Whistleblowers: The UK Perspective

19.1 Introduction

Recent years have seen an increasing focus on whistleblowing as a cornerstone of good corporate culture. By helping to uncover wrongdoing or errors within an organisation, effective whistleblowing procedures are integral to good governance and risk management. They allow problems to be identified early, providing an opportunity to rectify shortcomings and to prevent a crisis. Being aware of issues also allows businesses to manage market-notification obligations and public relations, identify poor performance and potentially avoid costly employment litigation.

The focus on whistleblowing as fundamental to good governance has been particularly evident in the financial sector, where a key feature of the Senior Managers and Certification Regime (SMCR) is a requirement for firms to appoint a ‘whistleblowers’ champion’. However, the role of whistleblowing has also been the subject of scrutiny outside the regulated sector. For example, a 2015 report into whistleblowing in the National Health Service (NHS) provoked a series of reforms aimed at ensuring that speaking up becomes ‘business as usual’ within the NHS. A principal aim of those reforms was to mirror the open reporting culture in other safety-critical sectors, most notably aviation.^[2]

While there is no general obligation on workers to disclose wrongdoing, certain categories of employee – particularly those in the regulated sector – may have specific reporting obligations to their employers or regulators. The Employment Rights Act 1996 (ERA), as amended by the Public Interest Disclosure Act 1998 (PIDA), provides protection to workers who blow the whistle by protecting them against detrimental treatment and (in the case of employees) from being dismissed for making certain specified types of ‘qualifying protected disclosures’. Compensation for successful Employment Tribunal whistleblowing claims is uncapped. Such legal protections relate only to dismissal or detriment in an employment context and do not provide immunity from criminal prosecution where a whistleblower is implicated in criminal conduct.

Outside the financial services sector, there is currently no requirement for organisations in the United Kingdom to have whistleblowing mechanisms. However, the EU Directive on the protection of persons reporting on breaches of Union law (the Whistleblower Directive) was formally adopted in October 2019. Among other measures, the Directive – which Member States have until December 2021 to implement – will require organisations with 50 or more employees to establish internal reporting channels and respond to reported concerns within three months.^[3] In addition, in July 2019 a report of the All Party Parliamentary Group (APPG) for Whistleblowing recommended the introduction of mandatory internal and external reporting mechanisms along with meaningful penalties for those who fail to meet the requirements across all sectors.^[4]

The APPG has also urged the government to ban the use of non-disclosure agreements (NDAs) in whistleblowing cases.^[5] The use of NDAs in settlements with employees has attracted considerable media attention in the wake of the #MeToo movement.^[6]

19.2 The legal framework

19.2.1 Public Interest Disclosure Act 1998 and Employment Rights Act 1996

Whistleblowing legislation was introduced in 1998 following the realisation that a number of high-profile disasters may have been prevented or their effect reduced if a worker had spoken up, or their employer had listened to them.^[7] PIDA came into force in July 1999, inserting new sections into ERA. PIDA provides two key protections: unlawful detriment (protecting employees and workers, including some LLP members^[8]) and automatically unfair dismissal (protecting employees). There is no qualifying length of service for bringing whistleblowing claims.

19.2.1.1 Unlawful detriment

Subjecting a worker to a detriment because they have made a protected disclosure is unlawful. Detriments include, but are not limited to, pay cuts, limiting career prospects and disciplinary action. Detriments after termination of employment also qualify,^[9] so employers should proceed cautiously when drafting references.

19.2.1.2 Automatically unfair dismissal

Dismissing an employee who has blown the whistle is automatically unfair if the reason, or principal reason, for the dismissal is that they have made a protected disclosure. Since compensation for successful whistleblowing unfair dismissal claims is uncapped, compensation can be high – especially if the individual encounters difficulty finding a new job because of the dismissal.

19.2.1.3 Qualifying disclosures

Six categories of disclosure are protected as ‘qualifying disclosures’. The disclosure must, in the worker’s reasonable belief, tend to show that one or more of the following failures has occurred or is likely to occur:

• a criminal offence;
• breach of a legal obligation;
• a miscarriage of justice;
• danger to the health and safety of any individual;
• damage to the environment; or
• the deliberate concealment of information about any of the above.

Since 2013, to make a qualifying disclosure the worker must reasonably believe that the disclosure is in the public interest.^[10] ‘Public interest’ is not defined, but in Chesterton Global and Verman v. Nurmohamed ,^[11] the Court of Appeal decided that the interests served by the disclosure do not have to extend outside the workplace. The Court found that four considerations are relevant:

the number of people affected by the disclosure;

• the nature of the interests affected and the extent to which those interests are affected by the wrongdoing disclosed;
• the nature of the wrongdoing disclosed; and

the identity of the alleged wrongdoer.

Anything that affects a class of people could potentially be caught, so employers should take a cautious approach. It is possible that ‘everyday’ employment disputes over contractual terms will have a public interest element, especially where these have serious implications or impact large numbers of people (for instance, remuneration issues in public limited companies and financial institutions). Issues such as discrimination or equal pay at work might also have a public interest element.

So long as the worker believes, acting reasonably, that the relevant failure has occurred or is likely to occur, they will be protected even if their belief turns out to be wrong.^[12] However, for a belief to be ‘reasonable’ it must be founded in more than unsubstantiated rumour or opinion.

