Part 3 – Requirements for General Counsels and Chief Compliance Officers
In part 1 and part 2 of this series of three blogs, we looked at what the new EU Whistle Blowing Directive (EU 2019/1937) (“the Directive” or “EUWBD”) has changed – and what hasn’t changed. We also looked at the behaviours to be expected from whistle blowers in light of the Directive.
Below we go a little deeper into the actions required from General Counsels and Chief Compliance Officers in meeting the Directive. We’ll also outline the practical next steps required to meet the Directive.
Creativity of GCs and CCOs
Legal & Compliance functions will appreciate the clarity of parts of the Directive, and will also be able to see several advantages offered by it.
The Directive allows for internal reporting first. This is not a requirement, but there is a duty on Member States to “encourage” this (Article 7(2)). This is an acknowledgement that complaints are often best handled by organisations themselves, and as close to the issues as possible. Authorities, I hope, will be brave in passing back cases that have not been through an adequate internal process first, assuming a problem could have been fixed there. In short – we get a clear shot at handling issues properly before the authorities are involved and before there is public scrutiny. How exactly this will develop is unclear at present, given that Member States are yet to detail how they will implement the Directive.
Organisations must “acknowledge” receipt of a report within seven days (Article 9(1)(b)) and then “provide feedback” to the reporter within a relatively short timeframe of three months (Article 9(1)(f)). This is fine for the majority of issues, but incredibly short for complex cases, which can take well over a year of careful work to come to fruition. Even if “feedback” simply means ‘staying in touch’ with the whistle blower, such communications need to be incredibly carefully managed.
All the efforts behind the Directive are presumably aimed at complex cases, not the run-of-the-mill reports that simply need processing. Onlookers will have to acknowledge the flexibility behind the term “feedback” and its inclusion of “action envisaged” (Article 5(13)).
General Counsels (GCs) and Chief Compliance Officers (CCOs) will need to continue to show creativity in revealing issues naturally through the course of business. Perhaps through regular audits, reviews or risk assessments, there will be other means of establishing findings and dealing with them whilst not revealing a reporter’s identity (or even the fact that there is a report).
GCs and CCOs also need to show creativity in ensuring that accountability remains in the line, where issues are handled best. Better use by managers of case handling tools or central compliance resources is really challenging administratively, but might be needed if we are truly to capture and properly process all cases arising in the organisation.
Culturally, we need employees to work together with their managers to handle issues and not make them bigger than needed. Of course there is a valve for releasing pressure from issues that cannot be handled locally, either because of poor-performing managers or because the issues are too big to be handled properly there. Training of managers in handling issues should remain a priority for compliance teams.
Organisations will need to assess the Directive according to their own circumstances, risks and needs. Below are a few examples of what we see as the priorities:
- The basics
  - Make sure you have the right misconduct reporting system in place. Don’t be afraid of changing systems – it can be a liberating experience. Do enough to meet the requirements of the Directive and think about whether you want to go further, for example based on what your organisation might need in the future.
- Governance & Policies
  - Get the ‘nuts and bolts’ in place formally through policies, and ensure your systems are set up to match these decisions.
  - Discussions are needed around complex issues such as anonymity, whistle blower and subject (accused) rights, formal steps protecting reporters against retaliation, data protection and tensions with other legal requirements. There should be crystal clear procedures for escalation to management, the CEO, the Audit Committee and the Board.
  - Ensure alignment early on to avoid surprises, perhaps in the middle of a tense investigation. Ownership and accountability should be decided sooner rather than later.
  - Think strategically about self-preservation. When do you need to protect your own organisation? Defamation is the flip side of whistle blowing – when do you need to take a stance? And when does taking a stance lose you goodwill?
  - Like all policies, controls are needed to ensure they’re operating as intended. What can be added to your compliance controls framework? Think escalation, approvals, segregation of duties, etc. You may also want to ensure that communications teams are actively monitoring the public domain for emerging cases.
- Involve the people who matter in the whistle blowing process and aspects of non-retaliation. Work closely with all leaders and managers in your organisation, HR, Data Protection Officers, works councils and unions. Bringing employees and their representatives into the discussion is perhaps the most effective means of getting ahead of issues.
- Training programs should include details on the Directive, which is rather prescriptive on what information should be made available.
- Likewise, communications programs should meet the formal requirements and probably go further, according to your organisation’s individual culture and risks.
- Dilemma-based training for key groups such as executive management (or risk-exposed functions) can really get people thinking about the challenges that lie ahead.
- Past cases
  - The Directive isn’t retroactively applicable. But one can see the potential to drag up old cases (Article 4.2 allows for whistle blowing from past work relationships). You need to ensure that you have handled matters credibly and thoroughly, also in the past.
  - A review of past significant cases in light of the Directive could help to get ahead of such a risk.
- There are some uncertainties outlined above, and the need for research and observation is clear.
- What remains to be seen is whether national measures will (or already do) go further than the Directive. The UK’s unique position remains to be seen.
- The tensions between data protection and whistle blower rights will be more keenly felt in some jurisdictions than others.
- Another piece of legislation – the GDPR – has been seen by some as over-optimistic, impractical and partly unenforceable. DPAs have been swamped with useless information, without the resources to address all of it. The Directive could face the same charges unless well implemented and enforced.
- Case law will need to develop and guide the practical use of the Directive, especially regarding enforcement and how great a deterrent the penalties will prove to be.