On 7 October 2019, the Council of the European Union formally adopted a new Directive on the protection of persons who report breaches of Union law. The Directive was published in the Official Journal of the European Union on 26 November 2019 and will come into force on 17 December 2019. The Directive's purpose is to guarantee a high level of protection to persons who publicly disclose information on breaches which is acquired in the context of their work-related activities (referred to in this article as 'reporting persons' or 'whistleblowers') across a wide range of sectors, including public procurement, financial services, money laundering, product and transport safety, nuclear safety, public health, consumer and data protection.
Member States have until 17 December 2021[1] to bring into force the laws, regulations and administrative provisions necessary to comply with the Directive. Although the UK may have left the EU within this time frame and may not implement the Directive as such, it is nevertheless likely to be relevant in a number of ways:
- it exceeds the current requirements relating to whistleblowing under UK law and may be regarded as best practice. The UK All Party Parliamentary Group on Whistleblowing published its first report in June 2019, which included recommendations for revisions to the current law and the creation of an Independent Office of the Whistleblower. There may therefore be some momentum for change to the current UK laws;
- it will be relevant for all companies with operations in continental Europe; and
- it will need to be taken into account by companies which maintain a single global whistleblowing framework.
Financial services firms in the UK are already subject to the Financial Conduct Authority's (FCA) extensive rules on whistleblowing contained in Chapter 18 (SYSC Senior Management Arrangements, Systems and Controls) of the FCA Handbook. This article considers where the requirements of the Directive differ from and/or impose additional obligations to the current requirements for financial services firms under UK law and the FCA's whistleblowing requirements.
What the Directive says
In broad terms, the Directive:
- requires[2] the creation of safe channels for internal reporting by legal entities in the private and public sector, and for external reporting to competent authorities; and sets out the conditions under which public disclosures will be protected;
- provides measures for protecting the confidentiality of whistleblowers;
- provides measures for protecting whistleblowers, and those assisting whistleblowers, from retaliation. Workers, civil servants, the self-employed, shareholders, management, unpaid volunteers, contractors, sub-contractors and suppliers, former employees, and persons going through a recruitment process are all regarded as whistleblowers under the Directive;
- sets out requirements for Member States to provide advice and support for whistleblowers, and training for public officials on how to deal with whistleblowing.
Key differences under the 'new' provisions
So, where does the Directive differ from the current requirements under UK law and SYSC 18? Key areas of difference include the following:
- Applicability: The Directive applies to any organisation, whether private or public, big or small. Legal entities in the private sector with at least 50 workers will be required to adopt internal channels and procedures for whistleblower reporting. This requirement also applies to all legal entities in the public sector. Member States may exempt from this obligation municipalities with fewer than 10,000 inhabitants or fewer than 50 workers[3], and other entities with fewer than 50 workers. In contrast, the applicability of the FCA's whistleblowing rules does not depend on the number of workers in a company.
- Internal vs external reporting: Article 7 of the Directive provides that Member States shall encourage reporting through internal reporting channels before reporting through external reporting channels, where the breach can be addressed effectively internally and the reporting person considers that there is no risk of retaliation. In contrast, the FCA's rules emphasise that whistleblowers must be informed that reporting to the FCA (or PRA) is not conditional on a report first being made using the firm's internal arrangements.
- Procedures for reporting and follow-up: Unlike SYSC 18, the Directive[4] provides concrete timeframes for specific steps in the handling of a report: receipt of the report must be acknowledged within seven days, and "feedback" must be provided in a reasonable timeframe, "not exceeding three months[5] from the acknowledgement of receipt". "Feedback" is defined as "the provision to the reporting person of information on the action envisaged or taken as follow-up and on the grounds for such follow-up"; "follow-up" is defined as "any action taken by the recipient of the report or any competent authority, to assess the accuracy of the allegations made in the report and, where relevant, to address the breach reported, including through actions such as an internal enquiry, an investigation, prosecution, an action for recovery of funds, or the closure of the procedure". The Directive clearly contemplates that investigations may be completed within three months of the report being made, and where the investigation is relatively straightforward and self-contained that may be possible. However, it seems unlikely that this will be possible in all cases, particularly where the investigation is large and complex. In those circumstances, the feedback to the reporting person will need to address the action envisaged or taken as follow-up, and the grounds for that follow-up, as at the time that the feedback is given. The preamble to the Directive makes clear that "in all cases the reporting person should be informed of the investigation's progress and outcome"[6].
