Whistleblower protection: High time for a change!

The importance of whistleblowers and the vital role they play in exposing misconduct and wrongdoing in organisations and our society cannot be emphasised enough. Many cases of corruption, fraud and malpractice would never have been exposed if it were not for the courage of whistleblowers. Retaliation is a very real threat, and whistleblowers that make disclosures can be vulnerable and may risk their job, reputation or even, in extreme cases, life for uncovering wrongdoing.

Legislations in a number of the Member States of the Europe Union (EU) and Australia that sought to protect whistleblowers, were historically fragmented and disharmonious. However, both the EU and Australia have recently increased protection for whistleblowers by introducing comprehensive protection regimes.

EU Directive on the protection of whistleblowers

On 16 April 2019, the European Parliament adopted a “Directive on the protection of persons reporting on breaches of Union law” (Directive). It is an EU-wide uniform common minimum standard giving a wide range of protections to whistleblowers reporting on breaches of EU law in a work-related context. The EU Member States are required to comply with the Directive no later than April 2021.

What disclosures will be protected?

Under the Directive, protection will be afforded to whistleblowers who report breaches of EU law in areas including public procurement, financial services, public health, product safety, consumer protection, prevention of money laundering, personal data protection, avoidance of corporate tax and competition rules, etc.

Reporting channels

The Directive introduced a three-tier system for reporting irregularities. Whistleblowers are allowed to report either internally within their organisations or externally to competent authorities. However, they are encouraged to use internal reporting channels first. If, after reporting internally or externally, no appropriate action was taken within the prescribed timeframe, or he/she has reasonable grounds to believe that there is an imminent danger to the public interest or a risk of retaliation, the whistleblower may report publicly (e.g. to the media) and will still be qualified to receive protection.

Who is required to set up reporting channels?

 Internal reporting

 External reporting

  • Companies (private and public sectors) with 50 or more employees are required to set up internal reporting channels.
  • Companies with 50 to 249 employees may share resources and channels for reporting.
  • Companies with less than 50 employees may be exempt from the obligation but are encouraged to establish internal channels.
  • Reporting can be written or oral.
  • Companies must give the whistleblower an acknowledgement of receipt of the report within 7 days and feedback on the progress and outcome of the investigation within 3 months.
  • Designated competent authorities of the Member States such as judicial authorities, regulatory or supervisory bodies competent in the specific areas concerned to set up external reporting channels. 
  • Designated competent authorities must acknowledge receipt of the reports to the reporting person within 7 days and feedback within 3 months.

 

Who will be protected, and what type of protection?

The Directive introduced safeguards to prevent whistleblowers from retaliation.

Protected persons

 Protection

Persons working in the private and public sector who have access to information on breaches in a work-related context, including:

  • workers
  • civil servants
  • self-employed
  • shareholders and persons belonging to management, administrative or supervisory bodies
  • volunteers
  • paid or unpaid trainees
  • contractors
  • subcontractors
  • suppliers
  • people uncovering breaches during the recruitment process
  • ex-workers
  • colleagues or relatives affected by retaliation
  • facilitator who assists the reporting person in the reporting process

Whistleblowers are protected against any form of retaliation, such as:

  • suspension, lay off, dismissal
  • withholding promotion, demotion
  • reduction of wages, change of duties and working hours
  • discrimination, harassment
  • imposition of discipline, financial penalty
  • failure to renew employment contract or convert from temporary to permanent employment
  • financial loss, loss of business and income
  • damage to reputation, particularly in social media
  • blacklisting or business boycotting
  • cancellation of licence, permit or contract for goods or services.

 

Under the Directive, whistleblowers will not incur any liability in respect of the acquisition of, or access to, the relevant information. Also, they will not be considered to have breached any duty of confidentiality in making a report or public disclosure.

Penalties for non-compliance

The Directive requires the Member States to impose effective sanctions under applicable national law on persons or entities that hinder reporting, retaliate, bring proceedings against whistleblowers, or disclose the identity of the whistleblower.

New Australian whistleblowing law

To consolidate various whistleblower protection laws, and provide more comprehensive protection and remedies for whistleblowers, on 19 February 2019, the Australian Parliament passed the Treasury Laws Amendment (Enhancing Whistleblower Protections) Act 2019 (TLAA) which will come into force on 1 July 2019.

Whistleblowing policies

Public and large proprietary companies are required to have a whistleblowing policy in place. The whistleblowing policy must contain the following information:

  • the protection available to whistleblowers;
  • how and to whom whistleblowers can make the disclosure;
  • how the company will support and protect whistleblowers from detriment;
  • how the company will investigate disclosures;
  • how the company will ensure fair treatment of employees who are mentioned in the disclosures; and
  • how officers and employees can access the policy.

