Navigating the world of whistleblowing and complaints channels can be challenging for businesses aiming to maintain compliance and foster a culture of transparency.
In this article, we'll explore the ins and outs of mandatory reporting channels, from understanding what a mandatory reporting channel is, to identifying which companies are required to have one. We'll also delve into the types of violations that can be reported, and the essential requirements for an effective whistleblowing channel, while also providing actionable insights to help organizations excel in their compliance efforts.
A mandatory reporting channel in whistleblowing is a designated pathway, required by law, through which employees or other individuals can report concerns or suspected misconduct, such as fraud, corruption, or illegal activities, within an organization.
It is often a legal requirement in specific industries or countries to ensure transparency, accountability, and compliance with relevant regulations. For example, in Europe, the EU Whistleblowing Directive introduced requirements for companies in member states to have a mandatory reporting channel in place. Under the Directive, all member states need to develop a legal framework under which companies set up internal reporting channels.
According to the EU Whistleblowing Directive, companies and public sector organizations in all member countries are required to establish a mandatory reporting channel, depending on their size and nature. This applies to:
• Private sector companies with 50 or more employees. However, some member states may decide to extend this obligation to smaller companies, especially those operating in high-risk sectors.
• Public sector organizations, including state, regional, and local organizations. The Directive provides some flexibility for smaller municipalities with fewer than 10,000 inhabitants, allowing member states to determine whether these municipalities should be exempted from the requirement.
It is important to note that EU member states can set more stringent requirements than those outlined in the Directive, meaning that the specific implementation rules may vary across different countries.
In Spain, for example, Congress approved the law transposing the Directive (Ley de Protección de Informantes) in February 2023. As a result, all companies with 250 or more employees and public sector entities must implement a whistleblowing channel within 3 months of the entry into force of Law 2/2023. For municipalities with fewer than 10,000 inhabitants and companies with 50 to 249 workers, the deadline is extended until the 1st of December, 2023.
In the European Union, the deadline for the transposition of the Whistleblower Protection Directive into national law was the 17th of December, 2021. However, some countries are still in the implementation process or have recently completed it.
In Spain, the whistleblowing law came into force on the 13th of March, 2023. Organizations have a maximum period of 3 months from the law's entry into force to establish internal systems. This deadline was set following the law's publication in the Official State Gazette on 21st February 2023, which marked the commencement of the 20-day period leading up to its enforcement.
In Germany, the HinSchG was adopted by the Bundesrat and Bundestag in mid-May 2023. It was then signed by the Federal President on the 2nd of June 2023 and entered into force on the 2nd of July 2023.
France initially adopted a whistleblower protection law in 2013, followed by a second law in 2016, known as the "Sapin 2" law, which furthered the protective mechanisms for whistleblowers. In September 2022, France enacted new whistleblower protection legislation to transpose the EU Directive on whistleblowing. This new legislation reforms the existing "Sapin 2" law and goes beyond the minimum standards required by the Directive.
In January 2023, the Netherlands adopted a new whistleblowing law to transpose the Directive. While the EU Commission considered the Netherlands to be among the 9 EU Member States with comprehensive whistleblower protection, some changes were still necessary to comply with the Directive. The existing protection was provided under The House for Whistleblowers Act (Wet Huis voor klokkenluiders), which required amendments to fully align with the Directive and ensure compliance with Dutch law.
In general, whistleblowing reporting channels are designed to address a wide range of misconduct, unethical behavior, and illegal activities, including:
• Financial fraud and violations in financial services;
• Bribery, corruption, and money laundering;
• Employment law violations;
• Public health and safety violations;
• Animal health and welfare violations;
• Product safety and compliance violations;
• Theft or misuse of company assets;
• Data privacy breaches.
