This article, authored by Principal Consultant, Liz Hornby, is the first in a three-part series of articles from LEO GRC that puts the spotlight on whistleblowing. In this post, we start by looking at some of the major developments for the financial services sector in the UK, EU, and the US.
Whistleblowing is a timely topic for two reasons: global regulators in that sector are placing increasing focus on conduct, individual accountability, and responsibility, and a recent survey of UK bank employees revealed that 25% would be worried about the negative consequences for them if they raised concerns at work.
Part two in this series will look at the EU Whistleblowing Directive and part three at best practice for whistleblowing training and communication.
Whistleblowing: The GRC Topic Consistently Making News Headlines
Whistleblowing is rarely out of the media, with headline-grabbing cases spanning everything from hospitals to Hollywood, and manufacturing to banks. As a result, the encouragement and protection of whistleblowers is a priority for regulators and legislators across the globe. All organizations are on notice that effective whistleblowing arrangements should form the heart of both their culture and their governance framework.
The legal and regulatory environment is particularly complex in the financial services sector. Here, whistleblowing arrangements must meet not only the general legal requirements applicable to all organizations, but also the regulations specific to individual regulatory bodies. Increasingly, these regulations must also be interpreted and applied within a wider conduct- and culture-focused regulatory agenda.
The legal and regulatory environment is changing rapidly and must be monitored closely. This is particularly true for organizations with a global presence that must comply with multiple legal and regulatory requirements across multiple jurisdictions.
Whistleblowing in the UK
In the UK, financial services organizations must comply with a two-tier legal and regulatory framework in relation to whistleblowing. Tier one is the Public Interest Disclosure Act 1998 (PIDA), which protects ‘workers’ from detrimental treatment or victimization by their employer if, in the public interest, they blow the whistle on wrongdoing. Tier two comprises the whistleblowing rules and guidance introduced in 2016 by the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA). The latter are mandatory for some organizations, broadly banks, and operate as guidance for others. Both of these tiers are currently under review by the respective authorities.
The UK was the first EU country to introduce whistleblower protection legislation in 1998, but PIDA is now subject to increasing levels of criticism. The main concerns voiced by bodies such as the All Party Parliamentary Group (APPG) on whistleblowing are that the legislation no longer adequately protects whistleblowers and contains no mechanism for addressing whistleblowing allegations. These concerns must also be seen in the context of the new EU Whistleblowing Protection Directive that comes into force in 2021. Brexit means that the UK will not be required to comply, but the Directive may provide a timely opportunity to review and update the UK’s own legislation.
The way that the FCA handles whistleblower cases has also been criticized by the APPG on whistleblowing and the FCA has signaled that it is reviewing its procedures as a result.
In November 2018, the FCA published a review of the whistleblowing arrangements in place within the Retail and Wholesale Banking sector. Although it identified some areas of good practice, it also highlighted areas for improvement. These included failings in relation to the role of Whistleblowers’ Champions and the inadequate provision of information and training. The FCA urged firms to review the findings and to consider the steps needed to improve their whistleblowing arrangements. Now that the FCA has reiterated its expectations and highlighted areas for improvement, the clear implication is that Senior Managers and organizations can expect enforcement action for failings in their whistleblowing arrangements and/or for the performance of the Whistleblowers’ Champion role.
In addition, the FCA has made it clear that effective whistleblowing arrangements are an essential part of the culture of financial services organizations. In 2020/2021, we may see this reinforced by an extension of the mandatory rules in the FCA Handbook (SYSC 18) to non-banks.
Whistleblowing in the EU
In October 2019, the EU’s Whistleblower Protection Directive (the Directive) was adopted by the European Council. The Directive’s central aim is to provide better protection for those who seek to expose corporate wrongdoing in the public interest. These protections are extended to a broad range of individuals—essentially anyone working in the public or private sector who could acquire information about wrongdoing in a work-related context. This group extends well beyond employees to include job applicants, former employees, supporters of the whistleblower, and journalists. The protections are against dismissal, retaliation, and any other form of discrimination, such as being denied training or receiving poor evaluations.
The scope of the Directive is limited to wrongdoing relating to EU law. This is a broad category and includes, for example, tax evasion, money laundering, public procurement offenses, product safety and road safety, environmental protection, public health, and consumer and data protection. Beyond this, national legislators are encouraged to extend the coverage to wrongdoing relating to national laws too.
The Directive will impact all private and public sector organizations with over 50 employees operating in the EU (not just those in the financial services sector). The scope extends to non-EU organizations operating in the EU, including UK organizations, post-Brexit. Relevant organizations with over 250 employees must comply with the Directive (in the form in which it has been implemented in relevant national law) from the end of 2021. There is a deadline extension for organizations with between 50 and 250 employees.
Whistleblowing in the US
The Sarbanes-Oxley Act and Dodd-Frank Act both include provisions giving whistleblowers a right of action as a result of retaliation or victimization. Like the FCA in the UK, the US regulators have also made it clear to financial services organizations that effective whistleblowing arrangements are an important regulatory and cultural expectation. In January 2019, for example, the New York Department of Financial Services (DFS) issued its Guidance on Whistleblowing Programs.
The Guidance sets out the principles that all regulated institutions should meet when designing and implementing whistleblowing arrangements. These include provisions in relation to anonymity, confidentiality, and protection from retaliation. They also refer to the importance of having a "top-down culture" that supports whistleblowers and encourages them to come forward.
In September 2020, important clarification was given by the SEC on the scope of Dodd-Frank Rule 21F-2(d)(4). The provision covers the protection of whistleblowers from retaliation.
In 2018, the US Supreme Court ruled in the Digital Realty Trust decision that Dodd-Frank Rule 21F-2(d)(4) only applies to whistleblowers who make reports to the SEC, not those who make internal reports within their organization. Not surprisingly, since the Digital Realty Trust decision, the number of tips to the SEC Office of the Whistleblower has soared. The SEC has now confirmed this interpretation and that those who make reports through internal channels are not ‘whistleblowers’ as defined by the Dodd-Frank Act. Protection may still be available under other legislation, regulations or guidance, for example, under Sarbanes-Oxley.
Unlike the position in the UK and the EU, however, the SEC Whistleblower Program, created in July 2010 pursuant to Section 922 of the Dodd-Frank Act, has allowed the Securities and Exchange Commission (SEC) to pay rewards to eligible corporate whistleblowers who voluntarily provide “original information” leading to a successful enforcement action that results in monetary sanctions over $1 million. More than $500 million has been paid out since 2011. Indeed, on September 28, 2020, the SEC issued its 100th whistleblower award under the reward program.
What Should Your Next Steps Be? Act Now!
In summary, whistleblowing arrangements, particularly within the financial services sector, are increasingly under the spotlight. The cost of non-compliance is high, not only for organizations, customers, and other stakeholders, but also for the wider public and, of course, for the whistleblowers. Effective whistleblowing arrangements, including training and employee communications, are now a global GRC priority for financial services organizations and beyond.