It is now generally accepted that a corporate is taking a significant risk if allegations that are made – by whistleblowers, by current or former employees, by auditors, by the media, or which emerge through other means – are not taken seriously and, usually, investigated. While an internal investigation may not lead to a self-report,1 the introduction in February 2014 of deferred prosecution agreements (DPAs) in the UK means that the incentive to investigate and potentially self-report has increased. Any US nexus for the company or the problem adds to the incentive to conduct an investigation and self-report if appropriate, so as to mitigate any penalty in due course, assuming the conduct merits prosecution.
The increasing role of whistleblowers in bringing potential misconduct to the attention of authorities can create a powerful incentive for companies to self-report wrongdoing – knowing that, if they do not, the authorities may receive the information from someone else. This certainly appears to be true in the US.2
In the US, under the Dodd-Frank Act in 2010, the US Securities and Exchange Commission (SEC)3 created an Office of the Whistleblower, which is able to provide rewards (ranging between 10 and 30 per cent of the money collected) to individuals who come forward with information that leads to a penalty of over US$1 million. As a result, the number of reports has increased by more than 20 per cent: in 2014, the SEC received over 3,600 tips and issued more awards to more people for more money than in any previous year.4
In the UK, the Serious Fraud Office (SFO) launched a whistleblowing ‘hotline’ in 2011 – SFO Confidential – but despite receiving 2,508 reports in the 12 months to 30 June 2014, it only accepted 12 cases for investigation.5 The UK’s Financial Conduct Authority (FCA) received 1,367 reports in 2014 – reflecting a year-on-year increase – from which it produced over 1,100 intelligence reports; furthermore, the FCA expects to see an increase in the proportion of reports that lead directly to FCA enforcement action or other intervention, or which provide intelligence of significant value.6
Questions concerning how to deal with internal disclosures made by whistleblowers and, in those circumstances, whether, when and how to self-report matters to authorities are also issues which frequently go hand in hand, the decisive and effective management of which may help to bring about a swift conclusion to damaging and disruptive action by investigating authorities, or pre-empt any such investigation, and typically involves balancing complex questions of fact and law – criminal, regulatory and employment.
In terms of self-reporting, DPAs underline the benefits that may potentially be derived from proactively self-reporting historic misconduct, but they remain untested and it will take time for important questions to be resolved.
This article examines how authorities are using and interpreting self-reporting and whistleblowing frameworks and identifies key considerations for corporate organisations and their advisers. Although many of the points made are equally applicable in other jurisdictions, it focuses primarily on the whistleblowing and self-reporting frameworks in place in the UK. The extraterritorial reach of several pieces of key legislation (most notably the Bribery Act 2010) and the comparatively aggressive stance of UK investigating and prosecuting authorities (principally the SFO) mean that developments there are of interest to corporate organisations operating around Europe and the Middle East, even if they are based, or undertake most of their activities, outside the UK.
The current legal landscape
Whistleblowing and self-reporting are both increasingly considered to be fundamental to the ‘culture’ of an organisation. An organisation’s ‘culture’ has itself emerged as a key theme around the globe, as regulators and enforcement authorities seek to promote cultural change across organisations and businesses in the aftermath of the corporate scandals that have been headline news over recent years.
Authorities and regulators emphasise the importance of challenge; hand in hand with which are appropriate whistleblowing procedures, which are expected to be utilised by employees without any reprisal.
The SEC has recently stated that in the US it has been told by in-house lawyers, compliance professionals and law firms representing companies that since the implementation of the Whistleblower Programme, companies have reviewed and enhanced their internal compliance functions to further encourage employees to view internal reporting as an effective means to address potential wrongdoing without fear of reprisal or retaliation.7
In the UK, the FCA encourages firms to consider adopting appropriate internal procedures that will encourage workers with concerns to blow the whistle internally about matters that are relevant to the functions of the FCA or Prudential Regulatory Authority (PRA).8 Furthermore, in response to recommendations by the Parliamentary Commission on Banking Standards in 2013 that banks put in place effective mechanisms to allow their employees to blow the whistle, the FCA and the PRA have proposed a package of measures9 to formalise firms’ whistleblowing procedures which aims to ensure that all employees are encouraged to report suspected misconduct, ‘confident that their concerns will be considered and that there will be no personal repercussions’.10 One such measure is for firms to allocate responsibility for whistleblowing under the Senior Managers Regime and Senior Insurance Managers Regime to a ‘whistleblowers’ champion’ with responsibility for overseeing the effectiveness of internal whistleblowing arrangements, including arrangements for protecting whistleblowers against detrimental treatment, preparing an annual report to the board about their operation and reporting to the FCA where, in a case before an employment tribunal contested by the firm, the tribunal finds in favour of a whistleblower. On the basis that these proposals are adopted, the important role of whistleblowers is only likely to increase.
