“Blowing the Whistle” in the Financial Services Industry: What Changes does the new EU Whistleblowing Directive Bring?

Alessandro Portolano
Published in Sound and Prudent, May 18, 2020

Liemertje Sieders (*), Donato Vozza (**)

Massimo Catalani (Painter)

The past few years have seen whistleblowing cases of undeniable significance filter into the European dimension, LuxLeaks, Panama Papers, Football Leaks and Cambridge Analytica to name a few, making calls for the adoption of common whistleblower protections across the European Union increasingly difficult to ignore. Despite their crucial role in revealing financial crimes or unethical behaviours affecting the public interest, no answer to the protection of whistleblowers had yet been established at EU level, leading whistleblowers to feel widely discouraged from reporting their suspicions for fear of retaliation and other adverse consequences. To address this gap, on 23 October 2019, the Council of the European Union and the European Parliament adopted Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law (the “Whistleblowing Directive”), which came into force on 17 December 2019.

Setting out common minimum standards providing for “a high level of protection” of persons who report breaches of EU law in both the public and private sector, the Directive explicitly covers, among others, the areas of financial services, products and markets, and prevention of money laundering and terrorist financing. Three reporting channels can be used by whistleblowers seeking to report breaches, each one bearing its own specific requirements:

- internal reporting within a legal entity (Articles 7–9),
- external reporting to the competent authorities (Articles 10–14), and
- public disclosures (Article 15).

Pursuant to the Directive, EU Member States must ensure that public and private legal entities adopt internal reporting channels and procedures, and that whistleblowers are adequately protected. Notably, the Directive bestows protection on a wide range of so-called “reporting persons” (i.e. whistleblowers), defined in Article 4 to include, among others, workers as well as persons whose work-based relationship has ended or is yet to begin, provided they acquire information on breaches in a work-related context.

This is not the first time that the EU is legislating whistleblowing in the financial sector. On the contrary, this sector is, in many ways, the most advanced when it comes to whistleblowing protection, with several Union acts obliging competent authorities and certain legal entities to establish internal reporting channels. The existence of such legislation begs the question whether, and if so to what extent, the new EU Directive alters the duties of financial service operators when it comes to whistleblowing.

The body of pre-existing EU legislation on whistleblowing in the financial services sector consists more of a mosaic, characterized by the kind of fragmentation which the Directive aims explicitly to address by introducing common standards. Some of the relevant whistleblowing provisions contained in Union acts are:

- Directive 2013/36/EU on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms (Article 71)
- Directive 2014/65/EU on markets in financial instruments (Article 73)
- Regulation (EU) No 909/2014 on improving securities settlement in the European Union and on central securities depositories (Article 65)
- Regulation (EU) No 1286/2014 on key information documents for packaged retail and insurance-based investment products (PRIIPs) (Article 28)
- Regulation (EU) No 596/2014 on market abuse (Article 32). Notably, the Market Abuse Regulation (MAR) provides that Member States can provide, under certain conditions, for financial incentives to persons who report. The Commission Implementing Directive (EU) 2015/2392 provided further guidance on the MAR as regards reporting infringements to competent authorities.
- Regulation (EU) 2015/2365 on transparency of securities financing transactions and of reuse (Article 24)
- Regulation (EU) 2015/847 on information accompanying transfers of funds (Article 21)
- Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (Article 61)
- Directive (EU) 2016/97 on insurance distribution (Article 35)
- Regulation (EU) 2017/1129 on the prospectus to be published when securities are offered to the public or admitted to trading on a regulated market (Article 41).

These provisions vary only slightly among one another. Most (though not all) include the following main elements:

- an obligation on Member States to ensure competent authorities establish effective mechanisms to encourage reporting of “potential or actual infringements” of the transposing national legislation to them;

- the necessary components of such external reporting mechanisms, namely: specific procedures for receipt and follow-up of reports, appropriate protection for employees of the service provider subject to the relevant Regulation or Directive who report infringements “at least against retaliation, discrimination or other types of unfair treatment”, and protection of the personal data and identity of the whistleblower and the person concerned by the report;

- an obligation on Member States to require service providers, as employers, subject to the relevant Regulation or Directive to have in place appropriate procedures for their employees to report such infringements internally through a “specific, independent and autonomous channel”.

The relationship between the new Whistleblowing Directive and such pre-existing EU legislation is, by the will of the Directive, one of complementarity. The Directive shall apply to the extent that a matter is not mandatorily regulated in the sector-specific Union acts listed in Part II of the Annex to the Directive (Article 3). At the same time, where whistleblowing is already regulated in a particular area, this Directive should complement such acts and, in particular, “provide further detail as to the design of the internal and external reporting channels, the obligations of competent authorities, and the specific forms of protection to be provided at national level against retaliation.” (Recital 20).

