The challenges for financial services firms in implementing the EU Whistleblowing Directive

This article was first published in Thomson Reuters Regulatory Intelligence

Global financial services firms with operations in the EU should not be complacent about the impact of the Whistleblowing Directive. Although Brexit means that the UK has left the EU, the directive is still relevant to UK business with an EU footprint. UK based financial services firms will therefore need to decide whether and how to change their whistleblowing arrangements to comply with a patchwork of new rules. Financial Services firms in the UK are already subject to the FCA's rules on whistleblowing contained in Chapter 18 of the SYSC part of the FCA Handbook. We consider the challenges faced by financial services firms in implementing the requirements of the new regime alongside the current regime introduced by the FCA.

The Whistleblowing Directive was due to be transposed by EU member states into national law on 17 December 2021. Many member states have delayed doing so. This delay is not helping business to plan and achieve uniformity across their organisation. There is no option but to delay implementing a unified response to the new regime until the position is clear in each jurisdiction.

The Directive applies to every organisation operating in a member state irrespective of size. But there is one key provision that is dependent on the number of workers engaged by that firm. Those firms who currently have more than 250 workers in any member state, and any firm who will have 50 or more workers as at 17 December 2023, must establish secure and confidential internal reporting channels. This requirement raises a number of challenges. 

Most firms want to operate one channel across their organisation rather than separate channels in each jurisdiction.  Whether this is possible is, unfortunately, still not completely clear. Whilst the EU Commission stated that in its opinion each company with more than 250 employees needs its own “system” or at least an internal department dealing with incoming notifications, northern European countries have already clearly stated that this is not required in their interpretation of the Directive. It seems that Germany and Austria will follow, but this is still under discussion.

Who should be the recipient of the notifications made via the internal channel?

If a channel can be used by workers in multiple jurisdictions, the tricky question is, should access to the notifications  be restricted on a jurisdiction by jurisdiction or even company by company basis. A particular issue for a group with more than one legal entity in the same jurisdiction but each having more than 250 employees. It is also unclear, the extent to which local management can be informed by the person monitoring the channel about the content of the notifications. The directive states that the channel must be monitored by an independent appropriate person with no conflict of interest, however, because jurisdictions can goldplate the directive some states are likely to include stricter wording.  Pending clarification the best advice is to implement a technical solution, which can be adopted when we have certainty about the legal position.

There are a number of technical solutions offered by whistleblowing hotline providers.  These enable a firm to preserve the anonymity of whistleblowers and firmly anchor compliance in the company.

What features should you look for when designing a whistleblowing "hotline"?

They should allow reports to be made in multiple languages to enable global use.  They should be designed to input a report using any end device, a smartphone, tablet or PC.   Importantly the hotline should have an integrated case management system which allows the investigation, HR, legal or compliance team to process cases efficiently and easily and direct within the specialised department.  The hotline must be secure and comply with GDPR requirements.  Firms should check any hotline uses encryption technology and has the appropriate SSL certificate to ensure data cannot be accessed outside the company.   Particular care must be taken if the hotline is hosted outside the EU to ensure GDPR compliance.

A key requirement of the Directive is the need to preserve confidentiality of reporting and so any system must allow whistleblowers to report their information anonymously to the employer/company. Communication with the whistleblower should also remain completely anonymous following the complaint being raised, unless they choose to reveal their identity.   This can be built into a firm's internal reporting channels.

The Directive does provide that workers must be aware of their right to report through external channels but if the breach can be addressed internally and the whistleblower considers there is no risk of retaliation member states should encourage use of internal channels.   The FCA's rules emphasise that whistleblowers must be informed that reporting to the FCA or PRA is not conditional on a report being made using the firm's internal arrangements and so financial services firms will need to manage this difference in approach.

Firms need to implement procedures for reporting and follow-up

Unlike SYSC 18 which includes a requirement to provide feedback "where this is feasible and appropriate" the Directive provides clear timeframes for responding to a report.  The report must be acknowledged within seven days of receipt and feedback must be provided in a period of no more than three months from the date when the report was acknowledged.  It is not uncommon for whistleblowing allegations in financial services to involve complex complaints, often involving regulatory issues and detailed fact patterns.   In these circumstances, it will not always be possible to resolve a complaint in three months.    Appropriate feedback can address the action envisaged or taken as follow up and the grounds for that follow up at the time the feedback is given.   Therefore, although a final conclusion may not be reached in three months the whistleblower must receive appropriate follow up in this window.

In addition, the regime also establishes the system for reporting to the whistleblower. The  preamble to the Directive makes it clear that the reporting person should be informed of the investigation's progress and outcome in all cases. Any oral report or meetings with a whistleblower must be recorded.  This differs from the regime under SYSC 18 which imposes a requirement to keep records of reports that are made and how such reports are dealt with.

As is to be expected the Directive prohibits retaliatory action against whistleblowers, such as demotion or dismissal, but it goes further than this by prohibiting  both threats and attempts to retaliate, including using social media.  

What sanctions will be imposed for non-compliance?

The sanctions vary depending on the relevant breach.  It is matter for each jurisdiction to determine the appropriate penalty. 

The approach many jurisdictions have taken for a failure to establish internal reporting channels is to impose an administrative fine.  This can be several thousand euros as is the intention in Germany but this is not the case in every jurisdiction.  For example, Austria has not introduced any financial penalty.  Irrespective of whether there is a risk of fines, non-compliance could result in claims for damages. The directive as well as local implementing legislation clearly require companies to establish an internal reporting channel. If this requirement is ignored this could result in a claim for damages against the company and personal sanctions against its management. Recently a higher German court made clear that it is within the management’s duty of care to establish a compliance management system, although there was no specific law explicitly requiring this at the time.  We anticipate that when local implementing legislation is introduced imposing an obligation to implement internal reporting channels, those management teams who chose to ignore this will face claims for a  breach of their duty of care to employees, potential disclosure of confidential information and reputational damage.

For the first time across the EU there will be a system that protects all whistleblowers from detrimental treatment. They will have the ability to bring claims for damages should their employer fail to adhere to the company's basic principles.

What steps should firms take to comply?

Firms should consider the following:

• Monitor the implementation of the directive across member states to assess whether any member states implementing measures go beyond the provisions of the directive.It will then be for firms to decide whether to impose the highest standard across all jurisdictions in which they operate or whether to implement a patchwork of different rules.They also need to review any processes together with their obligations under SYSC 18.
• Introduce training to reinforce the prohibition on retaliation, the obligations to preserve confidentiality and how to escalate reports.
• Introduce a whistleblowing reporting framework including an internal reporting channel and engage with social partners across Europe, for example trade unions or works councils, to do so.
• Consider whether the firm can comply with the various practical considerations introduced by the directive, for example, can the firm comply with the timeframes provided for in the directive, can it maintain the confidentiality of the identity of the whistleblower and if not what steps should be taken to ensure that these requirements are met.