Guide to Whistleblowing

In this new age of accountability, organisations around the globe are having to navigate a patchwork of new laws designed to protect those who expose corporate misconduct. IEL’s Guide to Whistleblowing examines what constitutes a protective disclosure, the scope of regulations across 21 countries, and the steps businesses must take to ensure compliance with them.

07. Should employers manage the reporting channel itself or can it be outsourced?

Australia

  • at Lander & Rogers

ASIC Regulatory Guide 270 notes that it is good practice but not mandatory that an entity has mechanisms in place for monitoring the effectiveness of its whistleblower policy.

ASIC suggests an entity could set up:

  • oversight arrangements for ensuring its board, audit or risk committee are kept informed about the effectiveness of the policy;
  • a mechanism to enable matters to be escalated to the entity's board or the audit or risk committee; and
  • periodic reporting to the board, audit or risk committee.

The guide also notes that entities may consider involving an independent whistleblowing service provider authorised to receive their internal disclosures. This is especially so for smaller entities. Using an outside service provider may encourage more disclosures since disclosers can:

  • make their disclosure anonymously, confidentially and outside business hours;
  • receive updates on the status of their disclosure while retaining anonymity; and
  • provide additional information anonymously.

Last updated on 23/08/2022

Belgium

  • at Van Olmen & Wynant

The reporting channel can be outsourced to a third party (eg, to a payroll provider, compliance experts or lawyers). However, the employer will remain legally responsible for the implementation and use of the system.

Last updated on 01/08/2022

Brazil

  • at CGM

There is no statutory requirement in this regard. Accordingly, employers can manage the reporting channel directly or outsource it to an external supplier.

Last updated on 29/07/2022

Croatia

  • at Babic & Partners

Under the WBP Act, the internal reporting channel is a WBP officer and their deputy, as appointed by the company. This officer and deputy are solely authorised to receive the whistleblowing reports and conduct investigations (ie, the conduct of these actions cannot be outsourced to any third person).

However, the WBP Act does not preclude companies from appointing individuals employed or hired by an external service provider as a WBP officer or deputy (noting, however, that the company may make such an appointment at its own discretion only if these appointments have not been proposed by either the works council, or, if there is no works council, the union trustee, or if there is no works council or union trustee, by at least 20% of the company’s employees).

Even if the company appoints individuals employed or hired by an external service provider, the appointed persons must keep confidential the identity of any whistleblowers and any information contained in the whistleblowing report, and will not be able to directly involve external service providers in the investigation without express consent from each whistleblower. However, the company may engage an external service provider to indirectly assist these appointed persons (regardless of whether the individuals appointed are employed by the company or by the external service provider, and regardless of whether the whistleblower provides express consent for disclosure of his or her identity and the content of the report), if such assistance will not lead to disclosure to that provider of the identity of the whistleblower and any information contained in the whistleblowing report.

Last updated on 29/07/2022

Denmark

  • at IUNO

The whistleblowing channel can be outsourced wholly or partly to an external third party (for example a specialised platform, lawyer, or auditor).

Companies can outsource the whistleblowing channel but will remain fully responsible for complying with the Whistleblowing Act. For that reason, written declarations must be drafted with the provider to make sure that the requirements relating to impartiality, confidentiality, data protection, etc, are satisfied.

Last updated on 30/11/2022

France

  • at Proskauer

Employers can subcontract the management of the whistleblowing procedure to an external supplier, which will be in charge of:

  • setting up the reporting channel available;
  • receiving complaints; and
  • investigating the reported facts.

In practice and as an example, the external supplier can set up a telephone hotline or an email address for the collection of reports. These are then transmitted to the employer to decide on any action to be taken.

