Out-Law Guide

Whistleblower protection laws: a guide to international requirements


Whistleblowing complaints are growing in frequency all over the world and in all kinds of organisations.

Governments around the world increasingly view whistleblowing as an excellent source of information in the drive to improve regulatory compliance and accountability. As a result, many jurisdictions now have, or are planning, legislation guaranteeing whistleblower protection in an effort to encourage more employees to come forward with evidence of wrongdoing. 

This means that organisations must be prepared to deal with whistleblowing complaints in a timely, efficient and effective manner. Responsible businesses should ensure that they have in place policies and procedures for dealing with whistleblower complaints.

In some jurisdictions, including in EU member states, such provisions are already required. Even where provisions are not required, companies that have them demonstrate a culture and commitment to compliance.

This guide explains the key requirements and protections offered by legislation in various jurisdictions, including an overview of the position in the EU.

  • United Kingdom

    Legal requirements

    There are no positive obligations on UK employers to encourage whistleblowing or to implement a whistleblowing policy. However, guidance from bodies like HM Revenue and Customs (48 pages / 693KB PDF), the Department of Business Innovation and Skills (13 pages / 95.5KB PDF) and the Ministry of Justice (45 pages / 389 KB PDF) recommends implementation of whistleblowing procedures or “speak up” policies to support and ensure compliance.

    The existence of a whistleblowing policy can demonstrate an organisation’s commitment to listen to employees and encourage an open environment. When employees feel able to speak up if failings are noticed, employers can avoid further misfeasance and maximise the potential to protect their reputation.

    Among other things, government guidance recommends that a whistleblowing policy facilitates anonymous reporting, takes reasonable steps to maintain confidentiality where requested, and clearly and consistently deals with all whistleblowing reports.

    A whistleblowing policy should also contain a commitment to emphasise that victimisation of whistleblowers is not acceptable. Training should also be provided to all staff on the key provisions of the policy. The Advisory, Conciliation and Arbitration Service (ACAS) has published additional guidance about the law on whistleblowing in the UK.

    Although the UK is not obliged to implement the terms of the EU’s Whistleblower Directive (see below), its terms remain relevant – particularly for UK-headquartered multinational firms. These companies will either have to reflect the differences in their global whistleblowing policy or choose to adopt a jurisdiction-by-jurisdiction approach, especially if some EU countries go further than required by the EU’s Whistleblower Directive.

    Despite there being no positive obligation to have in place whistleblowing policies and procedures, whistleblowers are granted certain protections in the UK. These are contained in provisions inserted into the 1996 Employment Rights Act (ERA) by the 1998 Public Interest Disclosure Act (PIDA).

    In March 2023 the UK government announced a review of the whistleblowing framework, designed to examine its effectiveness and inform policy decisions on improvements. It is expected that the review will be completed by autumn 2023.

    Whistleblowing rules for UK financial services

    There are some additional requirements on those in the UK financial services sector. The Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) rules require the largest firms to put mechanisms in place to encourage a culture in which individuals raise concerns and challenge poor practice and behaviour. Smaller firms are encouraged to put similar arrangements in place.

    The rules require a firm to:

    • appoint a Senior Manager as their whistleblowers’ champion;
    • put in place internal whistleblowing arrangements able to handle all types of disclosure from all types of person;
    • put text in settlement agreements explaining that workers have a legal right to blow the whistle;
    • tell UK-based employees about the FCA and PRA whistleblowing services;
    • present a report on whistleblowing to the board at least annually;
    • inform the FCA if it loses an employment tribunal with a whistleblower; and
    • require its appointed representatives and tied agents to tell their UK-based employees about the FCA whistleblowing service.

    Listed companies

    The 2018 UK Corporate Governance Code (20 pages / 268KB PDF) imposes obligations on premium listed companies. Under ‘Section O’ in the code, the board of each premium listed company is required to “establish procedures to manage risk” and “oversee the internal control framework”. Whistleblowing arrangements are included in these internal controls.

    Whistleblower protections

    Protection is provided for those who make a “qualifying disclosure” of information which is also a “protected disclosure”. Protection is only available if:

    • a qualifying disclosure of information is made; and
    • this is made in accordance with various statutory mechanisms for disclosure.

