Written by Frank Staelens on Friday December 17, 2021
Today marks the deadline for all EU member states to have transposed the EU Whistleblower Protection Directive into national law. It is a deadline most member states, however, have not been able to meet; these now intend to transpose the Directive within the next 3 to 9 months. Any EU fines because of these delays will affect only the member states themselves, not any underlying organisations.
During the transposition process, member states have the liberty to extend the initial scope of the EU Directive. The European Commission even recommended that member states extend the protection scope for whistle-blowers from EU law breaches to national law breaches. The fact that many states have already decided to do so is of course a positive evolution (though the prospect of 27 different interpretations is somewhat worrying). Beyond the reporting scope, there are some marked differences between member states’ implementations, including:
Organisations have two options ahead of them: operating under a centralised policy or a national policy. Those organisations which seek to limit the reporting rights to the ones applicable in the member state where the whistle-blower is based will need to work with national policies.
Although the decentralised, national policy approach seems the obvious choice, there are several substantial arguments against it.
First, it will significantly increase the administrative burden, including the need to keep multiple local policies up to date and to develop training that informs local stakeholders of their rights. All local stakeholders should also be informed of their equal reporting, information and protection rights. These stakeholders are not only internal (employees, temporary personnel, directors and shareholders) but also external (applicants, former employees, contractors and suppliers).
Applying different reporting rights and protections in different member states will also increase stakeholder uncertainty. Such whistle-blower ambiguity is best avoided, as it will push them towards using their rights to directly report to the competent authorities instead of reporting into the organisation.
Different reporting rights and protections can, furthermore, encourage whistle-blowers to forum shop. One type of forum shopping is to send in multiple reports on the same issue to multiple destinations, combining either anonymous with named reports, group with local reports or internal with external reports.
A second form is the re-qualification of national law breaches of public interest as EU law breaches. If, for instance, the reporting of the criminal act of misappropriation of company assets is not protected in a specific member state, whistle-blowers may then choose to report it as an AML breach if the criminal proceeds were transferred, as a GDPR breach if there was a data leak, or as an EU tax law breach if the fraud resulted in incorrect tax reporting.
A third way is to report to the competent authority in the country of a sister subsidiary, where that country offers better protection. The fourth and final means of forum shopping could be to report to an involved business partner such as a customer, because your customers will need to facilitate whistle-blowing by your employees on matters related to their organisation. Each example demonstrates the adverse consequences of limiting reporting rights.
The other option is working with a centralised policy on a group level. A centralised approach implies working with the greatest common denominator of national reporting rights. It is even worth extending the reporting rights independently from the different national regimes to all serious concerns reporting, provided that the reporting is performed in good faith. This should help create a real speak-up culture and avoid negative consequences like the temptation towards external reporting and/or forum shopping, both of which increase the risk of reputation damage.
Even if a group chooses to work with a centralised policy, it will still not be able to share resources with EU subsidiaries that have more than 249 employees. All these subsidiaries require local whistle-blowing functions. Local whistle-blowing managers will not be able to inform the group unless the whistle-blower has pre-approved this. If these approvals are not obtained – and the local entity is unable to organise the whistle-blowing management in accordance with the case governance principles of competence, diligence and impartiality – then outsourcing will be the only remaining option.
Independent of the whistle-blower’s choice of group or local-level reporting, an organisation remains solely responsible for setting up proper procedures that guarantee ID protection and protection from any retaliation against the whistle-blower. So, in the case of local reporting, the group could on the one hand be uninformed because the whistle-blower is not willing to involve them and on the other remain responsible for making sure that the case receives proper local handling by a competent impartial person in such a way that local management is not tempted to intervene or retaliate.
The requirement to organise local whistle-blowing functions relates to both case handling/investigations and reporting systems. The objective of Europe is for the whistle-blowers to have a free choice between group and local reporting. All subsidiaries with more than 49 employees require internal reporting systems, which for subsidiaries with more than 249 employees will need to be run separately from the group reporting system. This does not mean that these subsidiaries cannot use the same gateway software, but there will be a need for Chinese walls to guarantee the free choice of the whistle-blower between group and local reporting.
The local whistle-blowing function should be implemented in accordance with the case governance principles of ‘competence, diligence and impartiality’.
