Guide to Whistleblowing

Contributing Editors

In this new age of accountability, organisations around the globe are having to navigate a patchwork of new laws designed to protect those who expose corporate misconduct. IEL’s Guide to Whistleblowing examines what constitutes a protective disclosure, the scope of regulations across 18 countries, and the steps businesses must take to ensure compliance with them.

Learn more about the response taken in specific countries or build your own report to compare approaches taken around the world.

Choose countries

 

Choose questions

Choose the questions you would like answering, or choose all for the full picture.

02. Which companies must implement a whistleblowing procedure?

02. Which companies must implement a whistleblowing procedure?

Flag / Icon

Australia

  • at Lander & Rogers

According to the Australian Securities and Investment Commission (ASIC), public companies, large proprietary companies, and corporate trustees of Australian Prudential Regulation Authority (APRA)-regulated superannuation entities must now have a whistleblower policy. Among other things, the law requires the whistleblower policy to include information about the legal protections available to whistleblowers, and how a company will investigate whistleblower disclosures and protect whistleblowers from detriment.

ASIC Regulatory Guide 270, Whistleblower Policies was created to help companies and other entities establish a policy in line with their legal obligations.

Last updated on 23/08/2022

Flag / Icon

Belgium

  • at Van Olmen & Wynant

All legal entities, including companies, with 50 or more employees (ie, full-time equivalents (FTEs)) will have to implement an internal reporting channel. This threshold of 50 FTEs will be calculated in the same way as the rules for social elections prescribe. This means that they will look at the average employment over a reference period.

Last updated on 01/08/2022

Flag / Icon

Brazil

  • at CGM
  • at CGM
  • at CGM

Private companies are not legally required to have a whistleblowing procedure, but having one is an element that may benefit them in lessening the severity of sanctions imposed in anti-corruption investigations.

The only exception is financial institutions and companies subject to the authority of the Central Bank of Brazil. Such companies must set up a whistleblower channel due to administrative ordinance 4859/2020. Please refer to question 11 as regards financial institutions and other companies subject to the authority of the Central Bank of Brazil.

Last updated on 29/07/2022

Flag / Icon
Croatia

Croatia

  • at Babic & Partners
  • at Babic & Partners

Under the WBP Act, a whistleblowing procedure must be implemented by:

  • any company falling within the scope of EU acts referred to in Part I.B and Part II of the Annex to the Directive, regardless of the number of employees employed by the  company; and
  • any company employing 50 or more employees.

Under unofficial interpretations by the officials of the Croatian Ministry of Justice and Public Administration (the Ministry), where applicable, the headcount threshold should take into account only persons employed with the company (ie, persons engaged by the company based on an employment contract) and ordinarily working for the company anywhere in the world (ie, it does not include persons engaged otherwise, such as temporary agency workers or persons engaged by the company’s group company).

To implement the whistleblowing procedure, the company must adopt a whistleblowing policy establishing procedural rules and appoint a person competent for receiving and following up on whistleblowing reports, communicating with the whistleblowers and conducting the protection procedure in connection with the whistleblowing report (WBP officer) and their deputy.

Last updated on 29/07/2022

Flag / Icon

France

  • at Proskauer
  • at Proskauer

The scope of the whistleblowing procedure is very broad. Companies with more than 50 employees, public-sector institutions, authorities and municipalities with 10,000 or more inhabitants must set up internal reporting channels for whistleblowers. 

Last updated on 29/07/2022

Flag / Icon

Germany

  • at Oppenhoff
  • at Oppenhoff

In principle, companies that regularly employ 50 or more employees are obliged to set up an internal reporting system by the time the Whistleblower Protection Act will become effective, (section 12 (1), (2) HinSchG-E). For companies with between 50 and 249 employees, this obligation will only apply from 17 December 2023 (section 42 HinSchG-E).

