The Directive does not prohibit maintaining or creating centralised whistleblowing functions within a group. The Directive requires that, where the group comprises entities with 50 or more workers, each one of them set up and operate its own internal channels (Article 8(3)). Where a central whistleblowing function exists within a group, it will be the whistleblower’s choice to decide whether to report at that level or at the level of the subsidiary where s/he works, depending on the specific circumstances of each case. A corporate policy instilling trust in the group whistleblowing function, possibly accompanied by an information policy publicising its availability and encouraging whistleblowers to report directly to the central group whistleblowing functions may result in whistleblowers tending to report there. (EC explanatory letters JUST/C2/MM/rp/ (2021)3939215 and JUST/C2/MM/rp/ (2021)4667786)
EU Whistleblower Directive FAQs in 2022
Local vs Group reporting
Where entities are part of a group, can group central whistleblowing channels suffice or do channels need to be entity specific?
Is it sufficient to offer third parties a company is engaged in business with the possibility to Speak Up via one centralized channel?
The Directive does not differentiate between the various stakeholders who might fall under the definition of “reporting person” (whistleblower). Therefore, the general rules on reporting channels apply; Where a central group whistleblowing function exists within a group, it will be the whistleblower’s choice to decide whether to report at that level or at the level of a subsidiary. (EC explanatory letters JUST/C2/MM/rp/ (2021)3939215 and JUST/C2/MM/rp/ (2021)4667786) entity they work with/for. Additional reasons come into play where the companies of the same group are located in different Member States, as rules may differ depending on the transposition laws of the Member States concerned. It must remain the whistleblower’s choice whether to have his/her report handled only at subsidiary level (because, for example, s/he suspects the headquarters to be involved in the breach) or not. In fact, if this choice were not left in the hands of the whistleblower, s/he would directly turn to external reporting channels, thereby depriving the company of the chance to swiftly address the matter without incurring reputational and/or financial damage. (EC explanatory letters JUST/C2/MM/rp/ (2021)3939215 and JUST/C2/MM/rp/ (2021)4667786)
What is the rationale for each legal entity needing to set up their own whistleblowing channel, even if a central one exists?
Reporting channels cannot be established in a centralised manner only at group level; for all medium-sized and large companies belonging to a group, they remain obliged to each have their own channels. This is justified by the need to ensure the reporting channels’ are efficient and accessible in proximity to the whistleblower. To facilitate reporting;
i) channels must be easily accessible
ii) there must be comprehensive information available on their use and on the procedures for reporting externally to the competent authorities. This must be provided on the website and/or premises of the legal entity where the whistleblower works
iii) an impartial person/department in the legal entity where the whistleblower works must be designated to follow up on the report, give feedback to the whistleblower and maintain communication with him/her;
iv) depending on how the national law transposes the provision in Article 9(2), is that whistleblowers have the right to request a physical meeting in the company with which they have a work-related relation. Moreover, the Directive encourages legal entities to open reporting channels to external persons whom they have a work-related connection with (self-employed, contractors, sub-contractors etc. – see Article 8(2), 2nd sentence). For these persons, the proximity of internal channels and procedures would be particularly important because they are only familiar with the company
To what degree do organisations need to communicate the directive, how detailed does it need to be?
It is not the Directive itself that needs to be communicated, but the details of the organisation’s whistleblowing program. This includes providing awareness of the individual organisation’s policy and procedures on whistleblowing, how to make a report (and the options available), when to make a report (what actions constitute potential misconduct), what to expect in terms of follow-up, feedback and actions, and crucially, the importance of reporting issues and the value that the organisation places on “speak-up” culture.
These communications should be continuous and included in multiple business processes. For example, during initial training and onboarding of new employees, annual reviews, policy/procedure attestation, etc. Regular (i.e. quarterly) reminders/requests by email (preferably from senior leadership). Continuous display of awareness materials on-site – posters, videos, etc.
This applies to both internal and external communications.
Should training for employees focus on the details of the Directive itself, or can it be a training course about the importance of speaking up more generally?
It is advisable to communicate the details of people’s rights in relation to the Directive as it may help to increase trust. What is more important is communicating that the organisation’s culture aligns with the requirements of the law.
Training should be focused on ensuring that people are aware of how, when and why to make a report, in addition to their right to do so. It should also be used to raise awareness of and reinforce the organisation’s values and commitment to ethical standards – use the opportunity to build trust and confidence and encourage reporting. Why is it important for your organisation that people do “speak-up”?
It is essential that such information be clear and easily accessible, including, to persons who come in contact with the entity through their work-related activities, such as service-providers, distributors, suppliers and business partners. For instance, such information could be posted at a visible location accessible to all such persons and on the website of the entity. It could be included in welcome & onboarding information and courses, and training seminars on ethics and integrity. (Rec. 59 Directive)
The Directive talks about obligations for organizations based on numbers of employees (i.e., under 50, 50 - 249, 250 and above) do these obligations apply to all financial services firms or do credit institutions have to comply regardless of number of employees?
All financial institutions, regardless of the number of employees, must comply with the Directive. The 50 employee’s threshold does not apply to the entities falling within the scope of Union acts referred to in Parts I.B and II of the Annex of the Directive: e.g. financial services and capital markets, banking, credit, investment, insurance and re-insurance, occupational or personal pensions products, securities, investment funds, payment service. (Art 8.3 Directive)
How will the Navex platform adjust so the local reporting channel requirement imposed by the EU Directive are met?
To accommodate local reporting channel requirements the web and phone intake screens can be configured with additional intake questions that will trigger case routing to legal entity specific tiers in the EthicsPoint system. These tiers can be configured to allow access to only authorised users for that entity.
Regional legislative reporting requirements will be configured during set-up of the hotline.
WhistleB provides three standard plans, each of which has a different number of Reporting Channels (web reporting sites) available. There is also a Premium Plus plan that has been designed with the EU Directive in mind, and is designed for international organisations with many subsidiaries. This means the organisation can set up Reporting Channels for each legal entity, access to these channels can be limited to specific users/teams. Customers have the option of between 1-50 Reporting Channels.
If IVR (phone reporting) is used, the transcribed IVR messages can also be connected to a specific Reporting Channel.
Can whistleblowers use apps and technology available to inform the media or legal firms?
The reporting person can decide which medium (channel) is used to issue a report. It is the recipient’s responsibility to ensure the protection and anonymity of the reporting person as determined by relevant law. Note that if a company chooses to outsource the operation of reporting channels to an external platform provider, for example, it will have to split the two functions: the external platform provider will be responsible for receiving the reports and acknowledging receipt within 7 days, whilst the designated person/department within the company will be responsible to diligently follow up on such reports and give feedback. (EC explanatory letters JUST/C2/MM/rp/ (2021)3939215 and JUST/C2/MM/rp/ (2021)4667786)
Further updates on the Directive
How can I keep up to date on the national law transpositions of the Directive as they emerge and what it means I need to do for my company to comply?
At Navex we ensure we have the latest information from all EU Member States regarding their national law transposition of the EU Directive as it happens. Our legal team and EU Whistleblower Specialists are connected to a series of legal partners across Europe to ensure we are up to date on the latest developments. We make sure to share this information with our clients and partners through our newsletters and website as soon as possible.
If you have any questions or need further assistance, please contact us and a member of the team will be happy to help.