Impartiality is the most difficult to organise, because it presumes that there is no interference from the business. The function that can easily justify its full independence from the business, and at the same time is not conflicted, is the compliance function. Other risk functions could be assigned provided that their impartiality in whistle-blowing case handling is guaranteed. Management reporting, meanwhile, is best organised through an ethics committee; such a committee is also the most appropriately placed to take care of communication and escalation management.
Diligence will require both a consistent and a timely follow-up on cases. A risk-scoring methodology will be needed to ensure a consistent approach and support a defensible position. To ensure a timely follow-up, organisations will also need to organise themselves around the regulatory feedback deadlines (notification within seven days, status reporting within three months, etc.).
The principle of competence presumes that the case recipient has experience with the handling of the reported matters and the handling of whistle-blowers in general. Regulators have already stated that if organisations are unable to organise the whistle-blowing case handling in accordance with the governance principles, then outsourcing is an option available to them.
For non-EU multinationals it is even recommended to run a European whistle-blowing programme, with local case handlers assigned who keep all whistle-blowing data in Europe. From a GDPR perspective, transferring whistle-blowing data outside Europe will require setting up binding corporate rules based on the standard data protection clauses issued by the European Commission, and following up on any additional data transfer controls imposed by the European Data Protection Authorities where their subsidiaries are based.
Furthermore, in order to have a valid legal basis for such data transfers outside Europe, non-EU multinationals will need to look for consent from the whistle-blower. In general, unnecessary consent levels are best avoided because they could again push the whistle-blowers to use their rights to directly report to the competent authorities.
The pertinent question for all organisations is: ‘How do we organise compliance in a way that limits reputational risks and avoids rights abuses?’
Certain forms of rights abuse may also affect groups beyond EU borders.
Let’s imagine a situation where you would like to terminate the contract with one of your key suppliers in Europe. If the EU supplier learns about this before you have officially communicated your decision, then an individual of that firm could decide to organise a staged whistle-blowing, with the aim of blocking your decision. In this case an employee of the EU supplier would enter a report based on reasonable suspicions of wrongdoing in the past. Your decision to terminate will then trigger the reversed burden of proof, meaning that you would need to prove that there is no link between the whistle-blowing and your decision to terminate the contract.
It is wise, therefore, to consider that the reversed burden of proof that rests upon organisations can complicate the issuance of any negative decisions against the legal entities that the reporting persons own, work for or are otherwise connected to in a work-related context.
The latter also applies to negative decisions against the employees of your EU subsidiaries. Any dismissal, suspension, demotion, salary decrease, etc., that is preceded by the whistle being blown might result in additional investigation costs to prove that the two are unrelated. To avoid this risk, organisations might consider assigning an external case recipient who takes care of the identity management. Knowing whistle-blowers’ identities is of no value to organisations in most cases. The identity only becomes important when a case can be qualified as high or critical risk.
Reputation risks can result from direct reporting to competent authorities because they can lead to the bypassing of the organisation, questioning or investigation by the authorities and even public exposure in a worst-case scenario. Organisations should therefore create the ideal environment for internal reporting, which I believe should include the following.
Regulations are often not enforced on SMEs. They therefore consider the risk of non-compliance fines to be low in many EU countries. However, the main risk here is not fines but reputation damage. Not facilitating confidential reporting or non-diligent follow-up on feedback deadlines can result in public disclosure immunity. As a result, whistle-blowers could be given the opportunity to go public and reveal their grievances in the press or on social media, while remaining eligible for protection against any form of retaliation.
Most governments within the EU have been working on draft whistle-blowing laws for more than a year without any form of communication with organisations. It is thus imperative that company managers and directors across Europe are aware of the reputational and rights abuses risks related to the new whistle-blowing regulations.
Frank Staelens is Managing Director at Whistleblowing Management EU. He will join the team of Compliance4Business in January 2022. Frank provides daily support on whistle-blowing management, from process design, over the implementation of reporting systems, up till the case handling and investigations. He is a Certified Fraud Examiner and former Big 4 Forensic Audit Partner. Frank founded the Confidential Reporting Network, a European network of whistle-blowing management experts.
EUR-Lex, Directive (EU) 2019/1937 of the European Parliament and of the Council, 23 October 2019: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32019L1937&from=en – accessed December 2021