Whistleblowers: The UK Perspective

19.1Introduction

Recent years have seen an increasing focus on whistleblowing as a cornerstone of good corporate culture. By helping to uncover wrongdoing or errors within an organisation, effective whistleblowing procedures are integral to good governance and risk management. They allow problems to be identified early, providing an opportunity to rectify shortcomings and to prevent a crisis. Being aware of issues also allows businesses to manage market-notification obligations and public relations, identify poor performance and potentially avoid costly employment litigation.

The focus on whistleblowing as fundamental to good governance has been particularly evident in the financial sector, where a key feature of the Senior Managers and Certification Regime (SMCR) is a requirement for firms to appoint a ‘whistleblowers’ champion’. However, the role of whistleblowing has also been the subject of scrutiny outside the regulated sector. For example, a 2015 report into whistleblowing in the National Health Service (NHS) provoked a series of reforms aimed at ensuring that speaking up becomes ‘business as usual’ within the NHS. A principal aim of those reforms was to mirror the open reporting culture in other safety-critical sectors, most notably aviation.^[2]

While there is no general obligation on workers to disclose wrongdoing, certain categories of employee – particularly those in the regulated sector – may have specific reporting obligations to their employers or regulators. The Employment Rights Act 1996 (ERA), as amended by the Public Interest Disclosure Act 1998 (PIDA), provides protection to workers who blow the whistle by protecting them against detrimental treatment and (in the case of employees) from being dismissed for making certain specified types of ‘qualifying protected disclosures’. Compensation for successful Employment Tribunal whistleblowing claims is uncapped. Such legal protections relate only to dismissal or detriment in an employment context and do not provide immunity from criminal prosecution where a whistleblower is implicated in criminal conduct.

Outside the financial services sector, there is currently no requirement for organisations in the United Kingdom to have whistleblowing mechanisms. However, the EU Directive on the protection of persons reporting on breaches of Union law (the Whistleblower Directive) was formally adopted in October 2019. Among other measures, the Directive – which Member States have until October 2021 to implement – will require organisations with 50 or more employees to establish internal reporting channels and respond to reported concerns within three months.^[3] In addition, in July 2019 a report of the All Party Parliamentary Group (APPG) for Whistleblowing recommended the introduction of mandatory internal and external reporting mechanisms along with meaningful penalties for those who fail to meet the requirements across all sectors.^[4]

The APPG has also urged the government to ban the use of non-disclosure agreements (NDAs) in whistleblowing cases.^[5] The use of NDAs in settlements with employees has attracted considerable media attention in the wake of the #MeToo movement.^[6]

19.2The legal framework

19.2.1Public Interest Disclosure Act 1998 and Employment Rights Act 1996

Whistleblowing legislation was introduced in 1998 following the realisation that a number of high-profile disasters may have been prevented or their effect reduced if a worker had spoken up, or their employer had listened to them.^[7] PIDA came into force in July 1999, inserting new sections into ERA. PIDA provides two key protections: unlawful detriment (protecting employees and workers, including some LLP members^[8]) and automatically unfair dismissal (protecting employees). There is no qualifying length of service for bringing whistleblowing claims.

19.2.1.1Unlawful detriment

Subjecting a worker to a detriment because they have made a protected disclosure is unlawful. Detriments include, but are not limited to, pay cuts, limiting career prospects and disciplinary action. Detriments after termination of employment also qualify,^[9] so employers should proceed cautiously when drafting references.

19.2.1.2Automatically unfair dismissal

Dismissing an employee who has blown the whistle is automatically unfair if the reason, or principal reason, for the dismissal is that they have made a protected disclosure. Since compensation for successful whistleblowing unfair dismissal claims is uncapped, compensation can be high – especially if the individual encounters difficulty finding a new job because of the dismissal.

19.2.1.3Qualifying disclosures

Six categories of disclosure are protected as ‘qualifying disclosures’. The disclosure must, in the worker’s reasonable belief, tend to show that one or more of the following failures has occurred or is likely to occur:

• a criminal offence;
• breach of a legal obligation;
• a miscarriage of justice;
• danger to the health and safety of any individual;
• damage to the environment; or
• the deliberate concealment of information about any of the above.

Since 2013, to make a qualifying disclosure the worker must reasonably believe that the disclosure is in the public interest.^[10] ‘Public interest’ is not defined, but in Chesterton Global and Verman v. Nurmohamed ,^[11] the Court of Appeal decided that the interests served by the disclosure do not have to extend outside the workplace. The Court found that four considerations are relevant:

• the number of people affected by the disclosure;
• the nature of the interests affected;
• the extent to which those interests are affected; and
• the identity of the alleged wrongdoer.

Anything that affects a class of people could potentially be caught, so employers should take a cautious approach. It is possible that ‘everyday’ employment disputes over contractual terms will have a public interest element, especially where these have serious implications or impact large numbers of people (for instance, remuneration issues in public limited companies and financial institutions). Issues such as discrimination or equal pay at work might also have a public interest element.

