Make your Whistleblowing system work (for you)

More than one year after the deadline for transposing the Directive, parliament voted on the Bill on Whistleblower Protection on 2 May 2023. While the legislator can now move on, the work for entities in scope—which are many—only begins. There is a lot to do.

The “Directive on the protection of persons who report breaches of Union law” sets EU standards for implementing reporting channels. Whistleblower protection is, at its core, to ensure persons feel comfortable to come forward. Whistleblowing is also an effective detection method for misconduct and allows organisations to remediate cases internally and early which limits financial and reputational damage.

Luxembourg allows reporting of anything ‘illicit’. The variety of possible reports is thus huge, ranging from petty crime to bodily harm, harassment, financial crime and more.

Entities in scope are many: in principle, all financial sector entities due to the associated link of money laundering, private sector ones with min. 50 employees and all public sector entities. The law also foresees sanctions for non-implementation—and implementation is required immediately upon publication (except for private entities with less than 250 employees: they have until 17 December 2023).

In comparison, current regulations e.g. Circular 12/552, speak little of whistleblowing. Existing systems will require an upgrade or new systems must be implemented. Both will, in practice, require the implication of various stakeholders, e.g. Compliance, HR, Legal, DPO and staff delegations. The most important stakeholders are however the potential whistleblowers themselves—ultimately, they must ‘approve’ of the system, or will take their grievances elsewhere.

A tool can address many needs

Acquiring a software can be tedious and a first impulse might be that an internal set-up can do the job. “In theory, you can also do transaction monitoring manually under certain conditions,” says PwC Luxembourg’s Director, Forensic and AML/Anti-Financial Crime, Boris Rohwedder, “but this is not recommended for effective compliance.”

Having an internal mailbox—a common set-up so far—does not suffice anymore since externals, e.g. suppliers, need access also. Even with a mailbox on the website, one might lose overview or breach the law’s strict timeframes; drawing up reports is potentially time consuming and communication with whistleblowers might be limited, as many create fake accounts and delete them directly.

However, various providers have already developed tools for the management of reports. , Europe’s leading provider of digital whistleblowing systems and is using its tool when assisting clients with implementing a system or with managed services for their alert management.

Such tools allow reporting in various languages, different case managers can be assigned, reminders for deadlines set and all steps are duly recorded for a complete audit trail. The tools allow confidential communication with the whistleblower to ask for more details. All those features support compliance with key requirements of the law.

What makes a whistleblowing system effective is not (only) in the law

The technical part is however only the starting point.

You need to have sufficient and trained staff to monitor incoming reports. Alert analysis and resulting investigations require trained experts and potentially legal or external support. Especially for smaller organisations, making the system operate might be tough, given the number of dedicated employees needed.

In order to be effective, you also need continuous communication. It is key that people understand how they are protected and what the consequences for knowingly spreading false information are. This starts with a policy but should follow a long-term communication plan with regular training to raise awareness, information to staff on actions taken or surveys to assess the knowledge about and trust in the system. It is crucial that the robustness of the approach is generally accepted and that it is important to prevent and detect issues.

The number and type of reports should also be analysed. If many reports relate to a specific topic or area, maybe this calls for a control review or targeted audit. If you receive many complaints that do not relate to criminal matters, training might need to be adapted.

“The biggest warning sign for me would be not to have any reports at all.” says Tamara Czetto, Manager at PwC. “This might represent a lack of trust in the system and worst case, you will read about the case in the press”.

Want to know more?