European Commission proposes new rules to protect whistleblowers

Unlawful activities and abuses of law, such as fraud, corruption and other serious irregularities, may occur in any private or public organisation. Many recent events, such as the diesel scandal or the revelations about the Panama Papers, have only come to light through information from whistleblowers. However, these whistleblowers often fear retaliation or the termination of their employment contract if they report their concerns either within the organisation concerned, or to an outside authority, or when they disclose the information to the public. In light of this, the European Commission has presented a proposal for a Directive on the protection of whistleblowers ("the Proposal" or "the Directive") on 23 April 2018 (COM(2018) 218 final), which offers minimum standards of harmonisation on whistleblower protection.

The scope of the proposed Directive coves infringements of EU law in areas such as public procurement, product and transport safety, environmental protection, but also public health, consumer protection, food safety and financial services. The scope of the Directive is deliberately broad: it is intended to protect not only private or public sector employees who have obtained information about a breach but also self-employed persons, members of the management body and subcontractors, suppliers and whistleblowers whose employment relationship has not yet begun and who are in the process of recruitment or who gained information through pre-contractual negotiations (Article 2 of the Proposal).

The proposal focuses on whistleblowing systems in companies, authorities and organisations and foresees a three-level reporting system according to which the whistleblower will only be protected if they comply with these levels of escalation:

(1)In the first place, the whistleblower should raise issues with their employer. This requires that the company establishes trustworthy internal communication channels and procedures for reporting and follow-up of reports, e.g. in the form of electronic platforms, telephone hotlines or ombudsmen. The aim is to pass the information on the possible violation directly to the persons who can investigate, assess and eliminate the matter at short notice. The relevant reporting channels must be designed, set up and operated in a way that ensures the anonymity of the whistleblower and that prevents unauthorised access. This obligation applies to legal entities in the private sector with at least 50 employees or with an annual business turnover or an annual balance sheet of at least EUR 10 million and to all private legal entities (of any size) operating in the area of financial services or vulnerable to money laundering or terrorist financing (Article 4 (3) of the Proposal). In addition, all state and regional administrations and municipalities with more than 10,000 inhabitants must maintain such reporting channels (Article 4 (6) of the Proposal). If a report is received, the company must clarify the facts and, if the employee wishes, give them an answer within a reasonable time. Alternatively, the reporting channels may be provided by a third party, such as external counsel, auditors, trade union representatives or external providers of reporting platforms (Article 6 of the Proposal).

(2)Secondly, if either the company does not react to an indication transmitted via the internal reporting channel or if the company is not legally required to set up a reporting system, the whistleblower may directly contact the competent state authorities. Member States shall designate the authorities responsible for receiving the notifications and ensure compliance with the reporting channel requirements.

(3)As a last resort, if the whistleblower's report via internal and/or external channels does not lead to an adequate response and appropriate action within the prescribed timeframe, they may disclose the information to the public domain (e.g. via public web platforms, social media, civil society organisations) or to the media (Article 13 (4) of the Proposal). If the whistleblower does not adhere to the levels of escalation and addresses possible breaches to the public without first reporting to their employer internally and/or to a regulatory authority externally, they will not be protected by the proposed new rules. So going public, e.g. via journalists and the media, will only be permitted as a last resort.

The proposal protects the whistleblower by prohibiting and punishing any retaliatory actions against the whistleblower, e.g. dismissal, downgrading, denial of promotion, disciplinary measures, loss of salary, harassment and intimidation, reputational damage, blacklisting, discrimination. The burden of proof is reversed in this respect, i.e. the company or organisation affected by the whistleblowing notification must prove that it is not taking any retaliatory measures against the whistleblower. Even in a possible lawsuit the whistleblower is to be granted comprehensive protection, including the right to an effective remedy, to a fair trial as well as the presumption of innocence and the rights of defence (Article 16 of the Proposal).

Finally, the national legislators must, according to Article 17 of the Proposal, provide for effective, proportionate and dissuasive penalties. Companies and managers will face high penalties if they obstruct whistleblowers or do not maintain confidentiality of the whistleblowers' identity. Conversely, sanctioning rules seek to protect companies from malicious or abusive reports or disclosures.

The proposed Directive is still in the drafting stage. But the Commission plans to have the Directive adopted by May 2019 and implemented by the Member States by mid-May 2021. The European Commission hopes that an agreement will be reached with the Member States and the European Parliament before the European elections in May 2019. However, in a resolution of July 6, 2018 (federal printed matter 173/18), the German Federal Council expressed many doubts about the Directive, which makes it at least questionable whether the timetable set by the European Commission can be adhered to. If an agreement is finally reached, it will be up to the Member States to introduce or maintain provisions more favourable to the rights of whistleblowers than those set out in the Directive. Even though the Proposal only regulates how infringements of EU law are dealt with, it calls on the Member States to adopt the same rules for violations of national law. Whether the German legislator will go that far or not may not make any difference in day-to-day business. Once a report has been made, companies will not be allowed to ignore it. The risk is too high that the company would be accused of having failed to remedy deficiencies of which it was aware.

Regardless of the question of when and how Germany will implement the Directive into national law, companies should promptly address the issue of establishing internal whistleblower systems and individual protection mechanisms in order to check whether and to what extent existing compliance management systems must be revised.

Raid on DZ Bank in connection with "cum ex" deals

At the end of August 2018, a spokeswoman of the Central Institute of Volks- and Raiffeisenbanken (Zentralinstitut der Volks- und Raiffeisenbanken) confirmed that the General Prosecutor's Office of Frankfurt (Generalstaatsanwaltschaft Frankfurt) had searched the premises of DZ Bank on 11 July 2018 in Frankfurt in connection with the so-called cum ex financial scandal.

In our May 2018 edition of this newsletter we reported on this topic, which may be considered to be the largest tax fraud scheme in German history. Throughout Germany, a number of investigations are underway which concern domestic and foreign banks. Cum ex transactions were share transactions which in some cases enabled banks to obtain multiple refunds of capital gains tax that had only been paid to the German fiscal authorities once. Until 2012, there was a regulatory gap in trading with (cum) and without (ex) dividends, which stock traders exploited. The German state is said to have lost more than €10 billion, according to current estimates.

The raid on DZ Bank's premises took place as part of an investigation against four traders of DZ Bank. Two have already been dismissed and the bank is currently seeking financial compensation from them. The other two traders are still working at the institution due to legal reasons, but now in different areas and departments.

At DZ Bank, the tax authorities allegedly uncovered cum ex deals during an audit in 2013. The authorities then initiated investigations, and DZ Bank itself also began internal investigations. Investigation reports, including those prepared with the help of external auditors, were made available to the authorities. However, these reports were apparently insufficient for the investigators. DZ Bank is alleged to have cheated the state of more than €131 million through the cum ex deals. According to the German newspaper "Süddeutsche Zeitung", the second largest German bank claims to have paid a total of € 149 million to the German tax authorities by way of compensation, including interest; the bank quickly made a clean sweep. According to "Süddeutsche Zeitung", many financial institutions, especially those from abroad, do not cooperate sufficiently from the point of view of the authorities.