The process of setting up a reporting channel may differ depending on the size and industry of the organization. However, it usually comprises the following steps:
• Reporting the concern. Employees or stakeholders can report suspected misconduct, violations, or unethical behavior through accessible, secure reporting channels;
• Assessment and further investigation. Once a report is received, designated personnel or a specialized committee will review and assess the concern to determine its credibility, severity, and the need for further internal or external investigation;
• Providing support. This may include offering support services, such as legal advice, counseling, or other forms of assistance, to help whistleblowers address any concerns or challenges they may face;
• Resolution and remediation. Once the investigation is complete, the committee or designated personnel will review the findings, determine whether the reported concern is substantiated, and decide on the appropriate course of action;
• Feedback and follow-up. Depending on the organization's policy and legal requirements, whistleblowers shall receive updates on the outcome of their report within a set period of time.
While the specifics may vary depending on the jurisdiction, industry, and organization size, the key requirements for an internal whistleblowing channel generally include:
• Confidentiality. The whistleblowing channel should maintain the confidentiality of the whistleblower's identity and any information included in the report unless otherwise required by law.
• Anonymity. Across the EU, providing anonymity is highly recommended, as many member countries have regulations that require it. In Spain, for example, anonymity is a mandatory requirement for internal whistleblowing channels. Employees must be given a choice between submitting their reports anonymously or maintaining confidentiality.
• Accessibility. The internal whistleblowing channel should be easily accessible to all employees and stakeholders, offering multiple reporting methods.
• Procedural clarity. The organization should establish and communicate clear policies and procedures for the whistleblowing process, including guidelines on what can be reported, how to submit a report, and what to expect during the investigation process.
• GDPR compliance and maximum IT security. By adhering to the data protection standards set forth by the GDPR, organizations can safeguard the personal information of whistleblowers and maintain trust in the system. Additionally, implementing IT security measures such as end-to-end encryption helps protect sensitive data from unauthorized access or breaches.
• Flexible, secure case management. This allows organizations to adapt their processes to the unique needs and complexities of each reported concern.
• 24/7 availability and multilingual support. The service should be available around the clock and in various languages, allowing whistleblowers to report their concerns at any time and from any location.
• Reporting and feedback. The service should offer flexibility in setting up reporting pages, sending reminders to follow up, and providing feedback.
• Assess the legal requirements. Ensure that the whistleblowing channel complies with the industry-specific requirements that govern whistleblowing in your jurisdiction. At this stage, it can be worth consulting a legal expert to ensure your company knows all legal requirements for a mandatory reporting channel;
• Develop a policy. Draft a comprehensive whistleblowing policy that outlines the purpose, scope, and procedures of the whistleblowing reporting channel;
• Establish reporting channels. Set up multiple, accessible reporting channels through which employees and stakeholders can submit concerns;
• Train and educate employees. Provide training and educational materials to employees and stakeholders on the whistleblowing channel, the reporting process, and their rights and responsibilities as whistleblowers;
• Investigate and resolve reports. Implement a structured process for receiving, sorting, and investigating reports received through the whistleblowing channel;
• Monitor the process and report the outcomes. Regularly review the effectiveness of the whistleblowing channel and identify areas for improvement. Share the outcomes with relevant stakeholders, including the number of reports received, the types of misconduct identified, and the actions taken.
A well-implemented whistleblowing channel will:
• Foster a culture of integrity. Encouraging employees to report misconduct and unethical behavior reinforces a culture of transparency, integrity, and accountability within the organization.
• Identify and address issues early. A reporting channel can help organizations identify potential problems or risks early and resolve issues before they escalate, preventing potential financial or reputational harm.
• Ensure improved compliance. A whistleblowing channel can help organizations identify gaps in their compliance programs, allowing them to implement corrective measures and improve overall adherence to regulations.
• Protect from legal and reputational damage. By addressing and resolving concerns raised through the reporting channel, organizations can mitigate the risk of legal actions and fines.
The cost of non-compliance can be significant for companies that fail to implement a compliant whistleblowing reporting channel. Key consequences can include high fines and penalties. For example, in Spain, fines for non-compliance range from €1,001 to €1,000,000. Besides fines, non-compliance can also result in reputational damage, legal action and liability, loss of business and partnership opportunities, and reduced employee morale and engagement.