    Qualifying disclosure

    A qualifying disclosure is any disclosure of information which, in the reasonable belief of the worker making the disclosure, is made in the public interest and tends to show one or more of the following:

    • criminal offences;
    • breach of any legal obligation;
    • miscarriages of justice;
    • danger to the health and safety of any individual;
    • damage to the environment; and
    • the deliberate concealing of information about any of the above.

    Protected disclosure

    For a qualifying disclosure to also be a protected disclosure, it must be made to:

    • the worker's employer;
    • the person responsible for the relevant conduct – if the worker reasonably believes that the person is solely or mainly responsible for the relevant conduct, or if the complaint relates to a matter which is the legal responsibility of that person and not the employer;
    • legal advisers;
    • government ministers – if the worker is employed by an individual or body appointed under any enactment; or
    • a person prescribed by an order made by the secretary of state.

    Wider disclosure may also be protected provided that rigorous conditions are met. For example, the worker must reasonably believe that the information disclosed, and any allegation contained in it, are substantially true. In addition, the disclosure must not be made for the purposes of personal gain – although rewards offered under statute, for example by HM Revenue and Customs, are allowed.

    The worker must also:

    • have previously disclosed substantially the same information to their employer or to a prescribed person; or
    • reasonably believe, at the time of the disclosure, that they will be subjected to a detriment by their employer if they disclose the matter to the employer or to a prescribed person; or
    • reasonably believe, where there is no prescribed person, that material evidence will be concealed or destroyed if a disclosure is made to the employer.

    Additionally, in all the circumstances of the case, it must be reasonable for the disclosure to be made. These rules may be relaxed in exceptionally serious cases.

    Key protections

    The UK ERA creates two levels of protection for whistleblowers: dismissal and detriment. Under the ERA, the dismissal of an employee will be automatically unfair if the reason, or principal reason, for their dismissal is that they have made a "protected disclosure". The Act also protects workers from being subjected to any detriment on the ground that they have made a protected disclosure.

    Both of these rights are available from day one of employment, with no qualifying period of employment or work needed before the individual may bring a claim. Where a protected disclosure of information is made to someone other than the employer there can be no breach of any express or implied contractual duties.

  • The European Union

    Legal requirements

    In October 2019 the EU passed its Whistleblower Directive (40 pages / 1.39MB PDF), which details various obligations on employers to establish whistleblowing reporting channels, practices and procedures, as well as granting protections to whistleblowers. It describes minimum requirements and protections as well as timescales.

    The Whistleblower Directive does not contain an obligation to accept and act on anonymous reports, although there are other pre-existing obligations affecting particular industries. EU member states are free to make their own requirements on this subject, although anonymous whistleblowers who meet the requirements of the Whistleblower Directive must be protected if their identity is revealed.

    Reporting channels

    Under the Whistleblower Directive, companies with more than 50 workers must establish reporting channels and procedures for receiving and following up on reports of violations of EU law. Companies with 250 or more employees should have had these in place by 17 December 2021, while companies with between 50 and 249 employees have until December 2023 to comply.

    Whistleblowers can choose whether to report violations internally or to competent authorities through external reporting channels. Reporting channels must:

    • be independent;
    • be adequately resourced;
    • ensure confidentiality of the identity of the reporting person and any third party mentioned in the report; and
    • be accessible only by authorised personnel.

    While the reporting function may be outsourced to an externally operated channel, the extent of the external provider’s role is limited, and any follow up investigation must still be carried out by the company. A parent company, or any other company within the group, will not be considered as an external third-party provider.

    Information on reporting channels must be clear and easily accessible, for example by posting at a visible location on the company’s website, and included in the company’s code of conduct and ethical guidelines, as well as in courses and training seminars on ethics and integrity.

    The Whistleblower Directive requires each legal entity with 50 or more workers within a group to establish channels and procedures for internal reporting. While group-level reporting channels can support those available for each group entity, they cannot be the only option. Local proximity and accessibility of reporting channels to workers is a key requirement. Workers must be given access to a reporting channel local to their place of work, although it is for a whistleblower to decide whether to report locally or at group level.

