Like all rules, those in the Financial Conduct Authority’s new Senior Managers Regime on whistleblowing can be met with multiple responses. Firms will need to take great care in how they are implemented but it should be possible to find a clear path between the rock of FCA enforcement and the hard place of excessively complex internal policies.
The consequences of breaching the new rules would be serious for firms and employees. SYSC 18.3.9 states that “acting to the detriment of a whistleblower” could (if relevant): “affect the firm’s satisfaction of threshold condition 5 (Suitability) or, for an approved person or a certification employee, their status as such”.
Equally, the rules “aim to encourage a culture in which individuals raise concerns and challenge poor practice and behaviour” . This makes the FCA’s position inescapably clear – firms must protect whistleblowers or face the consequences. In such a climate, being able to show proper adherence to the rules will go a long way to avoiding damaging regulatory sanctions.
Before going further, it is worth considering the scope of the rules. The key provisions are mandatory. SYSC 18.3.1(1) requires firms to: “establish, implement and maintain appropriate and effective arrangements for the disclosure of reportable concerns by whistleblowers”. The wording of this requirement is itself of some interest. The definition of ‘reportable concerns’ includes:
- anything that would be the subject-matter of a protected disclosure, including breaches of rules;
- a breach of the firm’s policies and procedures; and
- behaviour that harms or is likely to harm the reputation or financial well-being of the firm. 
The list is broad and clearly represents an attempt by the FCA to err on the side of caution (and the whistleblower). The consultation on the proposals produced broad support for this approach, with 30 of 35 respondents supporting them, but there is also cause for circumspection . The wide definition may result in a minefield of minor disclosures that are better dealt with through other avenues of employee reporting, such as a standard grievance procedure. The FCA’s view is that such a risk is outweighed by the need to protect whistleblowers – though naturally the FCA isn’t bearing the consequent burden. Of course, the regulator could have created a list of covered disclosures specifically tailored to the financial regulated sector. Such a list might have avoided a tidal wave of minor disclosures while also adequately protecting whistleblowers. The opportunity has been lost.
From a firm’s point of view however, such consistency with the existing statutory regime is helpful since employment tribunal cases could shed some light on what may be considered a protected disclosure. Yet it must always be borne in mind that the FCA is not the tribunal and is not operating under the same rules of procedure. Nor is it required to respect the tribunal’s interpretation of the law.
The rest of SYSC 18.3.1 effectively outlines the minimum requirements a firm’s whistleblowing arrangements must fulfil. These include being able effectively to handle disclosures, escalate, document and provide feedback on disclosures. Training for various classes of employees is also required.
What SYSC 18.3.1 does not provide is any kind of guidance on the meaning of some of its key terms. Exactly what makes an arrangement ‘effective’ or ‘appropriate’? What would constitute a ‘reasonable measure’ to prevent victimisation of a whistleblower under SYSC 18.3.1(c)? Exactly how these terms will be interpreted by the FCA in the whistleblowing context is not clear.
As with so many areas of compliance, the correct understanding of the rules by those who will have to implement them is as vital as the policies themselves. Like most FCA rules, the whistleblowing provisions of the handbook mandate ‘arrangements’ not mere ‘policies’. Having good ideas on paper is not enough – the actual practice of the firm must reflect the handbook’s stipulations.
Other requirements in the rules include communication to employees of their ability to report matters to the regulator (SYSC 18.3.6) and a ban on gagging clauses in any settlement agreement with an employee (SYSC 18.5).
Thus, the rules require certain arrangements to be made, while leaving much of the detail to be determined by each firm. In reality, given the variety of entities regulated by the FCA, this is the only approach it could have taken. In one sense the rules are an important opportunity, as they allow a firm to shape its policies to its own requirements. On the other hand, the rules provide precious little guidance on what ‘arrangements’ will be deemed sufficient. A variety of approaches to this problem could be taken.
First, a firm could decide to do the bare minimum required and implement arrangements that only deal with those areas mandated by the rules. This response has the advantages of minimal cost and being able to deduce what the FCA will require of firms from its actions and pronouncements in the months to come. A more extensive whistleblowing policy could then be implemented thereafter. The obvious risk here is that the firm may be found to be in breach of the rules, or not to have proper arrangements in place, if an incident emerges. Additionally, if the company was investigated by the FCA at a later stage, the deliberate adoption of such an approach might colour the regulator’s view of the corporate’s other decisions. For example, if a criminal investigation arises from an employee’s report to the FCA, the fact that the company is viewed (rightly or wrongly) as reluctant to protect those reporting dishonesty will not endear it to the prosecutor or the court.
Also, the ‘minimalist’ approach risks being overwhelmed in the heat of the moment. If the whistle is blown on major malpractice within the company, tempers are likely to be lost. If there are no strong whistleblowing policies backed by extensive training, the whistleblower may receive harsh and summary treatment. Such actions, however understandable, might unduly provoke the FCA and create the impression of precisely the kind of culture the authority is trying to avoid. The potential consequences could be serious.