So long as the worker believes, acting reasonably, that the relevant failure has occurred or is likely to occur, they will be protected even if their belief turns out to be wrong.^[12] However, for a belief to be ‘reasonable’ it must be founded in more than unsubstantiated rumour or opinion.

Since 2013, there is no longer any requirement for the disclosure to be ‘in good faith’. However, if an employment tribunal upholds an employer’s argument that a disclosure was made in bad faith, it has the power to reduce compensation by up to 25 per cent. Case law suggests that disclosures made predominantly for personal interest or with malice are not in good faith.^[13]

19.2.1.4Vicarious and personal liability

Vicarious liability

In June 2013, the Enterprise Regulatory and Reform Act 2013 introduced the concept of vicarious liability into whistleblowing law. It imposes vicarious liability on an employer for detriments caused to a worker by co-workers (and in some cases by agents of the employer) on grounds that the worker made a protected disclosure.^[14]

The employer will have a defence if it took all reasonable steps to prevent the detrimental treatment. Having an appropriate whistleblowing policy and providing training to support this will be key to an employer’s ability to evidence this.

Personal liability

Claimants can pursue individuals personally for liability arising from whistleblow­ing detriments. Doing so is often tactical. In Timis and another v. Osipov,^[15] the employment tribunal and Employment Appeal Tribunal held that two non-executive directors were jointly and severally liable for the losses flowing from Mr Osipov’s dismissal (totalling approximately £1.75 million).

19.2.2EU Directive and UK implementation

In October 2019, the Council of the European Union formally adopted the Whistleblower Directive.

Since the United Kingdom already grants whistleblowers comprehensive protection, for the most part the provisions of the Whistleblower Directive do not supplement the whistleblower protection already available under the UK domestic legislation. However, the following differences should be noted:

• organisations with 50 or more employees will be required to establish internal reporting channels for the reporting of breaches of Union law, to acknowledge receipt of a report within seven days and to respond to reported concerns within three months; and
• whistleblowers will also have the right to make an external disclosure to a competent national authority or, in limited cases, a public disclosure.

Member States have until October 2021 to implement the Directive. Whether the United Kingdom remains under such an obligation will depend on the terms of its anticipated departure from the European Union. Protect,^[16] the whistleblowing charity, has urged the UK government to bring the new provisions into domestic law post-Brexit.

19.2.3Non-disclosure agreements and whistleblowing

An NDA – a contractual commitment that a party (or parties) will keep certain information confidential – is a provision commonly included in settlement agreements between employers and departing employees. Under an NDA, confidentiality may attach to the terms of the settlement agreement and to the amount of any sums paid under it, as well as to the underlying complaints that the employee made. If the NDA is breached, the other party can seek damages for breach of contract.

In the wake of the #MeToo movement, the use of NDAs by employers has come increasingly under the spotlight and has been criticised, in particular, as a means of silencing whistleblowers. In July 2019, the APPG for Whistleblowing urged the government to ban the use of NDAs in whistleblowing cases.^[17]

Any NDA clause designed to prevent a worker from making a whistleblowing disclosure is void under section 43J of ERA and therefore unenforceable. Seeking to rely on an NDA to prevent whistleblowing disclosures could amount to an unlawful detriment against the employee or worker, as well as risking additional adverse publicity if the issue becomes public.

Firms authorised by the Financial Conduct Authority (FCA) are under specific obligations when it comes to settlement agreements with workers. Lawyers advising clients on NDAs must also consider their professional obligations.

19.2.4FCA/PRA systems and controls requirements

Both the FCA and the Prudential Regulation Authority (PRA) expect firms to implement and maintain appropriate and effective internal whistleblowing arrangements as part of an effective risk management system.^[18] The FCA’s rules and guidance are contained in SYSC 18 of its Handbook, which applies to SMCR banking and insurance sector firms. SYSC 18 also serves as non-binding guidance to all other firms authorised under the Financial Services and Markets Act 2000 (FSMA). The PRA’s rules are higher level and found in Section 2A of the PRA Rulebook.

The SYSC 18 requirements fall into three categories:

• maintenance of appropriate and effective arrangements for whistleblowing;^[19]
• appointment of a whistleblowers’ champion;^[20] and
• settlement agreements with workers.

19.2.4.1Maintaining appropriate internal whistleblowing arrangements

While firms are required to establish, implement and maintain appropriate and effective arrangements for the disclosure of reportable concerns (including concerns related to suspected market abuse) by whistleblowers, neither regulator has prescribed what the arrangements should be. FCA guidance suggests that firms may choose to draw on relevant resources prepared by whistleblowing charities or recognised standards-setting organisations, such as Protect. The regulators recognise that whistleblowing arrangements may vary between firms^[21] and that firms may use third parties to provide aspects of their whistleblowing services, with appropriate quality controls and monitoring.

