The EU Whistleblowing Directive, while not law in the UK, does catch UK firms if they trade in the EU.
Since the UK left the EU ‘we’ are no longer subject to EU regulations and Parliament is slowly (very slowly) repealing EU laws and unpicking the web of integration in law and regulations. This will no doubt take years.
In the meantime, the UK and EU signed a Trade and Co-operation Agreement (“TCA”), which has applied provisionally since 1 January 2021 and contains far-reaching level playing field provisions. The UK and EU agreed not to weaken or reduce their labour and social protections below the levels in place at the end of the transition period (31 December 2020) and to continue to strive to increase their respective labour and social levels of protection. Where there are significant divergences (which have a “material impact on the level playing field for trade and investment”), the EU can take appropriate rebalancing measures.
We have yet to see the implications of the Retained EU Law (Revocation and Reform) Bill, which is currently being debated in the UK Parliament, but it has the potential to affect a vast array of employment-related regulations. In practice, any UK firm that meets the thresholds at which the EU requires a whistleblowing system will have to implement one to remain able to trade in the EU legally.
How many employees make a whistleblowing system mandatory via the EU Whistleblowing Directive?
Section 2 (1), letter q) of the EU Whistleblowing Directive provides that the new regulation will apply to companies that:
Have employed more than 50 employees during the previous year;
Have adopted the organizational and management model required by Legislative Decree no.231/2001, even if they employed less than 50 employees during the previous year; or
Operate in markets expressly mentioned by the law (financial services, products and markets; transport safety; environmental protection; prevention of money laundering and terrorism), even if they have employed less than 50 employees during the previous year.
Companies employing at least 250 employees are required to comply with the Whistleblowing Decree by 15 July 2023.
Companies employing fewer than 250 employees may benefit from an extension of the compliance deadline until 17 December 2023.
What classification of person is covered by the EU Whistleblowing Directive?
Section 3 of the EU Whistleblowing Directive identifies the categories of individuals to whom the protections of the Whistleblowing Directive apply, namely:
Employees, self-employed workers, consultants, independent contractors, volunteers, trainees;
Individuals covering administrative, managerial, supervisory or representative roles;
So-called “facilitators”, i.e. individuals assisting a whistleblower in the notification process and working in the same context;
Relatives of the whistleblower as well as individuals linked to the latter by a stable emotional bond; and
Colleagues of the whistleblower having a regular and continuous relationship with the whistleblower.
Practically, this means anyone connected to the whistleblower is protected.
What can the EU do if a firm doesn’t have a Whistleblowing System?
Section 21 of the EU Whistleblowing Directive provides for sanctions applicable to companies failing to adopt the necessary measures to handle whistleblowing in a timely fashion. In particular:
A fine ranging between €5,000 and €30,000 where retaliatory activities are ascertained, the obligation of confidentiality is infringed and where the company has hindered, or attempted to hinder, the fulfillment of a whistleblowing procedure; or
A fine ranging between €10,000 and €50,000 where the company failed to establish the whistleblowing channel, or such channel does not comply with the provisions of the EU Whistleblowing Directive, or where the company failed to follow up on a notification of wrongdoing.
The body with authority to issue sanctions, and which has investigative powers, differs in each EU country. These bodies can also act as the recipient of notifications if the channel provided for in the EU Whistleblowing Directive has not been established within the company.
In practice, this means a UK company trading in the EU can be fined if it doesn’t meet the EU decree requirements. There is no doubt the EU could also ban the firm from trading in the EU. Politically, if several UK companies breached the decree the EU could require the UK to intervene under the “TCA” (see first paragraph).
What internal requirements must UK firms meet?
Section 5 of the EU Whistleblowing Directive provides that information on the functioning of the whistleblowing channel must be made available to stakeholders both physically in the workplace and through posting on a specific section of the company’s website. Firms can outsource the whistleblowing system to external providers, but it must be advertised internally in the company. Best practice is also to provide a portal that helps firms investigate whistleblowing concerns and provides audit and record keeping to show actions conducted.
What are the implications for UK finance firms?
Global financial services firms with operations in the EU should not be complacent about the impact of the Whistleblowing Directive. Although Brexit means that the UK has left the EU, the directive is still relevant to UK businesses with an EU footprint. UK-based financial services firms will therefore need to decide whether and how to change their whistleblowing arrangements to comply with a patchwork of new rules. Financial services firms in the UK are already subject to the FCA’s rules on whistleblowing contained in Chapter 18 of the SYSC part of the FCA Handbook.