For certain employers, particularly in the financial and insurance sectors or for data provision companies, the obligation to set up an internal reporting office applies irrespective of the number of employees as of the entry into force of the Act (section 12 (3) HinSchG-E).   

Last updated on 29/07/2022

Flag / Icon

India

  • at Khaitan & Co
  • at Khaitan & Co

As per the Companies Act, the following types of companies are required to establish a vigil mechanism and adopt a “whistleblower policy” for directors, employees, stakeholders and any other individuals (such as auditors) to report concerns about unethical behaviour, actual or suspected fraud or violation of the company’s code of conduct or ethics policy:

  • listed companies;
  • companies that accept deposits from the public; and
  • companies that have borrowed money from banks and public financial institutions totalling more than 500 million Indian rupees.

The abovementioned companies will be hereinafter referred to collectively as “Covered Companies”.

The vigil mechanism or whistleblower policy must provide adequate safeguards against the victimisation of persons who use it. The Companies Act also requires auditors to report an offence of fraud in the company by its officers or employees if they identify or note such instances during the performance of their duties.

Last updated on 29/07/2022

Flag / Icon

Japan

  • at City-Yuwa
  • at City-Yuwa
  • at City-Yuwa

Any business operator[1] that continuously employs more than 300 workers must implement a whistleblowing procedure. Any business operator that continuously employs 300 or less workers must endeavour to implement a whistleblowing procedure. (article 11, paragraph 3 of the Act).

This applies to the questions below regarding the implementation of a whistleblowing procedure.

 

[1]   “business operator” means a corporation or other organizations and an individual who engages in business.

Last updated on 29/07/2022

Flag / Icon
Latvia

Latvia

  • at Ellex Klavins
  • at Ellex Klavins

Companies with 50 or more employees must establish an internal whistleblowing policy and an internal reporting channel. Companies with less than 50 employees can establish an internal whistleblowing policy and reporting channels at their own discretion or implement a group reporting channel.

Companies with 50-249 employees may develop a joint internal whistleblowing system and reporting channels. This applies to private entities registered and operating in Latvia. This does not extend to entities operating abroad, including group entities (eg, two companies operating in Latvia can establish one joint reporting channel).

Companies, operating in the finance sector, the area of prevention of money laundering, terrorism and proliferation financing, and the areas of transport security or environmental protection must also establish an internal whistleblowing system if they have less than 50 employees.

Last updated on 29/07/2022

Flag / Icon
Lithuania

Lithuania

  • at Ellex Valiunas

The whistleblowing procedure relating to the implementation of an internal channel must be implemented by:

  • state or municipal institutions (with certain exceptions);
  • private legal entities, other organisations, divisions of foreign legal entities or organisations (regardless of the nature of the activity) employing 50 or more employees;
  • private legal entities, other organisations, divisions of foreign legal entities or organisations, whose activity is included in the list of Acts of the European Union and Acts of the Republic of Lithuania, as approved by the minister of justice.
Last updated on 29/07/2022

Flag / Icon
Luxembourg

Luxembourg

  • at Castegnaro
  • at Castegnaro

To date, only companies in the financial and insurance industries are required to implement a whistleblowing procedure. According to the Bill, all legal entities in the private or public sector will be subject to the obligation to set up channels and procedures for internal reporting and monitoring:

  • public legal entities include any entity owned or controlled by the public sector, including municipalities with more than 10,000 residents;
  • private legal entities will only be subject to this obligation if they have at least 50 employees.
Last updated on 29/07/2022

Flag / Icon
Nigeria

Nigeria

  • at Bloomfield LP

The NCCG applies to all public companies (whether a listed company or not), all private companies that are holding companies of public companies or regulated entities, all concessioned or privatised companies, and all regulated private companies (private companies that file returns to any regulatory authority other than the Federal Inland Revenue Service (FIRS) and the Corporate Affairs Commission (CAC)).

