Here in Luxembourg, the transposition of EU Directive 2019/1937 on the protection of persons who report breaches of Union law (whistleblowers) is still in progress. EU member states have until 17 December 2021 to implement this directive into their national legislation.
Until today, Luxembourg law has provided limited protection to whistleblowers (unless they are CSSF-regulated entities). At EU level, whistleblowers have had to rely on the European Court of Human Rights (ECHR) for legal protection. On 11 May, the ECHR ruled that a €1,000 fine against LuxLeaks whistleblower Raphaël Halet didn’t violate his freedom of expression. This recent decision shows that, even if the penalty was low, protection is far from being absolute at EU level.
Still, the Directive makes it clear that member states will have to expand whistleblower protection. While Luxembourg companies could consider waiting for the final text, they should aim to be ready by the end of the year. Whistleblower retaliation is perceived by the public as unfair, and reputation damage can be serious if cases go public. What’s more, studies show that the number of employees who would consider using a whistleblowing hotline increases significantly when a clear non-retaliation policy is implemented and duly communicated.
According to the Association of Certified Fraud Examiners (ACFE), 43% of fraud within organizations is detected through tips. So yes, whistleblowing is effective, but companies are always looking to avoid two things:
- Good faith whistleblowers who don’t speak up because they think the cost of whistleblowing is too high. Indeed, some examples show that, on some occasions, speaking up can unfortunately get people into serious trouble.
- Malicious whistleblowers who report fake tips
Striking the right balance between whistleblower protection and sanctions against malicious tips is therefore crucial. The Directive calls for penalties against persons who knowingly disclose false information to deter malicious reporting. The whistleblowing policy should state very clearly that sanctions will apply against fake reporting.
The dark side of whistleblowing
I remember a case a few years ago (at an oil and gas company) where an employee was accused of hosting child pornography on his professional laptop. The whistleblower went to a junior internal auditor to report this. The junior auditor escalated the issue to the head of Internal Audit, who decided to conduct an internal investigation. The young auditor, however, shocked by what he had heard, thought that the internal investigation was not moving fast enough and decided to go public by calling local newspapers. The outcome? Well, after an internal investigation and forensic technology analysis, it turned out the allegations were false and that the internal auditor had been manipulated by an employee of the company to defame another colleague.
The whistleblower was dismissed and faced criminal prosecution. The accused employee, however, could have seen his life ruined if the newspapers had not been cautious and had decided to reveal his name and pursue the story.
Whistleblower protection is essential, but experienced forensic professionals know that some dark personalities use this channel for their own interest or to defame someone. Fortunately, cases like this are rare and most tips turn out to be true (and some to be taken more seriously than others). And these are the whistleblowers who need to be protected.
It’s worth noting that protection applies only to reports of wrongdoing related to EU law – e.g. tax fraud, money laundering or public procurement offences. The EU is encouraging national legislators to extend this to cover wrongdoing related to national laws.
Ultimately, private and public organizations will not implement two different processes, meaning that the content of the Directive will automatically apply to all reports.
Key points in the directive
- Clear definition of a whistleblower. First, it describes who a whistleblower can be, and states that not only employees should be able to file reports. The whistleblowing hotline should be open to third parties such as suppliers, contractors and subcontractors. This comes with its fair share of difficulties in terms of confidentiality, data protection and assessment of seriousness of allegations. Private and public companies will have to communicate to their third parties about the whistleblowing hotline and how to use it. For internal communication, all employees should have access to the information. For companies with operations overseas, it is better to communicate in the local language. For external communication, the information can be included in contracts or terms of business, for example.
- Confidentiality must be ensured both during and after the internal assessment of the report. Confidentiality means that the identity of both the whistleblower and any third party mentioned must be protected. Access to the information must be limited to authorized and relevant people, whether internal or external if the hotline is outsourced to a third party. With such sensitive data, GDPR should also be taken into account.
- Any report must be acknowledged within seven days of receipt and feedback on potential action to be taken must be given within three months following the seven-day deadline. These deadlines might seem reasonable, but they are in fact tight. Giving feedback on all reports is essential for the credibility of the process and for employee trust. As we’ve seen, without feedback, some employees might get frustrated and decide to go public. Moreover, the directive states that going public when no feedback is given is acceptable. These deadlines imply that enough resources should be allocated to comply with the Directive. It also means that each report should be monitored closely. For bigger companies, a case management tool is highly recommended.
- Avoiding retaliation. Once there are reasonable grounds for the allegations, the company must ensure that there will be no retaliation against the whistleblower.
Let’s take a closer look at retaliation:
- Internal or external retaliation. Internal retaliation can be avoided with appropriate procedures and controls, but avoiding external retaliation can be much more difficult. Something worth noting is the presumption of the retaliatory nature of acts detrimental to a whistleblower. In case of actions perceived to be negative by the whistleblower, the employer would have to demonstrate that the actions were justified and unrelated to the reported breaches.
- What is retaliation?
  - Suspension, lay-off, dismissal or equivalent measures
  - Demotion or withholding promotion
  - Transfer of duties, change of location of work, reduction in wages
  - Withholding of training
  - Coercion, intimidation and harassment
- The extension of protection to facilitators, colleagues and relatives of the whistleblower, or companies owned by them, or companies they are working for. As for protection from external retaliation, the company may have difficulty ensuring such extended protection.
Time to act
The 2020 KPMG Whistleblowing Survey, involving private and public companies in Belgium, France, the Netherlands and other EU countries, shows that while 76% of the companies surveyed implemented some kind of reporting line, only 22% would actually be compliant with the Directive. The deadline is approaching and there is no doubt that Luxembourg authorities will issue a text in the next few months.
The transposition of the Directive is at the crossroads of many laws: labor, business, competition, criminal, etc. Even if the transposition into Luxembourg law takes time, private companies and public organizations should use this time to prepare themselves and strengthen their whistleblowing policy. At this stage, we do not know what penalties Luxembourg organizations will face in the event of non-compliance. But whistleblower protection is a serious matter as it presents a major challenge and is under scrutiny from both regulators and the public.
Are you on track to meet the deadline? More questions about the whistleblower protection directive? KPMG Luxembourg can help. Get in touch with Cyril Magnien and our Forensic & AML team.