Why Issuers Need a Whistleblowing Process Now and What to Do

Issuers in the European Union will have an additional regulation to comply with from December 2021 and now is the time to ensure you are ready for that deadline. Directive (EU) 2019/1937 of the European Parliament is more commonly known as the EU Whistleblowing Directive. It seeks to protect those persons who expose illegal activity by people and organisations that they witness as part of their job. Each issuer with 250 or more employees must have a whistleblowing process in place before 17 December 2021, with those employing between 50 and 249 staff facing a deadline of 17 December 2023. 

Table of content


Background to SRD II

This directive is a natural consequence of recent events. There have been a number of scandals uncovered by whistleblowers, including: 

  • The infamous 2015 case where several officials at FIFA were arrested in Zurich after a whistleblower report. This large-scale corruption that was revealed within the governing body of football is said to have totalled more than €125 million. 
  • The anonymous whistleblower, given the name John Doe, who informed German journalist Bastian Obermayer from the newspaper Süddeutsche Zeitung about the Panama Papers.These were a series of documents from Panamanian law firm Mossack Fonseca that showed more than 200,000 offshore entities were creating shell companies to avoid tax, carry out fraud and circumvent international sanctions. 

Although this new directive is yet another piece of legislation that issuers must factor into their operations, the ability to safely raise a concern and expose wrongdoing or malpractice without fear of retaliation is essential for the pursuit of justice. This is why the EU Whistleblowing Directive exists.  

The EU Whistleblowing Directive

Below is a summary of the key elements of the EU Whistleblowing Directive. 

  • Issuers must provide employees with a confidential internal reporting system by the deadline required for a company of their size
  • Organisations should train staff on how to file a report
  • All affected organisations must appoint impartial staff or departments to monitor and manage reports
  • Each organisation needs to take steps to comply with the General Data Protection Regulation (GDPR) during the whistleblowing reporting process 
  • Organisations must protect whistleblowers from retaliation following their reports, as well as knowing which other individuals require protection as a result of the report

The directive forms the minimum standards relating to the treatment of whistleblowers and their reports. Many EU member states also have additional whistleblowing policies to which issuers within their jurisdiction must adhere. Here are some examples: 

Country Additional whistleblowing legislation
Belgium There is no additional whistleblowing law in place in Belgium, but employers have a contractual duty of mutual respect when it comes to rules governing abusive dismissals, which whistleblowers could use in legal challenges. There are also rules against bullying and harassment in the workplace, which would apply if the whistleblower suffered retaliation for reporting. 
France The French Sapin II law applies to companies with more than 500 employees and is aimed at preventing corruption. Among a wide range of requirements is the one that businesses must put in place an internal reporting system. 
Ireland The Protected Disclosures Act 2014 is also called the Whistleblower Legislation and offers redress to people who have been penalised for disclosing wrongdoing in the workplace. 
Netherlands Huis voor Klokkenluiders, or the Dutch Whistleblowers’ Authority, was established in 2016 as an independent body to advise, support and offer guidance to whistleblowers as well as to investigate criminal activity in organisations and retaliation against whistleblowers.

The organisation was established under the Dutch Whistleblowers Authority Act, which requires organisations of 50 or more employees to create an internal reporting procedure. 

The authority also produced an Integrity Guide for organisations to help them establish the best possible processes.

Portugal The Portuguese Criminal Code features some clauses that apply to whistleblowers.
  • The whistleblower can be exempt from a sentence if they make a report within 30 days of the crime and before the start of the criminal investigation
  • The whistleblower can reduce their sentence if they agree to obtain evidence that identifies other responsible parties 

The whistleblowing process

This is the process for receiving, processing and investigating a whistleblowing report, as designated by the EU Whistleblowing Directive. The directive encourages reporting persons to use internal channels within the organisation for protected disclosure of information. 

1. Sending a report

The whistleblower uses one of the internal reporting systems open to them to make their report. When developing your reporting methods, you should bear in mind the right to anonymity of the reporting person as well as anyone else mentioned in the report, including people mentioned in relation to committing criminal behaviour. 

It should also comply with GDPR and be secure so that unauthorised persons cannot access the details of the report. 

For the purposes of the directive, the whistleblower could be any of the following:

  • Employees
  • Shareholders
  • Board members (including non-executives)
  • Freelance workers
  • Contractors
  • Subcontractors
  • Suppliers
  • Anyone in a senior manager role
  • Former employees
  • Prospective employees
  • Volunteers

2. Processing the report

A designated, impartial person or department must acknowledge receipt of the report within seven days. 

3. Follow-up

They must then follow up on the report, maintain communication with the whistleblower and ask them for more information if needed before they start the formal investigation. 

