United Kingdom: whistleblowers and self-reporting
This is an Insight article, written by a selected partner as part of GIR's co-published content. Read more on Insight
It is now generally accepted that a corporate is taking a significant risk if allegations that are made – by whistleblowers, by current or former employees, by auditors, by the media, or which emerge through other means – are not taken seriously and, usually, investigated. While an internal investigation may not lead to a self-report,1 the introduction in February 2014 of deferred prosecution agreements (DPAs) in the UK means that the incentive to investigate and potentially self-report has increased. Any US nexus for the company or the problem adds to the incentive to conduct an investigation and self-report if appropriate, so as to mitigate any penalty in due course, assuming the conduct merits prosecution.
The increasing role of whistleblowers in bringing potential misconduct to the attention of authorities can create a powerful incentive for companies to self-report wrongdoing – knowing that, if they do not, the authorities may receive the information from someone else. This certainly appears to be true in the US.2
In the US, under the Dodd-Frank Act in 2010, the US Securities and Exchange Commission (SEC)3 created an Office of the Whistleblower, which is able to provide rewards (ranging between 10 and 30 per cent of the money collected) to individuals who come forward with information that leads to a penalty of over US$1 million. As a result, the number of reports has increased by more than 20 per cent: in fiscal year 2015 the SEC received almost 4,000 tips and issued more awards to more people for more money than in any previous year.4 Other US regulators operate similar programmes under the Dodd-Frank legislation. For example, the Commodities and Futures Trading Commission announced an award of over US$10 million to a whistleblower in April 2016, its largest to date.5 The US Department of Justice is piloting its own whistleblower programme in relation to Foreign Corrupt Practices Act enforcement cases.
In the UK, the Serious Fraud Office (SFO) launched a whistleblowing ‘hotline’ in 2011 – SFO Confidential – but press reports indicate that the take-up of cases has been low. For example, despite receiving 2,508 reports in the 12 months to 30 June 2014, it is only reported to have accepted 12 cases for investigation.6 The UK’s Financial Conduct Authority (FCA) received 1,367 reports in 2014 (the most recent period for which published data is available) – reflecting a year-on-year increase – from which it produced over 1,100 intelligence reports. The FCA has previously indicated that it expects to see an increase in the proportion of reports that lead directly to enforcement action or other intervention, or which provide intelligence of significant value.7
Questions concerning how to deal with internal disclosures made by whistleblowers and, in those circumstances, whether, when and how to self-report matters to authorities are issues that frequently go hand in hand. The decisive and effective management of these issues can help to bring about a swift conclusion to damaging and disruptive action by investigating authorities, or pre-empt any such investigation. They typically involve balancing complex questions of fact and law – criminal, regulatory and employment.
In terms of self-reporting, DPAs underline the benefits that may potentially be derived from proactively self-reporting historic misconduct. Although the first concluded DPA in the UK, approved in November 2015, has been held up by prosecution as a model of how corporates should self-report and cooperate, significant practical questions remain about what exactly corporations must do to benefit from these arrangements, and the limits of permissible challenge to the demands of prosecuting authorities.
This chapter examines how authorities are using and interpreting self-reporting and whistleblowing frameworks and identifies key considerations for corporate organisations and their advisers. Although many of the points made are equally applicable in other jurisdictions, it focuses primarily on the whistleblowing and self-reporting frameworks in place in the UK. The extraterritorial reach of several pieces of key legislation (most notably the Bribery Act 2010) and the comparatively aggressive stance of UK investigating and prosecuting authorities (principally the SFO) mean that developments there are of interest to corporate organisations operating around Europe and the Middle East, even if they are based, or undertake most of their activities, outside the UK.
The current legal landscape
Whistleblowing and self-reporting are both increasingly considered to be fundamental to the ‘culture’ of an organisation. Regulators and enforcement authorities remain preoccupied with promoting cultural change across organisations and businesses in the aftermath of the corporate scandals that have been headline news over recent years.
Authorities and regulators emphasise the importance of challenge; hand in hand with which are appropriate whistleblowing procedures, which employees are expected to be able to use without fear of reprisal.