    Companies in the private sector with 50 to 249 workers may share resources for the receipt of reports and any investigation to be carried out, for example by operating a joint internal reporting channel. For companies in the private sector with 50 to 249 employees, investigations may be conducted by a parent company if certain conditions are met, including that the whistleblower is given the right to object to the parent company investigating.

    Public disclosure

    There are strict conditions to be met for protection to be available following public disclosure. These include that:

    • internal external reporting has been attempted; and
    • there is reasonable anticipation of immediate endangerment of public interests; or
    • there is a risk of retaliation or low prospects of the breach being effectively addressed.

    Whistleblower protections

    Reporting persons are protected if:

    • they had reasonable grounds to believe that the information reported or disclosed was true or correct when they reported; and
    • reports were made through designated internal or external channels.

    Public disclosures are protected only in specified circumstances. There is a presumption that retaliatory action has taken place if the whistleblower asserts that they have suffered any damage, with the person accused of taking detrimental action having to “demonstrate that the action taken was not linked in any way to the reporting or the public disclosure”.

    Key protections

    Key protections for whistleblowers include:

    • hindrance – whistleblowers must not be prevented or dissuaded from reporting including by threatening, intimidating, or frightening;
    • identity – with limited exceptions, a whistleblower’s identity, and that of any third party named in their report, must remain confidential;
    • retaliation – retaliation measures against whistleblowers are prohibited; and
    • access to legal remedies and compensation – whistleblowers must have access to free advice and suitable remedies in the event of retaliation, such as workplace harassment or dismissal.

    EU member states must provide for sanctions for breach of the protections as well as for those who knowingly make false reports.

  • Germany

    Legal requirements

    The Whistleblower Protection Act (WPA) came into force on 2 July 2023. In addition to the violations of EU law covered by the Whistleblower Directive, the WPA extends the requirement to include breaches of criminal laws, as well as certain administrative laws protecting life and limb, health or the rights of employees and their representative bodies, if and to the extent a violation of such administrative law carries administrative fines.

    Reporting channels

    Enterprises with 50 employees or more must establish an internal reporting office and procedures for receiving and following up on reports of legal violations in scope of the WPA. While enterprises with 50 to 249 employees have until 17 December 2023 to comply, those with at least 250 employees had until 2 July 2023. 

    Specified enterprises in the financial sector must meet the 2 July 2023 deadline, regardless of the number of employees. Anonymous reports "should" be processed, but there is no legal obligation to do so. Reporting channels do not have to enable anonymous reporting.

    Whistleblowers are generally free to decide whether they first contact an internal reporting office or go directly to an external reporting office. Public disclosure will attract protection where the whistleblower has first reported the violation to the external reporting office and the external reporting office has not taken appropriate follow-up measures within three months or has failed to inform the whistleblower accordingly.

    In addition, the protection also applies if there are sufficient reasons to assume that there is a threat to the public interest, a fear of reprisals or a lack of prospect of the case being resolved.

    Key whistleblower protections

    Whistleblowers who meet the conditions of reasonable belief in the truth and accuracy of their report and report through permitted channels are protected from retaliation or the threat of retaliation. Retaliation includes:

    • dismissal or refusal of promotion;
    • changes in the transfer of tasks;
    • disciplinary measures; or
    • discrimination or bullying.

    In the event of a violation of the prohibition of retaliation, the whistleblower must be compensated for the resulting damage. The burden of proof that a retaliation was not based on a report is shifted to the company, if raised by the whistleblower.

    Except in certain circumstances, the identity of the whistleblower, and of any persons named in their report, must remain confidential. However, the identity of a whistleblower who intentionally or grossly negligently reports incorrect information about violations is not protected under the WPA.

    The WPA permits the disclosure of information on the identity of whistleblowers at the request of the law enforcement authorities in criminal proceedings, on the basis of an order in an administrative procedure following a report or on the basis of a court decision. It also permits the disclosure of information about the whistleblower if this is necessary for follow-up measures or if the whistleblower has previously consented to the disclosure.

