1. Home
  2. |Insights
  3. |Whistleblowing – A Guide to Compliance: Part 5

Whistleblowing – A Guide to Compliance: Part 5

Client Alert | 6 min read | 12.02.21

Crowell & Moring LLP’s 2021 series of client alerts: Whistleblowing – A Guide to Compliance is intended to provide companies with a practical guide to help them comply with their obligations under the EU Whistleblower Directive. Via a monthly alert, Crowell & Moring LLP will explain the different steps that companies need to take for compliance and emphasize various points for consideration.

STEP #5: Can your company implement a centralized, group-wide whistleblowing scheme or must each separate legal entity implement its own reporting channels and procedures?

1. What does the European Commission say?

The European Commission recently issued two statements[1] confirming that, in its view, the requirement in the EU Whistleblower Directive that all legal entities with 50 or more workers must set up channels and procedures for internal reporting means that it is not enough for reporting procedures to be established only in a centralized manner – in other words, allmedium-sized and large companies belonging to a group must have their own reporting channels in place as well.

The Commission justifies this interpretation on the basis of two main reasons: the need for proximity of the reporting channels to the whistleblower and the likelihood that there will be some differences in the implementation of the EU Whistleblower Directive at national level. Furthermore, although a centralized whistleblower scheme should ensure the consistent processing of whistleblower reports across the whole group, the Commission does not consider this to be sufficient reason to accept group-wide reporting schemes only. It points out that consistent processing across the group can also be achieved through appropriate “upstream” knowledge-sharing between group companies, relevant trainings and exchange of good practices.

2. What flexibility is there regarding a centralized procedure?

The Commission did emphasize that the EU Whistleblower Directive does not prohibit companies from setting up a group whistleblowing scheme if they so wish, in addition to their schemes at subsidiary level. Furthermore, parent companies are permitted to open their reporting channels to workers of their subsidiaries, thus allowing those workers to report through parent company channels should they so wish (e.g., if they feel safer reporting in this way, or if they think that the breach is most likely to be effectively resolved by the parent company). However, this should be an additional possibility that may not be turned into an obligation to report to the parent company.

The Commission put it as follows: “a corporate policy instilling trust in the group whistleblowing scheme, possibly accompanied by an information policy publicizing its availability and encouraging whistleblowers to report directly to the central group whistleblowing scheme may result in whistleblowers tending to report there. However, the possibility to report to the subsidiary where the whistleblower works must remain effectively available.

3. Are there other flexibilities allowed by the EU Whistleblower Directive?

a)Reporting channels may be provided externally by a third party

Companies may decide to outsource the operation of reporting channels to an external platform provider. In such case, the external platform provider is responsible only for receiving the reports and acknowledging receipt; the designated person/department within the company remains responsible for the necessary follow up as regards investigating and addressing the breach, and providing feedback. 

b)Medium-sized companies can join forces or benefit from the parent company’s investigative resources

Companies with 50 to 249 workers, whether they belong to the same group of companies or have no link to each other, are allowed to share resources to receive reports and conduct subsequent investigations. The responsibility to maintain confidentiality, to give feedback, and to address the reported breach remains with each individual company concerned.

Specifically for medium-sized subsidiaries, the Commission underlines that where compliance programs are organized at group level the subsidiary should be able to benefit from the investigative resources of the parent company provided that:

  1. reporting channels exist and remain available at the level of the subsidiary;

  2. clear information is provided to the whistleblowers as to the fact that a designated person/department at headquarters' level would be authorized to access the report for the purpose of carrying out the necessary investigation, and the reporting person has the right to object to that and to request that the reported conduct is only investigated at the level of the subsidiary. According to the Commission, it should remain the whistleblower’s choice whether to have his/her report handled only at subsidiary level or not. It is emphasized that if this choice is not left with the whistleblower, s/he would directly turn to external reporting channels, thereby depriving the company of the chance to swiftly address the matter without incurring reputational and/or financial damage; and

  3. any other follow up measure is taken and feedback to the reporting person is given at subsidiary level.

Companies with 250 workers or more do not benefit from the above flexibility.

c)What if there is a structural problem, or if a report affects two or more entities within a company group?

According to the European Commission, there is some flexibility where a report reveals a structural problem or affects two or more entities within the same group. In this case, if the problem can only be effectively addressed by a cross-border approach that goes beyond the power of the subsidiary where the report was made, it would be compatible with the EU Whistleblower Directive for the person/department designated to follow up on the report to inform the reporting person of this problem and ask for her/his agreement to report the facts to the appropriate company within the group.

However, the Commission does insist that the reporting person be informed at the same time that if s/he does not agree s/he may withdraw the internal report and report externally to the relevant competent authority. In our opinion, it is arguable that this is the correct approach. By giving the whistleblower the possibility to withdraw his/her report in these circumstances and submit an external report directly to the competent authorities, the European Commission appears effectively to deprive the company of the opportunity to first deal with the report internally. This is in contradiction with the EU Whistleblower Directive itself, which emphasizes that reporting through internal reporting should be encouraged above reporting externally.

d)Possibility to share the outcome of a given case at group-level

The EU Whistleblower Directive does not prohibit sharing the outcome of a given case at group-level, provided the confidentiality requirements of the Directive are respected.

4. Critical remarks and conclusion

By stating that it is not sufficient for group companies to establish a centralized, group-wide whistleblowing scheme, and by insisting that each separate entity have their own channels in place, the European Commission ignores the fact that it is common practice for groups to centralize their reporting channels and takes, in our view, a position that lacks pragmatism and is even unrealistic. The Commission also fails to acknowledge the significant advantages of centralized reporting channels, which promote efficiency and ensure the consistent processing of whistleblower reports and uniform application of compliance standards across the group. An obligation on each subsidiary to implement separate internal reporting channels would not only augment costs, it would also result in the need for additional administrative resources. Furthermore, the Commission fails to take into consideration the fact that a centralized scheme may better protect a whistleblower, for example, where there is a risk of immediate identification if a report is made at subsidiary level, or where the subsidiary’s management is involved in the breach.

If the Commission’s current position is followed, the EU Whistleblower Directive will have a significant impact on many group companies. To date, Denmark has decided to allow companies to continue using their existing centralized, group-wide whistleblower schemes. It remains to be seen how other Member States will cope with this issue.

As regards Belgium, there is a high chance that the Belgian legislator will follow the Commission’s position as closely as possible, even though it’s interpretation is not binding. In any event, companies should keep in mind that any derogation from the Directive’s requirements could result in whistleblowers reporting directly through available external reporting channels, and this could put at risk the legitimate interests and reputation of the company concerned.

Our team assists client with the complete whistleblowing implementation process.

[1] European Commission – JUST/C2/MM/rp/(2021)3939215 – June 2nd, 2021 and European Commission – JUST/C2/MM/rp/(2021)4667786 – June 29, 2021.

Insights

Client Alert | 3 min read | 03.28.24

UK Government Seeks to Loosen Third Party Litigation Funding Regulation

On 19 March 2024, the Government followed through on a promise from the Ministry of Justice to introduce draft legislation to reverse the effect of  R (on the application of PACCAR Inc & Ors) v Competition Appeal Tribunal & Ors [2023] UKSC 28.  The effect of this ruling was discussed in our prior alert and follow on commentary discussing its effect on group competition litigation and initial government reform proposals. Should the bill pass, agreements to provide third party funding to litigation or advocacy services in England will no longer be required to comply with the Damages-Based Agreements Regulations 2013 (“DBA Regulations”) to be enforceable....