Under the Bribery Act 2010 (under section 7 of which a relevant commercial organisation commits an offence where a person associated with it bribes another person intending to obtain or retain business or a business advantage for the organisation, unless it can show that it had in place adequate procedures to prevent such bribery), the Ministry of Justice’s statutory guidance on adequate procedures also recommends that companies have in place procedures for the reporting of bribery “including ‘speak up’ or ‘whistleblowing’ procedures”.11
There is no doubt that the effect of the adequate procedures defence under the Bribery Act 2010 has been to prompt many companies to adopt or enhance anti-corruption compliance programmes. In addition, in discussing self-reporting, the SFO has been keen to emphasise in its speeches the various avenues through which it may come to hear of alleged criminal conduct including ‘from whistleblowers and disgruntled business rivals. […] Any such source can give us, or more particularly the Director, reasonable grounds to suspect the commission of an offence involving serious fraud, bribery or corruption and, with it, the power to open a criminal investigation.’12
The DPA Code of Practice sets out public interest factors for and against prosecution, which, the Director of the SFO has stated, were designed to incentivise self-reporting and effective compliance controls and encourage corporates to demonstrate that they are ‘serious about behaving ethically’. Consistent with the emphasis on good corporate governance is the fact that a self-report, among other things, is relevant at later stages in the criminal justice process: sentencing guidelines on the sentencing of corporates introduced in October 2014 (to which regard will be had in determining a financial penalty under a DPA) refer to a corporate’s culture as relevant to determining its sentence in the event of a conviction for bribery offences, among others, in the UK: a culture of wilful disregard for the commission of offences will lead to a corporate being branded at the most culpable end of the spectrum and facing the heaviest fines available.13 Further, new Public Contracts Regulations, which were introduced on 26 February 2015, allow blacklisted companies to bid for public contracts if they prove, among other things, that they have ‘clarified the facts and circumstances in a comprehensive manner by actively collaborating with the investigating authorities’.14
For corporate organisations, the benefits of proactively bringing matters to the attention of enforcement authorities are potentially significant. While there can never be any guarantee that notifying issues to enforcement authorities will elicit a forgiving approach, where disclosures by whistleblowers or previously undiscovered documents reveal credible concerns, doing so will usually maximise the chances of forging as favourable an outcome as possible.
Arrangements for self-reporting are relatively well developed in the UK although, as noted below, it is less clear than it once was that the SFO will necessarily look favourably upon approaches by corporate organisations. In February 2014, the UK was the first jurisdiction in Europe and the Middle East (and indeed anywhere outside the US) to enshrine in statute arrangements enabling cooperating corporate organisations to enter into DPAs with prosecuting authorities.15 These arrangements allow for investigations to be concluded without an immediate prosecution provided the corporate organisation concerned abides by particular conditions, which will usually include the payment of a substantial fine and the implementation of remedial measures, often including the potentially costly appointment of a monitor. Although the concept of DPAs originates from the US, the versions of these agreements that will in time be seen in the UK will differ importantly from their US cousins. The principal difference is that even where prosecuting authorities are prepared to enter into negotiations and agree proposed terms, those terms will require the approval of senior judges. Judicial comments in pre-DPA cases in the UK indicating dissatisfaction at perceived attempts to encroach on the judicial functions of deciding the appropriate level of penalties to be imposed suggest that they will subject proposed DPAs to close scrutiny.16
Although the UK criminal courts can in some (very rare) circumstances recognise cooperation by individuals with criminal investigations by granting immunity or imposing reduced sentences,17 there are no equivalent provisions enabling individuals to enter into such negotiated settlements with prosecuting authorities. Indeed, it is likely that prosecuting authorities will make the provision of assistance by cooperating corporate organisations against individuals directly involved in misconduct a condition of entering into DPAs.
