It is a vital element of good governance and risk management for a regulated firm to review its suite of policies and procedures and keep them up to date so that they reflect the latest legislation and market developments.
This article concentrates on one element in particular, the whistleblowing policy, and sets out why it is especially important that it is kept up to date, and that staff and management are familiar with its key principles.
Getting it wrong
“You know how to whistle don’t you Steve? You just put your lips together and blow.”
Lauren Bacall “To Have and Have Not” (1944)
Whistleblowing matters. It matters to the Financial Conduct Authority (FCA), and to the Prudential Regulation Authority (PRA). If you don’t believe me, ask Jes Staley, the former CEO of Barclays, whose first significant problem – and the bank’s - was his handling of a whistleblower.
In 2018 the FCA and PRA fined Mr Staley £642k for failing to “act with due, care and diligence…in response to an anonymous letter” and, as a result, Barclays was placed in special requirements under which it has to report annually to the regulators detailing how it handles whistleblowing, with personal attestations required from those senior managers responsible for the relevant systems and controls around whistleblowing. In short, Mr Staley’s error was that he tried to identify the writer of the anonymous letter.
That is one of the reasons why having a clear and robust whistleblowing policy is so important. It provides clarity as to process and procedures to be followed and it establishes parameters as to what should and, perhaps more importantly, what should not happen once a complaint is raised.
Public Interest Disclosure Act 1998
Whistleblowing also matters because it is protected by law under the Public Interest Disclosure Act 1998. The stated objective of the Act is ‘to protect individuals who make certain disclosures of information in the public interest; to allow such individuals to bring action in respect of victimisation; and for connected purposes.’ The act applies to people at work raising genuine concerns about crimes, civil offences (including negligence, breach of contract, breach of administrative law), miscarriages of justice, dangers to health and safety or the environment and the cover-up of any of these.
Furthermore, any UK based firms also operating in the EU should familiarise themselves with the EU Directive on whistleblowing which, while sharing some features with UK requirements, also has a number of differences. To take a couple of examples, while the UK legislation does not require firms to set up a “hotline” for whistleblowers the EU Directive does. Also, there is not explicit requirement to keep records in the UK (although in practice most firms do), whereas the EU directive has an obligation.
What does the FCA expect ?
The FCA (and indeed the PRA, where relevant) expects regulated firms to implement and maintain appropriate internal whistleblowing arrangements, as part of an effective risk management system. Regulated firms are also obliged to act in accordance with the whistleblowing rules as defined in the FCA Handbook.
The FCA rules on whistleblowing are contained in the ‘Systems and Controls’ section of the FCA Handbook which contains a chapter on whistleblowing (SYSC 18). These rules apply to all financial services firms generally, although various elements are specific to particular categories of firm.
Examples of the things that the FCA says that it has received whistleblowing reports about are: mis-selling; money laundering; systems and controls; unauthorised business; and fitness and propriety.
Policy? What policy?
The FCA also expects firms to have a whistleblowing policy and, if you applied for your FCA license recently, you will doubtless remember it is a requirement of the application pack. But whether a firm is new to market or an incumbent, it should ask what has happened to that policy since it was first written?
Has it been updated regularly (ideally annually) or is it, rather like those plans in Hitchhikers Guide to the Galaxy, “in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying, 'Beware of the Leopard”? If it is, then do something about it. As with all policies and procedures it doesn’t matter how well it is written, if no one reads it. And, if no one’s reading it, it’s unlikely being followed. So, make sure that: a) the policy is up-to-date and reflects the latest developments in thinking and new requirements; and, b) that the policy is easily accessible and that staff know where to find it.
If you have an existing policy you do not necessarily need to “reinvent the wheel” but, as a matter of good corporate governance, not to mention good risk management, you should be reviewing the policy regularly (and evidencing that review, especially if you feel there is no need for any changes: remember if you can’t evidence something, then the FCA will take the view it didn’t happen).
However, on the other hand if you feel your policy is lacking in key essentials then perhaps start again with a blank piece of paper. Do not try to write the policy you think the FCA wants to see, write a policy that works for the firm and its staff, and cover the following points:
- responsibilities;
- the types of protected disclosures that employees can make;
- protections under the act; and
- how to raise a concern.
The policy should also make it clear that employees have the option to report disclosable concerns to the firm, the FCA or both. While ideally, any whistleblower will feel confident enough that they can approach the firm first (thus allowing the firm to address the issue before it escalates), it is also important that they know that it is not a requirement that reports are made to the firm before reporting to the FCA. The policy should also make it clear that reports to the FCA can be made in confidence and that many are. Additionally, the firm may feel it is prudent to offer guidance or FAQs to support the policy.
Nothing to fear but fear itself
Getting to grips with whistleblowing is not something a firm should be afraid of. Far from it. A clear and unambiguous whistleblowing policy that has been widely socialised is a sign of a healthy corporate culture - it provides clarity both to the employees and the management as to what the process is.
Moreover - and this can’t be repeated often enough – whistleblowing procedures are part and parcel of good risk management. Indeed, whistleblowing can provide a helpful way in which firms ensure that inappropriate practice and behaviour is dealt with before it becomes a bigger more existential issue.
If you would like any further support with your whistleblowing policy or indeed policies and procedures more generally, please do contact us below.
Contact Us
Related resources
All resourcesIdentifying the weaknesses in firms’ transaction reporting governance and control frameworks
Bitesize webinar: Establishing a robust prudential monitoring framework
Operational Resilience: regulatory guidelines for critical third parties aim to avoid systemic disruption
Multi-firm findings for the payments industry – is Consumer Duty a cause for concern?