- Records: Article 18 of the Directive provides that records should be made of reports made orally and of meetings held with the reporting person. The reporting person should be given the opportunity to check, rectify and agree the record by signing it. This may require a change to some firms' current procedures.
- Prohibition on retaliation: This prohibition is, of course, not new, but the Directive[7] also expressly prohibits threats and attempts of retaliation, and sets out a long list of actions which may constitute retaliation, ranging from dismissal and demotion, to harm to a person's reputation "particularly in social media".
- No liability for acquisition of, or access to, information: Whistleblowers will not incur liability for acquisition of, or access to, the information which is reported or publicly disclosed pursuant to the Directive, provided that the acquisition/access did not constitute a self-standing criminal offence[8].
- Reversal of the burden of proof: In court proceedings relating to a detriment suffered by the whistleblower, if the whistleblower establishes that he/she made a report or public disclosure pursuant to the Directive, and suffered a detriment, it is presumed that the detriment was made in retaliation for the report or the public disclosure[9]. The burden shifts to the person who has taken the detrimental measure to prove it was based on "duly justified grounds". Although, in practice, firms defending claims of retaliation may already (where applicable) submit evidence to demonstrate that there were good reasons for the action that was taken, the reversal of the burden of proof will no doubt affect the risk profile of such cases going forward.
- Penalties: The Directive provides that Member States must provide for penalties to be available, including for retaliation and breach of confidentiality[10]. In addition, penalties must be provided in respect of whistleblowers who knowingly report, or publicly disclose, false information.
- Rights of the "person concerned": The preamble to the Directive notes that the rights of the "person concerned" (i.e. the subject of the whistleblowing report) should also be protected, including protection by Member States of the confidentiality of the person concerned and ensuring rights of defence in any subsequent legal proceedings[11]. Article 9 of the Directive further provides that internal reporting channels must ensure that the confidentiality of the identity of the reporting person and any third party mentioned in the report[12] is protected. It is not completely clear whether "any third party" includes a "person concerned", but the natural meaning of those words would tend to suggest that it does. In any event, firms will need to ensure that their whistleblowing channels are set up to provide confidentiality not only as to the identity of the whistleblower, but also that of any third parties. This could lead to practical difficulties in taking forward investigations.
Steps UK financial institutions need to take
Although there are almost two years before the deadline for Member States to implement the Directive, firms should start assessing the steps they need to take to prepare for its introduction, including:
- mapping the provisions of the Directive against firms' current whistleblowing frameworks and deciding how to approach the implementation of the new requirements – this could, for example, be on a country-by-country basis or by incorporating updates to a global framework;
- addressing practical considerations, such as assessing whether the firm would be able to comply with the time frames provided for in the Directive and maintain confidentiality as to the identity of whistleblowers and third parties mentioned in whistleblowing reports; and, if not, considering how to adjust the handling of whistleblowing reports from at least those countries where the Directive will be in effect;
- reinforcing the absolute prohibition on retaliation, with targeted – and ongoing – training of staff;
- monitoring the impact of Brexit, in particular to see whether any of the Directive's provisions will be incorporated into English law;
- monitoring the implementation of the Directive by EU Member States, in particular to assess whether any of the Member States implement measures that go above the provisions of the Directive.
Hogan Lovells can help you assess your current frameworks and prepare for the implementation of the Directive, so please contact us if you have any questions on any of the points raised in this article or for more information on how we can help.
1. This period is extended to 17 December 2023 in relation to the obligation to establish internal reporting channels for private entities with between 50 and 249 workers.
2. See further "Applicability" below
3. Article 8
4. Article 9
5. External authorities may take six months, in "duly justified cases". Member States may also provide that competent authorities, after having duly assessed the matter, can decide that a reported breach is clearly minor and does not require further follow-up other than closure of the procedure. This "de minimis" exception is not available for legal entities in the private and public sector.
6. Preamble (57)
7. Article 19
8. Article 21(3)
9. Article 21(5)
10. Article 23
11. Preamble (100)
12. My emphasis