Protection for whistleblowers
So far as the whistleblowers themselves are concerned, as alluded to earlier, they are generally protected from reprisals. In the UK, whistleblowers are protected by statute. Specifically, the Public Interest Disclosure Act 1998 (PIDA 1998) gives workers making ‘protected disclosures’ the right to complain to an employment tribunal where they are dismissed or suffer any other type of detriment as a result of doing so.18 It also provides that clauses purporting to prevent workers from making ‘protected disclosures’ are void.19 However, this protection is not automatic. In contrast to arrangements in place in the US, disclosures made to parties other than the worker’s employer do not fall within this definition if they are made for the purposes of personal gain. In order to benefit from the protection of PIDA 1998, it is usually necessary for the worker to have sought to resolve the matter internally prior to making a disclosure to an external agency. Under the FCA and PRA’s proposals, regulated firms’ whistleblowing arrangements would need to offer the same protections to any disclosures, including those that do not qualify as protected disclosures under PIDA.20
In other jurisdictions around Europe and the Middle East, although statutory protection for whistleblowers is in place to varying degrees, it is not as broad as that in place in the UK. Indeed, in some jurisdictions, the relatively rigid interpretation of EU data protection legislation and cultural mores has inhibited the development of whistleblowing frameworks and the extent to which they are used in practice. In some instances, disparities in the level of protection available to employees making disclosures have given rise to (hitherto unsuccessful) attempts by non-UK nationals employed under contracts governed by the laws of other jurisdictions to bring claims for unfair dismissal in the UK based upon whistleblowing disclosures.21
As noted above, the factors influencing whether or not a DPA may be considered appropriate were designed to incentivise self-reporting. However, in the DPA Code of Practice and the SFO’s public pronouncements concerning the circumstances in which DPAs will be considered appropriate,22 the SFO has sought to perform a delicate balancing act. It remains keen to encourage corporate organisations to come to it voluntarily with details of historic misconduct (not least owing to sustained pressure on the relatively modest resources available to it). However, it has been careful to make clear that it considers its primary role to be the prosecutor of the ‘top slice’ of economic crime in the UK.23 During his tenure, its Director, David Green QC CB, has made it abundantly clear that the SFO is not prepared for negotiated settlements to become the norm or for corporate organisations to expect that they will automatically follow self-reports.
Adding colour to the SFO’s expectations and, in the eyes of many defence practitioners, exceeding the parameters of what the SFO may reasonably require, other senior figures have suggested that the SFO will only consider self-reporting corporate organisations to be genuinely cooperating where they provide unfettered access to witnesses’ first accounts. They have also made clear that the SFO will not consider itself constrained from enquiring into the circumstances in which internal investigations have been conducted prior to a self-report being made.24
Notwithstanding statements by the SFO that nothing in their guidance or public statements of policy is intended to alter the law on legal professional privilege, which safeguards the confidentiality of communications between lawyers and clients in the UK, the relatively narrow definition of cooperation it has committed itself to will, in many cases, inevitably require waivers of this privilege. This may have the knock-on effect of deterring corporate organisations from coming forward in many cases, particularly where there are concerns about the potential for details of matters informing the commencement of or discovered in the course of internal investigations to become disclosable in follow-on litigation pursued by third parties claiming that they have sustained losses as the result of alleged misconduct. Many corporate organisations considering self-reporting historic misconduct harbour concerns that such a robust stance on the part of the SFO may limit the chances of a self-report leading to the negotiation of a proposed DPA to be placed before a court. They also remain troubled at the prospect that information provided during negotiations may form the basis for the construction of a case against them should negotiations fail. Until further guidance is provided, and other open questions such as the attitudes of judges towards proposed DPAs are resolved, they are likely to remain cautious.
In the UK (as is the case in other jurisdictions around Europe and the Middle East), whistleblower reports account for a proportion, although by no means the majority, of the investigations commenced by the SFO. They have led to some relatively high-profile successful prosecutions, although to date these have largely concerned individuals rather than corporate organisations.25 More, including some of the SFO’s current flagship investigations and prosecutions into large corporates, are expected to follow. In September 2013, the SFO commenced criminal proceedings against Gyrus Group Limited, the UK subsidiary of Olympus Corporation in connection with a worldwide fraud valued at approximately US$1.7 billion. That investigation flowed from the widely publicised whistleblowing disclosure made by Michael Woodford, the former CEO of Olympus. This in turn followed the commencement in December 2012 of an investigation by the SFO into Rolls-Royce, which remains ongoing and has not, at the time of writing, yielded any criminal charges.