  • Spain

    Legal requirements

    A 2022 transposition law regulating the protection of persons reporting on infringements, anti-corruption and regulations transposes the Whistleblower Directive into Spanish law. Passed in February 2023, the transposition law came into force on 13 March 2023, with a further period allowed to enable compliance.

    The transposition law applies to companies in the private sector with 50 or more workers and to public organisations of any size. Regardless of their size, it also applies to all political parties, trade unions and business organisations, as well as the foundations that depend on them, which receive public funds for their financing.

    The transposition law contains a broader scope of reportable concerns than in the Whistleblower Directive, extending to other misconduct of general interest, including in particular infringements affecting the public treasury which seriously harm the financial interests of the state or that significantly alter the objective action and impartiality of public bodies involving corrupt practices.

    Anonymous reporting is permitted under the transposition law, and particular sectors in Spain, including the financial services sector, also have in place their own whistleblowing requirements. 

    Reporting channels

    Responsibility for establishing reporting channels lies with the entity’s directors or board of directors in consultation with the legal representatives of workers. Internal channels must:

    • be designed, established, and managed in a secure manner;
    • ensure the confidentiality of the identity of the informant and any third party mentioned in the communication; and
    • ensure data protection and prevent unauthorised access.

    Entities are also required to give clear and accessible information on external reporting channels including to competent authorities and, where appropriate, to other EU institutions or bodies.

    Whistleblower protections

    The transposition law provides for the protection of individuals disclosing information or facts in good faith and where they are reasonably considered to be true.

    Key protections

    Key protections for whistleblowers, according to EU guidelines, include a prohibition on retaliation, threats or attempts at retaliation. This includes:

    • dismissal;
    • negative references in the workplace;
    • suspension of contracts;
    • intimidation;
    • unfavourable treatment; and
    • reputational damages.

    There is a rebuttable presumption in favour of the whistleblower who suffers damage, so that the burden of proof is reversed should they claim damages for infringement of their rights, and they will be entitled to support and advice from the Independent Authority for the Protection of Whistleblowers. Whistleblowers who self-report misconduct in which they have participated can expect to be treated with some leniency.

    The Independent Authority for the protection of persons reporting on infringements must provide support and effective protection measures to whistleblowers. It must provide comprehensive, accessible, free information and advice on that support and protection. Exceptionally, it can also provide whistleblowers with financial and psychological support.

  • France

    Legal requirements

    A French transposition law, which came into force on 1 September 2022, transposes the Whistleblower Directive into French national law and modifies the 2016 ‘Sapin II’ law – which had previously unified the status of whistleblowers in France. 

    The French transposition law covers disclosures about:

    • crimes or offences;
    • threats or prejudice to the general interest; and
    • violations, or attempts to conceal a violation, of an international commitment duly ratified or approved by France, of a unilateral act of an international organisation adopted on the basis of such a commitment, or of EU or French legislation and regulation.

    Reporting channels

    Internal reporting channels must be established by state administrations and public and private entities with over 50 employees, though exclusions are in place for certain small municipalities. Entities in scope must have in place policies and procedures detailing the internal procedure for making a whistleblower report. 

    Internal channels must be accessible to eligible whistleblowers; must make provision enabling submission of reports in writing and/or orally and must set out a timeline for acknowledgement and follow-up. They must also:

    • be designed, established, and managed in a secure manner;
    • guarantee the integrity and confidentiality of the data collected; and
    • ensure data protection and prevent unauthorised access.

    Anonymous reporting is permitted. Entities are also required to give clear and accessible information on external reporting channels including to competent authorities and, where appropriate, to other EU institutions or bodies.

    Public disclosures may qualify for protection where the person wishing to disclose the information meets the criteria of a whistleblower and:

    • the whistleblower has referred the matter to an external authority which has not provided an appropriate response within the required timeframe;
    • in the event of serious and imminent danger for reports that do not concern information obtained in a professional context;
    • in the event of imminent or obvious danger to the general interest, in particular when there is an emergency situation or a risk of irreversible harm, for reports concerning information obtained in a professional context. This criterion is slightly more flexible than the criterion of serious and imminent danger; or
    • if the whistleblower risks reprisals by referring the matter to the external authority or if the authority cannot effectively remedy the subject of the report, in particular if evidence can be concealed or destroyed or if there are serious reasons to believe that the authority is in a conflict of interest, in collusion with the perpetrator of the facts or implicated in these facts.