Since 2013, there is no longer any requirement for the disclosure to be ‘in good faith’. However, if an employment tribunal upholds an employer’s argument that a disclosure was made in bad faith, it has the power to reduce compensation by up to 25 per cent. Case law suggests that disclosures made predominantly for personal interest or with malice are not in good faith.^[13]

19.2.1.4 Vicarious and personal liability

Vicarious liability

In June 2013, the Enterprise Regulatory and Reform Act 2013 introduced the concept of vicarious liability into whistleblowing law. It imposes vicarious liability on an employer for detriments caused to a worker by co-workers (and in some cases by agents of the employer) on grounds that the worker made a protected disclosure.^[14]

The employer will have a defence if it took all reasonable steps to prevent the detrimental treatment. Having an appropriate whistleblowing policy and providing training to support this will be key to an employer’s ability to evidence this.

Personal liability

Claimants can pursue individuals personally for liability arising from whistleblow­ing detriments. Doing so is often tactical. In Timis and another v. Osipov,^[15] the employment tribunal and Employment Appeal Tribunal held that two non-executive directors were jointly and severally liable for the losses flowing from Mr Osipov’s dismissal (totalling approximately £1.75 million).

19.2.2 EU Directive and UK implementation

In October 2019, the Council of the European Union formally adopted the Whistleblower Directive.

Since the United Kingdom already grants whistleblowers comprehensive protection, for the most part the provisions of the Whistleblower Directive do not supplement the whistleblower protection already available under the UK domestic legislation. However, the following differences should be noted:

• organisations with 50 or more employees will be required to establish internal reporting channels for the reporting of breaches of Union law, to acknowledge receipt of a report within seven days and to respond to reported concerns within three months; and
• whistleblowers will also have the right to make an external disclosure to a competent national authority or, in limited cases, a public disclosure.

Member States have until December 2021 to implement the Directive. It seems unlikely that the Directive will be implemented in the United Kingdom given its departure from the European Union. However, it is unclear whether domestic legislation will be amended to incorporate the same rights as the Directive in any event to ensure that the United Kingdom keeps pace with European workers’ rights. Protect,^[16] the whistleblowing charity, has urged the UK government to bring the new provisions into domestic law following the Brexit transition period. In addition to Protect’s proposals, two other bills proposing changes have been presented to Parliament by campaigners in 2020.^[17]

19.2.3 Non-disclosure agreements and whistleblowing

An NDA – a contractual commitment that a party (or parties) will keep certain information confidential – is a provision commonly included in settlement agreements between employers and departing employees. Under an NDA, confidentiality may attach to the terms of the settlement agreement and to the amount of any sums paid under it, as well as to the underlying complaints that the employee made. If the NDA is breached, the other party can seek damages for breach of contract.

In the wake of the #MeToo movement, the use of NDAs by employers has come increasingly under the spotlight and has been criticised, in particular, as a means of silencing whistleblowers. In July 2019, the APPG for Whistleblowing urged the government to ban the use of NDAs in whistleblowing cases.^[18]

Any NDA clause designed to prevent a worker from making a whistleblowing disclosure is void under section 43J of ERA and therefore unenforceable. Seeking to rely on an NDA to prevent whistleblowing disclosures could amount to an unlawful detriment against the employee or worker, as well as risking additional adverse publicity if the issue becomes public.

Firms authorised by the Financial Conduct Authority (FCA) are under specific obligations when it comes to settlement agreements with workers. Lawyers advising clients on NDAs must also consider their professional obligations.

19.2.4 FCA/PRA systems and controls requirements

Both the FCA and the Prudential Regulation Authority (PRA) expect firms to implement and maintain appropriate and effective internal whistleblowing arrangements as part of an effective risk management system.^[19] The FCA’s rules and guidance are contained in SYSC 18 of its Handbook, which applies to SMCR banking and insurance sector firms. SYSC 18 also serves as non-binding guidance to all other firms authorised under the Financial Services and Markets Act 2000 (FSMA). The PRA’s rules are higher level and found in section 2A of the PRA Rulebook.

The SYSC 18 requirements fall into three categories:

• maintenance of appropriate and effective arrangements for whistleblowing;^[20]
• appointment of a whistleblowers’ champion;^[21] and
• settlement agreements with workers.^[22]

19.2.4.1 Maintaining appropriate internal whistleblowing arrangements

While firms are required to establish, implement and maintain appropriate and effective arrangements for the disclosure of reportable concerns (including concerns related to suspected market abuse) by whistleblowers, neither regulator has prescribed what the arrangements should be. FCA guidance suggests that firms may choose to draw on relevant resources prepared by whistleblowing charities or recognised standards-setting organisations, such as Protect. The regulators recognise that whistleblowing arrangements may vary between firms^[23] and that firms may use third parties to provide aspects of their whistleblowing services, with appropriate quality controls and monitoring.