The arrangements that a firm has in place should allow effective escalation of reportable concerns, including to the FCA and PRA. This requirement is aligned with PRA Fundamental Rule 7 and FCA Principle 11, according to which firms must deal with their regulators openly and co-operatively and disclose appropriately anything relating to the firm of which the regulators would reasonably expect notice. Beyond these broad principles, a firm’s arrangements should:

• allow for disclosure to be made through a variety of means (for many firms this will mean through an online system, a telephone hotline, a third-party provider or a designated team);
• handle a whistleblower’s request for confidentiality or anonymity;
• include reasonable measures to ensure whistleblowers are not victimised;
• provide feedback to whistleblowers on their concerns, where appropriate and feasible;
• include record-keeping of reportable concerns;
• include maintenance of up-to-date whistleblowing policies and procedures that are readily available to the firm’s employees;
• allow for the preparation of an annual report to the firm’s governing body on the effectiveness and operation of the firm’s processes;
• include training for employees, managers and those responsible for operating the firm’s internal arrangements;
• include reporting to the FCA and PRA if firms lose an employment tribunal claim based on detriment suffered from making a protected disclosure; and
• ensure UK employees are made aware of the FCA’s and PRA’s whistleblowing services and that they can approach either regulator direct without first raising a concern internally.

19.2.4.2The whistleblowers’ champion

A key component of the SMCR is a requirement for firms to appoint a whistleblowers’ champion with responsibility for ensuring and overseeing the integrity, independence and effectiveness of the firm’s policies and procedures on whistleblowing. The FCA expects that this role will be filled by a non-executive director.^[22] Assignment of specific responsibility for whistleblowing to a senior person – preferably the chairman – was a recommendation of the June 2013 report of the Parliamentary Commission on Banking Standards, Changing Banking for Good, and is consistent with the broader trend towards senior management responsibility in the UK regulatory regime. This is reflected both in the fact that the whistleblowers’ champion is now a prescribed responsibility under the SMCR,^[23] and in the guidance that the whistleblowers’ champion should have a level of authority within the firm sufficient to carry out their function.^[24]

The whistleblowers’ champion is also expected to ensure that an annual report is presented to the board regarding the effectiveness of whistleblowing systems and controls. The FCA and PRA have not been prescriptive about how whistle­blowers’ champions perform their role, and have acknowledged that firms are likely to take different approaches depending on their structure and size.^[25] In smaller firms, the whistleblowers’ champion may choose to take a ‘hands-on’ role, possibly in concert with his or her support staff, receiving disclosures personally and taking responsibility for disseminating reports within the firm, tracking progress, making external reports, feeding back to whistleblowers where appropriate and reviewing settlement agreements. In larger firms, whistleblowers’ champions are more likely to perform their function by delegating day-to-day operations to a dedicated whistleblowing function while retaining an oversight role. The PRA expects the whistleblowers’ champion to have access to resources and information sufficient to carry out their role.^[26] In practice this is likely to include a regular suite of management information on the number and outcome of reportable concerns, as well as analysis or oversight of patterns in data – for example particular business units or offices in respect of which reportable concerns are more frequently raised.

19.2.4.3Settlement agreements with workers

The FCA’s rules require a firm to include in a settlement agreement with a worker a term making clear that nothing in that settlement agreement prevents the worker from making a protected disclosure. ^[27]

19.2.5Competition and Markets Authority and whistleblowers

In exceptional circumstances, the Competition and Markets Authority (CMA) offers rewards of up to £100,000 for information about cartel activity. The rewards are provided at the discretion of the CMA subject to factors including the value of the information, the harm done to consumers and the risk the whistleblower has taken to provide the information.^[28]

The CMA also operates a leniency programme according to which businesses and individuals who have participated in cartel activity may apply for immunity or leniency from financial penalties and immunity from criminal prosecution and director disqualification.^[29] Complete immunity from sanctions might be granted provided the individual or business is the first to report and confess their involvement, they co-operate fully and there was no pre-existing investigation by the CMA.

Companies or individuals thinking about applying for leniency may, before doing so, approach the CMA for confidential guidance on a no names basis by calling the dedicated CMA’s cartels hotline.^[30] On 22 October 2018, the CMA launched its nationwide ‘Stop Cartels’ campaign, designed to encourage whistleblowing.^[31] Following its launch, tip-offs to the CMA have risen by over 30 per cent,^[32] with approximately 22,000 people having visited the campaign page.^[33] However, the CMA’s whistleblowing statistics from 2017 to 2018 indicate that only 23 cases required initial investigation or further investigation by the CMA.^[34]

