The Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) published policy statements setting out new rules on whistle-blowing which push its importance up the agenda. These set out a framework of regulatory obligations applicable to whistle-blowing in banks and insurers.

The confirmation of the new rules on October 6 follows the publication last February by the regulators of their proposed package of measures in respect of whistle-blowing in a joint PRA and FCA consultation paper.

Background and the growing regulatory significance of whistle-blowing

In the light of the financial crisis, and the strength of public and political concern regarding misconduct scandals in banking and financial services, the regulators are determined to ensure that there is a stronger whistle-blowing culture within the financial sector. This is part of their goal of changing the culture of banking and financial services.

Whistle-blowing in the sector has steadily increased in recent years, particularly to the regulators themselves. The FCA's 2014/15 annual report noted that its dedicated whistle-blowing team processed 1,340 cases in the year ending March 31, 2015, and that the number of cases they were dealing with had more than trebled over the past five years.

In 160 cases, the FCA shared information received from whistleblowers with external stakeholders including the National Crime Agency, police forces, HMRC, and other UK and overseas regulators. The FCA's annual report also confirmed that information from whistleblowers contributed to both enforcement and supervisory action in relation to firms and individuals, ranging from fines, variation or withdrawal of permissions, warning letters being issued and other early interventions, including using the information to seek clarification about activities.

However, the regulators want to encourage growing awareness internally at financial firms of whistle-blowing mechanisms and to foster greater protection for whistleblowers. In addition, they want to ensure accountability at the most senior level for the way whistle-blowing is handled and whistleblowers are treated.

There is no doubt that they have changed their approach to whistle-blowing and are giving it far greater priority following the stark findings of the Parliamentary Commission on Banking Standards, some of which were critical not only of the banking industry, but also the regulators themselves.

Which firms are affected?

The whistle-blowing rules will apply to deposit-taking firms (i.e. banks, building societies and credit unions) with £250 million or more in assets. They will also apply to PRA designated investment firms (i.e. the largest investment banks), insurance and reinsurance firms subject to the Solvency II directive, and to the Society of Lloyd's and managing agents. For other FCA regulated firms the rules constitute non-binding guidance.

Although UK branches of overseas banks and other firms are not subject to the new regime, they should take note of it as indicating what the regulators consider best practice to be. Further, the FCA intends to commence consultation soon on extending the rules to include UK branches of overseas bank.

They have also indicated that once their new rules have been in place long enough to assess their effectiveness they will consider introducing similar requirements to other regulated firms, for example stockbrokers, mortgage and insurance brokers, and investment and consumer credit firms.

Main requirements of the new rules

The main requirements of the new whistle-blowing rules that firms must implement by September 2016 are as follows.

  1. Firms must put appropriate internal whistle-blowing arrangements in place that are able to handle 'all types of whistleblowing disclosures from all types of persons'. This duty is very widely worded: it is far broader in scope than the existing regime for the employment law protection of whistleblowers as set out in the Public Interest Disclosure Act 1998 (PIDA). Unsurprisingly, it caused some concern in consultation.

In an effort to avoid misunderstanding the regulators have clarified that not all concerns raised by staff that could be categorised as 'whistle-blowing' will have to be handled by the whistle-blowing function. Firms can filter the reports they receive and redirect reports that are more suitable for another function, for example to HR. The PRA have confirmed they will only expect the whistle-blowing function to deal with genuine reportable concerns.

As employment law currently stands, a disclosure regarding a culture of bulling and harassment in a firm could qualify as whistle-blowing, but it is common sense that normally it will not be dealt with by regulatory, compliance or internal audit professionals. 

The requirement that whistle-blowing reports must be accepted 'from all types of persons' is also eye catching. The intention is to include a much broader range of individuals than qualify for employment law protection under PIDA, for example secondees, interns, volunteers, contractors and agency staff. Firms must also be prepared to accept whistleblowing disclosures from other third parties, such as the employees of suppliers or even competitors.  The regulators decided not to water this principle down despite some strong concerns raised in consultation. In relation to the inability of firms to offer protection to whistleblowers who are not employees and could be victimised by people outside the firm, they have stated that some steps can be taken, such as keeping disclosures confidential.

  1. Firms' whistle-blowing arrangements must be able to handle cases where the whistleblower has requested confidentiality or made an anonymous report. They must include reasonable measures to prevent victimisation of whistleblowers. Appropriate records must be kept of concerns raised and the outcome of whistle-blowing investigations.
  2. Firms must inform UK-based employees about the FCA and PRA whistle-blowing services. Their own internal whistleblowing procedure must ensure the effective assessment and escalation of reportable concerns by whistleblowers including where appropriate to the FCA or PRA. Firms must also require their appointed representatives and tied agents to tell their UK-based employees about the FCA whistle-blowing service.
  3. They must provide appropriate training for UK-based employees, managers of UK-based employees (including managers based abroad), and employees responsible for operating the whistle-blowing procedure.
  4. They must put text in settlement agreements explaining that workers remain entitled to blow the whistle even after leaving and signing a settlement agreement. Wording in employment contracts and settlement agreements should not deter staff from whistle-blowing.
  5. Firms must also present a whistle-blowing report to the board at least annually and inform the FCA if they lose an employment tribunal whistle-blowing claim.

There are two notable absences from the above list. First, there is no regulatory duty on staff to blow the whistle as such (although in practice many staff will have existing employment and regulatory duties to report and escalate significant concerns).

Secondly, there is no duty on firms to investigate whistle-blowing disclosures, although this duty is implicit given the purpose of the new rules and plainly firms will not be well advised to ignore whistle-blowing reports. (In addition, as previously announced, the UK's regulators are not introducing financial incentives for whistleblowers.

Whistleblowers' champion

Also notable is the requirement that by March 2016 firms must appoint a non-executive director as their whistleblowers' champion with responsibility for the effectiveness of whistle-blowing procedures. They will hold prescribed responsibility under the Senior Managers Regime for whistle-blowing, making them individually accountable to the regulators for failings. From March to September 2016 whistleblowers' champions must oversee the implementation of appropriate whistle-blowing procedures. Although their role is non-operational (in line with their status as a non-executive director) they will want to work closely with business units involved in implementing the new regime, including compliance and risk, and to receive regular updates on the progress being made by firms in preparation for the coming into force of the new regime.

Closing thoughts

The introduction of this new regime means that whistle-blowing continues to rise up the agenda for banks and insurers. The new senior managers and certification regimes (coming into force in March 2016) will also encourage whistle-blowing in the financial services sector.

The former aims to ensure that senior managers are accountable for any misconduct that falls within their areas of responsibility; the latter seeks to hold individuals to appropriate standards of conduct. It is expected that they will also make individuals more likely to take steps to report concerns, to protect their own position.

Firms will therefore need to devote greater resources to whistle-blowing procedures, but overall they should welcome the fact that the new rules announced by the PRA and FCA are primarily directed at internal whistle-blowing procedures, rather than external disclosures directly to the regulators.

Many firms will also conclude that these new rules reflect in large part established best practice in relation to whistle-blowing, with the extent of changes that firms need to make varying depending on how far their existing procedures already reflected best practice.

This article was first published on Complinet (Thomson Reuters).