The SEC has recently stated that it has been told by US in-house lawyers, compliance professionals and law firms representing companies that since the implementation of the Whistleblower Programme, companies have reviewed and enhanced their internal compliance functions to further encourage employees to view internal reporting as an effective means to address potential wrongdoing without fear of reprisal or retaliation.8
In the UK, the FCA encourages firms to consider adopting appropriate internal procedures that will encourage workers with concerns to blow the whistle internally about matters that are relevant to the functions of the FCA or Prudential Regulatory Authority (PRA).9 In October 2015, in response to recommendations by the Parliamentary Commission on Banking Standards in 2013, the FCA and the PRA published new rules which in-scope firms must comply with by 7 September 201610 to formalise whistleblowing procedures which aim to ensure that all employees are encouraged to report suspected misconduct, ‘confident that their concerns will be considered and that there will be no personal repercussions’.11 With effect from 7 March 2016, under these new rules, in-scope firms must allocate responsibility for whistleblowing under the Senior Managers Regime and Senior Insurance Managers Regime to a ‘whistleblowers’ champion’ (who must be a non-executive director).12 The champion has responsibility for overseeing the effectiveness of internal whistleblowing arrangements, including arrangements for protecting whistleblowers against detrimental treatment, preparing an annual report to the board about their operation and reporting to the FCA where, in a case before an employment tribunal contested by the firm, the tribunal finds in favour of a whistleblower. As a result of this new whistleblowing regime, the important role of whistleblowers is only likely to increase.
Under the Bribery Act 2010 (under section 7 of which a relevant commercial organisation commits an offence where a person associated with it bribes another person intending to obtain or retain business or a business advantage for the organisation, unless it can show that it had in place adequate procedures to prevent such bribery), the Ministry of Justice’s statutory guidance on adequate procedures also recommends that companies have in place procedures for the reporting of bribery ‘including “speak up” or “whistleblowing” procedures’.13
There is no doubt that the effect of the adequate procedures defence under the Bribery Act 2010 has been to prompt many companies to adopt or enhance anti-corruption compliance programmes. In addition, in discussing self-reporting, the SFO has been keen to emphasise in its speeches the various avenues through which it may come to hear of alleged criminal conduct including ‘from whistleblowers and disgruntled business rivals. […] Any such source can give us, or more particularly the Director, reasonable grounds to suspect the commission of an offence involving serious fraud, bribery or corruption and, with it, the power to open a criminal investigation.’14
The DPA Code of Practice sets out public interest factors for and against prosecution, which, the Director of the SFO has stated, were designed to incentivise self-reporting and effective compliance controls and encourage corporates to demonstrate that they are ‘serious about behaving ethically’. Consistent with the emphasis on good corporate governance is the fact that a self-report, among other things, is relevant at later stages in the criminal justice process: sentencing guidelines on the sentencing of corporates introduced in October 2014 (to which regard will be had in determining a financial penalty under a DPA) refer to a corporate’s culture as relevant to determining its sentence in the event of a conviction for bribery offences, among others, in the UK: a culture of wilful disregard for the commission of offences will lead to a corporate being placed at the most culpable end of the spectrum and facing the heaviest fines available.15 Further, the amended Public Contracts Regulations 2015 introduced on 26 February 2015 allow blacklisted companies to bid for public contracts if they prove, among other things, that they have ‘clarified the facts and circumstances in a comprehensive manner by actively collaborating with the investigating authorities’.16
For corporate organisations, the benefits of proactively bringing matters to the attention of enforcement authorities are potentially significant. While there can never be any guarantee that notifying issues to enforcement authorities will elicit a forgiving approach, where disclosures by whistleblowers or previously undiscovered documents reveal credible concerns, doing so will usually maximise the chances of forging as favourable an outcome as possible.
Arrangements for self-reporting are relatively well developed in the UK although, as noted below, it is less clear than it once was that the SFO will necessarily look favourably upon approaches by corporate organisations. In February 2014, the UK enshrined in statute arrangements enabling cooperating corporate organisations to enter into DPAs with prosecuting authorities.17 These arrangements allow for investigations to be concluded without an immediate prosecution provided the corporate organisation concerned abides by particular conditions, which will usually include the payment of a substantial fine and the implementation of remedial measures, sometimes including the potentially costly appointment of a monitor. Although the concept of DPAs originates from the US, the versions of these agreements introduced in the UK differ importantly from their US cousins. As amply demonstrated by developments in March 2016 in the US appeal courts, which confirmed the relatively limited role of judges in determining the contents of DPAs in the US,18 the principal difference is that even where prosecuting authorities are prepared to enter into negotiations and agree proposed terms, those terms require the approval of senior judges in the UK.
