The leading knowledge platform for the financial technology industry

A-Team Insight Blogs

Everything You Need to Know About the EU Whistleblowing Directive

It is widely acknowledged that employees who report misconduct within their organisations play a key role in exposing breaches and preventing similar incidents from happening in the future.

However, potential whistleblowers are often discouraged from reporting their concerns or suspicions for fear of retaliation. In this context, the European Union deemed it necessary to provide specific whistleblower protection, with the Whistleblowing Directive providing an opportunity for capital markets firms to sharpen their investigative policies and contribute to best practice.

Individual countries have already introduced regulations that address elements of the whistleblowing process. In the UK, the Senior Managers and Certification Regime (SM&CR) makes individuals more accountable for their conduct and competence, while in France, Sapin II requires financial services firms with more than 250 staff to adopt a whistleblowing policy.

The EU Whistleblower Directive goes further by defining minimum standards of protection for anyone who speaks up about breaches of EU laws regardless of the type of business. Matt Smith, CEO of global regtech firm SteelEye, observes that the reach of the EU directive extends beyond its UK equivalent, covering individuals within an organisation such as volunteers and interns as well as board members.

According to Tori Reichman, chief customer officer of whistleblower reporting software developer Vault, the directive will potentially contribute towards a change in attitudes and reporting processes for European-based organisations and teams that want to avoid the reputational, financial and operational costs associated with misconduct issues.

“More transparency and inclusivity, and a more honest internal culture may well develop as a result of an organisation’s efforts to go beyond mere compliance, bridging the trust gap between employees and employers,” she says.

The conversation around misconduct reporting extends beyond HR to leadership and board members who must factor the organisation’s conduct into strategy meetings, investment propositions and other activities. “Capital markets firms affected by issues of retaliation against whistleblowers need to review their processes and the risks involved,” Reichman adds.

One of the key impacts of the directive will be the need for increased oversight and monitoring of digital communications to ensure there is no retaliation against whistleblowers. “This is a massive undertaking and requires automation and machine learning to ensure compliance in an efficient manner,” suggests Shaun Hurst, regulatory advisor for EMEA at archiving and compliance technology company Smarsh. “New models and rules will need to be implemented, staff will need to be trained, and existing compliance software will need to be reassessed to ensure it is up to the task.”

It is also clear that any processing carried out must comply with GDPR. The directive specifically mentions ‘breaches of GDPR’ as a reportable event. “Therefore, firms should be reassessing their data protection frameworks to ensure that all data handling processes, access rights management and other security measures are sufficient to ensure compliance with GDPR generally as well as the specific need to ensure confidentiality of a whistleblower,” says Hannah Rossiter, a managing director in the financial services compliance and regulation practice of proprietary data, technology and insights provider Kroll.

Firms must ensure they have sound record-keeping and data retrieval capabilities to assess claims made months prior, agrees Smith: “A lot of what is required cannot be managed systematically. It is a case of truly understanding the legislation and implementing the related processes to respond to a claim.”

This will likely be an evolution of what capital markets firms are already doing, taking into account TCF (Treating Customers Fairly) as well as SM&CR, the Public Interest Disclosure Act 1998, and MiFID II, says Hurst.

“However, they will need to take a fresh approach and view of their existing compliance activities to ensure they are taking into account the scope of the directive as it pertains to areas such as procurement; corporate tax; environmental safety; consumer protection; privacy, data, security, information and network security; and criminal activity,” he continues. “The UK already takes the majority of these areas into account with its existing whistleblowing protection, but EU member states may not have had this mandate.”

At this point, it should be noted that the full effect of the directive will only be felt when it is enshrined in law across all 27 member states. Capital markets firms will likely need to review and potentially enhance their existing processes for dealing with misconduct reporting, particularly if they are using legacy solutions such as hotlines or manual processes. These incumbent solutions often lead to increased risk related to retaliation prevention and response times.

“By implementing a progressive reporting structure for data collection and monitoring incidents, software solutions will be able to support organisations in identifying problems and connecting the dots on repeated patterns, which can be a game changer,” says Reichman.

Many large financial services firms already have whistleblowing reporting structures in place. However, Rossiter observes that outsourcing to an external vendor aligns well with the directive’s explicit requirement for confidentiality and for management of alerts to be dealt with by individuals or entities who are independent from the firm’s operational activities.

Since the directive provides minimum standards for EU member states to use as a basis for the implementation of local laws, it is vital that organisations are up to date and compliant with the various regulations being introduced across the countries in which their employees work and reside.

Reichman observes that one of the key stipulations is for internal channels to be available and that organisations are therefore turning their attention to internal reporting mechanisms.

“End-to-end solutions that combine the ‘human touch’ with technology are the answer,” she says. “Organisations need approaches that delve deeper into internal cultures and behaviours rather than simply relying on old methods of reporting such as legacy hotlines. Along with the issues of trust and reputation detailed above, misconduct reporting and resolution are best dealt with internally, which can greatly reduce the time between case submission and resolution.”

Whether firms manage compliance in-house or rely on vendors for support, training is a key activity – and not only for teams monitoring compliance with the directive.

“Employees need to be fully informed about the new rules and how to report violations,” says Hurst. “Beyond training, companies need to assess any areas that may be the cause of whistleblowing in the first place. In general, this is an ongoing activity but it might be an opportunity to take a fresh approach.”

Firms will already have some form of communications monitoring in place, but they will need to improve how they are doing this and also the scope. “Monitoring will need to include the protection of whistleblowers as well as alerting for language that would suggest a toxic culture against whistleblowers,” Hurst concludes.
