Legal compliance and risk management is at the forefront of the corporate agenda as never before for both Middle East based employers and global multinationals. Increased legislation with international implications designed to stamp out corruption and bribery has lead many employers to introduce employee codes of conduct as well as whistleblowing procedures and policies. In this update, we examine the need for such policies, the potential legal obligations on employers operating in the UAE and practical issues in managing employees who highlight wrong doing in the workplace.
Anti-bribery and corruption legislation
Organisations operating in the UAE (including employees and directors) could find themselves subject to legal proceedings under the following (we have sought to highlight the main provisions):
- UAE Federal Law No.3 of 1987, as amended, (the Penal Code) prohibits the promise, offer or provision of anything of value to a public official or civil servant or any other person charged with a public service (including a person working in the private sector but who is carrying out a public function) in exchange for the performance of any act (or refraining from performance of any act) in contravention of that person’s official obligations. The Penal Code imposes custodial sentences and fines on individuals found to be committing the above acts. The UAE has also formally ratified the United Nations Convention Against Corruption 2003.Similarly, Law No 4 of 2002 and Decree Law No. 4 of 1979 concerning the Prevention of Deceit and Fraud in Commercial Transactions effectively criminalises fraud and money laundering. Decree Law No. 1 of 2004 concerning the Control of Terrorist Crimes takes liability one step further and penalises those who fail to report certain crimes.
- The UK’s Bribery Act 2010 (the Bribery Act) prohibits the giving and taking of bribes and the making of facilitation payment, and also creates a corporate offence where an organisation fails to prevent bribery. This means that organisations are criminally responsible for bribes made on their behalf by “associated persons”, whether they know about them or not. An associated person is defined broadly as any “person who performs services for or on behalf” of the organisation, and need not even be an employee, agent or subsidiary of the organisation.The scope of the Bribery Act extends to cover overseas organisations, where they have a “connection” to the UK and the act of bribery can take place anywhere in the world. An organisation’s connection with the UK can be minimal – for example, if the act is carried out by a British citizen who is a sub-contractor and therefore is “associated” with the organisation.A business does however have a defence if it can show that it had in place “adequate procedures” designed to prevent bribery, which would include having effective whistleblowing procedures that encourage the reporting of bribery. More information on the Bribery Act and its provisions can be found here.
The anti-bribery provisions of the US Foreign Corrupt Practices Act 1997 (FCPA), make it illegal to offer, promise or provide money (or anything of value) to foreign government officials for the purposes of obtaining or retaining business. The FCPA applies to two broad categories of persons:
- those with formal ties to the US for example an entity listed on the SEC (with a subsidiary in the Middle East). This also covers a broader category, encompassing any individual who is a citizen, national or resident of the US; and
- those who take action in furtherance of a violation while in the US. For example, if a foreign company or foreign national directly or indirectly engages in any act in furtherance of a corrupt payment while in the territory of the US. For further information on the US compliance framework click here.
The extra-territorial application of the UK and US regimes means that employers in the UAE may face prosecution and associated liabilities in the UK and the US in respect of malpractice that occurs in the Middle East. It is therefore critical that processes are put in place to identify risks at an early stage as well as to manage employees who raise allegations of corporate wrong doing.
Importance of codes of conduct and corporate policy
Essentially, legislation such as the FCPA and the Bribery Act seek to define the remits and set the agenda for good business practice. Against this background, a corporate Code of Conduct fulfils a number of functions including:
- assisting in preventing regulatory breaches, fraud or other financial scandals;
- setting out clear expectations of employees and parameters for acceptable conduct which can be used as a basis for disciplinary action if necessary;
- providing a framework for employees to raise allegations of corporate wrong doing internally and managing those employees once allegations are raised; and
- providing evidence of the importance the organization places on compliance and the steps it has taken to prevent breach and protect employees raising allegations. Such steps will often be taken into account by regulators when investigating and considering sanctions for a potential breach.
Protection for whistleblowers
In order to enhance anti-bribery and corruption laws, many jurisdictions have provided protection for employees who highlight wrong doing in the workplace. In the US, the Sarbanes Oxley Act of 2002 provides protection for employees of public companies who raise complaints of fraudulent conduct; and the Dodds-Frank Wall Street Reform and Consumer Protection Act provides financial rewards for whistleblowers who supply the SEC with information about a US securities law violation that leads to successful enforcement action. For further information click here. In the UK, the Employment Rights Act 1996 (as amended by the Public Interest Disclosure Act 1998) originally provided for workers to be protected if they raised allegations of certain categories of wrong doing in good faith and internally (external disclosure is only protected in certain circumstances). In amendments introduced on 25 June 2013, the requirement for good faith was removed and a requirement that the disclosure be in the “public interest” introduced. For further information click here.