The arrangements that a firm has in place should allow effective escalation of reportable concerns, including to the FCA and PRA. This requirement is aligned with PRA Fundamental Rule 7 and FCA Principle 11, according to which firms must deal with their regulators openly and co-operatively and disclose appropriately anything relating to the firm of which the regulators would reasonably expect notice. Beyond these broad principles, a firm’s arrangements should:

• allow for disclosure to be made through a variety of means (for many firms this will mean through an online system, a telephone hotline, a third-party provider or a designated team);
• handle a whistleblower’s request for confidentiality or anonymity;
• include reasonable measures to ensure whistleblowers are not victimised;
• provide feedback to whistleblowers on their concerns, where appropriate and feasible;
• include record-keeping of reportable concerns;
• include maintenance of up-to-date whistleblowing policies and procedures that are readily available to the firm’s employees;
• allow for the preparation of an annual report to the firm’s governing body on the effectiveness and operation of the firm’s processes;
• include training for employees, managers and those responsible for operating the firm’s internal arrangements;
• include reporting to the FCA and PRA if firms lose an employment tribunal claim based on detriment suffered from making a protected disclosure; and
• ensure UK employees are made aware of the FCA’s and PRA’s whistleblowing services and that they can approach either regulator direct without first raising a concern internally.^[24]

19.2.4.2 The whistleblowers’ champion

A key component of the SMCR is a requirement for firms to appoint a whistleblowers’ champion with responsibility for ensuring and overseeing the integrity, independence and effectiveness of the firm’s policies and procedures on whistleblowing. The FCA expects that this role will be filled by a non-executive director.^[25] Assignment of specific responsibility for whistleblowing to a senior person – preferably the chairman – was a recommendation of the June 2013 report of the Parliamentary Commission on Banking Standards, Changing Banking for Good, and is consistent with the broader trend towards senior management responsibility in the UK regulatory regime. This is reflected both in the fact that the whistleblowers’ champion is now a prescribed responsibility under the SMCR,^[26] and in the guidance that the whistleblowers’ champion should have a level of authority within the firm sufficient to carry out their function.^[27]

The whistleblowers’ champion is also expected to ensure that an annual report is presented to the board regarding the effectiveness of whistleblowing systems and controls.^[28] The FCA and PRA have not been prescriptive about how whistle­blowers’ champions perform their role, and have acknowledged that firms are likely to take different approaches depending on their structure and size.^[29] In smaller firms, the whistleblowers’ champion may choose to take a ‘hands-on’ role, possibly in concert with his or her support staff, receiving disclosures personally and taking responsibility for disseminating reports within the firm, tracking progress, making external reports, feeding back to whistleblowers where appropriate and reviewing settlement agreements. In larger firms, whistleblowers’ champions are more likely to perform their function by delegating day-to-day operations to a dedicated whistleblowing function while retaining an oversight role. The PRA expects the whistleblowers’ champion to have access to resources and information sufficient to carry out their role.^[30] In practice this is likely to include a regular suite of management information on the number and outcome of reportable concerns, as well as analysis or oversight of patterns in data – for example particular business units or offices in respect of which reportable concerns are more frequently raised.

19.2.4.3 Settlement agreements with workers

The FCA’s rules require a firm to include in a settlement agreement with a worker a term making clear that nothing in that settlement agreement prevents the worker from making a protected disclosure.^[31]

19.2.5 Competition and Markets Authority and whistleblowers

In exceptional circumstances, the Competition and Markets Authority (CMA) offers rewards of up to £100,000 for information about cartel activity. The rewards are provided at the discretion of the CMA subject to factors including the value of the information, the harm done to consumers and the risk the whistleblower has taken to provide the information.^[32]

The CMA also operates a leniency programme according to which businesses and individuals who have participated in cartel activity may apply for immunity or leniency from financial penalties and immunity from criminal prosecution and director disqualification.^[33] Complete immunity from sanctions might be granted provided the individual or business is the first to report and confess their involvement, they co-operate fully and there was no pre-existing investigation by the CMA.

Companies or individuals thinking about applying for leniency may, before doing so, approach the CMA for confidential guidance on a no names basis by calling the CMA’s dedicated cartels hotline.^[34] On 22 October 2018, the CMA launched its nationwide ‘Stop Cartels’ campaign, designed to encourage whistleblowing.^[35] Following its launch, tip-offs to the CMA have risen by over 30 per cent,^[36] and the CMA has taken steps to make whistleblowing easier by introducing an online reporting form and an online quiz to help prospective whistle­blowers understand if what they have seen is illegal. One challenge faced by the CMA is ensuring that prospective whistleblowers in high-risk sectors can identify anticompetitive behaviour when they see it. In January 2020, the CMA conducted research in the construction sector revealing that only 6 per cent of firms were familiar with competition law and that a general understanding of the illegality of certain business practices was low.^[37] In response, on 26 February 2020, the CMA launched a new nationwide ‘Cheating or Competing?’ campaign to educate individuals on what a cartel is and how to spot anticompetitive behaviour, to encourage greater reporting. The CMA estimates that this campaign reached over 29 million people in the United Kingdom.^[38]

19.2.6 Serious Fraud Office and online whistleblowing

The SFO launched its whistleblowing service in 2011. Originally established as a telephone hotline, reports are now made electronically to the SFO’s Intelligence Unit through its secure reporting form.^[39] The SFO reporting service enables companies’ executives, staff, professional advisers and business associates to provide information about cases of serious fraud, bribery or corruption – whether as a whistleblower or on behalf of a company making a self-report. Whistleblowers are initially encouraged to follow the whistleblowing procedures in their own organisation if they suspect wrongdoing in the workplace. If the whistleblower is not comfortable, or there are no procedures, then they should approach the SFO or another prescribed body.^[40]

Between 1 April 2018 and 31 March 2019, the SFO’s Intelligence Unit managed 137 qualifying^[41] whistleblowing disclosures. The SFO took further action in relation to 122 disclosures.^[42] However, the take-up of cases for investigation by the SFO remains low, with only five criminal investigations opened in 2019, half the number of the preceding year.^[43] In considering whether to authorise an investigation, the Director of the SFO will take into account the actual or intended harm that may be caused to the public, the reputation and integrity of the United Kingdom as an international financial centre or the economy and prosperity of the United Kingdom.^[44]

Although there are means to report online via the SFO or National Crime Agency (NCA) websites, no single centralised mechanism exists to report ­bribery offences. To address this, the Home Office has committed to launching a new reporting mechanism for allegations of bribery and corruption in line with the government’s anti-corruption strategy.^[45] How this will interact with existing reporting mechanisms remains to be seen.

