The PRA and FCA are introducing a "package" of new whistleblowing rules designed to build on and formalise the good practice already found in the financial services sector. The new rules will require certain regulated firms to formalise whistleblowing procedures and encourage the disclosure of suspected misconduct, so that those blowing the whistle can do so confident that their concerns will be considered and that there will be no personal repercussions, backed up by the threat of potential regulatory sanctions against the firm.

Key dates

7 March 2016 – appoint a whistleblowers' champion

8 March to 7 September 2016 – whistleblowers' champion to oversee the design and development of the firm's whistleblowing procedures

7 September 2016 – new rules in force

Who will the rules apply to?

The rules will apply to deposit-takers with over £250 million in assets, to PRA-designated investment firms (typically UK banks, building societies and credit unions), and to insurers subject to the Solvency II Directive, as well as to the Society of Lloyd's and managing agents. The rules will have the status of "non-binding guidance" for all other firms, which may wish to comply voluntarily.

How does its scope differ from the current whistleblowing rules?

The existing framework providing legal protection to whistleblowers is already wide, both in terms of who and what it covers. However, under the new regime firms' whistleblowing procedures will apply on an even more expansive basis. This will include the self-employed, agents, employees of subsidiaries, appointed representatives, customers and competitors and should extend to almost any allegation of wrongdoing, not just those already covered under the existing framework.

Under the new rules, matters subject to whistleblowing disclosure are extended to a breach of any regulatory rule, failure to comply with a firm's policies or procedures and the almost limitless concept of any behaviour that "harms or is likely to harm the firm's reputation or financial wellbeing". These are described in the new rules as "reportable concerns".

In future will employees be under a duty to disclose wrongdoing?

There is no specific regulatory rule requiring employees to blow the whistle. Of course, it would be open to individual employers to require this as part of employees' contracts if they wished to do so, and for senior employees it is already not uncommon to have a requirement that they should disclose their own or others' wrongdoing. This already applies automatically to those who have fiduciary duties, such as directors, and can also apply to other senior managers.

The nature of the new rules applying to senior managers, which encourage them to protect their own personal position, may, however, lead to more senior managers blowing the whistle. For example, senior managers in banks and insurers (who are subject to the Senior Managers Regime (SMR)/Senior Insurance Managers Regime (SIMR)) will be keen to show that they took all reasonable steps to prevent a regulatory breach occurring, and this may involve reporting their concerns under the whistleblowing procedure.

Who is the whistleblowers' champion?

The whistleblowers' champion is a senior individual who will be responsible for overseeing the effectiveness of internal whistleblowing policies and procedures, and preparing an annual report to the Board; they do not need to have a day-to-day operational role handling disclosures. To support them in their role, they must have access to independent legal advice and dedicated training. They are expected to be a non-executive director, but one does not have to be appointed just for this purpose. They must, however, be a senior manager or director, subject to the SMR/SIMR.

Key HR action points

  • Familiarise yourself with the new rules and in particular the guidance set out in the PRA supervisory statement 
  • Audit your existing whistleblowing policies and procedures
  • Identify whether your procedures comply with the revised regulatory requirements and any steps that will need to be taken: ensure disclosures can be made confidentially; policies need to advise employees of the ability to whistleblow direct to the PRA/FCA and how to do so, and to reflect the new framework more generally
  • Identify which internal function or functions are best able to meet the new requirements as having operational responsibility for whistleblowing disclosures (both internally and from external parties). In many cases this may mean a move from HR to internal audit, compliance, legal or a specialist third party
  • Check that the terms of contracts of employment and template settlement agreements do not contain any provisions which prevent or discourage an employee from making a protected disclosure or a "reportable concern". You may want to go further and include a positive contractual obligation on employees to raise wrongdoing
  • Ensure that there are no provisions in settlement agreements or other contracts which require any signatory to state they have not made a protected disclosure, or that they know of no information that could form the basis of one
  • Draw up terms of reference for your whistleblowers' champion and undertake one-to-one training with them on discharging their regulatory obligations and how, in practice, to manage whistleblowing disclosures and prepare the annual report
  • Train employees to help them understand the legal and regulatory framework and their rights and duties, how to identify wrongdoing and what steps are available to them (not forgetting to train overseas employees where appropriate)
  • Train those responsible for the operation of your whistleblowing policy on their duties and how to undertake and manage an investigation
  • Consider whether to have contractual whistleblowing arrangements with tied agents and authorised representatives
  • Notify the regulator where an employment tribunal finds that a whistleblower suffered detriment or was unfairly dismissed as a result of blowing the whistle
  • You should consider how you will deal with:
    • Disclosures from people who have not revealed their identity
    • Allowing disclosures to be made through a range of communication methods
    • Assessing and escalating concerns raised by whistleblowers within the firm as appropriate, and, where this is justified, to the FCA, the PRA or an appropriate law enforcement agency
    • Keeping records of disclosures and tracking the outcome of whistleblowing reports
    • Tracking what happens to an internal whistleblower to determine whether they are subsequently disadvantaged as a consequence of speaking out
    • Providing feedback to whistleblowers, where appropriate
    • Ensuring that no person under the firm’s control engages in victimising whistleblowers, and how to take appropriate measures against those responsible for such victimisation
    • Taking action against individuals who have made false or malicious disclosures