The New FCA Whistleblower Rules: What You Need to Know
In October 2015 the Financial Conduct Authority (FCA), alongside the Prudential Regulation Authority (PRA), published new rules in relation to whistleblowing channels in banks and other financial institutions to encourage a culture in which individuals feel empowered to raise concerns and challenge poor practice and behaviour.
Whilst these rules have been put in place specifically for the financial services industry, they are a sign of things to come in other industries across the UK.
This paper summarises:
- What the new FCA whistleblower rules are and why they were introduced
- How the rules will impact your company’s ethics and compliance efforts
- What actions to take both before and after the rules are fully enforced
FCA WHISTLEBLOWER REQUIREMENTS: A SNAPSHOT OF THE NEW RULES
The rules’ first requirement—that financial companies in the UK “appoint a senior person to take responsibility for the effectiveness of these arrangements”—took effect on 7 March 2016, the same date on which the rest of the Senior Managers Regime came into place.
These so-called “Whistleblowers’ Champions” are now responsible for overseeing the steps the firm takes to prepare for the new regime and ensuring that, by 7 September 2016, their organisations:
- Implement internal whistleblowing capabilities and channels for all types of disclosure from all types of persons
- Explain in settlement agreements that workers have a legal right to blow the whistle
- Inform UK-based employees about FCA and PRA whistleblowing services
- Keep appropriate records of cases and report, at least annually, on whistleblowing to the board
- Provide appropriate feedback to whistleblowers about their case
- Protect the confidentiality of whistleblowers and allow employees to make disclosures anonymously; prevent ‘victimisation’ of whistleblowers
- Inform the FCA if they lose an employment tribunal with a whistleblower
- Require their appointed representatives and tied agents to tell their UK-based employees about the FCA whistleblowing service
The new rules affect all UK deposit-takers with assets of £250m or more (including banks, building societies and credit unions), all PRA-designated investment firms, all insurance and reinsurance firms within the scope of Solvency II, and the Society of Lloyd’s and its managing agents.
Why did we need new rules?
The new whistleblower rules were born out of a desire for transparency and improved accountability in the wake of a series of scandals that rocked Britain’s financial industry. The changes follow recommendations in 2013 by the Parliamentary Commission on Banking Standards (PCBS) that banks put in place formal mechanisms to allow—and encourage—employees to raise concerns internally when they believe they’ve seen wrongdoing at their firms, and that they appoint a senior person to take responsibility for the effectiveness of these arrangements.
It is widely believed that employees of financial institutions are sometimes reluctant to speak out about wrongdoing in their organisations for fear of suffering personal consequences. The FCA and PRA therefore designed the new rules specifically to encourage employees to speak up, by offering them confidentiality and making it easier for them to report, and thereby to “encourage a culture in which individuals raise concerns and challenge poor practice and behaviour.”
It is important to emphasise that many UK firms already instil a working culture that encourages employees to speak up about potential wrongdoing, and have done for some time, with or without regulatory requirements.
However, by following the new rules, UK companies will find it even easier to uncover potential violations early so they can address them before they escalate into major problems.
IMPLEMENTING THE RULES—MOVING BEYOND A TICK-BOX APPROACH
There are several things financial organisations should know about the new rules, and several practices we recommend that firms and their compliance managers put in place to ensure effectiveness.
In essence, the impact that the rules will have on improving transparency in the financial industry depends much more on the overall culture that pervades organisations than it does on simply “ticking boxes” to comply with the basic regulations.
So whilst responsibility for overseeing the implementation of the rules rests with the Whistleblower Champions, there must be a fundamental adoption of the right company culture at board and senior manager level in order for it to work effectively.
Step One: Review Your Existing Whistleblower Channels and Incident Management Processes
In recent years we have seen increasing pressure on companies to make it easier for employees to ‘speak up’ when they suspect wrongdoing in their firm. The new FCA whistleblower rules build on that pressure, with companies now required to provide reports on whistleblowing to their boards at least once a year, and the responsibility for implementing that resting on the shoulders of the individual Whistleblower Champions.
- Review and, if necessary, update your call-intake, incident management and investigation programmes and processes. Ensure that whistleblowing cases are routed properly and receive the appropriate attention. Ideally cases should be received through a hotline run by a neutral third party, thus removing potential conflicts of interest and ensuring whistleblowers remain anonymous. This is especially relevant in branch offices where anonymity can be difficult to achieve. Be sure to include an escalation procedure that can help resolve internal issues that may be delaying an investigation.