Companies have a 6-month transitional period to put in place a whistleblowing policy by 1 January 2020.

Who is eligible to make a protected disclosure?

The definition of an eligible whistleblower includes current and former:

  • officers and employees;
  • suppliers, contractors and their employees (paid or unpaid);
  • an individual who is an associate of the entity; and
  • spouses, dependants and relatives of any of the above.

To make a protected disclosure, whistleblowers must have reasonable grounds to suspect that the information concerns misconduct or an improper state of affairs concerning an entity.

To whom can an eligible whistleblower make the disclosures?

Eligible whistleblowers can make protected disclosures to:

  • the Australian Securities and Investment Commission or the Australian Prudential Regulation Authority;
  • a prescribed Commonwealth authority;
  • an eligible recipient in relation to an entity such as an officer, senior manager or an auditor; or
  • a person authorised by an entity to receive disclosures.

A whistleblower who has reasonable grounds to believe that the disclosure would be in the public interest, or concerns a substantial and imminent danger to the health or safety of persons or the natural environment, can make protected disclosures to a journalist or a member of Parliament of the Commonwealth.

Protection to whistleblowers

A range of remedies are available to whistleblowers who suffer detriment.

 Detriment

Compensation and remedies

  • dismissal
  • injury in employment
  • alteration of position or duty to the whistleblower’s disadvantage
  • discrimination
  • harassment or intimidation
  • harm or injury
  • damage to property
  • a claim may be brought against an individual or company who engaged in the detrimental conduct
  • whistleblowers may seek court orders for compensation, injunction, apology, reinstatement of employment or exemplary damages
  • whistleblowers will not be ordered by the court to pay costs incurred by another party to the proceedings, except where they institute the proceedings vexatiously or without reasonable cause, or their unreasonable act or omission caused the other party to incur the costs

 

The TLAA also allows whistleblowers to make anonymous disclosures and have their identities protected.

Penalties for breaches

Under the TLAA, significant penalties will be imposed on companies and individuals who fail to comply with the new law. Failure to have a compliant whistleblower policy in place, breach of confidentiality of the identity of a whistleblower or victimization of whistleblower can result in civil penalties and/or criminal offences.

Employers: plan ahead!

In recent years, incidents of high profile leaks have motivated local legislators and the financial services sector to call for more protection for whistleblowers. Two Legislative Council members submitted a Member’s Bill entitled “Public Interest Disclosure Bill 2016” in 2016, and moved a motion on “Legislating for the protection of whistleblowers” in the Legislative Council in October 2018 respectively, urging the government to enact a whistleblower protection legislation.

Acknowledging this as a pressing issue, the financial services sector took steps to recommend a whistleblower protection mechanism for the industry. In the Securities and Futures Commission’s (SFC) May 2017 newsletter “Enforcement Reporter”, the SFC identified corporate fraud and misfeasance as the highest risk to Hong Kong’s markets and investors, and recommended directors and senior management of listed companies establish effective whistleblowing policies to safeguard against corporate misconduct. Further to its recommendation, the SFC announced on 18 October 2018 that an online reporting system had been established for the public to report suspected corporate fraud and market misconduct. Such reports can also be made anonymously by whistleblowers to better protect their identities.

On 21 December 2018, the Hong Kong Monetary Authority (HKMA) issued a circular drawing the attention of Registered Institutions (RIs) to misconduct risks in the financial industry and recommending to them the expected standards for the prevention and management of misconduct risks. Among these, the HKMA expects RIs to provide:

(i)

an effective feedback mechanism, including whistleblowing and escalation policy, to encourage reporting of misconduct or malpractice by employees;

(ii)

an environment that protects and supports their employees in reporting any misconduct or malpractice; and

(iii) 

training programmes to cultivate a sound culture within the organisation which discourages misconduct and encourages internal reporting of misconduct by employees.

It remains to be seen whether or not the Hong Kong government would introduce a more comprehensive legislation for the protection of whistleblowers in the future. Nevertheless, employers should expect the unexpected and get ready now for change by:

  • fostering a top-down culture of support so that employees feel safe to raise concerns about fraud and misconduct;
  • developing a whistleblowing policy that contains measures to protect against retaliation;
  • establishing independent and easily accessible reporting channels;
  • providing appropriate training for employees to understand the reporting procedures and for managers and supervisors to understand how to deal with disclosures; and
  • providing an effective system for feedback to whistleblowers.