In November 2015, Leveson LJ approved the first DPA to be concluded in the UK, agreed between Standard Bank and the SFO in respect of conduct which could have been prosecuted using the section 7 offence.19 Since then, senior figures at the SFO have held the case up as a template to be followed by corporates in relation to self-reporting and cooperation. In doing so, they have referred to factors including the short period of time between the discovery of the relevant conduct and it being reported to the SFO, the extent to which the SFO was allowed to influence the company’s internal investigation and access the material derived from that investigation.20 Conversely, they have drawn attention to the prosecution of Sweett Group for the same offence, which followed swiftly after the conclusion of this DPA (and indeed other prosecutions involving other offences) as indications of its continuing ability and readiness to prosecute where it does not consider that corporates are sufficiently cooperative. Without commenting on specific cases, they have previously made clear that assertions of privilege which they regard as exaggerated or false and refusals to make available witnesses’ first accounts or to allow access to witnesses prior to interviews during internal investigations are unlikely to enable them to conclude that a corporate is acting sufficiently cooperatively for a negotiated outcome to be appropriate.
In reality, these cases, and in particular the SFO’s first DPA, do not provide substantial guidance to corporates as to how to approach discussions with the SFO having self-reported apparent historic misconduct. As was recognised by the SFO and the Court in the first DPA, the bank in that case provided an extremely high level of cooperation. Discussions and settlements in future cases will show whether this case is reflective of the SFO’s expectations and where there is scope for challenge to its stated expectations.
Although the UK criminal courts can in some (very rare) circumstances recognise cooperation by individuals with criminal investigations by granting immunity or imposing reduced sentences,21 there are no equivalent provisions enabling individuals to enter into such negotiated settlements with prosecuting authorities. Indeed, it is likely that prosecuting authorities will make the provision of assistance by cooperating corporate organisations against individuals directly involved in misconduct a condition of entering into DPAs.
Protection for whistleblowers
So far as the whistleblowers themselves are concerned, as alluded to earlier, they are generally protected from reprisals. In the UK, whistleblowers are protected by statute. Specifically, the Public Interest Disclosure Act 1998 (PIDA 1998) gives workers making ‘protected disclosures’ the right to complain to an employment tribunal where they are dismissed or suffer any other type of detriment as a result of doing so.22 It also provides that clauses purporting to prevent workers from making ‘protected disclosures’ are void.23 However, this protection is not automatic. In contrast to arrangements in place in the US, disclosures made to parties other than the worker’s employer do not fall within this definition if they are made for the purposes of personal gain. In order to benefit from the protection of PIDA 1998, it is usually necessary for the worker to have sought to resolve the matter internally prior to making a disclosure to an external agency. Under the FCA and PRA’s rules, regulated firms’ whistleblowing arrangements must offer the same protections to any disclosures, including those that do not qualify as protected disclosures under PIDA.24
In other jurisdictions around Europe and the Middle East, although statutory protection for whistleblowers is in place to varying degrees, it is not as broad as that in place in the UK. Indeed, in some jurisdictions, the relatively rigid interpretation of EU data protection legislation and/or cultural mores have inhibited the development of whistleblowing frameworks and the extent to which they are used in practice. In some instances, disparities in the level of protection available to employees making disclosures have given rise to (hitherto unsuccessful) attempts by non-UK nationals employed under contracts governed by the laws of other jurisdictions to bring claims for unfair dismissal in the UK based upon whistleblowing disclosures.25
As noted above, the factors influencing whether or not a DPA may be considered appropriate were designed to incentivise self-reporting. However, in the DPA Code of Practice and the SFO’s public pronouncements concerning the circumstances in which DPAs will be considered appropriate,26 the SFO has sought to perform a delicate balancing act. It remains keen to encourage corporate organisations to come to it voluntarily with details of historic misconduct (not least owing to sustained pressure on the relatively modest resources available to it). However, it has been careful to make clear that it considers its primary role to be the prosecutor of the ‘top slice’ of economic crime in the UK.27 During his tenure, its Director, David Green QC CB, has made it abundantly clear that the SFO is not prepared for negotiated settlements to become the norm or for corporate organisations to expect that they will automatically follow self-reports.