4. Formal investigation

The directive demands a “diligent follow-up” on the whistleblower’s report.

5. Resolution

The organisation must provide the whistleblower with a resolution to their report within three months of receipt. The individual or competent department responsible should include details of the grievance procedure if the outcome does not meet the reporting person’s expectations. 

This can include details of escalating the matter to competent supervisory bodies. If they still do not receive the resolution they require, they can make their report through the media or press as long as it is a public concern. 

Whistleblowing systems 

Here are some examples of internal whistleblowing reporting systems you could use within your business, as well as the advantages and disadvantages they bring in terms of compliance. 

System Advantages Disadvantages
Phone
  • Accessible for most people
  • Having a real-time conversation helps the interviewer draw out more information     
  • Costly to operate 24/7 with specially trained staff
  • Reliant on the operator taking accurate notes
Email
  • Convenient for filing a report        
  • Reporting person must create a new email account if they want to remain anonymous
  • Labour-intensive, manual process to remain GDPR-compliant
  • Security concerns
Physical postbox
  • Can include physical evidence to back up the report
  • Easy to use
  • There is a risk someone will see the reporting person issuing their report
  • Requires secure filing
  • Requires manual sorting
  • Not suitable for remote staff
  • Hard to follow up anonymous reports if there are no contact details given
Ombuds function
  • Independent body, not connected to the issuer that can be seen as truly impartial    
  • The whistleblower might not like the idea of their report leaving the organisation    
Digital whistleblowing platform
  • GDPR-compliant
  • Provides reminders of action points to remain compliant
  • Visual dashboard helps to keep track of report progress
  • Secure and confidential
  • Unique token system ensures the confidentiality of the reporting person
  • Encourages structured reporting to make investigation easier
  • Keeps reports filed and easily accessible for internal auditors
  • Requires an internet connection for the reporting person

Best-practice tips

Introduce a whistleblowing policy

Compliance with the EU Whistleblowing Directive requires issuers to have a process in place to receive, investigate and resolve reports, whilst also protecting the people who make disclosures. This requires an internal policy that adheres to the legal obligations set forth by the directive and any additional regulations within your country. 

You should choose the reporting channels that fit your business the best and make meeting the legal requirements as easy as possible. These channels should be described in your policy. 

Promote your policy

Your staff need to know how the policy works, how it can protect them if they make a report and the consequences if they retaliate against a colleague who makes a report. Publishing it on your intranet is a good way of helping employees find and understand the policy easily and assuaging any fear of reprisals.

Reassure your employees

One of the major fears for whistleblowers is that they will suffer retaliation in the form of unfair dismissal, pay cuts, being passed over for promotion, bullying, coercion or any other detriment as a result of making their report in good faith. The protections that you offer should form a key part of your messaging to ensure employees feel comfortable with the idea of blowing the whistle should they need to. You should detail disciplinary proceedings that will take place for anyone attempting to intimidate a reporting person.

Provide training 

It is essential that you provide training to employees on all levels on how to raise awareness of criminal offences. Not only is it a legal requirement, but it could save your organisation money and prevent reputational damage. 

If your employees feel confident about the ease of the whistleblowing process, this will increase the likelihood that they will report any potential legal violations and unethical conduct early and before they become more widespread.

If your leadership, from top-level managers to line managers, are aware of the process of dealing with disclosures, they will be able to promote an open culture where whistleblowing is seen as normal.

Encourage whistleblowing

The culture of the organisation is important for encouraging people to report complaints of unlawful behaviour and to show you take  the safety of the individual seriously. If you are shown to prize openness and honesty throughout the workplace, at every level, this helps embolden employees to use the whistleblowing system. 

Do whistleblowers have legal protection?

The EU Whistleblowing Directive requires issuers and other organisations to provide free legal advice to whistleblowers. It also makes it illegal for anyone to retaliate against a whistleblower. The directive states that “it is crucial that reporting persons who do suffer retaliation have access to legal remedies and compensation.”

The legal remedies and compensation available depend on the seriousness of the issues and the nature of the retaliation committed on the reporting person who made the allegations. 


 

Conclusion

If you do not have your whistleblowing process in place, there is still time, but you must act quickly. You should choose your procedures carefully and opt for the whistleblowing systems that work best for your organisation and allow you to comply with the timelines, privacy, security and confidentiality requirements of the directive. 

If you choose to implement a digital whistleblowing system, IntegrityLog can help. The platform is fully compliant with the EU Whistleblowing Directive and provides easy, safe reporting. The interactive dashboard helps you keep track of all open cases and approaching deadlines. You can try IntegrityLog here

References and Further Reading