While, as noted above, the SFO receives substantial numbers of direct whistleblower reports through its dedicated SFO Confidential hotline, constraints on resources, among other factors, mean that only the minority of these progress to formal investigations and prosecutions.
Investigating complaints by whistleblowers internally
There is no one ‘correct’ approach to investigating complaints by whistleblowers. What is necessary and appropriate when following up on disclosures will vary significantly depending upon factors including the jurisdictions, personnel and business areas involved or implicated. It is possible though to identify several key principles to help corporate organisations respond decisively and consistently and to protect their interests when they receive reports of alleged misconduct.
Clear communication underpins a successful response to a whistleblowing disclosure. It is crucial to have in place carefully delineated channels to enable staff responsible for receiving disclosures (whether through a dedicated hotline or other less formal channels) to escalate them quickly and to the right people. In particular, policies and procedures should name a designated member of the senior management of the corporate organisation (probably in its legal or compliance function) who should have a direct reporting line to the board or audit committee. Provision should also be made for how to deal with disclosures naming members of the board or the designated senior manager responsible for handling whistleblowing reports.
Not every whistleblowing report will justify the expenditure of time and resources on comprehensive internal investigations or will involve reports to authorities. When evaluating complaints made by whistleblowers, it is clearly important to guard against complacency or undue cynicism. However, level-headedness and even-handedness pay dividends. Allegations should be viewed dispassionately and, where possible, empirically tested by reference to readily available documents or by means of interviews with relevant individuals (who should be reminded of the importance of confidentiality).
Where initial enquiries show disclosures to be well founded, organisations’ responses should be guided by clear protocols. These should set out the circumstances in which external legal counsel should be instructed (which will usually be necessary at an early stage in order to preserve any applicable privileges). They may also deal with how and when other external specialist resources such as forensic IT consultants or accountants may be sourced. Appropriate senior individuals within the organisation’s human resources function should be identified to coordinate its approach towards the whistleblower and to deal with any disciplinary action in relation to other employees that may be necessary.
Once notified of the fact of serious allegations made in a whistleblowing report, it is of particular importance that the senior management of the organisation are kept appraised of the progress of enquiries into the matters disclosed by the whistleblower. As alluded to elsewhere in this article, once evidence emerges establishing that complaints appear to be well founded, the window within which corporate organisations may receive maximum credit for self-reporting actual or suspected misconduct to the appropriate authorities is relatively short.
As noted above, if the proposals of the FCA and PRA are adopted, some regulated firms’ whistleblowing procedures will require enhancement and firms would need to consider who should be appointed into the role of whistleblowers’ champion, bearing in mind that individual’s responsibility for ‘ensuring and overseeing the integrity, independence and effectiveness of the firm’s policies and procedures on whistleblowing and for ensuring staff who raise concerns are protected from detrimental treatment’.
Deciding whether, when and how to self-report
In many jurisdictions, corporate organisations (and, in some circumstances, individuals) are under regulatory obligations positively to self-report actual or suspected misconduct or allegations of such misconduct. However, where there is no obligation to self-report, deciding whether to do so voluntarily is among the most critical decisions to be taken upon receipt of a whistleblowing disclosure or discovery of material suggesting historic wrongdoing.
When determining whether self-reporting is appropriate, corporate organisations and their advisers have to balance a series of risk and other factors. There will be times when a self-report is likely to be the only sensible approach – particularly where a whistleblower has made serious allegations. In other, less clear-cut cases, while self-reporting may help to establish or maintain a favourable dialogue with authorities should a formal investigation follow or confer benefits should the matter be deemed suitable for a negotiated outcome, doing so is not without risk. Bringing matters to the attention of authorities voluntarily may prompt scrutiny that may otherwise have been legitimately avoided or may result in long and costly investigations and negotiations.
Before making a self-report, it will usually be necessary to conduct an internal investigation to test the information giving rise to concerns and to ensure that any report made to authorities is as complete and accurate as possible. How long this takes will be a function of factors including when the alleged conduct took place, how many individuals are alleged to have been involved and the availability of relevant documents and individuals for interview. It is crucial, however, to ensure that steps are taken immediately to preserve all relevant documents and that such investigations are carefully scoped and proceed expeditiously.