Last updated on 29/07/2022

Germany

  • at Oppenhoff

In principle, the draft bill of the Whistleblower Protection Act intentionally does not specify which persons or organisational units are best qualified to carry out the tasks of the internal reporting office or to manage the corresponding reporting channel. However, the internal reporting office may not be subject to any conflicts of interest and it also must be independent. The EU Whistleblower-Directive mentions, for instance, the head of the compliance department or the legal or data protection officer as possible internal reporting offices.

If, in addition to the (internal) persons responsible for receiving and processing internal reports, other (external) persons have to be involved in a supporting activity, this supporting activity is legally only permissible to the extent that is necessary for the supporting activity. This applies, for example, to IT service providers that provide technical support for reporting channels.

It is also legally permissible to appoint a third party to carry out the tasks of an internal reporting office, including the reporting channel (section 14 (1) HinSchG-E). Third parties may include lawyers, external consultants, trade union representatives or employee representatives.

However, engaging a third party does not relieve the employer of the obligation to take appropriate action to remedy a possible violation. In particular, for follow-up actions to check the validity of a report, there must be cooperation between the commissioned third party and the employer.

Last updated on 29/07/2022

India

  • at Khaitan & Co

While the reporting channel may be outsourced, in respect of Covered Companies, the mechanism should be overseen by the Audit Committee or Board of Directors, as applicable.

Last updated on 29/07/2022

Japan

  • at City-Yuwa

The business operator may outsource the establishment of a point of contact to a third party, such as a subcontractor or parent company[1].


[1] Id, Section 3 II (1)(i)(c), at p.7.

Last updated on 29/07/2022

Latvia

  • at Ellex Klavins

The Whistleblowing Act allows employers to use third-party services for whistleblowing procedures. Therefore, the management of a reporting channel can be outsourced to management service providers. On the other hand, such outsourcing cannot be used to implement group whistleblowing procedures (eg, to use a reporting channel established at a group level or in a related company).

Last updated on 29/07/2022

Lithuania

  • at Ellex Valiunas

Companies may outsource internal channel administration services to other companies providing such services or external third parties, provided that they ensure that the principles of independence, confidentiality and data protection are observed. Administrative services provided by third parties do not include the investigation of information about the breach and any subsequent decision-making.

Last updated on 29/07/2022

Luxembourg

  • at Castegnaro

The legal entity may subcontract the monitoring of reports (articles 6 and 7 of Bill 7945).

Last updated on 29/07/2022

Malta

  • at Camilleri Preziosi

In theory, the Directive states that the reporting channel may be operated internally or externally by a third party. The Act requires the employer to designate an officer from within the company (whistleblowing reporting officer – WRO), who may or may not be the same person receiving reports, to follow up on reports.

Last updated on 16/11/2022

Nigeria

  • at Bloomfield LP

The reporting channel can either be internally managed or outsourced for transparency and objectivity.

Last updated on 29/07/2022

Poland

  • at Baran Książek Bigaj

Employers may outsource maintaining reporting channels (as part of ICT solutions) and receiving reports.

Last updated on 17/11/2022

Portugal

  • at Cuatrecasas

The internal reporting channels may be operated internally or externally, and independence, impartiality, confidentiality, data protection, secrecy and the absence of conflicts of interest must be guaranteed.

Last updated on 29/07/2022

Romania

  • at STALFORT Legal. Tax. Audit.

Both options are available for companies. At first glance, internal channels controlled by the company’s own employees (auditors or compliance officers, in-house legal counsel or even an internal hotline) may be more effective for companies, since this ensures that potential wrongdoings are checked internally and do not compromise the image of the company. However, whistleblowers may not trust internal channels that allow easy identification of the individual whistleblower and are usually established to act in the best interest of the company (and not necessarily the whistleblower). Groups of companies must give more thought to the organisation; in many cases, outsourcing to third parties (eg, a recognised law firm) may be a better and more cost-effective solution.