Last updated on 29/07/2022

Flag / Icon

Portugal

  • at Cuatrecasas
  • at Cuatrecasas

Legal persons, including the state and other legal persons governed by public law that employ 50 or more employees must implement a whistleblowing procedure. Regardless of the number of employees, entities operating in the sectoral areas referred to in Part I.B and II of the Annex to the EU Directive, including financial services, products and markets, the prevention of money laundering and terrorist financing, transport safety and protection of the environment must also introduce a process. Finally, in the public sector, local governments with 50 or more employees but with less than 10,000 inhabitants are excluded.

Last updated on 29/07/2022

Flag / Icon

Romania

  • at STALFORT Legal. Tax. Audit.
  • at STALFORT Legal. Tax. Audit.

As a general rule, companies with 50 to 249 employees must establish internal reporting procedures from 17 December 2023. Article 8 paragraphs 3 and 4 of the Whistleblowing Directive provides that such a threshold of 50 employees does not apply for companies acting on the capital markets, in banking, credit, investment, insurance and re-insurance, occupational or personal pensions products or securities, meaning that they will have to organise reporting channels irrespective of their number of employees. The Romanian transposition seems to have misunderstood this stricter rule, hence (even if probably irrelevant in most cases in practice) companies from these sectors with less than 50 employees do not need to establish internal channels.

Last updated on 16/08/2022

Flag / Icon

Spain

  • at Cuatrecasas
  • at Cuatrecasas
  • at Cuatrecasas

According to section 10 of the Draft, in the private sector, natural and legal persons with 50 or more workers must establish internal information systems.

Moreover, irrespective of the number of employees, legal entities falling within the scope of European Union law regarding financial services, products and financial markets, the prevention of money laundering or terrorist financing, transport safety and environmental protection, referred to in parts I.B and II of the Annex to the Directive, will be governed by their specific regulation. In these cases, the Draft will only apply to matters not covered by said specific regulations.

Political parties, trade unions, employers' organisations and foundations created by them, insofar as they receive or manage public funds, may also implement whistleblowing procedures.

Private-sector entities that do not need to establish internal information systems but decide to do so anyway must also respect the content of the Draft.

According to section 13 of the Draft, all public-sector entities must establish internal reporting channels.

Last updated on 29/07/2022

Flag / Icon

Sweden

  • at Lindahl
  • at Lindahl
  • at Lindahl

The Whistleblowing Act requires businesses (within both the private and public sector) that at the beginning of the calendar year employ 50 or more employees to establish internal reporting channels and procedures. Internal reporting channels and procedures must be implemented by:

  • 17 July 2022, where the business employs 250 or more employees; and
  • 17 December 2023, where the business employs between 50 and 249 employees.

The Whistleblowing Act also requires competent authorities to establish external reporting channels by 17 July 2022.

Last updated on 02/08/2022

Flag / Icon

United Kingdom

  • at Proskauer
  • at Proskauer
  • at Proskauer

There is no legal requirement in the UK for companies to implement a whistleblowing procedure or policy or any requirements as to the content or form of any procedure or policy if one is adopted. However:

  • The Department for Business Innovation and Skills has published guidance entitled Whistleblowing: Guidance for Employers and Code of Practice which identifies that it is best practice for an employer to have a whistleblowing policy or appropriate written procedure. The guidance can be found here.
  • The UK Corporate Governance Code set by the Financial Reporting Council recommends public-listed companies implement a whistleblowing procedure.
  • Financial services firms regulated by the Financial Conduct Authority or the Prudential Regulation Authority will be subject to regulatory requirements that require the operation of applicable whistleblowing procedures.
Last updated on 29/07/2022

Flag / Icon

United States

  • at Proskauer
  • at Proskauer

Section 301 of SOX requires the audit committee of publicly traded companies to establish procedures for the receipt, investigation and treatment of confidential, anonymous complaints regarding questionable accounting or auditing practices. Section 301 allows for flexibility in developing appropriate procedures in light of a company’s circumstances, so long as the required parameters are met.

Last updated on 29/07/2022