An important gauge of the compliance and ethics program’s success is how comfortable employees and third parties feel about raising questions and concerns.
All public and private organizations in the EU with more than fifty (50) employees will soon be required to comply with a new EU Whistleblower Protection law. The new law highlights the importance of responsive, transparent, and timely whistleblowing case management. So just implementing a hotline is not enough. Organizations must consider confidentiality, acknowledgment of the tip or complaint, response times, the competence of persons receiving the reports, communication with the whistleblower, and feedback on how the case is being processed. The new law also includes the right to report concerns externally while remaining legally protected. That’s a risk organizations must avoid. With the December 2021 deadline fast approaching, there is no better time for management and boards to act. Below is a timeline for your reference.
- Before April 2018: Whistleblowers were sufficiently protected in only a few EU member states. The lack of precise protective mechanisms has meant that only a few employees have been prepared to report misconduct in companies.
- April 2018: EU Commission launches a proposal for a directive aimed at providing uniform protection for the whistleblower
- March 2019: “Provisional Agreement” was reached between the EU states and the European Parliament
- April 16, 2019: European Parliament adopted regulations for EU-wide whistleblower protection
- October 2019: Official adoption of the directive by the EU Council
- December 16, 2019: Entry into force as Directive 2019/1937
- December 2021: Deadline for implementation of the directive by EU member states into national law
The new EU Whistleblowing Directive 2019 introduces minimum standards for the protection of whistleblowers and requires many public and private entities to introduce their own internal whistleblowing channels. EU countries are required to implement the directive no later than December 2021. To guarantee an EU-wide standard for the protection of whistleblowers, the European Union adopted a regulation for whistleblower protection in December 2019. In a two-year implementation period, EU member states will be obliged to implement the directive into their own national laws by 2021. This writing summarizes the critical aspects of the new law and what companies should do now, for tomorrow!
The core feature of the new law is protection for whistleblowers. The key points are:
- Protection not only exists for employees who report their concerns but also for job applicants, former employees, supporters of the whistleblower, and journalists.
- These persons are protected from dismissal, degradation, and other discrimination.
- Protection applies only to reports of wrongdoing relating to EU law, such as tax fraud, money laundering or public procurement offenses, product and road safety, environmental protection, public health, and consumer and data protection (the EU is encouraging national legislators to extend this to also cover wrongdoing relating to national laws).
- The whistleblower can initially choose whether to report a concern internally within the organization or directly to the competent supervisory authority. If nothing happens in response to such a report, or if the whistleblower has reason to believe that it is in the public interest, they can also go directly to the public. They are protected in both cases.
With these safeguards, the EU is signaling to whistleblowers that they have nothing to fear while encouraging individuals to report on the organization’s infringements.
Create the necessary conditions for the introduction of an internal whistleblower system:
- Ensure an open corporate culture, which is also supported by management.
- Ease employee concerns by showing that implementing a whistleblowing system does not involve placing everyone under general suspicion, but is there to help bring to light misconduct in the organization.
- Involve central stakeholders such as management, the works council, or the human resources department in the decision-making process at an early stage.
- Set up a process for handling reports.
Define what your organization’s requirements are in terms of an appropriate reporting channel for your business. For example, clarify which languages the whistleblowing system should be available in, whether third parties (such as suppliers) should also be allowed to issue reports and which data protection requirements must be fulfilled.
Implement the reporting system.
- Define explanatory texts, FAQs, and questionnaires.
- Define access rights and escalation principles.
- Test the finalized system.
- Publish the system in all relevant places, such as in the Code of Conduct or on the Intranet.
Develop a successful communication strategy:
- Define your campaign messages.
- Choose appropriate media and channels for your campaign.
- Repeat these communications activities regularly.
- Also, think about what measures could be taken to help prevent misconduct from occurring.
The Public Interest Disclosure Act (PIDA), enacted in 1998, protects against workplace retaliation against whistleblowers and allows for anonymous reporting. Other European countries have similar frameworks, including Ireland, Italy, and the Netherlands.
Additionally, both the Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) expect regulated firms to adopt internal whistleblowing systems and appoint a senior manager as their “whistleblowers’ champion.” Moreover, the Serious Fraud Office (SFO) encourages companies to self-report misconduct by providing cooperation credit and, potentially, a DPA to self-reporters. And, if prosecuted under the U.K. Bribery Act or Criminal Finances Act 2017, the existence of internal procedures that include whistleblower reporting mechanisms is a factor that may help establish a defense to corporate offenses of bribery or facilitation of tax evasion, respectively.
Implementing a hotline involves more than the installation of software. Organizations must have a proper triage process, whereby allegations and issues are evaluated, prioritized, and responded to in a timely and consistent manner. In order to do this, organizations must:
- Assess the merit of the facts and sources for each allegation.
- Document and set aside meritless reports.
- When time permits, evaluate the root cause of meritless reports where there appears to be a large volume.
- Assess the type of issue involved.
- Personal grievance, false tip, misunderstanding, theft of property, financial misrepresentation, corruption, material risk, etc.
- Determine the functions, individuals, or outside experts, that will be required to participate or lead the investigation
- Agree upon investigation procedures and parties.
- Escalate high-risk reports to an oversight body.
- Establish a protocol for determining the risk level of reports.
- Determine the who, what, where, when, how for reporting on high-risk and medium-risk issues
- For the highest risk reports, identify the appropriate oversight body to ensure the investigation and result are appropriately communicated and disclosed, where needed
- Address reporting abuses.
Timely Updates and Communication
Once issues and reports have been triaged and assigned to the appropriate parties, organizations must develop a process for communicating timely updates to relevant stakeholders.
- Updates may be entered directly into the compliance hotline tool or a separate process workflow, so all relevant parties are aware of the status
- Access permissions on the ability to edit or view the status should be limited to the lead investigation team/function only
- If the investigation is performed under privilege, then a separate communications and reporting process will need to be discussed at the beginning of the investigation
- Any communications, documents or other information should be appropriately maintained and archived at the conclusion of the investigation.
- Designate a hotline champion.
- When responding to tips, the response protocol often determines the overall success of the whistleblower program.
- Document and communicate the intake and triaging process to relevant stakeholders
- The Chief Compliance and Ethics Officer should have oversight of the helpline, but may want to delegate intake, screening, and triaging to other functions.
- Ensure there is coordination between Legal, Compliance, Internal Audit, and Human Resources or People Services.
- Incoming reports should go to at least two parties.
- Identify individuals who are responsible for assigned activities when team members are on leave or on vacation
- Build in and establish a formal, periodic assessment of the hotline’s effectiveness and create accountability for improvements.
One solution to consider is EQS Integrity Line. As a secure, intuitive, and flexible whistleblower reporting and case management system, it fulfills all requirements of the new EU Whistleblower Directive. The system offers features such as roles & permission management, an audit trail, a case chat function, and advanced reporting functionalities. I personally participated in a demonstration of the EQS product and it’s worth a look!
With the directive focusing on the whistleblowing process, these features are key to being compliant. Companies large and small around the world trust EQS Integrity Line to help them identify and manage corporate misconduct. To learn more about EQS Integrity Line, please follow this link.
Download the free 2019 Whistleblowing Report, a study conducted by the Swiss university HTW Chur in cooperation with EQS Group, which highlights how companies use whistleblowing systems to deal with illegal and unethical actions.
I welcome your thoughts and comments and thanks to EQS and Ali Rampurawala from Baker Tilly’s Global Forensic, Compliance, and Integrity Services and Solutions practice for contributing to this writing!