The new Whistleblowing Law: if you think you are not in scope, think twice

Initially published on AGEFI

On 16th of May 2023, the EU Directive 2019/1937 on the protection of persons who report breaches of Union law was transposed by Luxembourg. It has now been effective for nearly a month. 

Overlooked by some and underestimated by others, the law focuses on the protection of whistleblowers against retaliation and shall encourage and enable the identification and rectification of wrongdoings within entities in the public and private sector. To achieve this, the implementation of internal reporting channels is required. It goes far beyond existing requirements and many entities will have to update their systems and policy framework or implement one from scratch.

But we are not in scope, are we?

Article 6 of the new law specifies which entities are obliged to establish internal reporting channels. At first glance it says:

  1. Public sector entities

  2. Private sector entities with at least 50 employees

Yet, as so often, the devil is in the details, and financial sector entities might be in for a big surprise: the threshold of 50 employees does not apply to financial sector entities.

Article 6 (2) contains this important sentence: “This obligation is without prejudice to any lower thresholds retained in special laws.” Such a “special law” is the AML Law of 2010 which was complemented by Circulars 12/552 and 18/698 as well as the EBA guidelines. These already require the implementation of whistleblowing channels with a lower threshold: none. Thus, for all financial sector entities falling under these “special laws”, the new whistleblowing law applies - and since the AML law concerns basically every financial sector entity, this includes banks, funds and ManCos even if there’s only one employee. The new law shall in fact complement existing requirements as the initial Directive stated: “to ensure consistency and legal certainty across Member States, this Directive should be applicable in respect of all matters not regulated under the sector-specific acts, and thereby should complement such acts, so that they are fully aligned with minimum standards”.

But we have time, right?

Ready for more surprises? Art. 28 of the new law says that private sector companies with 50-249 employees have until 17 December 2023 to implement internal channels. But again, following the argumentation above, this does not include financial sector entities: for them, implementation is actually required immediately.

Thus, all public sector entities (no employee threshold), all financial sector entities (no employee threshold) as well as all other private sector entities with 250 employees or more have to implement the law since mid-May 2023.

“It is likely that many entities, especially in the financial sector, are right now effectively breaching the law” says Michael Weis, Anti-Financial Crime Leader at PwC Luxembourg. “There is a risk of sanction and reputational risks if entities do not have proper whistleblowing channels”. So you better act NOW!

Who will check?

Various competent authorities can verify whether an entity has implemented internal reporting channels according to the new law and can issue sanctions. The law lists a total of 22 competent authorities, and the CSSF is in charge of the financial sector. Sanctions can go up to 250.000€, and twice that amount for repeated breaches within a period of 5 years. In addition, non-implementation or refusing to remedy a violation might be met with reputational damage for the entity in question or, in the worst case, unchecked continuation of wrongdoing.

It’s also important to remember that if internal reporting channels do not exist, are inadequate or are not trusted, people are allowed to turn directly to one of the competent authorities, who will then investigate. Under certain circumstances, people are even allowed to disclose information about a violation publicly. Financial sanctions are therefore perhaps the least of the worries. Entities should rather consider the risk that corporate wrongdoing will be published on Twitter or Facebook without them having had the chance to assess and remedy the issue internally.

But we already have something, so there’s not much to do?

Those who think that the new law will just require a quick update of existing policies established to comply with, e.g., Circular 12/552 might be surprised again. To illustrate this: 12/552 covers internal alert arrangements in two sentences, whereas the new law has 28 distinct articles. Not to mention that international entities will have to check the national laws in every single EU country they operate in and can’t simply rely on group set-ups.

Some of the requirements and their practical implications are detailed below.

  1. More people can report

A first important change compared to existing regulations is the personal scope, i.e. who is allowed to report. This includes employees and civil servants, paid or unpaid trainees and interns, former and prospective employees, the self-employed, employees of subcontractors or suppliers, shareholders and members of the administrative, management or supervisory body, including non-executive members. The law does not list clients; however, entities might want to include this group as well.

A reporting channel that is reachable only from inside the entity will therefore not suffice to capture all these people.

The law also demands clear and easily accessible information about the use of the internal channels. As a logical consequence, this information needs to be available to all persons who are allowed to report, and an internal policy alone is not sufficient. Instead, entities should think about publishing information on their website and potentially including certain clauses in their contracts, e.g. with suppliers.