19.2.7 Human rights considerations

In recent years, demonstrating respect for human rights has become increasingly important for businesses. Since 2011 when the UN endorsed the UN Guiding Principles on Business and Human Rights (UNGPs),^[46] ‘soft law’ standards encouraging companies to manage more closely their human rights risks and impacts across their operations and supply chains have proliferated. Of these standards, it is around the UNGPs, which require that business enterprises ‘respect human rights’,^[47] that there has been the most widespread business convergence. The UNGPs require businesses to avoid infringing the human rights of others and to address adverse impacts on human rights impacts that they are involved with. The frequent adoption by companies of the UNGPs has led to ever increasing NGO, investor and other stakeholder and civil society scrutiny.

Beyond the soft-law instruments that previously dominated the business and human rights space, we have increasingly seen laws introduced that require companies to report on human rights. For example, section 54 of the Modern Slavery Act 2015 requires in-scope companies to produce a slavery and human trafficking statement each financial year on the steps they have taken to ensure slavery and human trafficking are not taking place in their supply chains and business.^[48] Similarly, section 414CA of the Companies Act 2006^[49] requires certain large companies to prepare a non-financial information statement containing information on their respect for human rights and a description of their policies in this regard.

Most recently, this trend towards ‘hard law’ has taken another turn, as several European Member States have witnessed calls, including from businesses themselves, for mandatory regimes with substantive requirements on conducting due diligence rather than mere reporting obligations.^[50]

Against this backdrop, businesses have realised that, to fulfil their obligations to respect human rights under the UNGPs and comply with the various applicable legislative regimes, they need to review their existing policies, processes and procedural frameworks to ensure that they understand their potential human rights risks and impacts. A properly functioning whistleblower system can enable human rights impacts to be identified, managed and remediated early and completely, preventing harm from escalating. Many companies have implemented whistleblowing policies to support the management of human rights and supply-chain risk, which is recommended in Home Office guidance.^[51] It is best practice for a whistleblowing mechanism or ‘speak up’ hotline to be open to all workers (including contractors) rather than just employees. In light of this, companies have increasingly opened up their processes to workers of suppliers in their supply chain, particularly where the supply chain involves high-risk activities or jurisdictions.

While whistleblowing can identify potential human rights risks and impacts, it is also important to recognise the potential human rights consequences if the whistleblowing procedures do not contain sufficient protections for the whistleblower. This can include the rights to privacy and freedom of speech, which are protected under Articles 8 and 10 of the European Convention on Human Rights (ECHR), or, in the worst case, the right to life as protected under Article 1 of the ECHR. Privacy and free-speech rights are qualified, in that they need to be balanced against the public interest (or indeed the corporate interest) in identifying where human rights impacts have occurred and where laws may have been broken. The regulatory regimes governing the design and implementation of whistleblowing procedures seek to balance these competing interests. However, human rights considerations should underpin the design and operation of an effective whistleblowing regime, and companies should ensure that, in implementing procedures to identify human rights impacts and risks in their operations and supply chain, they are not creating new ones.

19.3 The corporate perspective: representing the firm

19.3.1 Responsibility for whistleblowing among senior managers under SMCR

When representing a regulated firm involved in a whistleblowing investigation, regard must be had both to the firm’s compliance with the systems and controls requirements outlined above and to individual managers’ personal obligations under the SMCR.

The SMCR requires most individuals employed in the UK banking and insurance sectors to adhere to the FCA’s and PRA’s Individual Conduct Rules.^[52] Senior managers must also comply with the Senior Manager Conduct Rules, while non-executive directors (who are not themselves senior managers) are subject to Senior Manager Conduct Rule 4 as well as the Individual Conduct Rules. On 9 December 2019, the SMCR was extended to certain other financial services firms, including asset management firms and non-bank mortgage lenders. In response to expected delays caused by the coronavirus pandemic, the FCA has agreed an extension to the deadline for solo-regulated firms to have undertaken the first assessment of the fitness and propriety of their certified persons, from 9 December 2020 to 31 March 2021.^[53] Certain individual rules may require the relevant individuals to disclose information to the regulators. In the context of whistleblowing, this means that information received via internal whistleblowing channels may, in turn, need to be escalated to the appropriate regulator.

19.3.1.1 Individual Conduct Rules

The FCA/PRA Individual Conduct Rule 3 stipulates that relevant individuals must be open and co-operative with the FCA, the PRA and other regulators with appropriate jurisdiction. The FCA’s Code of Conduct Handbook (COCON) provides specific guidance as to what this rule requires.

COCON 4.1.10 provides guidance that there is no duty on a person to report information directly to the regulator concerned unless they are one of the persons responsible in the firm for reporting matters to the regulator (although if a person takes steps to influence the decision not to report or acts in a way that is intended to obstruct the reporting of the information to the regulator, they will be treated as if they had taken on responsibility for deciding whether to report that matter).