Last updated on 16/08/2022

Spain

  • at Cuatrecasas

Yes, the management of internal reporting channels can be outsourced as established in section 6 of the Draft. However, a third party managing the reporting channel must provide adequate guarantees of respect for independence, confidentiality, data protection and secrecy. This third party would be considered a “data processor”, whereas the person or persons appointed by the company as “responsible for the system” will still be responsible for the reporting channel, even when it is outsourced.

Management of an internal information system by a third party should not undermine the guarantees and requirements established for this system in the Draft.

Last updated on 29/07/2022

Sweden

  • at Lindahl

Businesses may choose to manage reporting channels in-house or to outsource the management of reporting channels to third parties. Regardless, businesses should designate independent and impartial persons or departments (including third-party entities) to receive reports, maintain communication with whistleblowers, follow-up on reports and provide feedback to whistleblowers.

Last updated on 02/08/2022

United Kingdom

  • at Proskauer

The reporting channel can be outsourced. Where an employer’s whistleblowing policy or procedure authorises disclosure to a third party (eg, an external hotline), UK law will treat a disclosure to the third party the same as a disclosure to the employer.

The Department for Business Innovation and Skills guidance on whistleblowing identifies that larger UK organisations may have a designated team who can be approached to make a disclosure. The guidance recommends that smaller organisations should have at least one senior member of staff as a point of contact for whistleblowers. However, the guidance also acknowledges that there are commercial providers who can manage a whistleblowing process on behalf of the employer.

Last updated on 29/07/2022

United States

  • at Proskauer

A reporting channel can be managed internally or outsourced.

Advantages of an internal reporting channel include:

  • better understanding of the organisation; and
  • better understanding of the context in which complaints may arise and be escalated.

Advantages of a third-party reporting channel include:

  • increased independence and transparency; and
  • broader expertise in handling whistleblower reports.

Last updated on 29/07/2022

11. Are there special whistleblowing procedures applicable to specific economic sectors or professional areas?

Australia

  • at Lander & Rogers

The Taxation Administration Act 1953 is tax specific. The Public Interest Disclosure Act 2013 (Cth) is also specific to public officials.

Otherwise, most other companies are covered under the Corporations Act, section 1317AAB of which outlines what is a regulated entity. A regulated entity includes:

  • a Company;
  • a Corporation to which paragraph 51(xx) of the Constitution applies;
  • an authorised deposit-taking institution;
  • a general insurer;
  • a life company;
  • a superannuation entity or trustee; or
  • an entity prescribed by the regulations.

Last updated on 23/08/2022

Belgium

  • at Van Olmen & Wynant

The Act provides for an extra strict enforcement mechanism for companies active in financial services, products and markets and for rules for the prevention of money laundering and terrorist financing. So the financial and banking sector is under additional scrutiny. However, the procedures stay mostly the same.

Last updated on 01/08/2022

Brazil

  • at CGM

Yes. As a result of the Brazilian Anti-Money Laundering law, the Central Bank has issued an administrative ordinance (4859/2020) that requires financial institutions and other businesses subject to its authority to have a whistleblower channel. Among other obligations, they must inform the Central Bank of operations that may indicate potential money laundering conduct. Non-compliance with such obligations will expose the companies and their officers to penalties such as warnings, fines, temporary bans from working as an officer of a company subject to the Central Bank’s authority or even closing of the business.

Last updated on 29/07/2022

Croatia

  • at Babic & Partners

Yes, the WBP Act specifically excludes its application in the matters of defence and national security, except where such matters are covered by Union acts listed in Part I of the Annex to the Directive. Furthermore, the governmental bodies competent for matters of defence and national security must regulate the protection of whistleblowers and the reporting procedure in the areas of key security and defence interests (specifically the protection of key security and defence interests). To our knowledge, there are still no adopted or publicly available regulations covering WBP and reporting procedures in the areas of key security and defence interests.

In addition, if the Union acts listed in Part II of the Annex to the Directive provide for separate rules on reporting irregularities, the WBP Act restricts its application only to matters that have not been regulated by such separate rules.