19.2.6Serious Fraud Office and online whistleblowing

The SFO launched its whistleblowing service in 2011. Originally established as a telephone hotline, reports are now made electronically to the SFO’s Intelligence Unit through its secure reporting form.^[35] The SFO reporting service enables companies’ executives, staff, professional advisers and business associates to provide information about cases of serious fraud, bribery or corruption – whether as a whistleblower or on behalf of a company making a self-report. Whistleblowers are initially encouraged to follow the whistleblowing procedures in their own organisation if they suspect wrongdoing in the workplace. If the whistleblower is not comfortable, or there are no procedures, then they should approach the SFO or another prescribed body.^[36]

Between 1 April 2017 and 31 March 2018, the SFO’s Intelligence Unit managed 102 qualifying^[37] whistleblowing disclosures. The SFO took further action in relation to 91 disclosures.^[38] However, the take-up of cases for investigation by the SFO remains low, with only 10 criminal investigations opened in 2018.^[39] In considering whether to authorise an investigation, the Director of the SFO will take into account the actual or intended harm that may be caused to the public, the reputation and integrity of the United Kingdom as an international financial centre or the economy and prosperity of the United Kingdom.^[40]

Although there are means to report online via the SFO or National Crime Agency (NCA) websites, no single centralised mechanism exists to report ­bribery offences. To address this, the Home Office has committed to launching a new reporting mechanism for allegations of bribery and corruption in line with the government’s anti-corruption strategy.^[41] How this will interact with existing reporting mechanisms remains to be seen.

19.2.7Human rights considerations

Demonstrating respect for human rights is increasingly important for businesses. In recent years, there has been a proliferation of ‘soft law’ standards encouraging companies to manage more closely their human rights risks and impacts. The key development in this area were the UN Guiding Principles on Business and Human Rights (UNGPs),^[42] around which there has been widespread business convergence since their endorsement by the UN in 2011. The UNGPs require that business enterprises ‘respect human rights’,^[43] which means that they should avoid infringing on the human rights of others and should address adverse human rights impacts with which they are involved.

While business and human rights was previously the domain of ‘soft law’ instruments, we are increasingly seeing laws that require companies to report on their human rights risks and impacts. For example, section 54 of the Modern Slavery Act 2015 requires companies with an annual turnover of £36 million or more to produce a slavery and human trafficking statement for each financial year, either illustrating the steps the organisation has taken to ensure slavery and human trafficking is not taking place in any of its supply chains and any part of its business or confirming that the organisation has taken no such steps. Similarly, section 414CA of the Companies Act 2006 ^[44] requires certain large companies to prepare a non-financial information statement containing information on a company’s respect for human rights and a description of policies pursued by a company in relation to respect for human rights.

Businesses have realised that, to fulfil their obligations to respect human rights under the UNGPs and report effectively pursuant to these disclosure regimes, they need to conduct more extensive due diligence on their operations to understand their potential human rights risks and impacts. A properly functioning whistleblower system should enable human rights impacts to be identified, managed and (hopefully) remediated early and completely, preventing harm from escalating. Many companies have implemented whistleblowing policies to support the management of human rights and supply chain risk, which is recommended in Home Office guidance.^[45]

While whistleblowing can serve as a tool for identifying potential human rights risks and impacts, it is important to recognise the potential human rights consequences if the whistleblowing procedures do not contain sufficient protections for the whistleblower. This includes impacts on the rights to privacy and freedom of speech, which are protected under Articles 8 and 10 of the European Convention on Human Rights. These human rights are qualified, in that they need to be balanced against the public interest (or indeed the corporate interest) in identifying where human rights impacts have occurred and where laws may have been broken. The regulatory regimes governing the design and implementation of whistleblowing procedures are designed to balance these competing interests. However, human rights considerations should underpin the design and operation of an effective whistleblowing regime and used to resolve any ambiguity in the regulation.

19.3The corporate perspective: representing the firm

When representing a regulated firm involved in a whistleblowing investigation, regard must be had both to the firm’s compliance with the systems and controls requirements outlined above and to individual managers’ personal obligations under the SMCR.

The SMCR requires most individuals employed in the UK banking and insurance sectors to adhere to the FCA’s and PRA’s Individual Conduct Rules.^[46] Senior managers must also comply with the Senior Manager Conduct Rules, while non-executive directors (who are not themselves senior managers) are subject to Senior Manager Conduct Rule 4 as well as the Individual Conduct Rules. At the time of writing, the SMCR was due to be extended to certain other financial services firms, including asset management firms and non-bank mortgage lenders, from 9 December 2019.

Certain individual rules may require the relevant individuals to disclose information to the regulators. In the context of whistleblowing, this means that information received via internal whistleblowing channels may, in turn, need to be escalated to the appropriate regulator.

19.3.1.1Individual Conduct Rules

The FCA/PRA Individual Conduct Rule 3 stipulates that relevant individuals must be open and co-operative with the FCA, the PRA and other regulators with appropriate jurisdiction. The FCA’s Code of Conduct Handbook (COCON) provides specific guidance as to what this rule requires.