- Review the mechanisms you have in place to communicate with the whistleblower—even with those whistleblowers who prefer to remain anonymous. In all cases, you will want to reassure the whistleblower that their allegation has been received, that their report is being taken seriously and that action, if appropriate, will be taken.
- Consider what your annual whistleblowing report to the board will contain. Although the FCA currently gives no precise guidance on what should be contained within annual whistleblowing board reports, in practice the reports should include, at a minimum: updates on the types and number of whistleblowing reports; information about subsequent investigations into those reports; the status of the company’s relationships with regulators; emerging risks or other insight into what’s coming in the future; and KPIs to work against.
Step Two: Train Managers at All Levels
Under the regulations, the responsibility for implementing the new rules sits with a single Whistleblower Champion. However, the system will work best if other senior managers within the firm also take responsibility for ensuring the success of the speak-up process, so it is essential that they are clear about what is required of them.
Common problems that arise if senior managers are not involved are that managers—wary of the new whistleblowing capabilities—may be inclined to tell employees that they must “follow the chain of command” if they have a concern; they may be unaware of the range of negative actions that might be considered reprisals; or the Whistleblower Champion may be located in a different office from some employees, making them seem remote.
It is therefore important that all managers—including front-line managers—should receive clear training explaining:
- The purpose of the whistleblowing mechanisms
- That raising concerns is to be encouraged, not squashed
- That employees do not have to follow the chain of command
- The range of negative actions that managers must avoid once an employee has raised an issue
- How to maximise the effectiveness of the company’s whistleblower and reporting channels
- What “victimisation” is and how to protect the anonymity of whistleblowers
- The consequences to them if they violate the process
- Prepare a briefing package for all personnel who may be in a position to receive questions or allegations from employees. The key is to arm them with information so that they feel comfortable answering employee questions—or so they can refer employees to the right internal resource.
- Bring leadership on board. In responding to the new FCA whistleblower rules, senior leadership can be your biggest ally or worst obstacle. Scepticism and incomplete information can trickle down and negate all your best efforts. Leadership needs to hear from you about the new rules and the steps you are taking to respond to them. They also need to understand the critical role that they play in shaping employee opinion and the culture of the organisation. Remind them of the advantages of encouraging employees to use your reporting channels first.
- Remember that potential whistleblowers are not limited to your employees. The FCA programme may increase the likelihood that third parties including suppliers, customers, business partners, employee family members and former employees will use your whistleblower hotline or other reporting channels. Be sure that your call-intake and incident management systems—and the personnel responsible for them—are prepared.
- Build a support network for your Whistleblower Champion. It is important that your Whistleblower Champion does not become overly burdened or pressured, and that responsibility for the whistleblowing channels does not rest on their shoulders alone. Whistleblower Champions need the support of the wider company leadership but also a team around them to support the day-to-day running of the channel mechanisms, particularly if a case is escalated or if the case falls within the remit of a particular department. For example, an HR issue may be best dealt with directly by the HR department.
Step Three: Build a Strong “Speak-Up” Culture
Setting up whistleblowing channels is just the beginning; offering a whistleblowing hotline and reporting website to employees will achieve little if employees don’t use them. The goal of the new rules is to encourage employees to raise concerns so that employers can address them before they become larger problems.
But while the new FCA rules are receiving a lot of attention from those in the ethics and compliance business, most employees know nothing about them or may be misinformed. By being proactive, you can provide accurate information whilst taking the opportunity to explain how the new rules allow—and even encourage—employees to use your reporting channels first.
The top two reasons that employees do not report concerns are: fear of retaliation if their identity becomes known; and a lack of trust that the company will act on a report. [IP1] If employees believe that they will suffer reprisals for speaking up, the vast majority, if not all of them, will keep their concerns to themselves. Similarly, if employees do not understand how the process will work once they raise issues, they again will be reluctant to step forward, and instead will “keep their head below the parapet.”
The companies that have the most to fear from the new rules are therefore those where employees don’t understand or don’t trust the company’s whistleblower hotline and the ethics and compliance programme.
Determining if your company is at risk of this requires that you regularly listen to employee opinions and that you identify factors that may be contributing to mistrust and fear of retaliation for reporting allegations of misconduct.