Adding colour to the SFO’s expectations and, in the eyes of many defence practitioners, exceeding the parameters of what the SFO may reasonably require, other senior figures have suggested that the SFO will only consider self-reporting corporate organisations to be genuinely cooperating where they provide unfettered access to witnesses’ first accounts. They have also made clear that the SFO will not consider itself constrained from enquiring into the circumstances in which internal investigations have been conducted prior to a self-report being made.28 Its statements in connection with and since the conclusion of the Standard Bank and Sweett cases show that this remains its position.
Notwithstanding statements by the SFO that nothing in their guidance or public statements of policy is intended to alter the law on legal professional privilege, which safeguards the confidentiality of communications between lawyers and clients in the UK, the relatively narrow definition of cooperation to which it has committed itself will, in many cases, inevitably require waivers of this privilege. This may have the knock-on effect of deterring corporate organisations from coming forward in many cases, particularly where there are concerns about the potential for details of matters informing the commencement of or discovered in the course of internal investigations to become disclosable in follow-on litigation pursued by third parties claiming that they have sustained losses as the result of alleged misconduct. Many corporate organisations considering self-reporting historic misconduct harbour concerns that such a robust stance on the part of the SFO may limit the chances of a self-report leading to the negotiation of a proposed DPA to be placed before a court. They also remain troubled at the prospect that information provided during negotiations may form the basis for the construction of a case against them should negotiations fail. Until further guidance emerges from cases featuring more contentious issues, they are likely to remain cautious.
In the UK (as is the case in other jurisdictions around Europe and the Middle East), whistleblower reports account for a proportion, although by no means the majority, of the investigations commenced by the SFO. They have led to some relatively high-profile successful prosecutions, although to date these have largely concerned individuals rather than corporate organisations.29 More, including some of the SFO’s current flagship investigations and prosecutions into large corporates, are expected to follow. In September 2013, the SFO commenced criminal proceedings against Gyrus Group Limited, the UK subsidiary of Olympus Corporation in connection with a worldwide fraud valued at approximately US$1.7 billion. That investigation flowed from the widely publicised whistleblowing disclosure made by Michael Woodford, the former CEO of Olympus although the investigation has since been discontinued following a Court of Appeal judgment in February 2015, which ruled that English law does not criminalise the misleading of auditors by the company under audit. Separately, in December 2012 the SFO started an investigation into Rolls-Royce following a whistleblower report, which remains ongoing and has not, at the time of writing, yielded any criminal charges.
While, as noted above, the SFO receives substantial numbers of direct whistleblower reports through its dedicated SFO Confidential hotline, constraints on resources, among other factors, mean that only the minority of these progress to formal investigations and prosecutions.
Investigating complaints by whistleblowers internally
There is no one ‘correct’ approach to investigating complaints by whistleblowers. What is necessary and appropriate when following up on disclosures will vary significantly depending upon factors including the jurisdictions, personnel and business areas involved or implicated. It is possible though to identify several key principles to help corporate organisations respond decisively and consistently and to protect their interests when they receive reports of alleged misconduct.
Clear communication underpins a successful response to a whistleblowing disclosure. It is crucial to have in place carefully delineated channels to enable staff responsible for receiving disclosures (whether through a dedicated hotline or other less formal channels) to escalate them quickly and to the right people. In particular, policies and procedures should name a designated member of the senior management of the corporate organisation (probably in its legal or compliance function) who should have a direct reporting line to the board or audit committee. Provision should also be made for how to deal with disclosures naming members of the board or the designated senior manager responsible for handling whistleblowing reports.
Not every whistleblowing report will justify the expenditure of time and resources on comprehensive internal investigations or will involve reports to authorities. When evaluating complaints made by whistleblowers, it is clearly important to guard against complacency or undue cynicism. However, level-headedness and even-handedness pay dividends. Allegations should be viewed dispassionately and, where possible, empirically tested by reference to readily available documents or by means of interviews with relevant individuals (who should be reminded of the importance of confidentiality).