Those operating a whistleblowing function will not therefore automatically assume direct responsibility for escalating reportable concerns to the regulator. However, firms should ensure that appropriate arrangements are in place so that those responsible for regulatory reporting are informed on a timely basis of issues likely to be of interest to the regulator identified through the whistle­blowing channels.

19.3.1.2 Senior Manager Conduct Rules

The FCA/PRA Senior Manager Conduct Rule 4 requires senior managers and non-executive directors to disclose appropriately any information of which the FCA, PRA or other regulator with appropriate jurisdiction would reasonably expect notice (even where the regulator has not requested such information). While there is overlap between FCA/PRA Senior Manager Conduct Rule 4 and Individual Conduct Rule 3, COCON 4.2.26 makes clear that these are distinct obligations requiring proactive disclosure rather than just accurate responses to regulatory enquiries. COCON 4.2.28 clarifies that senior managers (or non-executive directors) need not report information outside the scope of their responsibility. However, once they become aware of the information (including through whistleblowing) they should make enquiries to satisfy themselves that it is being dealt with by the appropriate individual.

19.3.1.3 Approved persons

Since December 2019, solo-regulated firms previously governed by the approved persons regime have been governed by the SMCR. The FCA has stated that Senior Managers and Certification Staff will need to abide by the Conduct Rules from the start of the new regime, but that firms will have until December 2020 to train their other staff on the conduct rules.^[54]

19.3.2Whistleblowing as part of adequate or reasonable systems and controls

19.3.2.1 Bribery Act 2010 and adequate procedures

Under section 7 of the Bribery Act 2010, a company can be criminally liable for failing to prevent bribery committed for its benefit by one of its associated persons.

It is a defence for a company to show that it had adequate procedures in place designed to prevent bribery by its associated persons.^[55] Guidance published by the Ministry of Justice suggests that such procedures are likely to include, among other measures, procedures for the reporting of bribery including ‘speak up’ or ‘whistleblowing’ procedures.^[56]

19.3.2.2 Criminal Finances Act 2017 and reasonable procedures

Under sections 45 and 46 of the Criminal Finances Act 2017, a company can be criminally liable for failing to prevent the facilitation of UK or foreign tax evasion offences by its associated persons.

It is a defence for a company to show that it had reasonable prevention procedures in place. Guidance issued by HM Revenue and Customs (HMRC) suggests that such procedures are likely to include, among other measures, protection for whistleblowers (with no retribution).^[57] In February 2019, HMRC launched an online reporting form for authorised representatives to self-report a failure to prevent the facilitation of tax evasion on the part of their organisation.

19.3.3 Changing regulatory expectations

In November 2018, following its review of firms’ whistleblowing arrangements in the retail and wholesale banking sector, the FCA published examples of good practice and areas for improvement with respect to policies and procedures, the role of the whistleblowers’ champion and the annual whistleblowing report and training.^[58]

The FCA noted that some firms had a clear policy and other arrangements for ensuring whistleblowers were protected against victimisation, both during and following an investigation. For example, one firm monitored employment records for 12 to 18 months after a reportable concern had been investigated, to identify victimisation. The FCA also commended firms that had a variety of reporting channels for employees to raise concerns, with one firm providing whistleblowers the option of giving their contact details to a third-party hotline provider instead of to the firm. In contrast, the FCA was concerned by incorrect statements on the part of some firms that employees must raise whistleblowing concerns internally before contacting the FCA.

Good practice observed in respect of the whistleblowers’ champion and annual report included senior individuals being able clearly to articulate the importance of a ‘speak up’ culture; champions having a good understanding of their roles and responsibilities, including providing independent oversight; one champion contacting whistleblowers to determine whether they had suffered adverse consequences or victimisation; reviews of effectiveness of whistleblowing arrangements by either the second or third line of defence or through third-party whistleblowing organisations; and staff surveys to ensure that employees knew how to raise concerns. The FCA did, however, find firms whose annual reports lacked detail or were still under development.

Good practices observed by the FCA with respect to training included the provision by some firms of separate training for managers and investigation teams. In the FCA’s view, this approach helped to ensure that managers were equipped to provide the necessary management and support to those raising concerns. Good firms also provided training to senior leadership teams, especially where they were involved in assessing reportable concerns. At the same time, the FCA noted that most firms needed to improve the content of their training.

In May 2019, the FCA published its industry feedback with respect to wholesale banking.^[59] It identified several practices as examples of ‘encouraging’ whistleblowing initiatives implemented by firms, including:

• engagement by managers and staff directly with a whistleblower to understand fully what he or she would like to achieve and make a sustained effort to manage appropriately the whistleblower’s expectations;
• outsourcing of analysis on all whistleblowing cases to ensure fair and confidential treatment;
• detailed end-to-end reviews of the process for whistleblowing events involving all disciplines (e.g., HR, legal, compliance, business heads) to make it more transparent, fairer and quicker;
• creation of a 24-hour, multilingual hotline for anonymous escalations; and
• discreet monitoring for a minimum of three years following a whistleblowing event, to ensure a whistleblower was not treated badly as a consequence of their disclosure.

