Introduction 

Whistleblowing is on the rise – both within organisations and to authorities. An increase in whistleblowing is positive: it shows employees feel able to speak up, allows issues to be escalated, investigated and where necessary remediated. However, the increase in whistleblowing also presents challenges for companies to ensure that they are dealing effectively and appropriately with the concerns raised and continuing to encourage a speak-up culture.

In addition to the increase in whistleblowing, companies face additional complexities arising from developments in both legislation and enforcement. Notably: (i) a growing number of jurisdictions have introduced or are considering (potentially significant) financial incentives for whistleblowers, which is a long-standing practice in the US; (ii) in the UK, following various high-profile matters, both regulators and legislators have proposed further scrutiny of how companies are handling whistleblower complaints; and (iii) in the EU, transposition of the Whistleblower Directive into member state law has led to complexities arising from inconsistent interpretations by states of the Directive’s requirements.

These developments mean that it is crucial that organisations have clear procedures in place to ensure whistleblowing reports are handled effectively, appropriately and in compliance with applicable laws, particularly given the increased media and regulatory scrutiny of how internal investigations are conducted.

In this article we consider the latest developments in whistleblowing legal regimes in the UK, US, and the EU, the broader challenges and risks companies face when conducting investigations triggered by whistleblowing reports, and provide practical tips on how organisations can prepare themselves to respond to whistleblower reports. 

Evolving global whistleblowing framework

UK:

The approach of UK authorities to whistleblowers is evolving. There are currently only two regimes in the UK that provide financial incentives to whistleblowers: a Competition and Markets Authority mechanism to reward individuals providing information about unlawful cartel activity and a scheme by HMRC to allow for discretionary rewards for providing evidence of tax fraud. In February 2024, the new Director of the Serious Fraud Office (SFO), Nick Ephgrave, proposed that the SFO financially compensate whistleblowers for providing information. Mr Ephgrave noted that on average it takes five or six years to conclude cases. He said that cases may be concluded more quickly if the SFO was privy to “smoking gun” evidence provided by incentivised whistleblowers. The FCA also pledged to improve its whistleblowing framework in late 2023, and following Mr Ephgrave’s comments confirmed that they will also liaise with the SFO to align on proposals to introduce financial incentives for whistleblowers.

Against this backdrop, in March 2023 the UK government launched a review of the UK’s whistleblowing framework, led by the Department for Business and Trade (DBT), examining its effectiveness in providing a route for employees to blow the whistle, to protect those employees from “detriment and dismissal”, and to drive wider cultural change.

Separately, a private members’ bill was introduced to the House of Commons to enhance whistleblower protections. Amongst other things, the bill made provision for an Office of the Whistleblower to be established to set and monitor standards for the management and investigation of whistleblowing cases – and also investigate whistleblower complaints.

As with any private members’ bill, its prospects of success would, in large part, depend on the level of government support. In light of the dissolution of Parliament on 30 May 2024, the bill will make no further progress. However, both the bill and DBT review indicate a desire to increase scrutiny of how companies handle complaints. In this regard, it is noteworthy that the Labour Party has indicated that, if elected to government, it will strengthen protection for whistleblowers (including by updating protection for women who report sexual harassment at work) but no further details have been given.

US:

In the US, the practice of financially compensating whistleblowers is commonplace and is expanding. For example, in March 2024, the DOJ announced a pilot programme to provide financial incentives to whistleblowers who assist the DOJ in investigating corporate misconduct. The DOJ is also trying to provide significant non-monetary awards to whistleblowers: in April 2024, the DOJ’s Criminal Division launched its Pilot Program on Voluntary Self-Disclosure for Individuals (VSD), which grants immunity and non-prosecution agreements (NPAs) to individuals who voluntarily disclose certain types of corporate criminal conduct. While immunity and NPAs have long been tools used by prosecutors, the VSD seeks to incentivise individuals to disclose alleged misconduct by offering greater assurance that it will not prosecute and providing more transparency into who is eligible for relief.

EU:

In 2019, the EU Whistleblower Directive was adopted in an attempt to create a minimum level of protection for whistleblowers across the EU, which was previously uneven and fragmented. 25 out of the 27 Member States have so far implemented the Directive into their national laws, with Poland and Estonia still to take steps to do so.

The Whistleblower Directive requires EU Member States to implement rights and obligations in relation to whistleblowers, including requirements for organisations to design and implement internal reporting channels and to provide clear information on how to report externally to competent authorities. It extends protection to a very wide group of persons, such as current, former or future workers, paid and unpaid volunteers, shareholders and any person working under the supervision and direction of contractors, subcontractors and suppliers.

