It is widely acknowledged that employees who report misconduct within their organisations play a key role in exposing breaches and preventing similar incidents from happening in the future.
However, potential whistleblowers are often discouraged from reporting their concerns or suspicions for fear of retaliation. In this context, the European Union deemed it necessary to provide specific whistleblower protection, with the Whistleblowing Directive providing an opportunity for capital markets firms to sharpen their investigative policies and contribute to best practice.
Individual countries have already introduced regulations that address elements of the whistleblowing process. In the UK, the Senior Managers and Certification Regime (SM&CR) makes individuals more accountable for their conduct and competence, while in France, Sapin II requires financial services firms with more than 250 staff to adopt a whistleblowing policy.
The EU Whistleblower Directive goes further by defining minimum standards of protection for anyone who speaks up about breaches of EU laws regardless of the type of business. Matt Smith, CEO of global regtech firm SteelEye, observes that the reach of the EU directive extends beyond its UK equivalent, covering individuals within an organisation such as volunteers and interns as well as board members.
According to Tori Reichman, chief customer officer of whistleblower reporting software developer Vault, the directive will potentially contribute towards a change in attitudes and reporting processes for European-based organisations and teams that want to avoid the reputational, financial and operational costs associated with misconduct issues.
“More transparency and inclusivity, and a more honest internal culture may well develop as a result of an organisation’s efforts to go beyond mere compliance, bridging the trust gap between employees and employers,” she says.
The conversation around misconduct reporting extends beyond HR to leadership and board members who must factor the organisation’s conduct into strategy meetings, investment propositions and other activities. “Capital markets firms affected by issues of retaliation against whistleblowers need to review their processes and the risks involved,” Reichman adds.

One of the key impacts of the directive will be the need for increased oversight and monitoring of digital communications to ensure there is no retaliation against whistleblowers. “This is a massive undertaking and requires automation and machine learning to ensure compliance in an efficient manner,” suggests Shaun Hurst, regulatory advisor for EMEA at archiving and compliance technology company Smarsh. “New models and rules will need to be implemented, staff will need to be trained, and existing compliance software will need to be reassessed to ensure it is up to the task.”
It is also clear that any processing carried out must comply with GDPR. The directive specifically mentions ‘breaches of GDPR’ as a reportable event. “Therefore, firms should be reassessing their data protection frameworks to ensure that all data handling processes, access rights management and other security measures are sufficient to ensure compliance with GDPR generally as well as the specific need to ensure confidentiality of a whistleblower,” says Hannah Rossiter, a managing director in the financial services compliance and regulation practice of proprietary data, technology and insights provider Kroll.
Firms must ensure they have sound record-keeping and data retrieval capabilities to assess claims made months prior, agrees Smith: “A lot of what is required cannot be managed systematically. It is a case of truly understanding the legislation and implementing the related processes to respond to a claim.”
This will likely be an evolution of what capital markets firms are already doing, taking into account TCF (Treating Customers Fairly) as well as SM&CR, the Public Interest Disclosure Act 1998 and MiFID II, says Hurst.
“However, they will need to take a fresh approach and view of their existing compliance activities to ensure they are taking into account the scope of the directive as it pertains to areas such as procurement; corporate tax; environmental safety; consumer protection; privacy, data, security, information and network security; and criminal activity,” he continues. “The UK already takes the majority of these areas into account with its existing whistleblowing protection, but EU member states may not have had this mandate.”
At this point, it should be noted that the full effect of the directive will only be felt when it is enshrined in law across all 27 member states. Capital markets firms will likely need to review and potentially enhance their existing processes for dealing with misconduct reporting, particularly if they are using legacy solutions such as hotlines or manual processes. These incumbent solutions often lead to increased risk related to retaliation prevention and response times.
“By implementing a progressive reporting structure for data collection and monitoring incidents, software solutions will be able to support organisations in identifying problems and connecting the dots on repeated patterns, which can be a game changer,” says Reichman.
Many large financial services firms already have whistleblowing reporting structures in place. However, Rossiter observes that outsourcing to an external vendor aligns well with the directive’s explicit requirement for confidentiality and for management of alerts to be dealt with by individuals or entities who are independent from the firm’s operational activities.
Since the directive provides minimum standards for EU member states to use as a basis for the implementation of local laws, it is vital that organisations are up to date and compliant with the various regulations being introduced across the countries in which their employees work and reside.
Reichman observes that one of the key stipulations is for internal channels to be available and that organisations are therefore turning their attention to internal reporting mechanisms.
“End-to-end solutions that combine the ‘human touch’ with technology are the answer,” she says. “Organisations need approaches that delve deeper into internal cultures and behaviours rather than simply relying on old methods of reporting such as legacy hotlines. Along with the issues of trust and reputation detailed above, misconduct reporting and resolution are best dealt with internally, which can greatly reduce the time between case submission and resolution.”
Whether firms manage compliance in-house or rely on vendors for support, training is a key activity – and not only for teams monitoring compliance of the directive.
“Employees need to be fully informed about the new rules and how to report violations,” says Hurst. “Beyond training, companies need to assess any areas that may be the cause of whistleblowing in the first place. In general, this is an ongoing activity but it might be an opportunity to take a fresh approach.”
Firms will already have some form of communications monitoring in place, but they will need to improve both how they carry it out and its scope. “Monitoring will need to include the protection of whistleblowers as well as alerting for language that would suggest a toxic culture against whistleblowers,” Hurst concludes.