It’s game time for corporate compliance professionals in Europe. In less than three months, the EU Whistleblowing Protection Directive will take effect and add a new set of requirements to the long list of compliance controls businesses in Europe must implement and maintain. With little time left to prepare and establish the frameworks needed to comply with the law, it’s important that businesses gain an understanding of what the directive entails and the new policies and processes that must be put in place before the impending deadline.
This Directive was approved in 2019 and applies to any organization with 50 or more employees. The law serves as a means to set common ground across all EU member states regarding the protection of persons who report information about threats or harm to the public interest obtained in the context of their work-related activities (i.e., whistleblowers). Businesses with 250 or more employees are required to comply by 17 December 2021, while those with 50-249 employees will have until December 2023 to comply. The organizations concerned may either entrust an internal organizational unit with setting up and operating an internal reporting office or commission a third party to do so.
While similar protections were previously in place in most member states, the Directive extends existing protections to ensure that any employee who reports irregularities to the authorities, the media or other institutions outside the company does not face retaliation, personal disputes or any consequences to their employment. These new protections also cover the types of reports whistleblowers may submit and the reporting methods they use to do so. For example, the German Data Protection Authorities had previously admitted whistleblowing reports only if they applied to financial issues (e.g., fraud, internal accounting controls, auditing matters, corruption and bribery, banking and financial crimes, insider trading), human rights violations and environmental concerns. Authorities across the EU also required whistleblowers to report internally before bringing their concerns to supervisory authorities or other public forums. The new Directive will lift these restrictions and supersede former whistleblowing rules. Notably, employees may choose to take an accusation of wrongdoing directly to the authorities or the media, even if they have opted not to submit an internal report first.
Under the Directive’s requirements, organizations are also now obligated to implement a whistleblowing framework and reporting system as part of their compliance management program. Doing so must start with appointing a responsible individual or department to serve as the primary point of accountability for the program, and establishing a process framework for how the organization will enable reporting and the chain of events and notifications that will be triggered when a report is submitted. The Directive specifies that businesses must provide employees with numerous reporting channels (written, email, phone, etc.), and then clearly communicate the details of the reporting process to their entire organization.
As a best practice (though not explicitly required in the Directive), organizations should also provide a way for whistleblowers to report anonymously. Anonymous reporting alleviates lingering concerns about retaliation, and thus may encourage employees to be more forthcoming with information that compliance officers need to be made aware of. It also creates a culture in which whistleblowers may be more inclined to report internally first rather than feeling as though external reporting is their best or only option.
Furthermore, the whistleblowing system must ensure that dutiful investigation of all reported incidents is carried out and documented in a way that is traceable in the event of a subsequent regulatory probe or litigation. This is essential from a compliance perspective, as investigation will allow the organization to determine the extent of wrongdoing, take steps to remediate issues and notify authorities when necessary. It also reinforces a culture of compliance and trust, as whistleblowers will want to know what management is doing with the information they shared.
As organizations begin to implement or refine their whistleblowing frameworks to comply with the new Directive, they should ensure:
- The necessary conditions and policies for the introduction of an internal, global whistleblowing system have been established.
- An open corporate culture of compliance is supported and communicated by executive leadership.
- Central stakeholders such as management, works council, audit and human resources departments are involved in the decision-making process at an early stage.
- A global whistleblowing policy is integrated as part of the code of conduct and global communications strategy.
- Processes for handling reports and how to conduct internal investigations are defined, standardized and designed in compliance with data protection regulations including GDPR.
- Attention is given to technical considerations, including anonymization and encryption within the whistleblowing reporting system.
- The whistleblowing policy and reporting channels are available in all local languages pertaining to the regions in which the organization has offices.
- Experts are appointed who understand how to separate false positives and illegitimate accusations from authentic reports of wrongdoing.
While this Directive may strike organizations as yet another regulatory challenge to face, business leaders must recognize whistleblowing’s value to compliance and the global fight against fraud and corruption. Vera Jourova, EU Vice-President and Commissioner for Values and Transparency, summed up the importance of whistleblowers in saying, “They are brave people who are ready to bring illegal activities to light in order to protect the public from wrongdoing—often at great risk to their careers and livelihoods.” Indeed, whistleblowers can be an organization’s first line of defense against misconduct and a key source for identifying serious business risks. A robust whistleblowing framework provides an early-detection mechanism that enables swift response to, mitigation of and investigation into legal and compliance issues before financial penalties or reputational damage occur.
When the Directive comes into force later this year, organizations will likely experience an increase in the disclosure of misconduct, and must be prepared to respond to an influx of reports. Addressing the requirements of the Directive now will help ensure compliance, preserve business value and prevent the incidence of fraud over the long term.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.