Internal whistleblowing mechanisms are not new. Yet recent Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) requirements on whistleblowing have dramatically changed the landscape for relevant firms and for individuals who want to come forward with concerns. This new regime means that internal auditors should be re-focusing audits to meet the new regulatory expectations. So what are the new obligations and how can auditors respond?
Of course, many companies have had some kind of whistleblowing provisions for years. Speaking up and whistleblowing guidelines from The Advisory, Conciliation and Arbitration Service (ACAS), Public Concern at Work (PCaW) and trade unions have provided a sound foundation for mechanisms, procedures and policies.
However, in 2013 a PCaW survey on whistleblowing in workplaces found that while 93 per cent of respondents’ firms had a whistleblowing framework in place, a third of respondents thought that arrangements were ineffective. This finding is supported by a substantial increase in the number of incident reports to the FCA, which rose from 138 in the financial year 2007-08 to 1,340 cases in the year 2014-15. This suggests a lack of trust in internal reporting mechanisms and in the ability of organisations to investigate reports.
Since September 2016, deposit-takers, PRA-designated investment firms and insurers under the Solvency II directive must fully comply with new regulatory rules on the whistleblowing regime that was introduced by both the FCA and PRA. Although the new rules are binding only on firms under regulatory supervision, they have an immense effect across these firms and set a new formal standard for whistleblowing arrangements in practice. After assessing the effectiveness of the new rules, the regulatory bodies indicated that they would consider applying similar requirements to other firms under supervision, such as stockbrokers, mortgage brokers, insurance brokers, investment firms and consumer credit firms.
The new rules oblige companies to create a safe environment and an appropriate organisational culture in which employees can raise concerns internally without fear of reprisals. Increased regulatory attention and sanctions for companies that fail to comply mean that regulated firms should now be auditing their whistleblowing systems. Occasional checks on whether a whistleblowing policy exists and is known to staff are not enough. Both the audit scope and the way in which policies are tested need a comprehensive review.
The key requirements are:
- Appoint a whistleblowers’ champion
The requirement to make a senior manager responsible for overseeing the firm’s whistleblowing arrangements shapes the collective responsibility of the board for effective whistleblowing mechanisms. The role of the whistleblowers’ champion should be taken seriously, since they are accountable for the operation of the whistleblowing regime. The regulators recommend this duty is given to a non-executive director, preferably the chairman. The champion’s responsibilities should be laid out clearly in a whistleblowing policy and this person must receive training to perform their duties.
- Whistleblowing arrangements
Relevant firms are expected to have internal whistleblowing policies and procedures to handle all types of disclosures from both internal and external whistleblowers. This means that firms should also deal with disclosures that are not in the public interest and do not, therefore, necessarily fall under the “protected disclosure” umbrella defined in the Public Interest Disclosure Act 1998 (PIDA).
It is essential to clarify the scope and the intended users of the whistleblowing arrangements and ensure that they are accessible not only for workers, but also for customers, suppliers and third parties who have concerns. The written policies and procedures covering the raising and handling of concerns should be clear.
Not every disclosure will lead to a full investigation, but internal audit should ensure that disclosures are taken seriously and that there is an appropriate audit trail of consideration of, and decisions made on, each disclosure. Best practice would be to have a comprehensive and up-to-date record with the number and types of disclosures raised and the outcome of investigations.
It is essential that the policies clearly name the people and bodies to be contacted with a disclosure. The list should give whistleblowers a choice over where they raise concerns, depending on circumstances. Policies should promise protection from reprisals and that whistleblowers’ identities will be confidential. Organisations should also provide feedback about who will investigate, the estimated duration of the investigation and, where appropriate, the outcome of the investigation.
Since danger, risk, malpractice and wrongdoing might be disclosed through different reporting channels, it is advisable also to include other existing reporting routes and mechanisms in the scope review. For example, while auditing whistleblowing, the audit team could look into the handling of customer and third-party complaints, health and safety reports and incident reports on risks and fraud incidents. It is crucial that staff receiving such reports can identify whistleblowing disclosures coming through alternative reporting lines and can segregate these from grievances and compliance issues.