The importance of ensuring that a firm’s systems and controls afford protection to whistleblowers was highlighted in the FCA and PRA final notices issued to Mr James Staley, Chief Executive of Barclays Group, in May 2018. Mr Staley was fined £642,430 following his attempts to identify the author of an anonymous letter received by Barclays. The regulators concluded that Mr Staley had made serious errors of judgement and had not acted with integrity or due skill, care and diligence as required by the Individual Conduct Rules. They also found that he had acted unreasonably and risked undermining confidence in Barclays’ whistleblowing policy and the protections it afforded. Before the final notices were issued, Barclays voluntarily and successfully applied to be subject to special requirements until the end of 2020, made under section 55L and 55M(5) of FSMA. Under these requirements, Barclays was required to report annually to the FCA and PRA detailing any whistleblowing cases involving allegations made against its senior managers and any cases where Barclays had sought to identify any anonymous whistleblowers. It was also required to provide attestations about the soundness of its whistleblowing systems and controls and senior managers’ completion of annual whistleblower training.

As part of its continued focus on culture in financial services, the FCA is particularly interested where whistleblowing allegations are raised against those designated as senior managers or material risk takers, being those with the greatest potential to cause harm to a firm’s customers or the markets in which it operates. A number of firms have undertaken to notify the FCA of such allegations immediately on receipt and before investigation.

Megan Butler, FCA Executive Director of Supervision – Investment, Wholesale and Specialists Division,^[60] in correspondence with the Chair of the Women and Equalities Committee of the House of Commons, set out her views on firms’ approach to handling of ‘#MeToo’ or sexual harassment allegations. She confirmed that sexual harassment and other forms of non-financial misconduct (such as racial or homophobic harassment or bullying) can amount to a breach of the FCA’s conduct rules, including the requirement to act with integrity, and that firms’ whistleblowing arrangements should be able to deal appropriately with escalation of such concerns. She noted that the FCA would be ‘especially interested if firms were systematically mishandling allegations or incubating a culture of sexual harassment’. Since the letter, the FCA has engaged directly with some firms to request that it be notified of whistleblowing allegations of sexual harassment or other forms of non-financial misconduct promptly – even before investigation. This raises challenges for firms in terms of how to ensure fairness towards senior individuals where as yet unsubstantiated allegations are received.

More recently, the FCA has made clear that it views a lack of diversity and inclusion and non-financial misconduct as obstacles to creating an environment in which it is safe to speak up.^[61] Whistleblowing acts as an important barometer for the FCA and PRA to test an organisation’s culture and purpose.

In the wake of the ‘Black Lives Matter’ protests in the summer of 2020, the incoming chief executive of the FCA, Nikhil Rathi, noted at his first Treasury committee session that there were ‘deep’ diversity issues in the financial services industry.^[62] He acknowledged that these issues were prevalent within the FCA, as well as the industry at large. Although Mr Rathi revealed plans to increase diversity within the FCA, it remains to be seen how the FCA will treat allegations concerning systemic issues in firms relating to diversity and inclusion, particularly where unconscious bias plays a feature.

Outside the financial regulatory sector, listed companies are required under the UK Corporate Governance Code 2018 to ensure that members of the workforce can raise concerns in confidence (and anonymously if they wish). The board should ensure that arrangements are in place for the proportionate and independent investigation of such matters and for follow-up action.

Also of wider relevance, in July 2019 the APPG for Whistleblowing published its report on the UK whistleblowing regime. Among its ten recommendations for what it calls a ‘radical overhaul’ were the introduction of mandatory internal and external reporting mechanisms across all sectors, greater legal protections for whistleblowers and the creation of an Independent Office for the Whistleblower.^[63] In January 2020, the APPG put forward a formal bill to establish an Independent Office of the Whistleblower to oversee the administration of arrangements to facilitate whistleblowing.^[64] The duties of the Office of the Whistleblower would include:

• giving direction to and monitoring the activities of relevant bodies;
• acting as a point of contact for individuals that wish to make a disclosure;
• forming and maintaining a panel of accredited legal firms and advisory bodies to advise and support whistleblowers;
• maintaining a fund to support whistleblowers;
• providing financial redress to individuals whose disclosure is deemed by the Office to have harmed their employment, reputation or career; and
• publishing a report regarding its activities to be put before both Houses of Parliament each year.

19.3.4 Practical considerations

19.3.4.1 Effective reporting channels and protecting anonymity

A whistleblowing policy should detail the process of making internal disclosures and should be disseminated across the organisation through regular communications and training that encourage a ‘speak up’ culture. Small and medium-sized organisations might consider appointing a dedicated whistleblowing officer in order to foster an open working culture, whereas in larger organisations an anonymous whistleblowing hotline is likely to be more practical. Ideally there should be a range of channels through which disclosures can be made.

It is often the case that workers report concerns anonymously out of fear that they will be victimised should they be identified as raising such concerns. This raises broader considerations in relation to how employers foster a culture in which workers feel ‘psychologically safe’ to raise concerns openly. However, a 2013 report by the Whistleblowing Commission on the effectiveness of existing arrangements for workplace whistleblowing suggested that, if a worker raises a concern anonymously, the organisation should assess the anonymous information as best it can to establish whether there is substance to the concern and whether it can be addressed.^[65] Employers should also be aware that attempts to identify whistle­blowers may constitute a breach of the employer’s obligations under the Data Protection Acts of 1998 and 2018 or the General Data Protection Regulation (GDPR).^[66]

In June 2020, Protect published its second edition of ‘Silence in the City’, an analysis of the experience of whistleblowing in the financial services sector. The study found that steps taken in the sector to embed trust in internal whistleblowing arrangements were working, with 93 per cent of whistleblowers raising their concerns internally (a significant increase from the findings of their first report, which found 78 per cent of whistleblowers raised their concerns internally).^[67] Despite this progress, there is significant work to be done in the sector to embed processes that protect the identity of whistleblowers. Protect found that 70 per cent of whistleblowers were either victimised, dismissed or felt that resignation was the only option available to them.^[68]

19.3.4.2 Conduct of the investigation

Internal investigations involving whistleblower allegations require particularly careful handling because of the reputational and employment law consequences that may follow if a whistleblower is not afforded the required legal protections. No investigation is the same, and the right approach will depend on the circumstances and facts. Isolated incidents of minor misconduct may be capable of investigation internally by a combination of the legal, human resources and internal audit functions, whereas allegations of systematic or potentially criminal conduct are more likely to require the assistance of external counsel. Where there is a whistleblower involved, it is often advisable to interview them at the start of the process – particularly if they are relatively junior. Consideration should be given as to whether to offer them independent legal representation.