Under the Directive, companies with 50 or more workers are required to establish internal reporting channels and to implement procedures for following up reports. Whilst it is up to the EU Member States to designate national authorities that will establish independent and autonomous external reporting channels, companies must provide clear and easily accessible information internally on the procedures that apply to reporting externally. There is no obligation for a reporter to report internally before reporting externally to an authority and retaliatory measures of any kind against reporting persons and those who advised or supported the reporter are strictly prohibited.

However, the implementation of the EU Whistleblower Directive has been slow. While harmonisation was the goal, in many respects the opposite has been achieved as national laws implementing the Directive still differ significantly. This uneven implementation process has created real issues for multinational organisations in ensuring consistency in their whistleblowing procedures across different entities within the corporate group. For instance, some national laws require each local entity to have its own whistleblowing channel while other countries allow group reporting channels. As another example, some laws require criminal offences reported to the company to be reported to the local authorities, while in other jurisdictions there is no equivalent requirement.

As a result, complying with national whistleblower laws in one Member State does not guarantee compliance in another. Companies need to be prepared for the challenge of navigating various different laws when designing their internal whistleblowing systems.

Trends in investigating whistleblowing complaints

The continual evolution of global whistleblowing laws and regulatory requirements is likely to increase the number of whistleblowing complaints further, as well as scrutiny of how reports are investigated.

We see four main trends:

  1. Whistleblowers’ expectations have increased. The handling of investigations is paramount to ensuring a culture in which individuals are encouraged to come forward within an organisation. Many whistleblowers expect investigations to be conducted quickly and to have transparency over the investigation process and results – and, as a result, companies need to be alive to providing whistleblowers the support they need whilst conducting the investigation. It is also worth noting that companies should be conscious of the risks of challenge to the approach taken in investigations to data privacy and employment law issues, including in the UK data subject access requests – and ensure that these issues are dealt with sensitively and appropriately from the outset.
  2. Confidentiality vs. integrity of the investigation: Where companies are taking reasonable steps to keep whistleblower complaints confidential, this may raise challenges for example when interviewing the subjects of the investigation and acting on its findings. Those conducting the investigation will need to take care not to reveal the identity of the whistleblower (including inadvertently) when a confidentiality undertaking has been given to them, whilst still investigating the allegations as fully as possible.
  3. There may be ongoing media coverage (and scrutiny) of the investigation. Whistleblower investigations (particularly where they involve personal conduct issues) make front page news and missteps in how investigations are conducted can receive adverse coverage. Organisations need clear media strategies, balancing the desire for transparency with respecting individuals’ confidentiality and protecting the company and individuals’ positions moving forwards.
  4. Increased civil litigation risk and the risk of whistleblowers going to authorities. We are seeing an increase in civil litigation and regulatory investigations arising out of whistleblower investigations. Organisations should consider how to best protect themselves in the event an investigation results in such adversarial proceedings. This will mean thinking carefully about, amongst others, confidentiality and privilege, ensuring the investigation methodology is carefully documented, and considering forensic data collection where appropriate.

Important learnings in dealing with whistleblowing reports:

From our experience, the following practical points are important:

  1. Have in place an effective whistleblowing process. Having a clear process in place (with strong communication ensuring a high level of awareness) will ensure not only compliance with the relevant legal frameworks, but also that individuals feel they can raise issues and that those issues will be dealt with properly.
  2. Ensure that a risk-based investigation plan is in place and is followed. This will assist with ensuring the appropriate investigative steps are taken, that key decisions are documented, and assist in preserving privilege where necessary. We would recommend having in place a clear internal investigations protocol (which amongst other things deals with consideration of whistleblowers, relevant employment laws and applicable legal requirements in terms of handling reports). This will assist in maintaining consistency in how complaints are dealt with, and making sure that the appropriate factors are considered and the right people are involved.
  3. Assess relevant whistleblowing, employment and data privacy laws. Make sure that you have a clear picture of all relevant laws and the steps you need to take (and pitfalls to avoid) from an employment and data privacy perspective. Seek external legal advice where necessary.
  4. Where possible, make contact with the whistleblower and try and ensure that they feel heard. This will ensure the whistleblower is more likely to feel comfortable sharing information which will assist the investigation and avoid a scenario where the whistleblower chooses to report externally as they feel their report is being ignored or not taken seriously.
  5. Continuous improvement. At the end of investigations, consider what could have worked better with a specific lens on how the report was handled, processed and managed; document those decisions and think about how the process could be improved as a result.