In the past few years, whistleblowing has been attracting increasing levels of media and regulator attention all over the world and continues to be in the spotlight in 2023. Companies need to deal with new, increasingly strong legal frameworks encouraging people to speak up and offering them greater protection when they do. In this blog post we look at these new developments and consider their implications for compliance programs.
New regulations in many regions
The EU Whistleblowing directive aims to protect whistleblowers – meaning not only employees, but all reporting persons who acquired information in a work-related context – who report breaches of EU law in a number of policy areas such as public procurement, AML, product safety, environmental protection, and public health. Member states were encouraged to ‘gold plate’ the provisions of the directive when implementing it, covering a broader base of reportable concerns than the directive itself covered. Many EU member states have now finally transposed the directive (which had to be implemented by December 2021) into national law – see most recently for example Italy, Spain and Belgium, all extending the material scope of the directive to more or even all kinds of offences. Other countries such as Germany, where whistleblower protection had not been strictly regulated before, are still struggling with the implementation, leaving companies in the dark as to what the specific requirements might be. At present, it is not yet clear when the current legislative process in Germany will end. A so-called mediation committee (“Vermittlungsausschuss”) is scheduled for 9 May 2023, at which an attempt will be made to reach a consensus on the disagreements on the current draft of the implementation law.
Although it sets a common minimum standard, the encouragement to member states to ‘gold plate’ the directive’s provisions means that its implementation into EU member states’ national law has led to variations in regimes between member states – differences that companies should be aware of and reflect in their policies and procedures. This state-by-state variation can make it challenging to operate a globally consistent approach unless companies level-up to the highest standard in all jurisdictions.
The directive requires companies with 50 or more employees to set up internal reporting channels that maintain the confidentiality of whistleblowers and provide for certain follow-up measures, for example acknowledging the report and giving feedback within certain timeframes. The directive states that companies with fewer than 250 employees may share resources for receiving and investigating reports by whistleblowers. A point of uncertainty was whether a group level reporting channel would be sufficient to meet the directive’s requirements or whether each group company with 250+ employees would need to establish its own reporting channels and investigative function at a local level. The EU commission took the latter position, expecting that subsidiaries with 250 or more employees establish their own local reporting channels and investigation processes (although conceding that group wide channels could continue to operate alongside such local channels, giving employees a choice as to which route to use). This requirement for local arrangements poses major challenges for some businesses, which might not have fully-fledged compliance, HR and legal functions sitting in all of their local entities, or which might have deliberately chosen to operate a system providing for the central handling and oversight of whistleblowing investigations.
On the ‘group versus local’ issue, some of the national implementation laws have adopted the position of the EU commission and explicitly stipulate the requirement of decentralised reporting channels. The draft implementation law in Germany, on the other hand, provides for the possibility of central reporting channels at group level. These different interpretations pose considerable difficulties for corporations operating across Europe.
Although the directive encourages whistleblowers to report internally first, they can choose to report externally to public authorities and, if certain conditions are met, even the media. Companies are likely to prefer internal whistleblowing so that they hear of issues first and can take prompt steps to investigate (and to control any investigative process). They should therefore think about how to persuade whistleblowers to raise their issues internally, rather than externally. Operating (and being seen to operate) an efficient whistleblowing system, in which concerns are taken seriously, investigated promptly and appropriate feedback given, will be an important part of this process.
Protection of whistleblowers from retaliation is another important part of instilling confidence in an internal whistleblowing system. The directive provides for comprehensive protections for whistleblowers. Necessary measures are to be taken to prohibit any form of retaliation. Notably, if a report is made, the employer needs to prove that a subsequent detrimental decision (eg disciplinary action against the whistleblower) is not linked to the report, so in this respect the burden of proof is reversed in favour of the whistleblower. (For more details on the directive please see our previous blog post here.)
In the US, the US Anti-Money Laundering Whistleblower Improvement Act (“AML Whistleblower Improvement Act”) broadens the protections for whistleblowers regarding certain financial institutions, strengthens incentives for whistleblowers to report, and expands the scope of violations to include laws concerning US economic sanctions. The Act establishes enhanced monetary incentives for whistleblowers by establishing a minimum of a 10% award to a whistleblower of the amount recovered by the Government, when information leads to recoveries in excess of $1 million. The Act also created a $300 million “Financial Integrity Fund” for the payment of awards, comprised of monetary penalties collected by the Departments of Justice and Treasury and the investments of the fund.
The AML Whistleblower Improvement Act now defines ‘whistleblower’ as any individual who provides information relating to a violation to their employer, “including as part of the job duties of the individual” or to the Secretary of the Treasury or the Attorney General. This change could potentially include corporate auditors and compliance professionals, who did not typically qualify as whistleblowers under previous guidance. Additionally, by not requiring whistleblowers to be US citizens or US residents, foreign nationals of any country can anonymously and confidentially report violations and receive an award. The broad, bipartisan support for the Act suggests there may be increased enforcement actions initiated by whistleblowers by the Department of Treasury’s Financial Crimes Enforcement Network (FinCEN) and the Office of Foreign Assets Control (OFAC).
In other regions of the world regulators have become more active as well. For example, in the Middle East the Dubai Financial Services Authority (DFSA) launched a UAE Whistleblower protection reform in 2022, applicable to all DFSA regulated entities operating in or from the Dubai International Financial Center. The new regulation, which largely mirrors the UK FCA regime, provides enhanced legal protection to whistleblowers who report suspected misconduct internally and externally and obliges regulated entities to implement appropriate internal policies and procedures to facilitate such reporting. This is a positive step in transforming business cultural attitudes towards whistleblowing in the region.
Looking at the UK, we see some movement towards the FCA regime being considered the standard that non-financial services companies should also be aiming for in terms of their whistleblowing arrangements: for example, adopting whistleblowing policies, appointing a ‘whistleblowing champion’ with oversight of the organisation’s whistleblowing arrangements, and ensuring all stakeholders in the whistleblowing process receive regular training on the policies and handling whistleblowing reports.
Implications for Compliance programs
In view of the new legal frameworks emerging across the globe, companies must take steps to ensure that they are compliant with all relevant requirements, including establishing/revising reporting channels as well as policies and procedures that protect to the extent possible (or required) the confidentiality of whistleblowers and prohibit retaliation. At the same time companies need to consider how to deal with other - potentially diverging - requirements that exist or come up in specific areas such as in the financial services area or in recent supply chain laws. For example, the new German Supply Chain law requires companies to establish a complaints procedure for the reporting of human rights and environmental risks/violations. Finding the best way to implement all relevant procedures will be a challenge for many companies, particularly where their preference is to operate a globally consistent or centrally managed whistleblowing framework.
In order to encourage employees to use internal reporting channels rather than reverting to external channels or even the media, companies are well advised to build strong and robust reporting channels that employees are familiar with and have confidence in, ensuring easy access and strong confidentiality safeguards. Information and training on the company’s procedures and systems are key.
Crucially, whistleblower reports help companies to quickly identify risk-related issues and expose misconduct in the workplace and thus play an important role in any compliance program.