  2. All crimes can be reported

Entities also need to clearly state what can be reported - it is important to stress that it is not a channel for complaints. Instead, the purpose is to detect or ideally prevent crimes, and persons can report any violation or omission which is illegal. So, as opposed to existing regulations, reporting is not limited to money laundering or internal governance, although these are clearly included. Reports can now, for instance, contain information about theft, harassment, bodily harm and all types of fraud or financial crime.

Consequently, entities should have people able to deal with this variety of topics, or ensure that external legal support can be consulted quickly. Entities should also have certain crisis management measures in place in case of reports about serious wrongdoing.

  3. A designated person or department to assess reports

The law does not detail who should be in charge of the whistleblowing channel, but it does require an impartial person or service. Internal set-ups could involve Compliance, Internal Audit or HR, but it will depend on each entity’s structure whether these can be considered truly impartial.

The law also explicitly mentions the option of an external party to manage the channels. This might be seen as a more objective and thus trusted way to receive and handle reports and to prevent retaliation. 

Whatever the set-up, the law demands a “suivi” (follow-up) for each case, that is, assessing the accuracy of the allegations, e.g. through internal investigations, and, if necessary, remedying the violation. Entities should check beforehand what kind of information they are allowed to investigate and how this can be done operationally, e.g. if and how corporate emails can be reviewed.

External parties might be able to help with assessing allegations, including forensic investigations. Their early involvement could speed up the process in case of a serious report.

  4. Communication with the whistleblower

Existing regulations do not mention any requirement to keep a whistleblower informed. Under the new law, reporting persons need to be provided with a “retour d’information”, i.e. feedback, after a maximum of three months. This implies that the report needs to be investigated within this timeframe, although it does not need to be closed by then. In practical terms, this requires sufficient staff to meet the deadlines, adequate staff training to investigate allegations and/or external support.

“Especially for smaller entities, the required effort to maintain the channels might be significant,” says Boris Rohwedder, Director in Forensic Services at PwC Luxembourg. “If you only have a handful of people, running an effective whistleblowing system on your own might be impossible.”

  5. Protection against retaliation and burden of proof

Both the report and the subsequent investigation fall under strict confidentiality, and the identity of the reporting person needs to be protected. In addition, the law prohibits any form of retaliation and establishes a reversed burden of proof: anything that could constitute retaliation against a reporting person will be considered as such unless the entity proves otherwise. This means that each investigation step needs to be properly documented in view of a potential trial.

  6. Intake and case management

The law does not prescribe how exactly entities should run their whistleblowing systems. So far, common solutions have involved an internal mailbox handled, e.g., by Compliance. Yet this limits communication with a whistleblower who might want to stay anonymous. Several people would need access to the mailbox to comply with the timeframes, but this might breach the confidentiality requirements. Documentation kept within a mailbox, possibly with separate folders for notes and meeting minutes, might be inadequate for quickly presenting an audit trail.

Different software providers, such as EQS Group, Europe’s leading provider of digital whistleblowing solutions, already offer tools for receiving and managing reports, confidential communication with the whistleblower, differentiated access rights per case, and documentation and reporting options within the tool. Implementation is customizable, and different languages (incl. Luxembourgish) are already built in. Together with EQS, we also offer managed service support for entities that would like to outsource part of their whistleblower-line activities in order to avoid an overly heavy in-house set-up; this includes optional support for investigations.

What now?

Implementation will require a review of policies and procedures, governance, training, communications and possibly software selection. Various people and departments need to be involved, including Compliance, Legal, IT, HR, communications and the DPO. Other policies and training might have to be adapted, e.g. the code of conduct, the privacy policy or compliance training. Also, anonymised information from reports on control weaknesses should be fed into control reviews, internal audits and the compliance monitoring plan.

“Whistleblowing channels are one of the best ways to detect and remedy wrongdoings; having a strong speak-up culture can be an important information source and competitive advantage for entities if handled properly,” says Tamara Czetto, Manager in Forensic Services at PwC Luxembourg.

To get started, entities should first establish who will be in charge of the whistleblowing tool (internally or externally) and ensure that an adequate channel is immediately available. Then a project team should be composed, potentially with external support, to check compliance but also to ensure the effectiveness of the channel - because after implementing all the requirements of the law, the real challenge will be to make people actually trust the system.

Contact us

Michael Weis

Advisory Partner, Forensics & Anti-Financial Crime Leader, PwC Luxembourg

Tel: +352 49 48 48 4153