Where corporate organisations determine that it is necessary to make a report to authorities, the challenges facing them are to demonstrate that any self-report has been made in a timely fashion, has been made genuinely voluntarily (ie, not simply because public disclosure or a regulatory or criminal investigation is imminent) and contains enough meaningful information to enable the authority concerned to make an informed assessment as to how to proceed. In some jurisdictions, self-reporting before others secures immunity or leniency under statute. Even in jurisdictions where this is not specifically provided for, corporate organisations contemplating self-reporting should aim to be the first to do so to maximise credit. Generally, authorities will acknowledge that internal investigations into complex matters which may have occurred many years ago take time, and give credit for initial notifications once key facts have been established accompanied by indications that a fuller report will follow the completion of a more thorough investigation. In some instances, authorities will insist on being involved in internal investigations and may make provision of witnesses’ full first accounts a condition of their being prepared to entertain the prospect of a negotiated settlement.
Self-reports to authorities are not generally made in a set format, but instead usually take the form of a preliminary notification (normally verbal) soon after receiving notice of potential wrongdoing followed by a more detailed written or oral report after a detailed investigation. The nature and scope of disclosures to authorities vary significantly between, and often within, jurisdictions and may depend on whether the issues cross borders. Specifically, whether it is possible to preserve any applicable privileges by providing reports orally rather than in writing will depend on the circumstances.
Whichever format is used to report matters to authorities, corporate organisations and their advisers should assume that information provided to one enforcement authority will be passed to others and that referrals may be made where they have parallel jurisdiction over some or all aspects of the organisation’s activities. They should also not assume that disclosure to one means that others are aware of the matter and full assessments should be made of whether it is necessary to make separate notifications to other specific authorities (whether in the same jurisdiction or elsewhere) who may expect to be told of the alleged misconduct or the fact of other investigations by or at the behest of enforcement authorities.
- It may depend, for example, on the nature and seriousness of the offence, whether it is a one-off or systemic issue and whether it can be remediated swiftly.
- Speech by Mary Jo White, ‘The SEC as the Whistleblower’s Advocate’, 30 April 2015.
- Other authorities such as the Internal Revenue Service have had whistleblower programmes for many years.
- Speech by Mary Jo White, ‘The SEC as the Whistleblower’s Advocate’, 30 April 2015.
- ‘Questions over SFO funding as whistleblowers not followed up’, The Times, 7 April 2015.
- Speech by Mary Jo White, ‘The SEC as the Whistleblower’s Advocate’, 30 April 2015.
- SYSC 18.2.2 [G].
- With the consultation due to close on 22 May 2015, following which the FCA and the PRA will consider and discuss the responses to the questions, and thereafter publish policy statements containing their respective final rules.
- Ministry of Justice Guidance about procedures which relevant commercial organisations can put into place to prevent persons associated with them from bribing, at paragraph 1.7.
- Speech by Alun Milford, General Counsel SFO, ‘The Use of Information to Discern and Control Risk’, 2 September 2014.
- Sentencing Council’s definitive guidelines for fraud, bribery and money laundering offences, October 2014.
- The Public Contracts Regulations 2015, Regulation 57(15).
- Crime and Courts Act 2013, section 45 and Schedule 17.
- See, for example, the sentencing remarks of Thomas LJ (as he then was) in R v Innospec  Crim LR 665.
- Serious Organised Crime and Police Act 2005, sections 71 and 73.
- Employment Rights Act 1996, section 43B.
- Employment Rights Act 1996, section 43J.
- www.fca.org.uk/static/documents/consultation-papers/cp15-04.pdf at paragraph 2.15.
- See, for example, Smania v Standard Chartered Bank  I.C.R. 436.
- Deferred Prosecution Agreements Code of Practice, published jointly with the Crown Prosecution Service (February 2014), www.sfo.gov.uk/media/264623/deferred%20prosecution%20agreements%20cop.pdf.
- See, for example, speech by David Green QC CB, Director of the SFO given to the Fraud Lawyers Association in London on 26 March 2013, www.sfo.gov.uk/about-us/our-views/director’s-speeches/speeches-2012/inaugural-fraud-lawyers’-association.aspx.
- See, for example, speech by Alun Milford, General Counsel of the SFO, to the Global Investigations Summit in London on 15 October 2014, www.sfo.gov.uk/about-us/our-views/other-speeches/speeches-2014/alun-milford’s-speech-to-the-global-investigations-summit.aspx.
- See, for example, prosecutions of individuals associated with Torex Retail PLC, www.sfo.gov.uk/press-room/latest-press-releases/press-releases-2013/final-conviction-in-torex-retail-false-accounting-case.aspx.