    Whistleblower protections

    To benefit from legal protection as a whistleblower, the reporter must:

    • be a natural person;
    • act in good faith and without direct financial compensation; and
    • if the information reported was obtained outside a professional context, the whistleblower must have had personal knowledge of it.

    Key protections

    If the person meets the definition of a whistleblower and has complied with the reporting rules laid down by law, then:

    • it is forbidden to force or incite a whistleblower to renounce his or her status as a whistleblower;
    • it is forbidden to subject whistleblowers to reprisals in connection with their whistleblowing. Retaliation may take the form of any measure subsequent to the whistleblowing, such as dismissal, suspension, lay-off, reduction in remuneration, disciplinary action or discrimination;
    • outside the workplace, no right, licence or permit may be refused or withdrawn from a whistleblower; and
    • whistleblowers may not be subjected to or threatened with harassment or intimidation.

  • Australia

    Legal requirements

    Australia’s whistleblowing regime is found in the 2001 Corporations Act, the 1953 Taxation Administration Act (TAA), and the 2019 Treasury Laws Amendment (Enhancing Whistleblower Protections) Act.

    The Corporations Act provides for whistleblower rights and protections, requires companies to implement a whistleblowing policy and imposes certain obligations, in respect of the whistleblower protection provisions, on the auditors and company officers.

    Under the Corporations Act, all public companies, large proprietary companies, foreign corporations and trading or financial corporations must have a compliant whistleblowing policy. A company will be classified as a ‘large proprietary company’ if it satisfies two of the following requirements:

    • the consolidated gross operating revenue of the company and the entities it controls, if any exist, for the financial year is AUD50 million or more;
    • the value of the consolidated gross assets of the company or the entities it controls, if any exist, at the end of the financial year is AUD25m or more; and
    • the company and any entities it controls have 100 or more employees at the end of the financial year.

    Reporting channels

    In Australia, a whistleblowing policy must include a range of internal and external disclosure options, with information on how to access each available option, together with clear instructions on how to make a disclosure through those options. The options should allow disclosures to be made confidentially, securely and outside of business hours. 

    Subject to the options available, a whistleblowing policy may include the following:

    • information on how to contact the company’s eligible recipients in person or through post or email;
    • the telephone number for the company’s internal whistleblower hotline or the company-authorised external hotline; or
    • a link to the company-authorised external whistleblower platform.

    A company’s policy must include a statement advising that disclosures can be made anonymously and still be protected under the Corporations Act.

    Whistleblower protections

    A whistleblower is protected against detrimental conduct and will be entitled to anonymity if:

    • they have made a qualifying disclosure of information;
    • the whistleblower is an eligible whistleblower; and
    • the disclosure is made to an eligible recipient.

    A ‘qualifying disclosure’ is any disclosure of information from an eligible whistleblower who has reasonable grounds to suspect that the information being disclosed concerns misconduct or an improper state of affairs or circumstances in respect of a company or organisation.

    ‘Reasonable grounds’ means that a reasonable person, in the position of the eligible whistleblower, would also suspect that the information being disclosed indicates misconduct or a breach of law. This information can be about the company or organisation, or an employee or officer of the company or organisation, engaging in conduct which constitutes:

    • an offence against, or breach of the Corporations Act, the 2001 Australian Securities and Investments Commission Act, the 1959 Banking Act, the 2001 Financial Sector (Collection of Data) Act, the 1973 Insurance Act, the 1995 Life Insurance Act, the 2009 National Consumer Credit Protection Act, or the 1993 Superannuation Industry (Supervision) Act;
    • an offence against any other law of the Commonwealth of Australia punishable by imprisonment for a period of 12 months or more; or
    • a danger to the public or the financial system.

    Eligible whistleblower

    An eligible whistleblower is someone who is, or has been:

    • an officer or employee of the company, such as current and former employees who are permanent, part-time, fixed-term or temporary, interns, secondees, managers and directors;
    • a supplier of goods or services to the company, whether paid or unpaid, including their employees;
    • an individual who is an associate of the company;
    • a relative, dependent, or spouse of any of the above; or
    • an individual prescribed by the 2001 Corporations Regulations as being an eligible whistleblower in relation to the company.