COCON 4.1.10 provides guidance that there is no duty on a person to report information directly to the regulator concerned unless they are one of the persons responsible in the firm for reporting matters to the regulator (although if a person takes steps to influence the decision not to report or acts in a way that is intended to obstruct the reporting of the information to the regulator, they will be treated as if they had taken on responsibility for deciding whether to report that matter).

Those operating a whistleblowing function will not therefore automatically assume direct responsibility for escalating reportable concerns to the regulator. However, firms should ensure that appropriate arrangements are in place so that those responsible for regulatory reporting are informed on a timely basis of issues likely to be of interest to the regulator identified through the whistle­blowing channels.

19.3.1.2Senior Manager Conduct Rules

The FCA/PRA Senior Manager Conduct Rule 4 requires senior managers and non-executive directors to disclose appropriately any information of which the FCA, PRA or other regulator with appropriate jurisdiction would reasonably expect notice (even where the regulator has not requested such information). While there is overlap between FCA/PRA Senior Manager Conduct Rule 4 and Individual Conduct Rule 3, COCON 4.2.26 makes clear that these are distinct obligations requiring proactive disclosure rather than just accurate responses to regulatory enquiries. COCON 4.2.28 clarifies that senior managers (or non-executive directors) need not report information outside the scope of their responsibility. However, once they become aware of the information (including through whistleblowing) they should make enquiries to satisfy themselves that it is being dealt with by the appropriate individual.

19.3.1.3Approved persons

Until the SMCR is extended in December 2019, relevant individuals employed by firms outside the banking and insurance sectors will continue to be governed by the approved persons regime. Statement of Principle 4 of the Statements of Principle and Code of Practice for Approved Persons broadly reflects Senior Manager Conduct Rule 4, although the accompanying guidance differs slightly.^[47]

19.3.2Whistleblowing as part of adequate or reasonable systems and controls

19.3.2.1Bribery Act 2010 and adequate procedures

Under section 7 of the Bribery Act 2010, a company can be criminally liable for failing to prevent bribery committed for its benefit by one of its associated persons.

It is a defence for a company to show that it had adequate procedures in place designed to prevent bribery by its associated persons.^[48] Guidance published by the Ministry of Justice suggests that such procedures are likely to include, among other measures, procedures for the reporting of bribery including ‘speak up’ or ‘whistleblowing’ procedures.^[49]

19.3.2.2Criminal Finances Act 2017 and reasonable procedures

Under sections 45 and 46 of the Criminal Finances Act 2017, a company can be criminally liable for failing to prevent the facilitation of UK or foreign tax evasion offences by its associated persons.

It is a defence for a company to show that it had reasonable prevention procedures in place. Guidance issued by HM Revenue and Customs (HMRC) suggests that such procedures are likely to include, among other measures, protection for whistleblowers (with no retribution).^[50] In February 2019, HMRC launched an online reporting form for authorised representatives to self-report a failure to prevent the facilitation of tax evasion on the part of their organisation.

19.3.3Changing regulatory expectations

In November 2018, following its review of firms’ whistleblowing arrangements in the retail and wholesale banking sector, the FCA published examples of good practice and areas for improvement with respect to policies and procedures, the role of the whistleblowers’ champion and the annual whistleblowing report and training.^[51]

The FCA noted that some firms had a clear policy and other arrangements for ensuring whistleblowers were protected against victimisation, both during and following an investigation. For example, one firm monitored employment records for 12 to 18 months after a reportable concern had been investigated, to identify victimisation. The FCA also commended firms that had a variety of reporting channels for employees to raise concerns, with one firm providing whistleblowers the option of giving their contact details to a third-party hotline provider instead of to the firm. In contrast, the FCA was concerned by incorrect statements on the part of some firms that employees must raise whistleblowing concerns internally before contacting the FCA.

Good practice observed in respect of the whistleblowers’ champion and annual report included senior individuals being able clearly to articulate the importance of a ‘speak up’ culture; champions having a good understanding of their roles and responsibilities, including providing independent oversight; one champion contacting whistleblowers to determine whether they had suffered adverse consequences or victimisation; reviews of effectiveness of whistleblowing arrangements by either the second or third line of defence or through third-party whistleblowing organisations; and staff surveys to ensure that employees knew how to raise concerns. The FCA did, however, find firms whose annual reports lacked detail or were still under development.

Good practices observed by the FCA with respect to training included the provision by some firms of separate training for managers and investigation teams. In the FCA’s view, this approach helped to ensure that managers were equipped to provide the necessary management and support to those raising concerns. Good firms also provided training to senior leadership teams, especially where they were involved in assessing reportable concerns. At the same time, the FCA noted that most firms needed to improve the content of their training.