Therefore, the Directive could imply changes that go beyond the requirements envisioned in pre-existing legislation and that significantly broaden the measures financial service entities will have to take to be fully compliant with EU legislation. Here are some of the changes brought by the Directive that seem most impactful on the financial sector:

- Obligation to establish internal reporting channels: all financial service entities

Pre-existing EU legislation on whistleblowing in the financial sector generally requires that the relevant entities put in place an internal reporting channel, but this is not invariably the case. Under Regulation (EU) No 1286/2014 Member States are given the option, rather than obligation, of requiring employers engaged in activities that are regulated for financial services purposes to have in place internal reporting mechanisms for their employees. Directive (EU) 2016/97 does not even refer to such internal tools.

Under the new Whistleblowing Directive, all financial service entities subject to the Directive must establish an internal reporting channel. Article 8(1) requires Member States to ensure that internal reporting channels are established by legal entities in the private and public sector that have 50 or more workers. However, when it comes to “entities falling within the scope of Union acts referred to in Parts I.B and II of the Annex” (namely, financial services, products and markets, and prevention of money laundering and terrorist financing), this threshold does not apply (Article 8(4)). Financial service entities will be obliged to establish such a channel irrespective of their number of workers. This even applies to those subject to the more discretionary Regulation (EU) No 1286/2014 (Recital 20).

It is worth noting that Article 8(2) creates an obligation to establish internal reporting channels only for the entity’s “workers”: discretion is left to the entity to decide whether to open such channels up to the wide array of other individuals contemplated in Article 4 of the Directive.

- Design of internal reporting channels

The Directive delineates the necessary elements of such internal reporting procedures (Article 9). In this regard, the Directive contains far greater detail than pre-existing legislation. The requirements — in sum — are as follows:

  • the channels must ensure the confidentiality of the identity of the reporting person and any third party mentioned in the report;
  • the procedure must acknowledge receipt of the report to the reporting person within seven days of receipt;
  • the entity must designate an impartial person or department competent for following up on the reports and providing feedback;
  • such designated person or department must diligently follow up;
  • a reasonable timeframe for feedback must be provided, not exceeding three months from the acknowledgement of receipt or, if no acknowledgement was sent, three months from the expiry of the seven days;
  • clear and easily accessible information regarding external reporting procedures must be provided.

- No mandatory reporting sequences

The Directive provisions introducing optional reporting channels are arguably the most controversial, with prior versions of the Directive envisioning the hierarchization of reporting channels and thus an obligation first to exhaust internal reporting channels. As a result of complex institutional negotiations at EU level, the Directive no longer envisages a mandatory reporting sequence, providing the whistleblower with the choice to report internally or directly externally (Article 10). The whistleblower can also choose to directly make a public disclosure, provided certain conditions listed in Article 15 are met.

- Protection and support measures to be provided to the whistleblower

In pre-existing EU legislation, the protection measures (such as the prohibition of retaliation and other unfair treatment) were cited mostly, if not exclusively, in relation to external reporting channels (i.e. to competent authorities), and not in relation to internal mechanisms (required only to be “specific, independent and autonomous”). The new Directive provides extensive protection measures, chief among which is the prohibition of retaliation contained in Article 19 (referring to a wide array of prohibited retaliatory acts), measures of support under Article 20 (including the provision of information and advice on the whistleblowers’ rights and legal aid), as well as penalties for hindering reporting or retaliating under Article 23, that must all be adopted by Member States. Protection is uniquely provided against retaliatory measures taken not only directly against the whistleblower but also indirectly against facilitators, colleagues, relatives or other third persons connected with the whistleblower and who suffer retaliation in a work-related context.

In conclusion, all financial service companies and institutions operating in the EU, and subject to applicable EU legislation, will be obliged to adopt an internal whistleblowing channel that meets, at the very least, the standards of the EU Directive, or any more stringent standards adopted by the respective EU Member State. The required components of such internal channels are significantly more detailed, and more onerous, than those provided in pre-existing EU legislation governing whistleblowing in the financial services sector.

Transposition of the Directive into national legislation must take place by 17 December 2021. Notably, by way of derogation from this ordinary transposition deadline, as regards legal entities in the private sector with 50–249 workers, the deadline for transposition by the Member States falls on 17 December 2023.

With the deadline for national transposition in mind, it would be wise to begin assessing whether one’s internal whistleblowing channel already meets these standards and what measures must be taken to bring one’s policies in line therewith (including by starting to undertake initiatives and training that promote an open and transparent workplace culture). Where a financial service entity is yet to set up an internal whistleblowing channel, it should do so, in light of the complementarity principle, and thus in consideration both of the new Whistleblowing Directive and of other Regulations or Directives applicable to it, so as to be in full compliance with the entire corpus of applicable EU and implementing national legislation.

(*) Compliance and Sanctions Specialist with Eni SpA.
(**) Research Associate at the Centre for Financial and Corporate Integrity of Coventry University.

The views presented in this article are the personal views of the authors, who bear sole responsibility for the opinions expressed herein.