    Eligible recipients

    To receive protection, a whistleblower must make the qualifying disclosure to an eligible recipient, which includes:

    • a director, company secretary or senior manager of the company;
    • an auditor, including both internal and external auditors;
    • an actuary of the company;
    • a person authorised by the company to receive such disclosures;
    • the Australian Securities and Investments Commission (ASIC);
    • the Australian Prudential Regulation Authority (APRA);
    • a Commonwealth body nominated for this purpose in the 2001 Corporations Regulations;
    • a legal practitioner, if the whistleblower is seeking legal advice on whether the protections apply to them; and
    • a journalist or member of the Commonwealth parliament or a state or territory parliament, but only in limited circumstances.

    Key protections

    Key protections for eligible whistleblowers include anonymity. A company cannot disclose the identity of the whistleblower or any information that might be likely to lead to the identification of that individual. The company must also take reasonable steps to ensure that such information is not disclosed without the whistleblower’s consent – except that the company can report the information to regulators or law enforcement or to a lawyer to seek advice on whistleblower protections.

    Information likely to lead to identification of the individual can also be disclosed where it is reasonably necessary for the purposes of investigating, provided that all reasonable steps are taken to reduce the risk of identification. Reasonable steps could include, among other things, removing the whistleblower's name, position title, team and other identifying details from their disclosure.

    A company must also not cause or threaten detriment to a whistleblower because of a suspected or actual qualifying disclosure. This includes conduct by an employee or officer of the company where that employee or officer:

    • aids, abets, counsels or procures the detrimental conduct;
    • induces, whether by threats, promises or otherwise, the detrimental conduct;
    • in any way, by act or omission, directly or indirectly, is knowingly concerned in, or party to, the detrimental conduct; or
    • conspires with others to effect the detrimental conduct.

    Even where a person has not in fact made a qualifying disclosure, they will receive protection from detrimental conduct where another person threatens detriment because they believe or suspect that a qualifying disclosure has been made by the first person.

    An individual or company might cause detriment to a whistleblower employee if they:

    • dismiss that employee;
    • injure that employee in their employment;
    • alter the employee’s position or duties to their disadvantage;
    • discriminate between that employee and other employees of the same employer;
    • harass or intimidate that employee;
    • harm or injure that employee, including psychological harm; or
    • damage the employee’s property, reputation, business, financial position, or cause any other damage.

  • The United Arab Emirates

    Federal framework

    Currently, there are no federal law provisions in the United Arab Emirates (UAE) specifically relating to whistleblowing protections or obligations. Notwithstanding this, under the Federal Decree Law No. (31) of 2021, there is a positive obligation on all individuals to report criminal conduct.

    However, this could potentially pose a problem for employees who are under a statutory obligation to maintain confidentiality in relation to their employment under Article 16 of the 2021 UAE Labour Law. There is nonetheless a form of protection under the UAE Labour Law, which provides that an employee’s termination resulting from the employee filing a complaint to the Ministry of Human Resources and Emiratisation, or filing a case against them, qualifies as unlawful termination.

    The recourse afforded to employees under the UAE Labour Law for unlawful termination in such an event, provided that the Labour Court finds the termination to be unlawful, is the award of up to three months’ total salary in compensation. Separately, there is sector-specific legislation in the UAE, for instance in the banking sector, which offers protection to whistleblowers.

    The Central Bank of the UAE (CBUAE) has set up an online whistleblowing portal where reports can be submitted anonymously. The CBUAE Whistleblowing policy sets out a non-exhaustive list of matters in respect of which individuals may make reports, including concerns of:

    • fraud, corruption and bribery;
    • profiting from confidential information in trading or other income generating activity;
    • disclosure or leak of restricted information;
    • unfair favouritism of a particular financial institution or contractor;
    • overstepping official delegation of authority to achieve a private gain;
    • failure to abide by legal and regulatory obligations;
    • discrimination or harassment;
    • violation of CBUAE Code of Conduct;
    • endangering health and safety; or
    • covering up wrong-doing.

