The FCA and PRA have recently published new rules on whistleblowing procedures for UK branches which will apply from 7 September 2017.
In October 2015 the FCA and PRA introduced new rules requiring relevant deposit-takers and firms to introduce internal whistleblowing arrangements, but decided to consult first in relation to which aspects of the regime should apply to UK branches of overseas firms. That consultation took place in the autumn of 2016, and the responses and final rules have now been confirmed.
These rules supplement the statutory protections all employees and workers have under employment legislation.
UK branches will need to ensure their staff are informed of the option of reporting to the regulators, and given access to the internal whistleblowing arrangements of any UK group company. Staff handbooks or policies will need to be updated by 7 September 2017.
The new FCA rules apply to UK branches of EEA and non-EEA banks.
The PRA rules apply to UK branches of non-EEA banks and non-EEA insurers (including reinsurers). The original proposal to also cover UK branches of EEA insurers has been dropped.
2. The new obligations
Inform staff of regulators' whistleblowing services
UK branches must tell their UK-based staff about the FCA and PRA whistleblowing services. The specifics of the obligation differ depending on the regulator.
The FCA rules require branches to inform their UK-based staff that they may disclose 'reportable concerns' (see box below) to the PRA or FCA and the methods of doing so. It must be made clear that there is no requirement to use any internal whistleblowing procedure in the first instance or before reporting to the regulator and that reports can be made internally and to the regulator simultaneously or consecutively. This information is to be given by including it in the employee handbook or other equivalent document.
The PRA rules provide that the branch must inform its staff:
- that they may disclose anything that would be the subject-matter of a 'protected disclosure' (see box below) directly to the PRA or FCA,
- of what would constitute a protected disclosure,
- that the PRA and FCA are prescribed persons under s43F Employment Rights Act 1996 and the effect of making a protected disclosure to the regulator,
- of the means available to make a protected disclosure to the PRA or FCA.
In an addition to the original draft, the FCA rules now note that the possibility for employees to report direct to the regulator does not override any obligation of the branch or its employees to report breaches to their home state regulator of matters reserved by an EU instrument to that regulator.
Allow use of UK group company's whistleblowing channel
There are additional obligations where the UK branch is part of a group with a company in the UK subject to the FCA/PRA's broader whistleblowing rules.
The FCA rules require the overseas bank to inform the UK branch staff of the whistleblowing arrangements in the UK group company and that they can be used by the UK branch staff. This information is to be given by including it in the branch's employee handbook or other equivalent document.
The PRA rules (applicable to non-EEA deposit-takers) provide that the UK company must provide information to the branch on their internal whistleblowing channel and make it available to the branch's staff; the branch is obliged to inform its staff of that channel and that they can use it. The consultation response notes that the PRA does not expect the UK company to contact all workers individually at UK branches within the same group – they should send the details to the most relevant member of staff at the branch, such as the branch manager or head of HR, who can distribute them among workers at the branch. This obligation does not apply to insurers.
The remainder of the October 2015 rules (see below) are not applied to UK branches, although to the extent appropriate these will remain good practice guidance. The PRA notes that replicating aspects of the wider rules, in particular requiring UK branches to establish their own internal whistleblowing channels, was not desirable because whistleblowers may have less or no protection in the firm's home country and could be put at risk of dismissal or detrimental treatment if they raise concerns internally.
3. The October 2015 rules
In summary, the October 2015 rules on whistleblowing require relevant firms to:
- appoint a senior manager under the SMR or SIMR (generally a non-executive director) as whistleblowers’ champion with "prescribed responsibility" for overseeing the integrity, independence and effectiveness of the firm’s policies and procedures on whistleblowing;
- put in place internal whistleblowing arrangements able to handle all types of disclosure from all types of person;
- include text in settlement agreements explaining that workers have a legal right to blow the whistle;
- tell all UK-based employees about the FCA and PRA whistleblowing services;
- present a report on whistleblowing to the board at least annually;
- inform the FCA if it loses an employment tribunal case with a whistleblower; and
- ensure appointed representatives and tied agents to tell their UK-based employees about the FCA whistleblowing service
- consider whether training is appropriate for staff, managers and the whistleblowing team.
The rules require the implementation of internal whistleblowing arrangements able to handle "all types of disclosure from all types of person".
"All types of disclosure"
Firms' procedures should be able to handle disclosures of a "reportable concern", which go beyond "protected disclosures" under employment legislation (see box below).
Please click here to view the box.
In contrast to the test for a "protected disclosure", there is no requirement for a "reportable concern" to be in the public interest, or for the whistleblower to have a reasonable belief in its accuracy. Instead, firms will be left to assess each "reportable concern" and respond appropriately. The FCA and PRA provide that the whistleblowing arrangements should not be used where the nature of the issues properly fall within the scope of grievance processes or other procedures. The PRA notes that firms can filter out genuine whistleblowing reports and redirect reports that would be better dealt with by other areas of the organisation.
The result for firms and individuals is a regime with differing levels of risk attaching to different disclosures depending on whether the concern raised is a protected disclosure (and therefore both employment legislation and the FCA/PRA rules apply) or a reportable concern that is not also a protected disclosure (in which case only the FCA/PRA rules will be relevant).
"All types of person"
Further, the rules make clear that the arrangements should be accessible by anyone, not just employees or others currently protected under employment legislation. While the FCA accepts that not every disclosure will result in an investigation, it expects "due consideration" to be given to investigating each concern raised, with the decision and consideration recorded.
Nature of arrangements
Through their arrangements, firms must:
- give whistleblowers access to different methods of communication (eg, email and phone);
- be able to deal with concerns confidentially and (when requested) maintain the anonymity of the whistleblower (unfortunately, no guidance is given on how firms should deal with scenarios where it may be impossible to properly investigate a complaint without jeopardising the confidentiality of the whistleblower);
- assess and, where appropriate, escalate to the regulators or law enforcement agencies matters raised internally;
- maintain appropriate records, including tracking outcomes;
- prepare up-to-date written procedures that are readily available to employees outlining the firm’s processes for complying with the whistleblowing rules;
- provide feedback to whistleblowers when appropriate; and
- take reasonable measures to ensure that no person under the control of the firm engages in victimisation of the whistleblower. With respect to external whistleblowers, a key aspect to this will likely be protecting their confidentiality, a measure which the FCA and PRA note may help protect external whistleblowers from victimisation by people outside of the firm's control.
Firms failing to comply with the new requirements set out by the FCA and PRA may find themselves not only in breach of the new rules, but also of Principle 2 (due skill, care and diligence) and Principle 3 (management and control) of the Principles for Businesses. The FCA notes that it would regard as a serious matter any evidence that a firm had acted to the detriment of a whistleblower, and that such evidence would be relevant to an assessment of the fitness and propriety of a firm and its staff, potentially affecting the firm’s continuing satisfaction of Threshold Condition 5 (Suitability) or an approved person's or certification employee's status as such.