Last updated on 29/07/2022

Denmark

  • at IUNO

Yes, sector-specific regulations may impose additional procedures and obligations. This concerns the financial sector in particular and may follow from special rules such as the Danish Anti-Money Laundering Act or the Danish Payment Act (see question 1).

Moreover, breaches of statutory secrecy obligations may result in sanctions if the matter being reported is excluded from the scope of the Whistleblowing Act.

Last updated on 30/11/2022

France

  • at Proskauer

There are special whistleblowing procedures for some areas, including banking and insurance, which may offer additional advantages, such as a simplified reporting procedure.

For instance, the Financial Market Authority (FMA) has deployed a whistleblowing system reserved for persons looking to provide the FMA with strictly confidential information concerning infringements of European legislation, the Monetary and Financial Code or the FMA General Regulation. 

A whistleblower who has learned of such events in his or her working life or business relationships can report them in writing (in electronic format or on paper), verbally by phone, or by meeting in person with specialist members of the staff in the offices of the AMF.

An acknowledgement of receipt is sent within seven days.

Guarantees apply to whistleblowers who report infringements accurately:

  • the originator of the report, the person targeted and the information collected are strictly confidential during receipt and processing; and
  • the whistleblower would also not be subject to dismissal, punishment or discriminatory measures, whether direct or indirect, notably concerning compensation or career development, or any other unfavourable measure, for having in good faith reported an infringement to the FMA.

(DOC-2018-13 – Procedures for whistleblowers reporting infringements of the regulations to the FMA; Act 2016-1691 of 9 December 2016 on transparency, anti-corruption and economic modernisation, article L.634-1 of the Monetary and Financial Code)

Last updated on 29/07/2022

Germany

  • at Oppenhoff

The draft bill of the Whistleblower Protection Act itself does not distinguish between different sectors regarding the internal reporting process. However, it contains an enumerative list of regulations from other statutes that take precedence over the Whistleblower Protection Act for the reporting of information on violations; these regulations are therefore lex specialis compared to the Whistleblower Protection Act (section 4 (1) HinSchG-E). Priority special provisions are, among others, regulated by the Money Laundering Act, the Banking Act, the Insurance Supervision Act and the Stock Exchange Act.    

Last updated on 29/07/2022

India

  • at Khaitan & Co

The Whistle Blowers Act of 2014 targets public servants and is intended to prevent corruption, misappropriation of assets and misuse of power in the public sector. Further, provided a whistleblower makes full and true disclosure of all material facts, the settlement commissions established under the Income Tax Act 1961 and the Goods and Services Tax Act 2016 have the power to grant them immunity from those statutory penalties. Similarly, the Competition Commission of India established under the Competition Act 2002 possesses the power to award a reduced penalty to an informant who is a part of an anticompetitive cartel and makes a full, true and vital disclosure. The Securities Exchange Board of India also rewards whistleblowers who are themselves guilty of violating securities law by granting anonymity and a pardon for their complete cooperation.

Last updated on 29/07/2022

Japan

  • at City-Yuwa

No, there are no special whistleblowing procedures applicable to specific economic sectors or professional areas.

Last updated on 29/07/2022

Latvia

  • at Ellex Klavins

Latvian law does not provide for special whistleblowing procedures. Whistleblowing is subject to special procedures only in cases where such special procedures are established specifically in law.

Last updated on 29/07/2022

Lithuania

  • at Ellex Valiunas

No.

Last updated on 29/07/2022

Luxembourg

  • at Castegnaro

There are special procedures currently in place in the financial sector or for state and municipal employees.

In such cases, the provisions of the Bill will supplement the less favourable provisions of these existing procedures.

Last updated on 29/07/2022

Malta

  • at Camilleri Preziosi

Sector-specific rules on reporting may be found in legislation relating to the financial services sector. Professionals or institutions carrying out a relevant activity or financial business may be subject to rules on reporting knowledge or suspicions of money laundering or the funding of terrorism.