In May 2019, the FCA published its industry feedback with respect to wholesale banking.^[52] It identified several practices as examples of ‘encouraging’ whistleblowing initiatives implemented by firms, including:

• engagement by managers and staff directly with a whistleblower to understand fully what he or she would like to achieve and make a sustained effort to manage appropriately the whistleblower’s expectations;
• outsourcing of analysis on all whistleblowing cases to ensure fair and confidential treatment;
• detailed end-to-end reviews of the process for whistleblowing events involving all disciplines (e.g. HR, legal, compliance, business heads) to make it more transparent, fairer and quicker;
• creation of a 24-hour, multilingual hotline for anonymous escalations; and
• discreet monitoring for a minimum of three years following a whistleblowing event, to ensure a whistleblower was not treated badly as a consequence of their disclosure.

The importance of ensuring that a firm’s systems and controls afford protection to whistleblowers was highlighted in the FCA and PRA final notices issued to Mr James Staley, Chief Executive of Barclays Group, in May 2018. Mr Staley was fined £642,430 following his attempts to identify the author of an anonymous letter received by Barclays. The regulators concluded that Mr Staley had made serious errors of judgement and had not acted with integrity or due skill, care and diligence as required by the Individual Conduct Rules. They also found that he had acted unreasonably and risked undermining confidence in Barclays’ whistleblowing policy and the protections it afforded. Before the final notices were issued, Barclays voluntarily and successfully applied to be subject to special requirements until the end of 2020, made under section 55L and 55M(5) of FSMA. Under these requirements, Barclays must report annually to the FCA and PRA detailing any whistleblowing cases involving allegations made against its senior managers and any cases where Barclays has sought to identify any anonymous whistleblowers. It is also required to provide attestations about the soundness of its whistleblowing systems and controls and senior managers’ completion of annual whistleblower training.

As part of its continued focus on culture in financial services, the FCA is particularly interested where whistleblowing allegations are raised against those designated as senior managers or material risk takers, being those with the greatest potential to cause harm to a firm’s customers or the markets in which it operates. A number of firms have undertaken to notify the FCA of such allegations immediately on receipt and before investigation.

Megan Butler, FCA Executive Director of Supervision – Investment, Wholesale and Specialists Division,^[53] in correspondence with the Chair of the Women and Equalities Committee of the House of Commons, set out her views on firms’ approach to handling of ‘#MeToo’ or sexual harassment allegations. She confirmed that sexual harassment and other forms of non-financial misconduct (such as racial or homophobic harassment or bullying) can amount to a breach of the FCA’s conduct rules, including the requirement to act with integrity, and that firms’ whistleblowing arrangements should be able to deal appropriately with escalation of such concerns. She noted that the FCA would be ‘especially interested if firms were systematically mishandling allegations or incubating a culture of sexual harassment’. Since the letter, the FCA has engaged directly with some firms to request that it be notified of whistleblowing allegations of sexual harassment or other forms of non-financial misconduct promptly – even before investigation. This raises challenges for firms in terms of how to ensure fairness towards senior individuals where as yet unsubstantiated allegations are received.

Outside the financial regulatory sector, listed companies are required under the UK Corporate Governance Code 2018 to ensure that members of the workforce can raise concerns in confidence (and anonymously if they wish). The board should ensure that arrangements are in place for the proportionate and independent investigation of such matters and for follow-up action.

Also of wider relevance, in July 2019 the APPG for Whistleblowing published its report on the UK whistleblowing regime. Among its ten recommendations for what it calls a ‘radical overhaul’ were the introduction of mandatory internal and external reporting mechanisms across all sectors, greater legal protections for whistleblowers and the creation of an Independent Office for the Whistleblower.^[54]

19.3.4Practical considerations

19.3.4.1Effective reporting channels and protecting anonymity

A whistleblowing policy should detail the process of making internal disclosures and should be disseminated across the organisation through regular communications and training that encourage a ‘speak up’ culture. Small and medium-sized organisations might consider appointing a dedicated whistleblowing officer in order to foster an open working culture, whereas in larger organisations an anonymous whistleblowing hotline is likely to be more practical. Ideally there should be a range of channels through which disclosures can be made.

It is often the case that workers report concerns anonymously out of fear that they will be victimised should they be identified as raising such concerns. This raises broader considerations in relation to how employers foster a culture in which workers feel ‘psychologically safe’ to raise concerns openly. However, a 2013 report by the Whistleblowing Commission on the effectiveness of existing arrangements for workplace whistleblowing suggested that, if a worker raises a concern anonymously, the organisation should assess the anonymous information as best it can to establish whether there is substance to the concern and whether it can be addressed.^[55] Employers should also be aware that attempts to identify whistleblowers may constitute a breach of the employer’s obligations under the Data Protection Acts of 1998 and 2018 or the General Data Protection Regulation (GDPR).^[56]

19.3.4.2Conduct of the investigation

Internal investigations involving whistleblower allegations require particularly careful handling because of the reputational and employment law consequences that may follow if a whistleblower is not afforded the required legal protections. No investigation is the same, and the right approach will depend on the circumstances and facts. Isolated incidents of minor misconduct may be capable of investigation internally by a combination of the legal, human resources and internal audit functions, whereas allegations of systematic or potentially criminal conduct are more likely to require the assistance of external counsel. Where there is a whistleblower involved, it is often advisable to interview them at the start of the process – particularly if they are relatively junior. Consideration should be given as to whether to offer them independent legal representation.

