relevant parties on how to report a complaint externally as well as internally. The individual EU member states will be responsible for identifying which authorities should be contacted for whistleblowing purposes. Firms that attempt to obstruct or deter whistleblowers will be subject to penalties implemented by the individual member states.
ISO 37002 - Whistleblowing Management Systems guidance
Due for release this year, the ISO 37002 guidance on whistleblowing management systems is a global standard that seeks to provide a framework for the handling of whistleblowing reports specifically (rather than issues in relation to the whistleblower themselves.) It will provide “guidelines for implementing, managing, evaluating, maintaining and improving a robust and effective management system within an organisation for whistleblowing.”
It is the first ISO standard dedicated to whistleblowing, demonstrating how regulators and industry bodies are shifting focus towards this area of policy making. ISO 37002 is expected to be published by July this year. ISO convenor Dr Wim Vandekerckhove recently spoke to Lexology.com about the guidance and said we can expect it to fit easily alongside other standards currently in use: “At the moment ISO 37002 is not a certifiable standard like anti-bribery or compliance, but it is a plug-and-play into those standards. Think of it as a stand-alone standard that can easily be used in conjunction with those related standards,” he said. “ISO 37002 gives guidance on how to make the whistleblowing system fit with what you are already doing, to strengthen efforts and build integrity into your organisation in other ways. The standard tells you what you need to consider when you plan these systems, how you operate them and also how you review them.”
COVID-19 and its impact on whistleblowing
The way all businesses operate on a day-to-day basis has been hugely impacted by the global COVID-19 pandemic, so it is inevitable that whistleblowing will also be impacted, both in terms of attitudes towards whistleblowing policies and the number of reports raised by employees.
The whistleblowing charity, Protect, has reported an increased demand for its services during lockdown. Research carried out by the charity found that 41% of whistleblowers were ignored by their employers during the pandemic, and 20% of whistleblowers speaking up about COVID-19-related concerns went on to be dismissed. 61% of reports made to the charity’s advice hotline during this time were related to furlough fraud.
In November 2020, law firm Freshfields Bruckhaus Deringer (Freshfields) conducted a survey of 2,500 individuals in the UK, US, Hong Kong, Germany and France to assess current attitudes towards whistleblowing. It found an overall decline in the number of people involved in whistleblowing and a decline in confidence with regards to support from senior management for those who blow the whistle. When asked about the impact of COVID-19 on whistleblowing, respondents were split: 47% said the pandemic had had no impact; 28% thought it had increased and 25% thought it had decreased. This divide in opinions perhaps indicates that the true impact of the pandemic is still unknown.
In a more recent podcast dissecting the findings of the report, Caroline Stroud from Freshfields’ London office said we should be prepared for an increase in employee litigation post-pandemic due to issues such as furlough fraud and inadequate health and safety measures. We should also be prepared for scrutiny from the regulators. “There is an enormous potential for misconduct to have occurred where you have remote working and less supervision,” she says. “Businesses need to think about how they’re going to manage that risk, because regulators will come looking with hindsight and expect things to have been done during the pandemic...What companies should [do] now is assess that risk; look at whistleblowing statistics, see if there are hotspots; perhaps take on board the fact that people feel more disconnected, so carry out some trainings around visibility...encouraging people to speak up - and record all of that and document it [for the regulators.]”
Updating your whistleblowing policies and procedures due to COVID-19
23% of respondents in the Freshfields survey felt that whistleblowing procedures needed to be updated as a result of COVID-19. Firms should now be thinking about the logistics of their whistleblowing procedures from a remote-working perspective: do employees still have access to reporting methods? Is their ability to remain anonymous impacted by working from home? Are they able to get in touch with their line manager easily during normal working hours and, if not, do they have an alternative method for raising complaints?
Financial rewards and whistleblowing
The topic of financially rewarding whistleblowers is a contentious one. US corporate ethics hotlines saw a decline in reports in 2020, falling by 7.1% overall. But the SEC (Securities and Exchange Commission) - which offers a financial reward to whistleblowers (if they provide original information that leads to a successful enforcement action worth more than US$1m) received the highest number of reports it has seen since 2011. In the past three and a half years, the agency has made the five top largest awards in its whistleblowing programme’s history; two at US$50m, and one each at US$39m, US$37m and US$33m.
Despite those impressive amounts, in reality, only a small percentage of reports actually lead to financial rewards. However, some argue that providing a financial reward encourages those who worry about losing their jobs to come forward. Others argue that this only really works in the financial services industry, where enforcement actions usually generate large funds. In another setting, such as a hospital, care home or school, this often isn’t the case, but individuals blowing the whistle put just as much at risk by speaking up.
In 2014, the UK’s FCA expressed its concerns about the idea of introducing financial rewards into the whistleblowing process after the Prudential Regulation Authority and Bank of England looked into the idea. It said “In our view, financial incentives could create a number of moral and other hazards,” including potential malicious reporting, entrapment and conflicts of interest in court. It looks unlikely that UK regulators will switch to the US approach anytime soon, but some countries are following the US example, including Canada. In 2016, the Ontario Securities Commission set up the Office of the Whistleblower, offering maximum rewards of C$5m for successful tip offs. And although the FCA, PRA and Bank of England don’t offer rewards for whistleblowers, the UK’s Competition Markets Authority (CMA) does offer up to £100,000 in exchange for information they can use to help tackle cartels.
Getting it right internally
In June 2020, a study into whistleblowing in the financial services industry (Silence in the City 2) revealed that more than 90% of whistleblowers who contacted Protect for advice had already raised concerns internally. This demonstrates the importance of ensuring your internal whistleblowing procedures work and allow employees to maintain anonymity where possible. Feedback to complainants is also hugely important, because if an individual doesn’t have confirmation that their complaint is being addressed, they are more likely to seek external advice or contact the press. Law firm Bryan Cave Leighton Paisner advises using a triage system “to establish whether the issues raised are in the nature of grievances (typically involving behaviour specific to the complainant alone and dealt with by HR) or whether they qualify as whistleblows (typically involving behaviour non-specific to the complainant alone or at all and dealt with under the firm’s whistleblower policy).” Most whistleblowing guidance encourages internal reporting first, so providing staff with a visible and accessible reporting channel - and encouraging line managers to adopt an open-door policy - could be the difference between an internal investigation and a public scandal.
The EU Whistleblowing Directive:
ISO 37002 - Whistleblowing Management Systems guidance:
Protecting your firm against unnecessary regulatory and reputational risks of whistleblower investigations:
Whistleblowing 2020 – declining confidence to speak up:
ISO 37002 on whistleblowing management systems - The ethics perspective:
The Best Warning System: Whistleblowing During Covid-19:
Silence in the City 2:
More from Risk Universe by RiskBusiness