Where possible the whistleblower should be kept informed about the progress of the investigation, although extreme care should be taken not to take any steps that might result in a loss of privilege or confidentiality. Expectations should be effectively managed and care taken not to promise outcomes that may not be deliverable. For example, there may be circumstances in which a whistleblower’s desire to remain anonymous places constraints on the extent to which the allegations can be investigated.

19.3.4.3 Data protection

A whistleblowing process will inevitably involve the processing of personal data and so must comply with the GDPR. The United Kingdom takes a more relaxed approach to this issue than many other European jurisdictions, in part because of the statutory framework set out in PIDA. However, it is still important to ensure that the whistleblowing process, and any subsequent investigation, complies with the GDPR. Particular issues to consider include keeping the whistle­blowing information secure and limiting access to it, setting an appropriate retention period, not collecting excessive amounts of personal data, being alert to the right of individuals to access a copy of their personal data and, at least in general terms, being transparent about the operation of the whistleblowing process.

19.3.4.4Interaction with regulatory obligations

Principle 11 / Fundamental Rule 7

Firms must deal with their regulators in an open and co-operative way and proactively disclose anything relating to the firm of which the regulators would reasonably expect notice. Information that comes to light via a whistleblowing report may therefore have to be escalated to the relevant authority. In accordance with the FCA’s Supervision manual (SUP), firms must notify the FCA of matters having a serious regulatory impact. This includes, for example, any matter that could have a significant adverse impact on the firm’s reputation.^[69] As noted above, in the current regulatory climate there may be a regulatory expectation that whistleblowing reports against senior managers or allegations of serious sexual harassment or other forms of serious non-financial misconduct will be disclosed immediately. In other situations, it may be more appropriate for a firm to undertake an internal investigation before deciding whether notification to the regulator would be proportionate.

Proceeds of Crime Act 2002 (POCA)

Depending on the subject matter of the allegation, those in receipt of whistleblower reports will need to consider whether the information disclosed raises potential money laundering issues such that the reporting obligations under POCA are triggered (for those in the regulated sector) or it is otherwise necessary to seek a defence against money laundering from the NCA to deal with certain property.

Particular considerations for listed companies

When receiving whistleblowing reports, listed companies should also have regard to their disclosure obligations under the Disclosure Guidance and Transparency Rules (DTR) and the Market Abuse Regulation (MAR).^[70] In accordance with Section 2.2 DTR and Article 17(1) MAR, for example, listed companies must disclose inside information to the market as soon as possible. To determine whether the information constitutes ‘inside information’ for the purposes of DTR and MAR, however, it is likely that the firm will first have to undertake an internal investigation into the allegations.

19.3.4.5 Cross-border considerations

Exchange of information in relation to whistleblowers or disclosures

Data protection issues will need to be considered in the context of any transfer of data overseas.

Territorial application of UK whistleblower legislation

Recent case law has determined that a tribunal can only hear a whistleblowing claim against a British employer brought by an employee working abroad if there is a stronger connection with Britain or British employment law than with the country in which they are working. In Foreign and Commonwealth Office (FCO) v. Bamieh,^[71] the Court of Appeal held that an employment tribunal had no territorial jurisdiction to hear whistleblowing detriment claims brought by an FCO employee working in Kosovo against co-workers who were also employed by the FCO and working in Kosovo. The tribunal held that the focus should be on the relationship between the claimant and the co-workers rather than on the relationship between the co-workers and the employer. Moreover, the fact that the individuals concerned have a common employer is not sufficient to give the tribunal jurisdiction.

19.4 The individual perspective: representing the individual

19.4.1 Legal risks associated with whistleblowing

A decision to make a whistleblowing disclosure can have far-reaching consequences and requires a careful assessment of the legal risks. Despite the protections afforded by PIDA, whistleblowers may be exposed to the risk of criminal investigation or prosecution if they are personally implicated in the conduct disclosed. Those in regulated professions may be vulnerable to regulatory or disciplinary action by their regulators or professional bodies. Where the matter potentially spans more than one jurisdiction, individuals will need to bear in mind that different jurisdictions apply different standards in the protection of whistleblowers. Advice on local employment and possibly criminal laws should be sought where necessary.

Whistleblowers might also commit criminal offences in the course of obtaining information to support their disclosures. Such offences might include securing unauthorised access to computer material,^[72] unlawfully obtaining personal data,^[73] unlawful interception of communications,^[74] theft or even fraud. Whistleblowers may also be vulnerable to civil actions for breach of confidence.

19.4.2Serious Organised Crime and Police Act 2005: immunity and leniency

Where an individual faces criminal liability, they may be able to obtain immunity from prosecution. Section 71 of the Serious Organised Crime and Police Act 2005 (SOCPA) empowers most criminal prosecutors to offer an individual immunity from prosecution by issuing a written immunity notice. However, this power is used rarely and only in very exceptional circumstances.

