Financial Services Compliance and Regulation
Local and global compliance expertise for the financial services industry.
Today, the overwhelming majority of financial organizations acknowledge that whistleblowing programs play a necessary role. Nearly three-quarters (73 percent) of firms represented in our survey have whistleblowing programs in place. A strong majority (86 percent) of this year’s survey respondents at least somewhat agree that whistleblowing programs should be mandatory, and even more (93 percent) at least somewhat agree that regulators should have whistleblowing programs. Two-thirds believe that whistleblowers whose actions help uncover violations should be compensated (see Figure 6).
There are good reasons for these attitudes. In financial services, the potential risks posed by ineffective controls or misaligned incentives are high, and a comprehensive whistleblowing program can be an effective early warning system that allows management to get out in front of these or other problems before they become true crises, with the legal and reputational problems that follow. Indeed, recent research confirms that companies that actively use their internal reporting mechanisms face fewer material lawsuits and pay smaller settlements.1
However, just because a firm has implemented a whistleblowing program that meets legal and regulatory requirements does not mean that the program will be strategically useful. For a whistleblowing program to be a true asset, it must be operationally effective and supported by the culture of the firm. Our survey shows that for any given component of a whistleblowing program, between roughly one-fifth (19 percent) and one-quarter (28 percent) of respondents feel their firm is less than effective; the whistleblowing programs of 32 percent of the firms surveyed have at least one component that is less than effective (see Figure 7).
Furthermore, it is interesting to note that the percentage of respondents with whistleblowing programs in place (73 percent) lags behind the percentage of those who at least somewhat agree that whistleblowing programs should be mandatory (86 percent). Clearly there remains work to be done.
While legal and regulatory requirements may not be sufficient to create an effective whistleblowing program, they are a necessary starting point. Many financial services institutions are covered by multiple whistleblowing regimes, depending on the jurisdictions in which they operate and the products they offer, and these regimes may differ significantly from one another. France’s Sapin II law, for example, requires whistleblowers to follow certain predefined escalation steps. In the United States, whistleblowers are protected by various regulations depending on the nature of the violation being reported.
Beyond the various legal requirements governing whistleblowing programs and the protections offered to whistleblowers, firms must also consider two other factors. First, the escalation strategy of the whistleblowing program must align with the various governance duties bestowed upon management and board members–duties that may be defined differently from jurisdiction to jurisdiction. Second, whistleblowing programs must handle data from and about the whistleblower in accordance with the applicable data privacy laws, such as the GDPR.
Firms thus must begin by ensuring that their whistleblowing program meets these various requirements. Furthermore, given that whistleblowing regulations and best practices continue to evolve, it is important for firms to stay actively informed of changes and developments.
Most whistleblowing programs offer both phone-based and online channels for reporting incidents. While whistleblowing may not seem to exist within a competitive marketplace, in most cases potential whistleblowers have the option of turning instead to regulatory authorities, trade associations, or the media with their allegations. Because of this, whistleblowing platforms should meet the same best practices for usability and accessibility as consumer products are expected to. In addition, because of the sensitivity of the information involved, both the portals and the associated data handling should be highly secure.
Behind the public face of the whistleblowing program lie the mechanics: the ability to take in and prioritize alerts, validate information, manage cases, and make decisions regarding escalation and the appropriate response. And all of this must be done while maintaining the confidentiality–if not anonymity–of whistleblowers in order for them to feel comfortable coming forward and then cooperating during the investigative phase.
While every possibility cannot be foreseen, it is critical that each of these elements be governed by pre-established guidelines so the program is effective and fair in the eyes of employees and is able to withstand scrutiny in the face of any subsequent internal or external investigation. Those guidelines will provide a solid foundation from which management and the board, acting with the firm’s general counsel and outside lawyers and consultants, can make what may be difficult decisions. Each whistleblowing case needs to be appropriately documented and reviewed to identify trends and systemic weaknesses and to preserve the rationale for cases where no action was deemed to be necessary.
Organizations implementing whistleblowing programs for the first time are often surprised by the number of alerts that are generated. Because one of the quickest ways to undermine confidence in a whistleblowing system is to have a perpetual backlog of cases waiting to be addressed, it is essential for companies to carefully monitor their whistleblowing case flow to be sure that allegations are addressed in a timely manner.
The most extensive whistleblowing program will be ineffective if employees do not sense that it has the support of the firm’s senior leadership. Management needs to regularly communicate not just that whistleblowing is supported, but also that it is an important control to ensure a culture of integrity.
It is also important that employees receive regular training in whistleblowing procedures. To be most effective, this training should be part of ongoing education covering ethics, transparency, and compliance. Employees should feel that, while the whistleblowing procedure is an option at their disposal, it is a fairly serious course of action and should be reserved for when there is a reasonable belief that normal reporting channels are inadequate. Having employees who can make that distinction in an informed way under real-world conditions will improve the whistleblowing “signal-to-noise ratio” so that resources can be focused where they are most needed.
Every line item in a firm’s expenditure must justify its existence, and whistleblowing programs are no exception. This constraint, in fact, is what prevents many firms from making their whistleblowing programs more than effective. But adequate resource allocation should be seen as an investment rather than an expense; our survey found that firms that spend 6 percent or more on regulatory compliance give higher ratings to the components of their whistleblowing programs than firms that spend 5 percent or less. Firms that make that investment can expect to be rewarded with stronger capabilities in managing regulatory compliance, firm culture, and reputation.
1 “Research: Whistleblowers Are a Sign of Healthy Companies,” by Stephen Stubben and Kyle Welch, Harvard Business Review, November 14, 2018.