Financial firms: revise whistleblowing policies for ‘new world’ of work

Out-Law Analysis | 07 Jul 2021 | 9:22 am | 4 min. read

With five months to go before new whistleblowing laws come into force across the EU, UK and European financial services employers should review their policies to ensure that they reflect new ways of working and international best practice.

The UK has indicated that it will not update domestic law to reflect the changes in the EU Whistleblowing Directive, which must be transposed by EU member states by 17 December 2021 (with some exceptions). However, UK-headquartered multinational firms will either have to reflect the changes in their global whistleblowing policy, or choose to adopt a jurisdiction-by-jurisdiction approach, particularly if some EU countries go further than required by the directive.

Businesses in Germany with a works council will need to enter into a consultation process before making any changes to their policies in light of the directive. This can take a number of months, and it is therefore important to ensure that sufficient time is built into implementation plans to allow this process to conclude.

Dr. David Stoppelmann

Partner

If you are a business in Germany and you have a works council, the business will need to enter into a consultation process before making any changes to policies. This can take a number of months.

Whistleblowing in the UK financial sector

The UK’s financial regulators use the term ‘whistleblowing’ to refer to the disclosure by certain stakeholders, including employees, of ‘reportable concerns’ about a wide range of actions by a regulated firm including regulatory breaches, systems and controls failings, breaches of policies and wider reputational or financial harm. Whistleblowers may make their allegations to other parties in the company – ‘internal’ whistleblowing – or to external regulators, law enforcement and, in more limited circumstances, the media.

This definition is in addition to, and much wider than, the protections applicable to workers generally who make protected disclosures under the Public Interest Disclosure Act.

Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) rules require the largest firms to put mechanisms in place to encourage their employees to raise concerns internally and to regulators. They are also required to appoint a senior manager as a ‘whistleblowers’ champion’, responsible for the effectiveness of these arrangements. Smaller firms are encouraged to put similar arrangements in place.

Dr Anne Sammon

Partner

FCA and PRA rules require the largest UK financial firms to put mechanisms in place to encourage their employees to raise concerns internally and to regulators.

UK law protects workers from ‘detriment’, including dismissal, in employment because they made a protected disclosure.

The EU Whistleblowing Directive

The EU ‘directive on the protection of persons who report breaches of Union law’ came into force on 17 December 2019, and member states have two years to implement its provisions into domestic law. It requires EU companies with more than 50 employees, and all legal entities in the public sector unless exempt under national law, to set up internal whistleblowing procedures, with guaranteed confidentiality for whistleblowers. Whistleblowers will also be able to make protected disclosures to competent authorities through external reporting channels, and to the media, where it is in the public interest to do so or no action is taken in response to reports through other channels.

The directive allows jurisdictions to remove the 50 employee threshold in certain circumstances. The Spanish government is considering doing this, which may mean the directive is of wider impact in Spain than in other jurisdictions.

The directive also contains measures applicable to all entities, regardless of size, which require them to protect the confidentiality of whistleblowers and to protect whistleblowers and those assisting them from retaliation.

The directive goes further than UK law and the FCA and PRA regime in a number of important respects.

Samuel González

Partner

The Spanish government is considering removing the 50 employee threshold, which may mean the directive has a wider impact in Spain than in other jurisdictions.

Investigation and feedback

The directive introduces time limits within which organisations and authorities that receive protected disclosures must handle whistleblowers’ reports, along with a new requirement to provide “feedback” to the reporting person on the outcome of the investigation. The entity must acknowledge receipt of the report within seven days and provide feedback within a reasonable timeframe “not exceeding three months from the acknowledgement of receipt” for internal reports.

Feedback is defined as “the provision to the reporting person of information on the action envisaged or taken as follow-up and on the grounds for such follow-up”.

Firms should be aware that, depending on the complexity of the complaint, three months may not be sufficient time in which to investigate. Over 50% of respondents to a recent poll by Pinsent Masons, the law firm behind Out-Law, anticipate that three months will not be sufficient. Given the timescales, there may need to be a triaging of complaints, for example based on level of seriousness, to allow these timescales to be met. Just under half of respondents to the same poll said that they do not currently triage complaints in this way.

Chris Evans

Senior Associate

Depending on the complexity of the complaint, three months may not be sufficient time in which to investigate. Over 50% of respondents to a recent Pinsent Masons poll anticipate that three months will not be sufficient.

Prohibition on retaliation

The prohibition on retaliation in the directive is not new: UK law, for example, already protects whistleblowers from detriment, up to and including dismissal. However, it is unlikely that many firms actively monitor this: 60% of respondents to the recent Pinsent Masons poll confirmed that such monitoring was not in place. Carrying out a review of your whistleblowing policy offers you an opportunity to do so.

Monitoring should not be carried out by line managers, as this could give rise to detriment claims. Instead, HR or a similar business function should regularly review historical whistleblowing reports to ensure that individuals who have raised a reportable concern have not later been penalised – for example, by having not been offered promotion, salary reviews or bonuses for which they are eligible.

Interestingly, article 19 of the directive lists examples of activities that could be considered “retaliation”, some of which are common HR processes, such as seeking psychiatric or medical referrals. If the whistle is blown during a complex employee management process involving sickness or grievance, these referrals will be common and it will be crucial to ensure that there is a clear separation between the respective internal processes and decision makers.

In France, if an employee’s dismissal is found to be because they have blown the whistle, their termination will be null and void. Compensation is likely to be very high, as no discount is given for other remuneration received since termination. The approach in France is therefore punitive as well as compensatory, and this is unlikely to change in light of the directive.

Valérie Blandeau

Partner, Head of Office, Paris

The approach to compensation in France is punitive as well as compensatory, and this is unlikely to change in light of the directive.

Confidentiality

Strict requirements in the directive around maintaining the confidentiality of the reporting person may create difficulties for the investigation.

The directive provides that the identity of the reporting person must not be disclosed “to anyone beyond the authorised staff members competent to receive or follow up on reports”, without that person’s explicit consent. The confidentiality obligations extend to “any other information from which the identity of the reporting person may be directly or indirectly deduced”.