Whistleblowing functions should be independent of management and have resources and staff proportionate to the size and complexity of the business.
Although the new provisions do not state the timeframe for internal investigations and issue resolution, it is important to address concerns quickly. Companies should define timelines for dealing with whistleblowing reports and these should help to monitor and assess the operational effectiveness of whistleblowing mechanisms.
Internal auditing should ensure that an internal investigation and issue resolution plan defining the investigation framework and initial steps is in place. This could demonstrate use of effective procedures if the regulator asks how an investigation was performed.
- Settlement agreements
The requirement to state in settlement agreements that workers have a right to blow the whistle aims to remove gagging clauses that prevent workers from speaking up about wrongdoing, malpractice or risk. This right is already provided in Section 43J of PIDA, but it is a vital obligation as public interest lies at the heart of whistleblowing disclosures. The FCA has issued a useful sample text in its guidance “Policy Statement 15/24”.
Internal audit could view a master draft of a settlement agreement and get a formal commitment from the legal and HR departments to reflect this point in all future settlement agreements.
- Report on whistleblowing
The regulator requires relevant firms to prepare a report on whistleblowing for the board of directors at least annually. It does not specify what information this should contain, but the report should be made available to the FCA or PRA on request. Beyond recording information on the number and type of whistleblowing disclosures received, and the progress of investigations, companies could consider including information about internal grievances from individuals who have previously blown the whistle. Even if internal grievances are on different matters and subject to different policies and procedures, they may be linked to whistleblowing issues in a broader context – for example, if a whistleblower complains their identity was not kept confidential or that they were victimised after a disclosure. Failure to protect whistleblowers from reprisals could culminate in questions from the regulator and lead to further financial penalties for the whistleblowers’ champion.
- Notification of employment tribunal cases lost
The new obligation to report to the regulator if a firm loses an employment tribunal (ET) case with a whistleblower puts pressure on companies to avoid tribunal proceedings entirely. Besides the negative publicity and regulatory scrutiny, firms may face financial losses, since there is no cap on the compensation that a tribunal can award in whistleblowing claims. Organisations’ costs for legal services are likely to increase, since more firms will seek initial legal advice so they can decide whether to settle the case early.
Auditors performing a whistleblowing audit should examine spending on such assessments and litigations, the number of compromise agreements reached and the level of compensation paid.
- Educate about the regulator’s whistleblowing services
Regulated organisations, their appointed representatives and tied agents must inform their UK-based employees about the regulators’ whistleblowing services. It is important to the regulator that employees are aware of their legal right to approach regulatory bodies directly, regardless of whether they have made an internal disclosure. Organisations can publicise the FCA’s and PRA’s whistleblowing services as part of compulsory training, internal whistleblowing policy and induction sessions. The principal firms might also consider adjusting the service agreement with appointed representatives and related agents to oblige them to inform UK-based workers about the regulator’s whistleblowing service.
Exit interviews are often overlooked as a tool to pre-empt external whistleblowing. Ideally, these should be performed by an independent third party rather than a direct superior. Companies should make staff aware of whistleblowing arrangements and provide appropriate training at all levels. Those that perform an annual employees’ survey might include questions about confidence in whistleblowing systems.
Audit work can make internal auditors a communication channel for employees’ concerns about risks or wrongdoing. Auditors should be educated about how best to deal with disclosures made in their audit activities and how to maintain the confidentiality of a whistleblower.
Effective whistleblowing arrangements are vital for good governance. By auditing whistleblowing, internal audit can help organisations meet regulatory requirements, build a transparent culture, avoid bad publicity and maintain best practice.
Alexander Glebovskiy is a CFE, CIA and CRMA. Visit bit.ly/FCAregs for details of the FCA regulations. For more from the Chartered IIA on whistleblowing visit