The EU Whistleblowing Directive was due to be transposed by EU member states into national law on 17 December 2021. The Directive applies to every financial organisation operating in a member state irrespective of size, but there is one key provision that is dependent on the number of workers engaged by that firm. Firms that currently have more than 250 workers in any member state, and any firm that will have 50 or more workers as at 17 December 2023, must establish secure and confidential internal reporting channels. This requirement raises a number of challenges.
Who should be the recipient of the notifications made via the internal channel?
If a channel can be used by workers in multiple jurisdictions, the tricky question is whether access to the notifications should be restricted on a jurisdiction-by-jurisdiction or even company-by-company basis. Aranea can be set up to provide ‘managers and report responders/investigators’ separately in each jurisdiction so that reports can meet individual state-by-state nuances. This also resolves issues for a group with more than one legal entity in the same jurisdiction, each having more than 250 employees. The reporting of each case can then be decided internally by the organisation, as Aranea facilitates an ‘Admin’ role that can be directed to personnel inside the organisation as it sees fit.
What features should you look for when designing a whistleblowing system?
Systems should allow reports to be made in multiple languages to enable global use. They should be designed so that a report can be entered using any end device, whether a smartphone, tablet or PC. Importantly, the system should have an integrated case management system which allows the investigation, HR, legal or compliance team to process cases efficiently and easily and direct them within the specialised department. The system must be secure and comply with GDPR requirements. Firms should check the system uses encryption technology and has the appropriate SSL certificate to ensure data cannot be accessed outside the company. Particular care must be taken if the hotline is hosted outside the EU to ensure GDPR compliance.
Aranea meets all of these requirements.
A key requirement of the Directive is the need to preserve confidentiality of reporting and so any system must allow whistleblowers to report their information anonymously to the employer/company. Communication with the whistleblower should also remain completely anonymous following the complaint being raised, unless they choose to reveal their identity.
Aranea has anonymity and encryption built in.
The Directive does provide that workers must be aware of their right to report through external channels, but if the breach can be addressed internally and the whistleblower considers there is no risk of retaliation, member states should encourage use of internal channels. The FCA’s rules emphasise that whistleblowers must be informed that reporting to the FCA or PRA is not conditional on a report being made using the firm’s internal arrangements, and so financial services firms will need to manage this difference in approach.
Aranea facilitates both internal and external reporting within its setup.
Firms need to implement procedures for reporting and follow-up
Unlike SYSC 18, which includes a requirement to provide feedback “where this is feasible and appropriate”, the Directive provides clear timeframes for responding to a report. The report must be acknowledged within seven days of receipt and feedback must be provided in a period of no more than three months from the date when the report was acknowledged. Appropriate feedback can address the action envisaged or taken as follow up and the grounds for that follow up at the time the feedback is given. Therefore, although a final conclusion may not be reached in three months, the whistleblower must receive appropriate follow up in this window.
Aranea’s built-in Investigation portal provides reminders to ensure reports are acted on within the timescales.
In addition, the regime also establishes the system for reporting to the whistleblower. The preamble to the Directive makes it clear that the reporting person should be informed of the investigation’s progress and outcome in all cases. Any oral report or meetings with a whistleblower must be recorded. This differs from the regime under SYSC 18 which imposes a requirement to keep records of reports that are made and how such reports are dealt with.
As is to be expected, the Directive prohibits retaliatory action against whistleblowers, such as demotion or dismissal, but it goes further than this by prohibiting both threats and attempts to retaliate, including using social media.
For the first time across the EU there will be a system that protects all whistleblowers from detrimental treatment. They will have the ability to bring claims for damages should their employer fail to adhere to the company’s basic principles.
What steps should firms take to comply with the EU Whistleblowing Directive?
Firms should consider the following:
Monitor the implementation of the directive across member states to assess whether any member state’s implementing measures go beyond the provisions of the directive. It will then be for firms to decide whether to impose the highest standard across all jurisdictions in which they operate or whether to implement a patchwork of different rules. They also need to review any processes together with their obligations under SYSC 18.
HX5 monitors across the EU to ensure Aranea meets the requirements wherever it is deployed in the EU.
Introduce training to reinforce the prohibition on retaliation, the obligations to preserve confidentiality and how to escalate reports.
Introduce a whistleblowing reporting framework including an internal reporting channel and engage with social partners across Europe, for example trade unions or works councils, to do so.
Consider whether the firm can comply with the various practical considerations introduced by the directive. For example, can the firm comply with the timeframes provided for in the directive? Can it maintain the confidentiality of the identity of the whistleblower? If not, what steps should be taken to ensure that these requirements are met?