New rules on whistleblowing have come into effect which impact certain Financial Conduct Authority (FCA) and Prudential Regulatory Authority (PRA) regulated financial services firms. The aim of these rules is to promote a change in workplace culture to encourage workers to raise concerns and challenge poor practices or behaviours.

These new rules came into effect on 7 September 2016. The changes are recapped below.

Which firms are obliged to implement these new rules?

The new rules apply to firms which are UK entities and which:

  • take deposits and have assets of £250 million or more (including banks, building societies and credit unions);
  • are PRA-designated investment firms; or
  • are insurance and reinsurance firms within the scope of the Solvency II Directive, the Society of Lloyd’s and managing agents.

Although the rules are not mandatory for other FCA and PRA regulated firms, they have non-binding guidance status and may be taken into account in the event of a regulator investigation into compliance or governance issues.

What are firms required to do?

Relevant firms must create and maintain an independent whistleblowing channel, i.e. a means through which disclosures can be made and are then effectively assessed and dealt with. The channel must permit anonymous and confidential disclosures and cannot be limited to matters which the firm believes would amount to ‘whistleblowing’. It must also be open to everyone, including the public. Complaints that would not amount to whistleblowing (for example employee grievances or customer complaints) can however be identified and then dealt with outside the firm’s whistleblowing regime. Whilst there is an obligation to promote the availability of the whistleblowing channel to the firm’s workforce, there is no equivalent obligation to promote its availability to the wider public.

Firms are also now obliged to make employees aware of the FCA and PRA’s services as an alternative to their own process. They can no longer instruct employees to raise matters internally before contacting the regulators, although they can still encourage them to do so.

However, importantly, these rules do not introduce a regulatory obligation on the firm’s staff to blow the whistle.

What are the obligations regarding staff training in respect of these new rules?

The workforce must receive bespoke training as follows:

UK based employees must receive training that includes the following:

  • A statement that the firm takes the making of reportable concerns seriously;
  • A reference to the ability to report reportable concerns to the firm and the methods for doing so;
  • Examples of events that might prompt the making of a reportable concern;
  • Examples of action that might be taken by the firm after receiving a reportable concern by a whistleblower, including measures to protect the whistleblower’s confidentiality; and
  • Information about sources of external support such as whistleblowing charities.

Managers of UK based employees must receive training that includes the following:

  • How to recognise when there has been a disclosure of a reportable concern by a whistleblower;
  • How to protect whistleblowers and ensure their confidentiality is preserved;
  • How to provide feedback to a whistleblower, where appropriate;
  • Steps to ensure fair treatment of any person accused of wrongdoing by a whistleblower; and
  • Sources of internal and external advice and support on the matters referred to above.

Note that this requirement applies even if the managers are not based in the UK.

Employees with responsibility for operating the firm’s internal whistleblowing arrangements must receive training that includes how to:

  • Protect a whistleblower’s confidentiality;
  • Assess and grade the significance of information provided by whistleblowers; and
  • Assist the whistleblowers’ champion when required.

How do these rules fit in with the Senior Manager/Certificate Regime?

These rules are designed to work in conjunction with the Senior Manager/Certificate Regime. This means that detrimental treatment of a whistleblower will impact on the FCA/PRA’s assessment of the firm’s suitability status and the assessment of the individual culpable for the detrimental treatment as a fit and proper person.

Is there anything else affected firms need to be aware of?

  • Whistleblowers’ Champion. As we previously reported, relevant firms also need to appoint a whistleblowers’ ‘champion’ (ordinarily a non-executive director, but otherwise a “senior manager” within the FCA or PRA regimes). The designated “Champion” is tasked with oversight of the whistleblowing policies and procedure and filing an annual report to the Board, to be made available to the FCA or PRA on request.
  • Settlement agreements. A statement must now be included in settlement agreements stating that the agreement does not prevent the individual from making a protected disclosure. This will likely already be familiar to clients operating in the US financial services sector. Further, the agreement must not contain any promise from the employee that they have not made a protected disclosure or know of any information which could lead to such a disclosure being made.
  • Tribunal claims. If the firm loses a “whistleblower” claim (i.e. an employment tribunal claim that a member of staff was subjected to a detriment or unfairly dismissed for “blowing the whistle”) then this must be reported to the FCA/PRA, as appropriate.


In practice, many firms will already have robust whistleblowing procedures in place, in particular where they are subject to Sarbanes-Oxley. Firms should however review their current procedures to check they do comply with the specifics of these new rules - in particular the fact the whistleblowing channel should be open to the public, and the new staff training obligations that may include some non-UK managers. Adequate systems will need to be put in place to identify those UK and non-UK employees who will need to be trained (and flag up where employees, such as US managers, move into roles where training is required) and to keep a record of what has been delivered. Finally, as noted above, even if certain FCA/PRA regulated firms are not obliged to implement these new rules, they must still be treated as non-binding guidance meaning that they may in fact start to become the norm in the financial services sector.