A well-functioning compliance program helps to create a positive corporate culture. It also helps to identify and address potential conduct risks. Recent regulatory developments in the EU and US demonstrate the importance of devoting time and attention to this important subject. In particular, the European Parliament has recently adopted a “Directive on the protection of persons reporting on breaches of Union law” (Directive), and the US Department of Justice (DOJ) has recently issued extensive guidance on what companies must do in order to receive credit for having an effective compliance program.
The Directive, which applies to all companies with more than 50 employees that are located in an EU Member State, imposes obligations and requirements with respect to whistleblowers. In particular, the Directive has the following consequences:
- It is mandatory to establish a whistleblowing system with an internal reporting channel designed, set up and operated in a manner that ensures confidentiality of the whistleblower’s identity and prevents access by non-authorized staff members.
- The Directive gives the whistleblower the opportunity to choose the most appropriate channel, depending on the individual circumstances of the case. In addition, the whistleblower may even address the public and the media directly. This leads to considerable (reputational) risks for companies. In order to give the whistleblower a strong incentive to use the internal reporting line first, the attractiveness of this reporting channel should be substantially improved (e.g. training, easy access, strong confidentiality safeguards and potentially even financial rewards).
- Member States shall take necessary measures to prohibit any form of retaliation against the whistleblower (i.e. measures such as suspension, dismissal, transfer, negative appraisal or non-renewal of a fixed-term contract are prohibited). If disciplinary measures are taken against the whistleblower, the employer has the burden of proof that the respective measure was not based on the employee’s reporting.
In the United States, the DOJ recently issued updated guidance on the evaluation of compliance programs in April 2019 (Guidance). The Guidance provides important insight into how DOJ will evaluate whether a company has an effective compliance program.
- The compliance system should take into account the specific risks of the company presented by, among other factors, the location of its operations, the industry sector, the competitiveness and the quality of products of the market, the regulatory landscape, potential clients and business partners, transactions with foreign governments, payments to foreign officials, use of third parties, or charitable and political donations. DOJ will evaluate whether the company has devoted disproportionate resources to low-risk areas and missed higher-risk areas.
- Companies should provide a complaints hotline, through which employees can report allegations of a breach of the company’s code of conduct or company policies and raise complaints. Companies will usually provide a means for employees to report alleged misconduct confidentially or anonymously, and DOJ will generally expect this to be the case.
- DOJ will evaluate how companies track information about whistleblower/hotline complaints and the effectiveness of their compliance programs. DOJ will look at whether companies have and use metrics effectively.
- DOJ will ask what actions members of senior management have taken to build a culture of compliance and what compliance expertise has been available on the board. DOJ may inquire whether the board and/or external auditors have held executive or private sessions with compliance and control functions.
- Companies should make efforts to ensure that compliance policies and procedures are integrated into the organization, including through periodic training for directors, officers, relevant employees, and, where appropriate, agents and business partners.
The aforementioned regulations and principles show how important a well-run compliance system and whistleblowing system will be in the future. Companies are well advised to review their respective structures to ensure that their organizations meet the respective standards and to benefit from a well-functioning compliance structure, which reduces the risk of criminal liability for both the company and its employees.