The New Financial Services Whistleblowing Regime: The impact for all regulated firms
The FCA and PRA have responded to public demand for greater banking accountability with new whistleblowing rules. These came into force on 7 September 2016 for banks, building societies, credit unions and some investment and insurance firms. They are part of a range of new accountability measures including the Senior Managers Regime and changes to remuneration structures, conduct rules and market abuse protection. We look at what it means for the wider sector.
The new rules are in the handbook now and are already applicable to all 600,000 authorised firms on a non-binding basis. The regulators are starting consultation in 2016 on the details for extending these rules to all firms. The Treasury has confirmed that it will be extended and set a target implementation date for early 2018. One of the aspects of the consultation will be proportionality in applying a regime across such a wide variety of firms. There are concerns over an increase in bad faith whistleblowing for personal rather than public interests. Currently all political parties want to hold financial and health services accountable and we can expect no let-up on whistleblowing.
Although non-binding, the handbook is now part of firms’ dialogue with both whistleblowers and regulators. For example, the new rules are already having an effect on termination and settlements. For firms with past whistleblowing problems and dialogue with the regulator over implementing governance of policy improvements more widely, change now is something the regulator expects. Many firms are already engaging with the future implementation of the senior managers regime (of which whistleblowing is a part) prior to it becoming mandatory.
Most firms will consider matters now, make some adjustments and diarise forward the introduction of a new full policy and the training and new Whistleblowing Champion to a time after the regulations for all firms have been finalised and the 2018 deadline set. Here are some points for all firms to consider now:
The board should be proactive now
It would be sensible for all firms to document the making of a positive board decision about when they will go about implementing changes and that they will consider the handbook guidance on all whistleblowing investigations and on all terminations from now on. A positive board statement about an open culture should be made and a timetable set for a review and gap analysis of the current position compared to the new rules. Although not appearing in a firm-wide policy, some decisions around who should be having an eye on the new changes and ensuring compliance and better risk management can be made now.
Amend very out of date policies
It might also be sensible for firms to amend any already out of date policies, some of which have not been updated for a long time. For example: policies that attempt to forbid or discipline those who do not come to the firm first with concerns; policies that apply sanctions for those making disclosures that do not match the confines of protected disclosures. Also, it might be sensible for firms to ensure that they have a channel for disclosures that is as independent as possible now. Many firms will have this already, through hotlines for example. This interim change will not be a difficult adjustment for some.
Tool up for whistleblowing investigations
A careful eye needs to be kept on the new self-certification and the referencing regimes which will also apply to all firms. Firms’ deadline for first issuing certificates for individuals under the certification regime is 7 March 2017. The final rules on this were due now but are stuck in consultation on key points. If, as seems likely, firms are required to keep records for 6 years which will include any whistleblowing investigations into any authorised individual, how those investigations are handled and documented is relevant now. It could directly affect the ability of authorised individuals to be certified, promoted or move from firm to firm. Whistleblowing investigations can often be complex, time-critical and labour intensive. They can sometimes do considerable harm by themselves if mismanaged, regardless of the outcome. Training up on new skills will be needed, including how in-house or outside counsel can make use of privilege in their advice.
Termination and settlement
New approaches to termination technique and settlement terms for whistleblowers are needed now. Firms are finding it increasingly hard not to use the handbook template wording for settlement agreements so that employees are not required to warrant that they have not gone to the FCA and have told the firm all they are worried about. Not only is the new template for agreements gaining traction for many firms already, the landscape of claims, reputation and regulatory risk has also changed.
Tribunal claims handling
Firms need to adjust how they defend claims, as reference to the new handbook and the question of reports to the regulators, certification and referencing are now all factors.
The same goes for these. One eye needs to be on who did or who should have come forward with concerns raised to the regulator and how they were treated.
Consider early reporting
There is no direct regulatory duty to blow the whistle but the conduct rules (also updated in the Senior Managers Regime) do include a duty to “disclose appropriately any information of which the FCA or PRA would reasonably expect notice” (rule 4). For very serious issues firms need to consider the SFO guidance on Deferred Prosecution Agreements for those making early reports.
Watch for an increase in whistleblowing
The increased regulatory protection is available now. The common law has increased protection for those victimised for coming forward. The bounty concept in US securities whistleblowing is relevant to many firms with US operations. Although rejected by government and FCA in the UK, bounty is going to return to the debate. Some are going to see the new rules as a troublemakers' charter. Others will see the increased volume of concerns being raised as a sign of a positive culture so that issues can be resolved at an earlier stage.
Currently many firms refer concerns raised to HR or compliance as they are not strictly covered by the whistleblowing policy which limits itself to what is protected by law. Even if firms are not yet required to extend protection, it is prudent to apply the fuller rigour of a whistleblowing investigation to issues that it is apparent at the filter stage could have significant ramifications.
Data protection review
Many firms have data policies that are under constant review. For example, those firms with a US head office are well advised to address whistleblowing policy from the data protection point of view given the strict rules, wide extent of confidential information/data covered by US whistleblowing protection, compulsory hotline and a litigious response to the slightest adverse reaction from firms, called retaliation claims. Global data policy changes need to see the UK changes coming.
These are also under constant review. The degree to which whistleblowers can and cannot reveal confidential or proprietary information outside the firm is a potential cyber risk. The pattern of whistleblowers hiding themselves from detection to reveal very large amounts of evidence in public is likely to be on the increase.
Consider changing roles
Overall responsibility rests with the board and then also with the Senior Managers (including Whistleblowers' Champion). Day-to-day responsibility can be delegated to the board committees, HR, internal audit, legal or compliance functions. The banks are finding that there was a great deal of confusion over who is responsible for various functions and indeed the new regimes are changing these functions. Firms need to see this coming from an overall governance and management point of view. The regulators are soon to publish their decision on whether general counsel can be Senior Managers.
There is a great deal of noise about the new changes and confusion, not least because of overlapping global regulations, a slow release of many and an outcomes-based approach to the drafting that some consider imprecise. Some commentary has been scaremongering. Some risks exaggerated. Many firms will already have a good culture when it comes to internal alerts as to problems. The whistleblowing policy is rarely used because issues are spotted early and dealt with. It is worth reminding ourselves that the new regime could have gone a lot further. The independent Whistleblowing Commission recommendations have not all been implemented. Public Concern at Work published a five-year review in August which recommended that the Commission’s 2013 Code of Practice become a legal requirement and identified views that, until the law can protect whistleblowers more effectively, many will continue to feel unable to come forward. It still remains hard for whistleblowers to come forward internally, let alone externally, with the evidence needed for an effective investigation. In many circumstances the FCA will not act without the information, yet the act of giving might be a serious breach by the employee. Anonymity cannot be guaranteed as in some cases investigation cannot work without knowing the source. Firms can and should protect their proprietary information from misuse.
Employment law does not extend to protect the wider disclosures the handbook requires firms to address. The FCA will not fully protect individuals; their sanctions are against firms and approved persons.