Where possible the whistleblower should be kept informed about the progress of the investigation, although extreme care should be taken not to take any steps that might result in a loss of privilege or confidentiality. Expectations should be effectively managed and care taken not to promise outcomes that may not be deliverable. For example, there may be circumstances in which a whistleblower’s desire to remain anonymous places constraints on the extent to which the allegations can be investigated.

19.3.4.3Data protection

A whistleblowing process will inevitably involve the processing of personal data and so must comply with the GDPR. The United Kingdom takes a more relaxed approach to this issue than many other European jurisdictions, in part because of the statutory framework set out in PIDA. However, it is still important to ensure that the whistleblowing process, and any subsequent investigation, complies with the GDPR. Particular issues to consider include keeping the whistle­blowing information secure and limiting access to it, setting an appropriate retention period, not collecting excessive amounts of personal data, being alert to the right of individuals to access a copy of their personal data and, at least in general terms, being transparent about the operation of the whistleblowing process.

19.3.4.4Interaction with regulatory obligations

Principle 11 / Fundamental Rule 7

Firms must deal with their regulators in an open and co-operative way and proactively disclose anything relating to the firm of which the regulators would reasonably expect notice. Information that comes to light via a whistleblowing report may therefore have to be escalated to the relevant authority. In accordance with the FCA’s Supervision manual (SUP), firms must notify the FCA of matters having a serious regulatory impact. This includes, for example, any matter that could have a significant adverse impact on the firm’s reputation.^[57] As noted above, in the current regulatory climate there may be a regulatory expectation that whistleblowing reports against senior managers or allegations of serious sexual harassment or other forms of serious non-financial misconduct will be disclosed immediately. In other situations, it may be more appropriate for a firm to undertake an internal investigation before deciding whether notification to the regulator would be proportionate.

Proceeds of Crime Act 2002 (POCA)

Depending on the subject matter of the allegation, those in receipt of whistleblower reports will need to consider whether the information disclosed raises potential money laundering issues such that the reporting obligations under POCA are triggered (for those in the regulated sector) or it is otherwise necessary to seek a defence against money laundering from the NCA to deal with certain property.

Particular considerations for listed companies

When receiving whistleblowing reports, listed companies should also have regard to their disclosure obligations under the Disclosure Guidance and Transparency Rules (DTR) and the Market Abuse Regulation (MAR).^[58] In accordance with Section 2.2 DTR and Article 17(1) MAR, for example, listed companies must disclose inside information to the market as soon as possible. To determine whether the information constitutes ‘inside information’ for the purposes of DTR and MAR, however, it is likely that the firm will first have to undertake an internal investigation into the allegations.

19.3.4.5Cross-border considerations

Exchange of information in relation to whistleblowers or disclosures

Data protection issues will need to be considered in the context of any transfer of data overseas.

Territorial application of UK whistleblower legislation

Recent case law has determined that a tribunal can only hear a whistleblowing claim against a British employer brought by an employee working abroad if there is a stronger connection with Britain or British employment law than with the country in which they are working. In Foreign and Commonwealth Office (FCO) v. Bamieh,^[59] the Court of Appeal held that an employment tribunal had no territorial jurisdiction to hear whistleblowing detriment claims brought by an FCO employee working in Kosovo against co-workers who were also employed by the FCO and working in Kosovo. The tribunal held that the focus should be on the relationship between the claimant and the co-workers rather than on the relationship between the co-workers and the employer. Moreover, the fact that the individuals concerned have a common employer is not sufficient to give the tribunal jurisdiction.

19.4The individual perspective: representing the individual

19.4.1Legal risks associated with whistleblowing

A decision to make a whistleblowing disclosure can have far-reaching consequences and requires a careful assessment of the legal risks. Despite the protections afforded by PIDA, whistleblowers may be exposed to the risk of criminal investigation or prosecution if they are personally implicated in the conduct disclosed. Those in regulated professions may be vulnerable to regulatory or disciplinary action by their regulators or professional bodies. Where the matter potentially spans more than one jurisdiction, individuals will need to bear in mind that different jurisdictions apply different standards in the protection of whistleblowers. Advice on local employment and possibly criminal laws should be sought where necessary.

Whistleblowers might also commit criminal offences in the course of obtaining information to support their disclosures. Such offences might include securing unauthorised access to computer material,^[60] unlawfully obtaining personal data,^[61] unlawful interception of communications,^[62] theft or even fraud. Whistleblowers may also be vulnerable to civil actions for breach of confidence.