A critical complement to establishing the whistleblower mechanisms, therefore, is to ensure that employees feel that their company supports a “speak-up” culture. Staying on top of the changing risk profile of your company and identifying the many cultures and subcultures that support—or undermine—your efforts require regular, ongoing effort.
- Consider publishing an announcement to all employees updating them on the new rules. If you choose this proactive step, take the opportunity to explain the provisions of the rules that allow them to use company reporting channels and still remain anonymous. This would also be a good time to remind employees of why it’s important for them to speak up and what steps the company will take to protect them from retaliation.
- De-mystify the process and remove employee doubts. While most employees are aware of their company’s whistleblower hotlines, where they exist, few are clear about how the process works: “Who answers the phone? What type of questions will they ask? Will I need to give my name? What happens after the call?” Use all the training and communications tools at your disposal to encourage employees to come to you first.
- Give clear, ongoing communication to all employees about:
  - The existence of the whistleblowing channels and the ability to report anonymously
  - The fact that speaking up is a good thing and is encouraged
  - What happens after an issue is raised
  - The fact that there will be no tolerance for retaliation against those who raise concerns and that there are potential punishments for those who retaliate
- When it comes to potential violations of the law, employees do not need to inform managers about the issue first but can, if they choose, use whistleblowing channels as a first step
While the new rules have elicited some concerns, they are backed by sound logic: a strong ethical corporate culture, supported by robust whistleblower processes, will help protect organisations and their employees from the devastating financial and reputational consequences of corporate scandals.
And complying with the rules could make authorities more likely to be lenient in imposing penalties when something does go wrong. In that regard, the new rules could instead give financial executives one less thing to worry about if they are confident that the first time they hear about a problem it will be from an internal source rather than a regulator.
Under these new regulations, if a company is accused of wrongdoing, the FCA will scrutinise the company’s whistleblowing policies and procedures closely. They are more than simply a “tick box” exercise, and must be enforced effectively at all levels and through the culture of the organisation. Indeed, research shows that a better speak-up culture improves business performance, too.
Supporting a strong ethical culture is important for firms across all industries and the new FCA and PRA rules are likely to be the first of many new whistleblowing regulations to come into force in other industries in the UK in the near future.
To learn more about how NAVEX Global’s whistleblower hotlines, incident management systems and other software tools and expertise can help your organization meet UK whistleblower requirements, contact us at firstname.lastname@example.org, or give us a call at +44(0)20 8939 1650 (UK) or +1 (866) 297-0224 (US).
ABOUT THE AUTHORS
Daniel Kline has more than 14 years of experience in management consulting and business development in helping global organizations establish and evolve their compliance, ethics and risk management architecture. Previously, he served as Managing Director of CMS Cameron McKenna, Europe’s largest law and tax firm, and at LRN, a leading online training and ethics and cultural consultancy company. While at LRN, he consulted with leading companies on how to best safeguard and enhance the reputations of companies—drafting policies, conducting risk assessments, designing internal communication strategies, setting up whistleblowing systems, designing and delivering live and online training across a wide range of risk areas globally. Daniel began his career at the Corporate Executive Board which included responsibilities of overseeing the supply chain and procurement consulting business in EMEA. A Fulbright Scholar, Dan spent time in Buenos Aires developing a new social and economic policy aimed at supporting Argentina’s indigenous populations. He earned a B.A. in Latin American Studies from Connecticut College.
Andrew Foose, J.D., vice president of NAVEX Global's Advisory Services team, is a former senior trial attorney in the US Department of Justice's Civil Rights Division. Andy is recognized among the country's leading experts on conducting lawful and effective internal investigations and has trained thousands of attorneys, compliance officers, auditors and human resource professionals on best-practice investigative techniques and on how to write effective, comprehensive investigative reports. He currently works with organizations ranging from large multi-national companies to smaller non-profits to assess their ethics and compliance programs and to provide guidance on ways to enhance program effectiveness and efficiency.
ABOUT NAVEX GLOBAL
NAVEX Global’s comprehensive suite of ethics and compliance software, content and services helps organizations protect their people, reputation and bottom line. Trusted by more than 12,500 clients, our solutions are informed by the largest ethics and compliance community in the world.
[IP1] Footnote: https://www.hreonline.com/HRE/view/story.jhtml?id=534357555