In the age of Wikileaks, “whistleblowing” is a term with which we are all familiar and the role of the whistleblower is more prominent now than ever. The financial services sector is no exception, with the expectations and requirements placed upon financial institutions in relation to their whistleblowing arrangements continuing to grow.
- In late 2016 the UK’s Financial Conduct Authority (FCA) overhauled its whistleblowing regime, moving from high level guidance to specific requirements, including in relation to the adoption and communication of appropriate whistleblowing procedures.
- In March 2017 the Hong Kong Monetary Authority (HKMA) wrote to the Chief Executives of all Authorised Institutions to provide guidance on developing a sound corporate culture. The guidance cited an effective escalation policy (including a whistleblowing mechanism) as a core component of a sound corporate culture. Institutions are expected to review their governance arrangements and act upon the HKMA’s guidance by March 2018.
- In May 2017, the US Commodity Futures Trading Commission (CFTC) amended its whistleblower rules to prohibit confidentiality agreements that might impede a whistleblower’s communications with the CFTC, and also to expand the CFTC’s authority to pursue anti-retaliation claims on behalf of whistleblowers. These amendments brought the CFTC’s whistleblower rules in line with the SEC’s rules.
The type and level of protection afforded to whistleblowers varies widely across jurisdictions, as do the incentives offered for blowing the whistle. Headlines in the US point to life-changing payments being made by the SEC, CFTC, and IRS to whistleblowers. The EU Market Abuse Regulation (Article 32(4)) permits (but does not require) Member States to offer financial incentives to certain whistleblowers. It will be interesting to see if, over time, any Member States rely on this to offer incentives to whistleblowers – the UK has already considered and rejected the concept of offering financial incentives. Asian jurisdictions such as Hong Kong and Singapore have similarly eschewed a whistleblower “bounty”, although there is a reward mechanism in place for whistleblowers in mainland China who report crimes to a people’s procuratorate.
The availability or lack of rewards raises the obvious question of how relevant motive is (or should be) in a whistleblowing context. From a regulator’s perspective, if the ultimate goal is to identify and address problems before they escalate, the motive for an employee’s disclosure is unlikely to be relevant. It is noteworthy that the test for whistleblower protection under UK employment legislation refers to a public interest requirement, with potential damages being impacted by whether or not an individual has acted in good faith. Neither of these elements is a requirement of a “reportable concern” under the FCA handbook. Reportable concerns include not just protected disclosures for the purpose of UK employment legislation but any breach of the firm’s policies and procedures and any behaviour that harms or is likely to harm the reputation or financial well-being of the firm. Similarly, in the US, even whistleblowers who have some culpability in the underlying wrongdoing can be eligible for significant monetary awards. Relevant regulations currently only prohibit awards to whistleblowers who are convicted of a criminal violation related to the wrongdoing, although the SEC can (and recently has) exercised its discretion to reduce an award based on the whistleblower’s culpability and delay in reporting the violation.
Respect for the confidentiality (or, in some cases, anonymity) of whistleblowers is a core pillar of many whistleblowing regimes and an important factor in how a firm responds to a disclosure. For example:
- In France, Loi Sapin II imposes a fine of up to €30,000 and two years’ imprisonment for disclosure of a whistleblower’s identity (other than to judicial authorities) without their consent.
- The German Banking Act requires financial institutions to set up a procedure which enables employees, whilst ensuring that their identity is kept confidential, to report to competent agencies breaches of the German Banking Act and any criminal actions committed within the undertaking. Anonymous disclosures, however, are treated with greater suspicion. From a data protection perspective, there is some debate as to whether anonymous disclosures are appropriate and the Article 29 Data Protection Working Group recommends that whistleblowing systems should not encourage anonymity.
- The HKMA’s March 2017 guidance (referred to above) stated that institutions’ escalation policies should allow timely reporting of concerns “in a confidential setting without fear of reprisals”.
- In March 2016, the Supreme People’s Procuratorate in Mainland China released a set of new regulations strengthening confidentiality protections and expanding the definition of retaliation to include, for example, demotion or refusing to approve applications by an employee.
- In the UK, the FCA handbook states that a firm’s whistleblowing arrangements must “at least” be able effectively to handle disclosures where the whistleblower has requested confidentiality or has chosen to remain anonymous.
- In the US, the Sarbanes-Oxley Act of 2002 requires public companies to establish procedures for the confidential, anonymous submission of concerns by employees regarding questionable accounting or auditing matters. Even if not required by law, formal whistleblower policies are increasingly recognised as best practice and rewarded by criminal and regulatory authorities. For example, the US Federal Sentencing Guidelines provide that organisations shall take reasonable steps to have and publicise a system, which may include mechanisms that allow for anonymity or confidentiality, for employees to report potential criminal conduct without fear of retaliation. Under the Dodd-Frank Act of 2010, potential whistleblowers can also submit tips to the SEC and CFTC anonymously as long as they are represented by a lawyer.
Anonymity may be cited as creating practical hurdles – for example, the inability to follow-up with a whistleblower to gather further information or to provide feedback to them on the outcome of their disclosure. Those hurdles can usually be overcome through the use of technology and/or a request to the whistleblower when they first make contact that they follow-up on a pre-agreed date.
Firms might argue that anonymity allows aggrieved employees to raise spurious concerns about their colleagues or to vent unfounded grievances, without fear of discovery. Yet the inability to identify and sanction a whistleblower is exactly the reason for anonymity. Anonymity may be a double-edged sword but regulators appear generally to have concluded that it does more good than harm and that it is an important element of a firm’s whistleblowing arrangements.
