Whistleblowing Management: The Coming Regulatory Storm

Europe’s New Regulations Will Have a Global Impact

In honor of National Whistleblower Appreciation Day, Frank Staelens discusses the EU Whistleblower Protection Directive (WPD) at length. Frank explains the regulation’s broad impact and offers guidance for compliance.

Most listed companies and large public organizations already consider whistleblowing management as an important governance mechanism with, in most cases, boards/audit committees being accountable to measure its effectiveness. This group is now moving toward the use of whistleblowing systems beyond reporting wrongdoing and starting to understand that instilling a transparent, “speak up” culture is perceived by stakeholders as a sign of good health.

However, many other organizations still have a different position on the subject. Some of the reasons offered for not facilitating whistleblowing management include:

  • Self-denial or self-protection by company management
  • A non-transparent culture or fear of abusive reporting
  • It is not a regulatory mandate in most countries
  • Lack of budget or other investment priorities
  • Lack of knowledge about the benefits

Key Arguments for Facilitating Whistleblowing Management

  • A “speak up” culture helps to reduce employee turnover.
  • Whistleblowers have proven to be the most effective information source on and protection against unethical and criminal behavior within organizations.
  • Whistleblowing helps to avoid public disclosures and the associated reputation risks.
  • Whistleblowing management will become mandatory in Europe as a result of the new EU Whistleblower Protection Directive (EU WPD).

The Scope of the EU WPD

Scope of Applicability

Within the EU: All member states have until December 17, 2021 to transpose the new whistleblower protection rules into national law.

Within member states: All private and public organizations based in Europe, regardless of ownership and of where their head offices are located, will need to comply with the EU WPD principles (organizations with fewer than 250 employees have two more years to organize their compliance).

Within organizations: All internal persons with both standard and non-standard employment relationships and specific categories of external persons (former employees and business partners such as contractors and suppliers) have rights under the EU WPD.

Scope of Breaches

The EU WPD protects persons reporting breaches of EU law, and member states are encouraged to extend the scope to breaches of national law. The EU law breaches and potential violations covered include, among others, financial services regulations, anti-money laundering directives, fraud and corruption detrimental to EU interests, data protection regulations, corporate tax law, competition law and market abuse regulations, public procurement rules, public health and safety, and environmental protection.

Scope of Protection

All internal and external persons related to the reporting of wrongdoing in a work-related context.

“The EU is committed to having a well-functioning democratic system based on the rule of law. That includes providing a high level of protection across the Union to those whistleblowers who have the courage to speak up. No one should risk their reputation or job for exposing illegal behaviors.”

– Anna-Maja Henriksson, Finland’s Minister of Justice

EU WPD Principles and Duties to Comply With

Principle of 3-Tier Reporting Structure

Organizations will need to set up tier-1 internal reporting, communicate about the tier-2 reporting structure set up by the competent authorities, and allow conditional public disclosure (tier 3) with full protection for the whistleblower (organizations with fewer than 50 employees and municipalities with fewer than 10,000 inhabitants are not required to install tier-1 internal reporting lines).

Principle of Free Choice Between Tier-1 and Tier-2 Reporting

The whistleblower should be allowed to directly report to the authorities without first going through an internal reporting process.

Duty of Confidentiality

Reporting should be set up in a confidential way. Confidential reporting means that only the recipient of the report knows the identity of the reporter, and that identity is not disclosed to anybody else without the reporter's consent. Organizations have a duty of confidentiality and should organize themselves so that they can protect the identity of all internal and external persons related to the report (the reporter, but also witnesses and persons named in it). Although the EU WPD does not require organizations to facilitate anonymous reporting, it is likely to trigger a more progressive approach in this respect, because not facilitating it increases the likelihood that whistleblowers will opt for tier-2 reporting to the authorities. Given the duty of confidentiality, it is best to leave the choice of whether to disclose their identity to the whistleblower.

Duty of Feedback

The rules create an obligation to give whistleblowers feedback within set deadlines: confirmation of receipt of the initial report within seven days, and feedback on the status of the report within three months. Both organizations and authorities have feedback obligations (for the latter, the deadline can be extended to six months in duly justified cases).

Duty of Governance

This requires organizations to assign case managers who are competent, diligent and impartial.

Duty of Data Protection Compliance

Whistleblowing management should be set up in compliance with the privacy-by-design and the privacy-by-default principles of the EU General Data Protection Regulation (GDPR).

Duty of Documentation and Information

Organizations are required to fully document the whistleblowing processes and inform their employees, business partners and competent authorities about them.

Key Risks to Manage

Staged Whistleblowing (Threats)

If an employee learns about imminent sanctions or dismissal, or about missing out on future promotions or salary increases, this may prompt them to file a report in order to seek protection as a whistleblower. Although there must be a link between the report and the adverse treatment, the adverse treatment will be presumed to be retaliation for the report unless the employer can prove that it was based on duly justified grounds. Whistleblowers are relieved of the burden of proof, but they must have reasonable grounds to believe that what they report is true; reporting on the basis of suspicions is allowed.

Public Disclosure Immunity

Failing to provide feedback within the deadline, failing to facilitate tier-1 internal reporting, or communicating improperly about the three-tier reporting structure can entitle the whistleblower to disclose publicly with full protection. I expect that it will be difficult for EU organizations to ignore the EU WPD, even if they are based in member states with little enforcement, because of this exposure to protected public disclosure and the associated reputation risks. Organizations that decide not to implement the EU WPD will constantly run the risk of personnel going public without the organization being able to sue for damages, because courts are likely to sanction the organization rather than the employee.

Abusive Reporting Coverage

The principle of free choice between tier-1 and tier-2 reporting and the reversed burden of proof around adverse treatment will lead to more abusive reporting. Although an organization that can prove a knowingly false report made with intent to harm will be able to sue for damages, it will remain difficult to recover substantial direct and indirect losses from individuals, and the risk of abusive reporting will remain difficult to cover through insurance.

Functional Challenges

European Setup

From a privacy-by-design perspective, it is best to make sure all case-related information, both within Europe and where data is sent outside Europe, is covered by Binding Corporate Rules approved under the GDPR (or another valid GDPR transfer mechanism).

Secure Setup

From a security perspective, it is best to work with both certified data centers and a certified software platform that supports encrypted two-way communication with all internal and external stakeholders (the whistleblower, witnesses, subjects of investigation, case managers, company risk management, investigators, crisis managers, lawyers, etc.). Note that data center certification covers the hosting environment only; the platform itself still needs to be assessed for how it protects reporter identities at the application layer.

Future-Proof Scalable Setup

On top of the above, a scalable and future-proof setup requires the following functionalities: automated metadata erasure within anonymous dialogue functions, integration of existing mail addresses, multiple reporting channels (both in writing and verbally), automated machine translation, automated risk category routing, automated alerting, personal data deep search and anonymization, a solution for channeling tier-2 reporting to the authorities in a secure and informed way and investigative document management and task assigning, among others.
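Two items in that list, automated metadata erasure and personal data anonymization, are where reporter identities most often leak in practice: a Word file attached to a report carries the author's name, the machine it was last saved on, and the author of every comment and tracked change. The following is an added example of the erasure step, not code from the article or from any vendor platform. It assumes the intake platform hands attachments over as bytes; the .docx it scrubs is a minimal constructed sample, not a real document, and the element and attribute names come from the OOXML package and WordprocessingML specifications.

```python
"""Strip author-identifying metadata from an OOXML (.docx) attachment.

Added example; not part of the original article. Assumes the intake
platform supplies attachments as bytes and stores the scrubbed copy.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Document-property elements that identify a person, a machine or a timeline.
IDENTIFYING = {
    "docProps/core.xml": {
        f"{{{NS['dc']}}}creator", f"{{{NS['cp']}}}lastModifiedBy",
        f"{{{NS['dcterms']}}}created", f"{{{NS['dcterms']}}}modified",
        f"{{{NS['cp']}}}lastPrinted", f"{{{NS['cp']}}}revision",
    },
    "docProps/app.xml": {
        f"{{{NS['ep']}}}Company", f"{{{NS['ep']}}}Manager",
        f"{{{NS['ep']}}}Template", f"{{{NS['ep']}}}TotalTime",
    },
}
# Comments and tracked changes in word/*.xml name their editor in attributes.
# w:author is mandatory in the schema, so it is replaced rather than removed.
AUTHOR_ATTR = re.compile(rb'\b(w:author|w:initials)="[^"]*"')
DATE_ATTR = re.compile(rb'\s+w:date="[^"]*"')


def _scrub_props(part: str, xml: bytes) -> bytes:
    root = ET.fromstring(xml)
    for child in list(root):
        if child.tag in IDENTIFYING[part]:
            root.remove(child)
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)


def _scrub_authors(xml: bytes) -> bytes:
    return DATE_ATTR.sub(b"", AUTHOR_ATTR.sub(rb'\1="redacted"', xml))


def scrub_ooxml(data: bytes) -> bytes:
    """Return a copy of the package with identifying metadata removed."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            payload = src.read(info.filename)
            if info.filename in IDENTIFYING:
                payload = _scrub_props(info.filename, payload)
            elif info.filename.startswith("word/") and info.filename.endswith(".xml"):
                payload = _scrub_authors(payload)
            # Fresh ZipInfo: the original entry timestamps would otherwise
            # reveal when the reporter last saved the file.
            clean = zipfile.ZipInfo(info.filename, date_time=(1980, 1, 1, 0, 0, 0))
            clean.compress_type = zipfile.ZIP_DEFLATED
            dst.writestr(clean, payload)
    return out.getvalue()


def doc_properties(data: bytes, part: str = "docProps/core.xml") -> dict:
    """{local element name: text} for a properties part, for inspection."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        root = ET.fromstring(z.read(part))
    return {el.tag.split("}")[1]: (el.text or "") for el in root}


def comment_authors(data: bytes) -> set:
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        xml = z.read("word/comments.xml")
    return {m.decode() for m in re.findall(rb'w:author="([^"]*)"', xml)}


def entry_timestamps(data: bytes) -> set:
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return {i.date_time for i in z.infolist()}


def build_sample_docx() -> bytes:
    """Constructed sample: a minimal .docx carrying identifying metadata."""
    w = b'xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
    parts = {
        "docProps/core.xml": (
            b'<?xml version="1.0" encoding="UTF-8"?><cp:coreProperties xmlns:cp="'
            + NS["cp"].encode() + b'" xmlns:dc="' + NS["dc"].encode()
            + b'" xmlns:dcterms="' + NS["dcterms"].encode() + b'" xmlns:xsi="'
            + NS["xsi"].encode() + b'"><dc:title>Report</dc:title>'
            b'<dc:creator>jane.doe</dc:creator><cp:lastModifiedBy>jane.doe@corp.example'
            b'</cp:lastModifiedBy><dcterms:created xsi:type="dcterms:W3CDTF">'
            b'2020-06-01T08:00:00Z</dcterms:created><cp:revision>7</cp:revision>'
            b'</cp:coreProperties>'),
        "docProps/app.xml": (
            b'<Properties xmlns="' + NS["ep"].encode() + b'"><Application>Word'
            b'</Application><Company>Acme NV</Company><TotalTime>42</TotalTime></Properties>'),
        "word/document.xml": (
            b'<w:document ' + w + b'><w:body><w:p><w:ins w:id="1" w:author="jane.doe" '
            b'w:date="2020-06-02T09:30:00Z"><w:r><w:t>Invoices were backdated.</w:t>'
            b'</w:r></w:ins></w:p></w:body></w:document>'),
        "word/comments.xml": (
            b'<w:comments ' + w + b'><w:comment w:id="0" w:author="jane.doe" '
            b'w:initials="JD" w:date="2020-06-02T09:31:00Z"><w:p><w:r><w:t>see attached'
            b'</w:t></w:r></w:p></w:comment></w:comments>'),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in parts.items():
            z.writestr(name, xml)  # real save time lands in the entry headers
    return buf.getvalue()


if __name__ == "__main__":
    raw = build_sample_docx()
    print("before:", doc_properties(raw), comment_authors(raw))
    print("after: ", doc_properties(scrub_ooxml(raw)), comment_authors(scrub_ooxml(raw)))
```

Metadata erasure of this kind only removes what the file format records about its editors; the body text, images (with their own EXIF data) and embedded objects can still identify the reporter, which is why the "personal data deep search" step is listed separately. The scrubbed copy should be what case managers and investigators receive, while the original is either discarded or held only by the confidential recipient.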

ISO Compliant Setup

From an ISO compliance perspective, organizations should consider obtaining certification against the ISO 27001 information security standard and preparing for the ISO 37002 whistleblowing management guidelines, expected to be released around mid-2021.

Operational Challenges

Allowing Tier-2 Reporting While Encouraging Tier-1 Reporting

Legal support will be required to assess how far an organization can go in encouraging internal reporting and ensuring the appropriate handling of internal reports without creating the impression that they want to deny the right for direct reporting to the authorities.

Avoiding Large Implementation Delays

Organizations will need to consult a large number of internal stakeholders; agree upon triage protocols, escalation management processes, crisis management plans and service-level agreements; organize documentation and communication processes; and get external support in periods of high demand for services.

Obtaining Back-Up Services at Short Notice

Given the public disclosure risk associated with missing the deadlines for providing feedback to whistleblowers, all organizations should be prepared to obtain back-up services within 48 hours.

Justifying Impartiality

For small and medium organizations that do not have risk management functions separated from the business, (partial) outsourcing of case management might be the only way to demonstrate impartial treatment of whistleblowers. Lawyers who sue employers on behalf of whistleblowers for adverse treatment are also expected to challenge the organization on how it has implemented its duty of impartiality.

Planning for the Second Half of 2020

So, what should organizations already have planned for the end of the year?

  • Whistleblowing management gap analysis to better understand your readiness status and support timely planning for process and platform improvements related to EU WPD compliance, ISO certification preparations and reputation risk management.
  • Platform selection process to ensure the right choice of technology – tech that is compliant and future-proof and covers the needs of all your risk management functions.
  • Service provider selection to ensure prompt access to all required support (case management, investigation, GDPR compliance, public relations and legal), both first line and back up.
  • Process design drafting, including whistleblowing policies, identity protection setup, impartial case management organization, triage protocols and feedback monitoring setup, escalation processes, a crisis management plan, privacy-by-design and default frameworks, international group strategy and data protection binding corporate rules.
  • Information approach drafting to comply with the information duties toward employees and their representative bodies, business partners and competent authorities.
  • ISO 37002 certification preparation in case you are looking to improve your image as a transparent organization.
  • Association support solicitation with the objective to develop standardized approaches on a sector level for small organizations.