Where initial enquiries show disclosures to be well founded, organisations’ responses should be guided by clear protocols. These should set out the circumstances in which external legal counsel should be instructed (which will usually be necessary at an early stage in order to preserve any applicable privileges). They may also deal with how and when other external specialist resources such as forensic IT consultants or accountants may be sourced. Appropriate senior individuals within the organisation’s human resources function should be identified to coordinate its approach towards the whistleblower and to deal with any disciplinary action in relation to other employees that may be necessary.
Once notified of the fact of serious allegations made in a whistleblowing report, it is of particular importance that the senior management of the organisation are kept appraised of the progress of enquiries into the matters disclosed by the whistleblower. As alluded to elsewhere in this chapter, once evidence emerges establishing that complaints appear to be well founded, the window within which corporate organisations may receive maximum credit for self-reporting actual or suspected misconduct to the appropriate authorities is relatively short.
The FCA and PRA’s new whistleblowing rules may require some regulated firms to enhance existing whistleblowing procedures. Such firms should have appointed a whistleblowers’ champion before 7 March 2016. When selecting a whistleblowers’ champion due consideration should be given to that individual’s responsibility for ‘ensuring and overseeing the integrity, independence and effectiveness of the firm’s policies and procedures on whistleblowing and for ensuring staff who raise concerns are protected from detrimental treatment’.
Deciding whether, when and how to self-report
In many jurisdictions, corporate organisations (and, in some circumstances, individuals) are under regulatory obligations positively to self-report actual or suspected misconduct or allegations of such misconduct. However, where there is no obligation to self-report, deciding whether to do so voluntarily is among the most critical decisions to be taken upon receipt of a whistleblowing disclosure or discovery of material suggesting historic wrongdoing.
When determining whether self-reporting is appropriate, corporate organisations and their advisers have to balance a series of risk and other factors. There will be times when a self-report is likely to be the only sensible approach – particularly where a whistleblower has made serious allegations. In other, less clear-cut cases, while self-reporting may help to establish or maintain a favourable dialogue with authorities should a formal investigation follow or confer benefits should the matter be deemed suitable for a negotiated outcome, doing so is not without risk. Bringing matters to the attention of authorities voluntarily may prompt scrutiny that may otherwise have been legitimately avoided or may result in long and costly investigations and negotiations.
Before making a self-report, it will usually be necessary to conduct an internal investigation to test the information giving rise to concerns and to ensure that any report made to authorities is as complete and accurate as possible. How long this takes will depend on a range of factors including when the alleged conduct took place, how many individuals are alleged to have been involved and the availability of relevant documents and individuals for interview. It is crucial, however, to ensure that steps are taken immediately to preserve all relevant documents and that such investigations are carefully scoped and proceed expeditiously.
Where corporate organisations determine that it is necessary to make a report to authorities, the challenges facing them are to demonstrate that any self-report has been made in a timely fashion, has been made genuinely voluntarily (ie, not simply because public disclosure or a regulatory or criminal investigation is imminent) and contains enough meaningful information to enable the authority concerned to make an informed assessment as to how to proceed. In some jurisdictions, self-reporting before others secures immunity or leniency under statute. Even in jurisdictions where this is not specifically provided for, corporate organisations contemplating self-reporting should aim to be the first to do so to maximise credit. Generally, authorities will acknowledge that internal investigations into complex matters which may have occurred many years ago take time, and give credit for initial notifications once key facts have been established accompanied by indications that a fuller report will follow the completion of a more thorough investigation. In some instances, authorities will insist on being involved in internal investigations and may make provision of witnesses’ full first accounts a condition of their being prepared to entertain the prospect of a negotiated settlement.
Self-reports to authorities are not generally made in a set format, but instead usually take the form of a preliminary notification (normally verbal) soon after receiving notice of potential wrongdoing followed by a more detailed written or oral report after further investigation. The nature and scope of disclosures to authorities vary significantly between, and often within, jurisdictions and may depend on whether the issues cross borders. Specifically, whether it is possible to preserve any applicable privileges by providing reports orally rather than in writing will depend on the circumstances.