If a whistleblower chooses to identify themselves and alleges that they have suffered some form of retaliation as a result, the consequences may be significant. The employment law consequences of subjecting whistleblowers to detriment are generally well understood, but the reputational damage and regulatory scrutiny attached to any whistleblowing-related detriment claim mean that there is significant risk in treating whistleblowing only as an HR issue. It is also in a firm’s clear interest to handle whistleblowers well. Doing so can allow the firm to spot issues and remedy them whilst retaining control of the process - something which will be lost if the individual, feeling that the firm is not taking them seriously, goes to the regulator or the press with their complaint.
In the UK, firms are required to notify the FCA if they have lost an employment tribunal claim brought by a whistleblower. This obligation applies regardless of the subject matter of the employee’s disclosure – a clear indication of the interest shown by the FCA in a firm’s attitude generally towards whistleblowing and its ability to handle appropriately any concerns that are raised. The FCA handbook states that the FCA would regard as a serious matter any evidence that a firm had acted to the detriment of a whistleblower, with such evidence potentially calling into question the fitness and propriety of the firm or relevant members of staff.
Similarly, in September 2016, the SEC announced its first settlement with a firm based solely on the Dodd-Frank Act’s anti-retaliation provisions that did not also involve a substantive violation of US securities laws. This case is a reminder of the importance of implementing strong antiretaliation policies and procedures that are followed even in cases involving allegations by whistleblowers that are ultimately determined to be unfounded.
Indeed, a clear whistleblowing policy is typically the first step in demonstrating an understanding of the importance of whistleblowing and the careful handling of disclosures. The variations in the employment law and regulatory landscape between jurisdictions can make it challenging to adopt a one-size-fits-all international whistleblowing policy. Nevertheless, given the global nature of today’s businesses, the significant cooperation between regulators across the world and the extra-territorial reach of some bribery and corruption and competition laws, it is critical to look at whistleblowing on a global basis and to understand that concerns raised in one jurisdiction could impact on another.
Most whistleblowing policies will include the following features:
- The objectives of the policy; namely to establish a clear and accessible procedure for employees to raise concerns.
- A broad description of the types of concern that may be reported via the company’s whistleblowing procedures.
- The relationship with other policies and procedures; for example personal grievances and complaints should be raised under the company’s grievance policy.
- The process for raising a complaint. If required, this may include a reminder to employees that they can make a report directly to their local regulator, if they so wish, and that the company will not impede the employee’s ability to cooperate with the regulator.
- A statement that there will be no retaliation against the whistleblower for making a disclosure.
- A statement that the whistleblower’s disclosure will, to the extent possible, be treated as confidential and that the whistleblower may make an anonymous disclosure.
- Separate sections to include detail on any local law requirements, taking into account the nuances of any particular regulatory regime or difficulties created by data protection requirements.
Underlying any whistleblowing policy aimed at staff, a firm may also find it helpful to have an internal policy on how to handle disclosures. Often complaints that come into a firm’s whistleblowing hotline or which otherwise come to the firm’s attention are dealt with in different ways depending on their subject matter. For example, complaints that are personal to an individual may be dealt with via the company’s grievance process, reports of other employees’ personal conduct may be dealt with by HR through a disciplinary or harassment process and complaints relating to compliance or regulatory issues may be handled by the compliance or legal teams.
If different processes apply to complaints depending on their subject matter, it is sensible to articulate the reason for directing a complaint down a particular route, so that an explanation can be given to a regulator in the event of a later challenge.
The following is a suggested process for handling disclosures:
- All complaints that are received, whether by managers, HR, a whistleblowing hotline or compliance, are reported to a central triage team or individual.
- The triage team considers the subject matter of the complaint, along with any recommendation as to how it should be dealt with, and confirms the route that should be followed.
- The triage team also considers any immediate notifications that are required – e.g. to regulators or to a senior individual with designated responsibility for whistleblowing.
- The complaint is investigated and addressed appropriately, and the outcome is recorded.
Most financial institutions will already have an established employee whistleblowing policy. Whilst this will form the foundation of the firm’s whistleblowing arrangements, a critical factor in the success of such arrangements is whether or not the firm’s culture is one in which whistleblowing is encouraged. This is an area where the tone is set from the top and where a perceived lack of support for whistleblowers (or worse, a perception that retaliation will be the consequence of any disclosure) can undermine the effort put into the firm’s policies and procedures.
Regulators have recognised the importance of the most senior individuals promoting and supporting whistleblowing. In the UK, for example, a whistleblowers’ champion must be appointed by firms. This will be a nonexecutive director who is subject to the Senior Managers Regime. The whistleblowers’ champion will be responsible for preparing an annual report to the board of directors, which may be made available to the regulators on request. They will be responsible for the integrity, independence and effectiveness of the firm’s whistleblowing procedures, but need not have day to day responsibility for handling disclosures and are not expected to receive direct approaches from whistleblowers.
The HKMA guidance of March 2017 also emphasises the need to set an appropriate “tone from the top” and that it is senior management’s responsibility to put in place effective mechanisms for sharing and communicating a bank’s culture, including whistleblowing mechanisms which allow timely reporting of any “illegal, unethical or questionable practices”. Results of the whistleblowing mechanism (as well as other feedback mechanisms) must be reported to a relevant board-level committee, at least annually.
It is important for employers to consider how they will measure the success of their whistleblowing arrangements. Even in the absence of a requirement to do so, it may be helpful to compile an annual report on use of the company’s whistleblowing hotline. Equally, it may be enlightening from time to time to survey the company’s employees to assess their awareness and understanding of the whistleblowing policy. A high volume of reports of noncompliance or misconduct may feel like bad news, but in the context of measuring the success of a speak-up culture, it may be a good indication that the company’s strategy is working.