    Under the CBUAE Whistleblower Policy, whistleblowers are offered protection against threats and retaliation whereby they can make a report with their compliance unit. This unit must subsequently prepare a formal report along with recommendations as to the appropriate course of action and temporary measures to the governor of the CBUAE.

    The UAE Federal Tax Authority (FTA) has also launched a whistleblower program for tax violations and evasions, known as the ‘Raqeeb’ program. An informant under the Raqeeb program is defined as a natural person who informs the FTA that a natural or legal person – defined as an organisation, entity, or company – is conducting illegal activities in respect of tax, or did not fulfil its tax obligations.

    Informants cannot submit complaints anonymously, but their identity will remain confidential and protected by the FTA. Informants under this program are eligible for monetary reward for reporting tax evasion.

  • Dubai

    Legal requirements

    Currently, the only Emirate offering specific statutory protections for whistleblowers is the Emirate of Dubai. These protections were introduced by the 2016 Dubai Financial Crime Law, which only applies within Dubai.

    The UAE also has a number of free zones which have their own legal systems, including most notably the Dubai International Financial Centre (DIFC) and the Abu Dhabi Global Markets (ADGM). The DIFC laws also offer explicit protections for whistleblowers. The ADGM has also issued ‘Guiding Principles on Whistleblowing’ in December 2022, which is a non-binding set of principles that can assist entities in the ADGM in implementing a whistleblowing infrastructure reflective of global practices.

    Reporting channels

    The Dubai Financial Services Authority (DFSA) regulates financial services conducted in or from the DIFC. In April 2022 it launched a new regime for whistleblowing which requires all DFSA regulated entities in the DIFC to put in place effective internal whistleblowing policies and procedures. The DFSA recommends that the policies cover:

    • internal arrangements to allow for the disclosure of regulatory concerns;
    • adequate procedures to deal with, assess and escalate whistleblower reports within the entity and, where appropriate, to the DFSA or any other relevant authority;
    • reasonable measures to protect the identity and confidentiality of the whistleblower;
    • reasonable measures to protect the whistleblower from suffering any detriment or dismissal;
    • procedures to provide feedback to the whistleblower, where appropriate; and
    • measures setting out how the entity will manage any conflicts of interest and the fair treatment of any individual accused of committing a breach by a whistleblower.

    The policies and procedures put in place by the DFSA-regulated entities should be appropriate to the nature, scale and complexity of that entity’s business and must be reviewed periodically to ensure they are adequate, effective and up to date.

    The DFSA has set up an email address dedicated to receiving whistleblowing reports. Whistleblowers can submit any information on regulatory breaches regardless of whether or not an internal report has been made within the company.

    Whistleblower protections

    Under the Dubai Financial Crime Law, for a whistleblower to be protected the whistleblowing report must be true; related to an activity that may affect the economic security of Dubai; and made to the Dubai Centre for Economic Security (DESC).

    The protection only applies, however:

    • when the information provided by a whistleblower creates a “reasonable suspicion” that a regulated entity, or an officer or employee of the regulated entity, has breached legislation administered by the DFSA or engaged in money laundering, fraud or another financial crime; and
    • the disclosure is made in “good faith”.

    It is for the person making the disclosure to establish that these tests are met in order to receive protection.

    Key protections

    An employee who makes such a disclosure to the DESC will be protected against disciplinary action in their workplace and must not be subject to mistreatment or discrimination, including employment dismissal. The DESC is authorised to afford any whistleblower the 'necessary protection', which may include protection at the reporter's home address, keeping information about their identity or location confidential, protection in the reporter's workplace and making sure they face no discrimination or mistreatment as a result.

    Employees who make disclosures will also not be deemed to be in breach of any non-disclosure or confidentiality agreement signed and entered into with their employer. However, whistleblowers risk falling foul of the UAE’s far-reaching privacy laws should they share confidential company information, even inadvertently, as part of the disclosure.

    In practice, if an employee were to be dismissed for whistleblowing, this would be an unfair dismissal. Companies are also prohibited from causing any detriment to their employees for reporting a wrongdoing, whether internally or externally.
