Whistleblowing remains a key tool for the Financial Conduct Authority (FCA) to identify actual or potential harm to consumers, markets, the UK economy and wider society. On 4 May 2023, it published its latest whistleblowing data for the final quarter of 2022 (for the months October to December 2022) (Q4 2022). During this quarter, the FCA received 276 new whistleblowing reports (containing 785 allegations of wrongdoing), slightly down from 291 in Q3 2022. As in the prior quarter, most of the reports were received via the online reporting form and again the majority of whistleblowers provided their contact details, rather than seeking to remain anonymous.
In line with earlier data, the top four areas of concern for whistleblowers reporting to the FCA during the period were: (i) fitness and propriety; (ii) compliance; (iii) treating customers fairly; and (iv) culture. The number of allegations relating to systems and controls also remained relatively high with 59 relevant reports for this period, following 55 for the previous quarter. In terms of less frequent areas of concern, November saw data security and pressure selling enter the top ten and in December 2022 the FCA received four reports in relation to bribery and corruption.
In addition to the latest data, the FCA has recently set out a number of planned actions to improve the confidence of whistleblowers as further detailed here, and in July the FCA intends to publish data about the disclosures it has received and details of how these have been handled in a standalone Prescribed Person report (so far this data has been included in the FCA Annual Report and Accounts).
Individuals can of course, and often do, raise their concerns directly via their firm’s internal whistleblowing systems, which may have the advantage of enabling the firm to consider and address any issues proactively and promptly. There may be an advantage to the whistleblower too, in that a disclosure to a regulator only attracts protection if the employee reasonably believes that the allegations are “substantially true”, a requirement not applicable to disclosures made to employers. Given the continued regulatory focus on whistleblowing, and to assist firms in effectively managing any whistleblowing reports they receive, we set out below ten key practical steps for firms to consider taking when a report is received:
- Initial risk assessment: When a whistleblowing report is received, firms should carry out an initial risk assessment of the concerns to enable them to identify: (i) the appropriate case management approach; (ii) whether the concerns raised have the potential to significantly impact the business; and (iii) the potentially affected or relevant stakeholders. The assessment should consist of initial inquiries and include consideration of whether an exploratory review should be performed to determine if there is any merit in any of the concerns. From the outset firms must ensure that they record all steps and decisions taken with respect to handling the whistleblowing report, including any follow-up actions.
- Managing the reporter: Firms should maintain contact with the reporter when the channel of reporting allows and should ensure that no actions are taken against them which may be perceived as retaliation or victimisation. It is also prudent to record the reasons for decisions affecting the whistleblower in order to show such decisions, such as variable remuneration, are not influenced by the disclosure made by the whistleblower. The FCA takes retaliation in this context very seriously and an adverse employment tribunal decision on this issue would need to be reported to the FCA. Firms should also: (i) consider the employment law position regarding the whistleblower in the relevant jurisdiction and ensure that any whistleblower protections are complied with; (ii) invite the reporter to share more information and evidence to assist the firm’s initial review; and (iii) manage expectations with the reporter about the upcoming process and timeline. As a general point, firms must ensure confidentiality where the whistleblower has requested confidentiality or chosen not to reveal their identity, and only reveal information relating to the report and the concerns on a ‘need-to-know’ basis. Firms should also consider the extent to which legal privilege may apply to certain related communications.
- Communication plan: Firms should create a communication plan for credible sensitive concerns, and for concerns that reach the investigation stage. The plan should take into account potential developments relating to the concerns and possible media exposure, and it should assign a responsible person(s) for managing internal and external communications. Firms should also consider how to manage internal communications with employees, and any guidelines that should be placed around those communications.
- Reporting: Firms should consider any external reporting obligations that they may have, including any self-reporting obligation to any regulator, external auditor or insurer which has been triggered by the whistleblowing report. In the absence of an obligation, firms should consider whether it may otherwise be in the firm’s interests to self-report. In addition, firms should consider any internal reports which should be made with respect to the concerns raised, for example, to the management board or relevant subsidiaries.
- Data: To ensure that material potentially relevant to the concerns is not destroyed or altered, firms should consider whether steps should be taken to preserve it, including: (i) suspension of routine data deletion; (ii) freezing of servers; and (iii) issuance of a data preservation notice to employees who may have information relevant to the concerns. Consideration should also be given to the capture of data on personal devices such as texts and WhatsApp messages.
- The initial review: Firms should consider setting up a review team when there are reports that justify a follow-up after the initial risk assessment inquiries. The review should seek to obtain a thorough understanding of the key concerns in the whistleblowing report and determine whether there are any relevant regulatory requirements or reporting obligations to the relevant authorities. The output of the initial review may be a decision that either no further action is required by the firm, or that further investigation is needed.
- Investigation: Credible concerns of misconduct generally will trigger the need for further investigation. Initially, the business will want to determine if the whistleblowing complaint is to be investigated under the whistleblowing complaint policy or if the grievance procedure is more appropriate. If it is not clear which procedure should be followed, there should be engagement with the employee/worker regarding the issue to ensure agreement where possible. The main goals of the investigation are to: (i) efficiently gather all relevant facts concerning the potential irregularities, thereby enabling the firm to effectively manage any legal or regulatory exposure and allowing it to be on the front foot with regulators and deal with any emerging issues; and (ii) determine any required remediation and/or disciplinary actions that the firm needs to carry out in light of any findings. Even when investigations are being led internally, for higher profile issues firms may want to consider engaging an external law firm to support and enhance that investigation, for example for reasons of independence or consideration of any concerns involving possible legal or regulatory breaches.
- Remediation: In many cases, it may not be advisable for firms to wait until the completion of the entire investigation to implement remediation. Firms should be proactive and consider what can be applied and when, in particular where the concerns raised relate to customers. For regulated entities, regulators will expect to see this and such an approach is likely to be seen by regulators in a positive light.
- Investigation reporting: At each phase of the investigation firms should consider how best to convey findings to the relevant stakeholders, what will be communicated to the board and how the findings will be recorded in the minutes. A report may be oral or written and consideration should be given to whether any report is protected by legal privilege. Once the investigation is complete, its results should be reviewed and verified and any further remediation actions should be decided upon. Timely feedback should be given to the reporter. Following the completion of remediation, internal stakeholders and relevant regulators should be consulted before closing the case.
- Lessons learned: Firms should consider any lessons learned from the process, in respect of both the underlying concerns raised by the whistleblowing report and the way in which the process surrounding the whistleblowing report was managed. These lessons should be shared across the business. Any failures in the control system should be identified, and where flagged, remedial actions should be taken to ensure that they do not reoccur.
We have a menu of investigation support that we can provide in connection with whistleblowing reports and investigations, ranging from advice on regulatory and/or insurance notifications to interview support to advice in connection with any report recommendations. For further information on this, or if you have any other queries on the issues raised in this blog, please do contact any of the authors.