The knowledge platform for the financial technology industry

A-Team Insight Blogs

Everything You Need to Know About the EU Whistleblowing Directive


It is widely acknowledged that employees who report misconduct within their organisations play a key role in exposing breaches and preventing similar incidents from happening in the future.

However, potential whistleblowers are often discouraged from reporting their concerns or suspicions for fear of retaliation. In this context, the European Union deemed it necessary to provide specific whistleblower protection, with the Whistleblowing Directive providing an opportunity for capital markets firms to sharpen their investigative policies and contribute to best practice.

Individual countries have already introduced regulations that address elements of the whistleblowing process. In the UK, the Senior Managers and Certification Regime (SM&CR) makes individuals more accountable for their conduct and competence, while in France, Sapin II requires financial services firms with more than 250 staff to adopt a whistleblowing policy.

The EU Whistleblower Directive goes further by defining minimum standards of protection for anyone who speaks up about breaches of EU laws regardless of the type of business. Matt Smith, CEO of global regtech firm SteelEye, observes that the reach of the EU directive extends beyond its UK equivalent, covering individuals within an organisation such as volunteers and interns as well as board members.

According to Tori Reichman, chief customer officer of whistleblower reporting software developer Vault, the directive will potentially contribute towards a change in attitudes and reporting processes for European-based organisations and teams that want to avoid the reputational, financial and operational costs associated with misconduct issues.

“More transparency and inclusivity, and a more honest internal culture may well develop as a result of an organisation’s efforts to go beyond mere compliance, bridging the trust gap between employees and employers,” she says.

The conversation around misconduct reporting extends beyond HR to leadership and board members who must factor the organisation’s conduct into strategy meetings, investment propositions and other activities. “Capital markets firms affected by issues of retaliation against whistleblowers need to review their processes and the risks involved,” Reichman adds.

One of the key impacts of the directive will be the need for increased oversight and monitoring of digital communications to ensure there is no retaliation against whistleblowers. “This is a massive undertaking and requires automation and machine learning to ensure compliance in an efficient manner,” suggests Shaun Hurst, regulatory advisor for EMEA at archiving and compliance technology company Smarsh. “New models and rules will need to be implemented, staff will need to be trained, and existing compliance software will need to be reassessed to ensure it is up to the task.”

It is also clear that any processing carried out must comply with GDPR. The directive specifically mentions ‘breaches of GDPR’ as a reportable event. “Therefore, firms should be reassessing their data protection frameworks to ensure that all data handling processes, access rights management and other security measures are sufficient to ensure compliance with GDPR generally as well as the specific need to ensure confidentiality of a whistleblower,” says Hannah Rossiter, a managing director in the financial services compliance and regulation practice of proprietary data, technology and insights provider Kroll.

Firms must ensure they have sound record keeping and data retrieval capabilities to assess claims made months prior, agrees Smith: “A lot of what is required cannot be managed systematically. It is a case of truly understanding the legislation and implementing the related processes to respond to a claim.”

This will likely be an evolution of what capital markets firms are already doing, taking into account TCF (Treating Customers Fairly) as well as SM&CR, the Public Interest Disclosure Act 1998, and MiFID II, says Hurst.

“However, they will need to take a fresh approach and view of their existing compliance activities to ensure they are taking into account the scope of the directive as it pertains to areas such as procurement; corporate tax; environmental safety; consumer protection; privacy, data, security, information and network security; and criminal activity,” he continues. “The UK already takes the majority of these areas into account with its existing whistleblowing protection, but EU member states may not have had this mandate.”

At this point, it should be noted that the full effect of the directive will only be felt when it is enshrined in law across all 27 member states. Capital markets firms will likely need to review and potentially enhance their existing processes for dealing with misconduct reporting, particularly if they are using legacy solutions such as hotlines or manual processes. These incumbent solutions often lead to increased risk related to retaliation prevention and response times.

“By implementing a progressive reporting structure for data collection and monitoring incidents, software solutions will be able to support organisations in identifying problems and connecting the dots on repeated patterns, which can be a game changer,” says Reichman.

Many large financial services firms already have whistleblowing reporting structures in place. However, Rossiter observes that outsourcing to an external vendor aligns well with the directive’s explicit requirement for confidentiality and for management of alerts to be dealt with by individuals or entities who are independent from the firm’s operational activities.

Since the directive provides minimum standards for EU member states to use as a basis for the implementation of local laws, it is vital that organisations are up to date and compliant with the various regulations being introduced across the countries in which their employees work and reside.

Reichman observes that one of the key stipulations is for internal channels to be available and that organisations are therefore turning their attention to internal reporting mechanisms.

“End-to-end solutions that combine the ‘human touch’ with technology are the answer,” she says. “Organisations need approaches that delve deeper into internal cultures and behaviours rather than simply relying on old methods of reporting such as legacy hotlines. Along with the issues of trust and reputation detailed above, misconduct reporting and resolution are best dealt with internally, which can greatly reduce the time between case submission and resolution.”

Whether firms manage compliance in-house or rely on vendors for support, training is a key activity – and not only for teams monitoring compliance with the directive.

“Employees need to be fully informed about the new rules and how to report violations,” says Hurst. “Beyond training, companies need to assess any areas that may be the cause of whistleblowing in the first place. In general, this is an ongoing activity but it might be an opportunity to take a fresh approach.”

Firms will already have some form of communications monitoring in place, but they will need to improve how they are doing this and also the scope. “Monitoring will need to include the protection of whistleblowers as well as alerting for language that would suggest a toxic culture against whistleblowers,” Hurst concludes.
