DFSA & Whistleblowing: Merely lip service to speak up will not be enough

On 7 April 2022, the DFSA became the first financial regulator in the UAE to implement a regulatory regime for whistleblowing (WB Regime). In doing so, the DFSA has moved on from ad-hoc protections found in fragmented provisions to a regime that is closely related in substance to those operated by its contemporaries in the UK and the US. The DFSA’s announcement comes at a time when, globally, investigations into regulatory misconduct prompted by whistleblowing reports are at an all-time high and regulators, both national and supra-national, are increasingly focussed on encouraging transparency and effectiveness in the way Firms handle reports of regulatory and financial misconduct.

The premise of the DFSA’s WB Regime is twofold: (i) enhanced protection for individuals who report relevant misconduct internally or directly to the DFSA; and ii) a requirement for regulated Firms to introduce appropriate and effective policies and procedures to facilitate such reporting.

In practice, this means that individuals with a “reasonable suspicion” that a regulated entity or authorised person has broken a law or rule administered by the DFSA, or otherwise committed financial crime, must be able to report their concerns internally on a confidential and/or anonymous basis, and not be subject to reprisals for having done so (note that employees can now also bypass their employee and report matters directly to the DFSA). In turn, Firms must have in place effective policies and procedures to facilitate and manage whistleblowing reports, including measures to document how those reports are assessed, handled, and if necessary escalated – including, if required, by the Firm self-reporting the misconduct to the DFSA.

What then, in practice, must a Firm do to comply with the WB Regime? Unsurprisingly, a superficial whistleblowing policy is unlikely to cut it and the focus must be on ensuring that procedures operate effectively throughout the life of a whistleblowing investigation. While the Guidance provided by the DFSA in GEN 5.4.3. provides a helpful checklist of areas that Firms should cover in their internal policy documents, the real-life issues spinning out of a whistleblowing report are myriad and the more prepared a Firm is to deal with them the more effective the protection will be for whistleblowers.

By way of example, Firms will need to consider how an individual within their organisation will make a whistleblowing report. Traditionally, Firms have set up a dedicated email address, or even a telephone hotline. But, given the need to offer confidentiality and anonymity, how and by whom are these mediums to be monitored and managed? How will a whistleblower wishing to remain anonymous be contacted for further information or provided with feedback on the outcome of their report? If previous experience is anything to go by, most whistleblowing reports will not contain allegations of serious regulatory wrongdoing, but will still need to be responded to and dealt with appropriately. Does, in that case, the Firm have in place a mechanism for WB reports to be appropriately assessed, triaged and investigated while avoiding any potential conflicts of interest? Are individuals tasked with assessing whistleblowing reports trained to distinguish between a purely regulatory matter, and one involving potentially criminal offences that may trigger ancillary reporting obligations? Importantly, how and when does a Firm decide to report a matter to the DFSA or other law enforcement authority? When should external legal advice be sought? The list of potential landmines for Firms goes on.

While each Firm must adopt an approach proportionate to the size and the nature of the work it undertakes, it is important to keep in mind that the core purpose of the DFSA’s WB regime is to: change the culture, deter wrongdoing and encourage greater reporting by enhanced protections for individuals. As a result, Firms, however large or small, must do more than merely pay lip service to its obligations.

To appreciate how seriously regulators take breaches of whistleblowing rules, one only needs to recall the scale of the fine imposed by the FCA on Barclays’ CEO Jess Staley in 2016 for attempting to unmask a whistleblower (£642,000). Consistent with this, the DFSA have included the treatment of a whistleblower to their list of aggravating and mitigating factors which could increase or decrease the amount of any financial penalty applied. It is not a far stretch to see, in the most egregious cases, the treatment of a whistleblower calling into question the fitness and propriety of a Firm or relevant members of its staff.

As for the DFSA, it will be interesting to see how it develops and enforces the WB Regime going forward. It may move closer to the FCA’s SYSC 18 by requiring Firms to appoint a “Whistleblowing Champion” with responsibility for overseeing its approach to whistleblowing, and/or follow the path of the SEC in the United States by providing financial incentives for individuals reporting the most egregious breaches. A review of the implementation of the WB Regime is scheduled for mid-2023, so we may know how the DFSA intends to deal with these sorts of issues sooner rather than later.

In terms of the wider impact, the WB Regime is likely to assist the UAE’s substantive response to its recent FATF grey-listing, and it appears inevitable that other regulatory bodies within the UAE will soon look to adopt similar measures to encourage the reporting of regulatory and financial misconduct.