On October 7th, 2019, the European Parliament published the Directive on the Protection of Persons who Report Breaches of Union Law, most commonly known as the Protection of Whistleblowers directive, which requires member states to implement it fully by May 15th, 2021.
The new rules were created to ensure the safety of those who report breaches of the law that may be harmful to the public interest. According to the directive, fear of retaliation may discourage whistleblowers and thus promote (or, at the very least, allow) the harm they intended to prevent in the first place.
The implications of the directive go deep and bring significant change to the way organizations prevent and manage issues from money laundering to consumer and data protection. Although some companies in EU member countries had already established channels to report wrongdoing, few of them follow up on the process and ensure there’s no professional or personal retaliation for the whistleblower.
The directive has three main takeaways that must be understood by all affected organizations and their members.
1. The growing scope of regulations
First, the directive applies to all private organizations with over 50 employees or with an annual turnover in excess of EUR 10 million, whatever their activity. This showcases a larger trend in terms of compliance, which is slowly shifting away from the financial sector (which has to comply even if it doesn't meet the aforementioned thresholds) and into economic activity as a whole.
As the scope of regulations and regulations themselves continue to grow, businesses should stay one step ahead by creating compliance areas, enforcing all policies they can afford to even when they’re not obligated to do so, and keeping track of regulatory trends to prepare for what’s coming. Ensuring good practices before they’re regulated is a good practice in itself.
2. The basics of whistleblowing
Article 13 of the directive states that in order to be protected, whistleblowers must fulfill two conditions: to act in good faith and to use internal reporting channels before going to the public.
The first one refers, essentially, to the fact that those who report must have reasonable grounds to assume the sensitive information in question is actually related to a breach of EU law that can cause harm to the public interest.
The second one establishes that going to the public or the media is the last resort, to be used only if internal channels (the first option) and going to the competent authorities (the fall-back option) fail. This condition leads to the next takeaway: that companies must create effective internal channels for reports to be made.
3. The likely need for a new committee, and the technology to manage it
The third takeaway stems from the second and has a more practical focus for organizations, as it's about the governance implications of the directive. Article 4f of the directive establishes that organizations must set up the internal reporting channel in a way that ensures independence and absence of conflict of interest.
While in smaller entities one person is enough to handle the reporting channel and all its functions, larger organizations will need to set up a committee to process reports, and a carefully selected and dutifully observed one at that, since the obligations don’t stop at taking in the report.
The team or committee in charge must follow up on reports within seven days, and provide a response to the reporter within three months. They must also keep a thorough and easily accessible record of the procedures in case it's necessary to report to competent authorities, meaning the Member States themselves, who must ensure the second-stage reporting channels.
Ensuring the proper operation of reporting committees is no easy feat, as the inquiry into the reports will likely require a series of meetings and actions to be completed, followed up on and documented, which will then prompt further actions. To do this while complying with the documentation requirements of the directive, the committee's activity must be handled through tools that allow it to set the proper agenda for each meeting and keep track of all previous and resulting tasks, as well as to record the decision-making process that leads to the resolution of the case.
This directive is not the only one that requires such strict record-keeping: committees related to AML or crime prevention, ethics, and internal audit must also tackle those demands through technology. And as the number of required committees continues to grow, so will the need for organizations to have a tool prepared to manage their increasingly complex governance structures.