Whichever format is used to report matters to authorities, corporate organisations and their advisers should assume that information provided to one enforcement authority will be passed to others and that referrals may be made where they have parallel jurisdiction over some or all aspects of the corporate’s activities. They should also not assume that disclosure to one means that others are aware of the matter and full assessments should be made of whether it is necessary to make separate notifications to other specific authorities (whether in the same jurisdiction or elsewhere) who may expect to be told of the alleged misconduct or of the fact of other investigations by or at the behest of enforcement authorities.
- It may depend, for example, on the nature and seriousness of the offence, whether it is a one-off or systemic issue and whether it can be remediated swiftly.
- Speech by Mary Jo White, ‘The SEC as the Whistleblower’s Advocate’, 30 April 2015.
- Other authorities such as the Internal Revenue Service have had whistleblower programmes for many years.
- SEC Office of the Whistleblower 2015 Annual Report on the Dodd-Frank Whistleblower Programme, www.sec.gov/whistleblower/reportspubs/annual-reports/owb-annual-report-2015.pdf.
- ‘Questions over SFO funding as whistleblowers not followed up’, The Times, 7 April 2015.
- Speech by Mary Jo White, ‘The SEC as the Whistleblower’s Advocate’, 30 April 2015.
- SYSC 18.2.2 [G].
- FCA Policy Statement PS15/24 containing its rules applicable to deposit takers with assets over £250 million. The rules are set out in the FCA Handbook at: SYSC 18.1, SYSC 18.3, SYSC 18.4 and 18.5. The PRA rules are set out in its Policy Statement PS24/15, the PRA General Organisational Requirements Rulebook (applicable to CRR Firms) and its Whistleblowing Rulebook (applicable to solvency II firms) and PRA Supervisory Statement SS 39/15 (applicable to deposit takers with assets greater than $250 million, PRA designated investment firms and insurers).
- FCA Handbook SYSC 18.3 and PRA SS 39/15 – paragraph 2.1.
- These new rules also require UK-based employees to be told about the PRA and FCA whistleblowing services.
- Ministry of Justice Guidance about procedures which relevant commercial organisations can put into place to prevent persons associated with them from bribing, at paragraph 1.7.
- Speech by Alun Milford, General Counsel SFO, ‘The Use of Information to Discern and Control Risk’, 2 September 2014.
- Sentencing Council’s definitive guidelines for fraud, bribery and money laundering offences, October 2014.
- The Public Contracts Regulations 2015, Regulation 57(15).
- Crime and Courts Act 2013, section 45 and Schedule 17.
- See United States of America v Fokker Services BV.
- For full details and links to the Statement of Facts, judgments and formal agreement, see www.sfo.gov.uk/2015/11/30/sfo-agrees-first-uk-dpa-with-standard-bank/.
- See, for example, a speech given by Alun Milford, SFO General Counsel on 29 March 2016, www.sfo.gov.uk/2016/03/29/speech-compliance-professionals/.
- Serious Organised Crime and Police Act 2005, sections 71 and 73.
- Employment Rights Act 1996, section 43B.
- Employment Rights Act 1996, section 43J.
- www.fca.org.uk/static/documents/consultation-papers/cp15-04.pdf at paragraph 2.15.
- See, for example, Smania v Standard Chartered Bank  I.C.R. 436.
- Deferred Prosecution Agreements Code of Practice, published jointly with the Crown Prosecution Service (February 2014), www.sfo.gov.uk/media/264623/deferred%20prosecution%20agreements%20cop.pdf.
- See, for example, speech by David Green QC CB, Director of the SFO given to the Fraud Lawyers Association in London on 26 March 2013, www.sfo.gov.uk/about-us/our-views/director’s-speeches/speeches-2012/inaugural-fraud-lawyers’-association.aspx.
- See, for example, speech by Alun Milford, General Counsel of the SFO, to the Global Investigations Summit in London on 15 October 2014, www.sfo.gov.uk/about-us/our-views/other-speeches/speeches-2014/alun-milford’s-speech-to-the-global-investigations-summit.aspx.
- See, for example, prosecutions of individuals associated with Torex Retail PLC, www.sfo.gov.uk/press-room/latest-press-releases/press-releases-2013/final-conviction-in-torex-retail-false-accounting-case.aspx.