As an alternative, section 73 of SOCPA provides that if an offender pleads guilty and offers assistance to an investigator or prosecutor, the sentencing court may pass a reduced sentence to reflect that assistance.

The historic reluctance by the SFO to invoke these statutory tools may be set to change following the appointment of Lisa Osofsky as Director of the SFO in August 2018. Ms Osofsky has publicly expressed an intention to make greater use of the powers contained in SOCPA,^[75] though it remains to be seen whether this is achievable. The level of co-operation required to qualify for leniency is onerous and the risks to the individual are significant, particularly in cross-border investigations where there remains a risk of prosecution overseas.

19.4.3 Professional obligations

Those in regulated professions may have a duty to report certain information to the appropriate regulator. For example, FCA/PRA Senior Manager Conduct Rule 4 requires senior managers and non-executive directors to disclose appropriately any information of which the FCA, PRA or other regulator with appropriate jurisdiction would reasonably expect notice.

In March 2018, the Solicitors Regulatory Authority (SRA) issued a warning notice to legal professionals in relation to the use of NDAs,^[76] which sets out the obligations that exist when a law firm is considering an NDA with a person who has made a complaint about misconduct within a law firm, or when legal professionals are advising clients on NDAs with individuals. The warning notice recognises that NDAs, including with employees, can legitimately be used to protect commercial interests and confidentiality and, in some circumstances, reputation. It also recognises that NDAs can operate to the mutual benefit of both parties and that the warning notice and the SRA’s Standards and Regulations (replacing the SRA Handbook) should not be taken to prohibit the use of NDAs. However, it states that legal professionals (and those responsible for managing complaints within law firms) should ensure that they do not:

• use NDAs in circumstances in which the subject of the NDA may, as a result of its use, feel unable to notify the SRA or other regulators or law enforcement agencies of conduct that might otherwise be reportable;
• fail to notify the SRA of misconduct, or a serious breach of regulatory requirements, by any person or firm, including wrongdoing by the firm or harassment or other misconduct towards others such as employees or clients; or
• use NDAs as a means of improperly threatening litigation or other adverse consequences, or otherwise exerting inappropriate influence over people not to make disclosures which are protected by statute, or reportable to regulators or law enforcement agencies.

Inappropriate use of NDAs may constitute a breach of the SRA’s Standards and Regulations and lead to disciplinary action.

The SRA’s warning notice of March 2018 has since been supplemented with guidance from the SRA to help legal professionals understand and comply with their obligations in relation to NDAs.^[77] In particular, the guidance reiterates the SRA’s previous warning that those regulated by the SRA must not attempt to prevent anyone from making a complaint or providing information to the SRA, or any other body exercising regulatory, investigatory or prosecutorial functions in the public interest. It also states that those regulated by the SRA are under an obligation to ensure that no individual suffers adverse consequences as a result of speaking up about an issue because they consider that it is in the public interest to do so, and that the SRA will take reports of adverse treatment of an individual in this context extremely seriously.

The 2018 warning notice was echoed in the Law Society’s practice note on ‘Non-disclosure agreements and confidentiality clauses in an employment law context’ published in January 2019.^[78] In addition to reiterating that NDAs cannot be used to prevent protected disclosures from being made to relevant bodies, this practice note explains that whistleblowing in the public interest is complex and that parties who wish to blow the whistle will often need professional help. To this end, in June 2020 the Law Society published guidance on NDAs and how to seek related legal advice.^[79] ACAS (a non-departmental public body of the UK government that offers free advice on employment matters) also published advice in February 2020 to help employers and workers understand what NDAs are and how to prevent their misuse.^[80]

19.4.4 Practical questions

19.4.4.1 To whom to blow the whistle

An individual will need to give careful consideration to a decision to blow the whistle externally because this may result in the loss of statutory protection. To be a protected disclosure, the whistleblower must make a qualifying disclosure to an appropriate person or organisation.

In most cases, disclosures should be made to the employer. However, in some circumstances individuals may be protected if they disclose information externally.

Parliament has approved a list of ‘prescribed persons’ to whom a worker or an employee can make a disclosure, provided they believe the information is substantially true and concerns a matter within that person’s area of responsibility. They include (but are not limited to) the FCA, the PRA, the SFO, the NCA, HMRC, the Health and Safety Executive and the CMA. There is no requirement to alert the employer beforehand.

Where the worker or employee reasonably believes a third party (such as a client or supplier) is responsible for the wrongdoing, they can report it to that third party without telling the employer.

Disclosure to other external sources (e.g. the media) is protected only if the individual believes that the information is substantially true and they do not act for gain. So, an individual who receives payment for a story to a newspaper will not be protected. Unless the matter is ‘exceptionally serious’, they must have already disclosed it to the employer or a prescribed person (or believe that, if they did, evidence would be destroyed or they would suffer reprisals). Disclosure to that person must also be reasonable.

19.4.4.2 Requests to sign an NDA

Any request to sign an NDA purporting to prevent an individual from raising whistleblowing concerns should be resisted and will be unenforceable.

19.4.4.3 Challenges to unfair treatment of whistleblowers

An individual who is a worker or employee and who is subjected to unfair treatment by their employing or engaging entity or by other employees or co-workers may have a claim in the employment tribunal against individuals and the entity.

Footnotes