Reports relating to the activities of persons operating within certain sectors are received and processed by the regulator, as set out in a schedule to the Act. For example:

  • the Financial Intelligence Analysis Unit is the authority responsible for the receipt of reports from any employee of a natural or legal person, subject to the Prevention of Money Laundering Act (Chap. 373 of the laws of Malta – the PMLA) or the Prevention of Money Laundering and Funding of Terrorism Regulations (Subsidiary Legislation 373.01 – the PMLFTRs), of improper practices linked to the PMLA/PMLFTRs; and
  • the Malta Financial Services Authority (the MFSA) is the authority in Malta responsible for the receipt of reports from any employee of a person or company that provides the business of credit and financial institutions, the business of insurance and the activities of insurance intermediaries, the provision of investment services and collective investment schemes, pensions and retirement funds, regulated markets, central securities depositories, the carrying out of trustee business either in a professional or a personal capacity, and any other areas of activity or services as may be under the supervisory and regulatory competence of the MFSA.

Where specific rules on the reporting of improper practices or breaches are provided for in sector-specific legislation, those laws will apply and the provisions of the Act will apply to the extent that a matter is not expressly regulated by that legislation.

Last updated on 16/11/2022

Nigeria

  • at Bloomfield LP

Yes. Some of the Codes and Guidelines with whistleblowing procedures that are industry-specific have been stated in question 1.

Last updated on 29/07/2022

Poland

  • at Baran Książek Bigaj

Regarding the internal reporting procedure, the Bill itself does not differentiate between different industries. However, sectoral whistleblowing regulations cover the banking and financial sector, insurance sector, and civil aviation sector, combating unfair competition and AML-obliged entities.

Last updated on 17/11/2022

Portugal

  • at Cuatrecasas

According to article 116-AA of the Legal Framework of Credit Institutions and Financial Companies, credit institutions must implement specific, independent and autonomous means for receiving, processing and filing reports of serious irregularities related to their administration, accounting organisation and internal supervision, and any serious signs of breaches of the duties provided for in the Legal Framework or Regulation (EU) No. 575/2013 of the European Parliament and the Council.

Last updated on 29/07/2022

Romania

  • at STALFORT Legal. Tax. Audit.

Appendix 1 to the Draft Law contains references to the special procedures applicable both EU-wide and at a national level (ie, stock-listed companies, the insurance sector, managers of alternative investment funds and offshore oil businesses). Specialists have particularly drawn attention to the fact that the vague wording of article 1 paragraph 4 of the Draft Law may exclude a large spectrum of companies involved in national defence and security from the mandatory protection of whistleblowers.

Last updated on 16/08/2022

Spain

  • at Cuatrecasas

Yes, for example in the finance sector (anti-money laundering) and antitrust.

Last updated on 29/07/2022

Sweden

  • at Lindahl

Yes, there are sector-specific regulations that have precedence over the Whistleblowing Act, such as within the financial services sector.

Also, certain professionals can be held liable for any wilful breach of qualified secrecy applicable by law.

Last updated on 02/08/2022

United Kingdom

  • at Proskauer

The UK Corporate Governance Code recommends public-listed companies implement whistleblowing procedures.

Financial services firms regulated by the Financial Conduct Authority or the Prudential Regulation Authority will be subject to regulatory rules and requirements that govern the terms and operation of their whistleblowing procedures.

Last updated on 29/07/2022

United States

  • at Proskauer

Different whistleblower statutes employ different procedures. For example, an employee cannot file a SOX whistleblower claim in a federal district court before filing a complaint with the Occupational Safety and Health Administration (OSHA) and exhausting all administrative remedies. An employee alleging retaliation under Dodd-Frank, by contrast, need not first file a complaint with OSHA; they may proceed directly to court. Similarly, many state whistleblower statutes do not erect any administrative hurdles.

Last updated on 29/07/2022