A second approach is to integrate new arrangements required by the rules within a broad and comprehensive whistleblowing framework. This response will certainly fulfil the FCA rules and may well encourage whistleblowers to report problems internally, thus allowing the corporate to manage the flow of information to the regulator and the situation more broadly. For example, SYSC 18.3.1(2)(a)(i) requires firms’ arrangements to be able to ‘handle’ cases where confidentiality has been requested by the whistleblower. A fully developed policy with all parts of the procedure allocated to trained staff and a set of principles governing the issue of confidentiality would both satisfy the FCA’s requirements and encourage a cooperative relationship with the workforce.
Another example of the ‘maximum engagement’ approach would be to action the (optional) provision SYSC 18.3.8, and invite appointed representatives and tied agents to implement appropriate whistleblowing procedures. Such overtures would, of course, have to be sensitively handled so as not to damage commercial relationships. Nevertheless, going ‘above and beyond’ in this way might well carry significant weight with the FCA in any future investigation.
There are a number of particular areas of the rules that firms will have to give careful consideration.
First is the question of whether to outsource whistleblowing arrangements. SYSC 18.3.3 makes it clear that operating arrangements under SYSC 18.3.1 through a third party is legitimate, but that firms still bear the responsibility for making sure the arrangements meet the rules. Various questions arise. Would a third party be more or less likely to be seen as trustworthy by employees? Could the use of such an entity help reassure the FCA that decisions relating to whistleblowing were being taken impartially? Are these considerations outweighed by the extra cost such arrangements will be likely to incur? Clearly, the answers to all these questions will vary but many firms may wish to consider using a professional and independent entity to manage their whistleblowing procedures.
Even more cryptically, the FCA states that firms who opt to use a third party entity in relation to whistleblowing must “consider how to manage any conflicts of interest”. This provision is perhaps the most opaque within the rules. One possible implication is that sister companies or subsidiaries may be too beholden to the corporate to manage whistleblowing fairly. On the other hand, it could be taken to mean that professional firms asked to manage whistleblowing procedures might have a vested interest in telling the company what it wants to hear.
A second area where firms have wide latitude is dealing with whistleblowing that is either malicious or could be dealt with under other procedures. SYSC 18.3.2 makes clear that firms can encourage employees to use other channels (eg grievance procedures) and take action against anyone making ‘false and malicious allegations’. Many respondents to the consultation apparently requested guidance on how to deal with malicious complaints. The FCA has provided little answer to these queries, merely referring obliquely to the need to ‘demonstrate’ malice and knowledge that the disclosure was false. 
While the FCA clearly intends to signal some of the limits of whistleblowing here, firms will need to consider very carefully both the wording of their policies and what action they will wish to take in these circumstances. For example, what quality of evidence will be needed for a complaint to be deemed malicious? Who will assess it? Will the firm report it to the regulator under all circumstances? A middle course will probably be appropriate in most cases but the details will be important.
Third, firms will want to approach the issue of who to appoint as whistleblowers’ champion (which must be done under SYSC 18.4) with extreme care. The rules do not require the holder of this post to have ‘day to day’ responsibility for whistleblowing, but this might be both convenient and practical. At the same time, the rules make clear that the champion should have the resources and access to information which enables them to carry out the role effectively (SYSC 18.4.5(1)).
The above are helpful issues to consider in advance, but what should the approach be when a firm is actually faced with a whistleblowing complaint? Comprehensive treatment of this issue is beyond the scope of this article and will obviously depend on the particular firm involved. However, the rules (and their background) do point towards some key elements of an effective approach.
Firms dealing with a whistleblowing procedure will be best protected by adhering strictly to the arrangements and procedures they have laid down. Not only is this likely to produce a more orderly response, it will help conciliate the FCA further down the line. A second useful principle is to try to view matters from the regulator’s point of view. For example, have appropriate records been kept? Has the spirit of the rules been implemented, or is the firm merely doing the bare minimum required? Third, a firm would be well advised to document every stage of the process and retain these documents for later inspection. These principles, while necessarily of an abstract nature, will condition a firm’s response in the way most likely to conciliate the FCA.
Overall, the rules are simple and coherent, even if they are opaque on some key points. Firms required to implement the arrangements outlined would be well advised to do so carefully but should not encounter overwhelming difficulties in doing so. The problems will come later as more employees become concerned about protecting themselves from either direct involvement in perceived wrongdoing or association with the apparent wrongdoing of others. There is likely to be a growing need for high-quality staff in internal human resources and compliance functions trained to handle the growth in employee concerns that come to the surface.
This article was originally published in Compliance Monitor, and can be found here.