19.4.2Serious Organised Crime and Police Act 2005: immunity and leniency

Where an individual faces criminal liability, they may be able to obtain immunity from prosecution. Section 71 of the Serious Organised Crime and Police Act 2005 (SOCPA) empowers most criminal prosecutors to offer an individual immunity from prosecution by issuing a written immunity notice. However, this power is used rarely and only in very exceptional circumstances.

As an alternative, section 73 of SOCPA provides that if an offender pleads guilty and offers assistance to an investigator or prosecutor, the sentencing court may pass a reduced sentence to reflect that assistance.

The historic reluctance by the SFO to invoke these statutory tools may be set to change following the appointment of Lisa Osofsky as Director of the SFO in August 2018. Ms Osofsky has publicly expressed an intention to make greater use of the powers contained in SOCPA,^[63] though it remains to be seen whether this is achievable. The level of co-operation required to qualify for leniency is onerous and the risks to the individual are significant, particularly in cross-border investigations where there remains a risk of prosecution overseas.

19.4.3Professional obligations

Those in regulated professions may have a duty to report certain information to the appropriate regulator. For example, FCA/PRA Senior Manager Conduct Rule 4 requires senior managers and non-executive directors to disclose appropriately any information of which the FCA, PRA or other regulator with appropriate jurisdiction would reasonably expect notice.

In March 2018, the Solicitors Regulatory Authority (SRA) issued a warning notice to legal professionals in relation to the use of NDAs,^[64] which sets out the obligations that exist when a law firm is considering an NDA with a person who has made a complaint about misconduct within a law firm, or when legal professionals are advising clients on NDAs with individuals. The warning notice recognises that NDAs, including with employees, can legitimately be used to protect commercial interests and confidentiality and, in some circumstances, reputation. It also recognises that NDAs can operate to the mutual benefit of both parties and that the warning notice and the SRA’s Standards and Regulations (replacing the SRA Handbook) should not be taken to prohibit the use of NDAs. However, it states that legal professionals (and those responsible for managing complaints within law firms) should ensure that they do not:

• use NDAs in circumstances in which the subject of the NDA may, as a result of its use, feel unable to notify the SRA or other regulators or law enforcement agencies of conduct that might otherwise be reportable;
• fail to notify the SRA of misconduct, or a serious breach of regulatory requirements, by any person or firm, including wrongdoing by the firm or harassment or other misconduct towards others such as employees or clients; or
• use NDAs as a means of improperly threatening litigation or other adverse consequences, or otherwise exerting inappropriate influence over people not to make disclosures which are protected by statute, or reportable to regulators or law enforcement agencies.

Inappropriate use of NDAs may constitute a breach of the SRA’s Standards and Regulations (replacing the SRA Handbook) and lead to disciplinary action. The SRA’s warning notice of March 2018 was echoed in the Law Society’s practice note on ‘Non-disclosure agreements and confidentiality clauses in an employment law context’ published in January 2019.^[65] This reiterates that NDAs cannot be used to prevent protected disclosures from being made to relevant bodies. It notes that whistleblowing in the public interest is a complex matter and that parties who wish to blow the whistle will often need professional help.

19.4.4Practical questions

19.4.4.1To whom to blow the whistle

An individual will need to give careful consideration to a decision to blow the whistle externally because this may result in the loss of statutory protection. To be a protected disclosure, the whistleblower must make a qualifying disclosure to an appropriate person or organisation.

In most cases, disclosures should be made to the employer. However, in some circumstances individuals may be protected if they disclose information externally.

Parliament has approved a list of ‘prescribed persons’ to whom a worker or an employee can make a disclosure, provided they believe the information is substantially true and concerns a matter within that person’s area of responsibility. They include (but are not limited to) the SFO, the NCA, HMRC, the Health and Safety Executive and the CMA. There is no requirement to alert the employer beforehand.

Where the worker or employee reasonably believes a third party (such as a client or supplier) is responsible for the wrongdoing, they can report it to that third party without telling the employer.

Disclosure to other external sources (e.g. the media) is protected only if the individual believes that the information is substantially true and they do not act for gain. So, an individual who receives payment for a story to a newspaper will not be protected. Unless the matter is ‘exceptionally serious’, they must have already disclosed it to the employer or a prescribed person (or believe that, if they did, evidence would be destroyed or they would suffer reprisals). Disclosure to that person must also be reasonable.

19.4.4.2Requests to sign an NDA

Any request to sign an NDA purporting to prevent an individual from raising
whistleblowing concerns should be resisted and will be unenforceable.

19.4.4.3Challenges to unfair treatment of whistleblowers

An individual who is a worker or employee and who is subjected to unfair treatment by their employing or engaging entity or by other employees or co-workers may have a claim in the employment tribunal against individuals and the entity.

Footnotes