It is key to understand that such protection can apply to employees of businesses if they are publicly listed in the US; or have a presence in the UK or if the worker has a sufficient connection with the UK, regardless of whether the individual was actually working wholly or entirely outside of the UK or US.
In the UAE, the State Audit Institution, which is the UAE’s sole anti-corruption authority, provides a mechanism on its website through which wrongdoing within state-owned entities and central government departments can be reported. Complaints can be made anonymously, which may encourage reporting without fear of retaliation.
Generally, in the UAE private sector there is no blanket protection for employees highlighting corporate wrong doing. However, there are some protective provisions in place, including:
- The Dubai Financial Services Authority (DFSA), which is the independent financial services regulator for the Dubai International Financial Centre (DIFC), requires that all persons and entities licensed by the DFSA have appropriate procedures and protections to allow employees to disclose any information to the DFSA or to other appropriate bodies involved in the prevention of market misconduct, financial crime or money laundering. Whilst this is limited to individuals and entities licensed by the DFSA, it does encourage a culture of reporting within the DIFC generally.
- DIFC Law No. 4 of 2005, as amended, (the DIFC Employment Law), which applies to employees based within or who ordinarily work within or from the DIFC, specifically requires that employers provide and maintain a workplace that is “free from harassment, safe and without risks to employees’ health” and makes an employer “liable for any act of an employee done in the course of employment”. This may extend to harassment suffered as a result of having reported malpractice.Employers in the DIFC will have a defence to such action where they have taken reasonable steps to prevent the employee from doing that act or from doing acts of that description in the course of employment. The implementation of an effective internal reporting procedure would no doubt be considered a reasonable preventative step.
On a wider GCC view, it is notable that the QFC employment law does provide protection for employee whistleblowers, however, this provision is largely untested as to scope and effect.
There is increasing discussion around the need for federal legislation to be introduced to encourage whistleblowers to ‘show courage’ and come forward with their concerns.
In late 2012, it was reported that the draft code of Corporate Governance for Developers issued by the Dubai Land Department, contained a protection clause for whistleblowers. The draft code also envisages the appointment of an Audit Committee responsible for ensuring a framework is put in place to protect a whistleblower from dismissal or discrimination. It remains to be seen whether this whistleblowing regime will come into effect.
In June 2013, UAE legislators put forward a bill to create a new anti-corruption authority named “The Federal Authority for Combating Corruption” (the FACC). Under the proposed federal law, which was drafted in accordance with the United Nations Convention Against Corruption, the definition of corruption includes the following activities:
- money laundering;
- breach of trust;
- abuse of public functions or authorities;
- damage to public property; or
- the concealment of the proceeds of any of these crimes.
The legislation would empower the FACC to issue regulations to protect whistleblowers from being prosecuted criminally, civilly or administratively. This protection will extend to whistleblowers who report information in relation to corruption in good faith. Whistleblowers will be presumed to be acting in good faith if it appears that they revealed information in the public interest and with the belief that enough information exists to justify the complaint. The proposed legislation is under deliberation and is widely expected to be passed by legislators before the end of 2013.
Practical steps when implementing code of conduct and whistleblowing policies
- The policy should be in simple language and encourage employees to raise concerns as a matter of course, ensuring the worker is able to bypass the level of management at which the problem may exist (an email address or hotline to receive concerns may be the best method).
- The policy should be publicised internally and regular training should be provided to staff on its provisions and their obligations under it.
- Appropriate technical and organisational measures should be applied to keep secure any information and personal data that has been disclosed or gathered during an investigation (e.g. limited access to files whether electronic or hard copy and password protecting documents).
- Care should be exercised in certain jurisdictions as the concept of legal privilege is limited. It may also not be possible to maintain the anonymity of the whistleblower should a matter progress to investigation, particularly where external reporting to a regulatory authority is required or where the employment of the individual responsible for the breach is terminated.
Jeanine Conley and Patrick Campbell of Baker Hostetler