More OECD countries have put in place dedicated whistleblower protection laws in the past five years than in the previous quarter century, according to analysis by the Organization for Economic Cooperation and Development. But what’s a compliance officer to do when whistleblower protection laws in foreign countries directly contradict whistleblower protections in the United States?
“Multinational companies want a single global Code of Conduct,” says Cynthia Jackson, a partner in the compliance group at law firm Baker & McKenzie. “They don’t really want to have to propound different versions for different countries.”
Creating a separate Code of Conduct that incorporates different whistleblower policies for each country might be a bit extreme, but inserting certain language specific to each country may be necessary, depending on the company’s geographic footprint. The compliance officers best positioned to respond promptly and effectively to a whistleblower report are those who are thoroughly familiar with whistleblower protections in each country where the company operates.
At the national level, whistleblower protections come in one of two forms: Either from laws specifically dedicated to whistleblower protections, or (most commonly) from legal provisions that fall under the umbrella of one or more laws—such as employment, anti-corruption, competition, or other laws. According to the OECD, at least 27 out of the current 34 member countries have enacted either a dedicated whistleblower protection law or related legal provisions.
Whistleblower laws, however, don’t always protect both public- and private-sector employees. Nor do they always protect the reporting of all forms of misconduct, including corruption.
Thirteen OECD countries, for example, have passed laws specifically dedicated to whistleblower protections. Of these countries, eight—United Kingdom, New Zealand, Japan, Hungary, Ireland, Israel, Korea, and the Slovak Republic—have a single whistleblower protection law that applies to both public- and private-sector employees. The remaining five—United States, Canada, Australia, Belgium, and Netherlands—provide dedicated public-sector whistleblower protection laws, according to the OECD.
Another 14 OECD countries have varying degrees of whistleblower protection under the umbrella of one or more laws that protect whistleblower reporting or prohibit retaliation. These countries are Austria, Chile, Estonia, France, Germany, Greece, Iceland, Italy, Mexico, Norway, Portugal, Slovenia, Switzerland, and Turkey.
The degree of protection afforded under these provisions, however, tends to be less comprehensive than those within laws specifically dedicated to whistleblower protections, “which often provide more clarity and streamline the processes and mechanisms involved in disclosing a wrongdoing,” the OECD said.
Five OECD countries have no legal provisions that provide public-sector whistleblower protections. These countries are Finland, Poland, Spain, Sweden, and the Czech Republic, according to the OECD.
To further facilitate whistleblowing in the public sector, eight OECD countries have adopted incentive measures for whistleblowers to report wrongdoing. These countries are the United States, Australia, Belgium, Canada, Israel, Japan, Korea, and the Slovak Republic.
What distinguishes the United States, in particular, from most other countries in the world is the extent of legal protections afforded to whistleblowers. “The United States has the best model for robust whistleblowing protections,” says Michael Sheehan, a partner with law firm DLA Piper and global co-chair of its employment group.
Under the Securities and Exchange Commission’s Whistleblower Program, for example, whistleblowers may be eligible for financial rewards not only in situations where they first report misconduct directly to the SEC, but also when they make reports internally, so long as the whistleblower also reports the information to the SEC within 120 days of the internal report, the SEC said on its website.
Below is an excerpt from the Organization for Economic Cooperation and Development's executive summary on effective whistleblower protections.
The decision to disclose wrongdoing is often difficult. Assuring employees that their concerns are being heard and that they are supported in their choice to come forward is paramount to the proper functioning and integrity of an organization, and society, as a whole. There are multiple measures organizations can take to encourage the detection and disclosure of wrongdoing. These measures would contribute to an open organizational culture and help to reinforce trust, working relationships and boost staff morale.
Providing explicit protection through the clear delineation of protection coverage enables those working for an organization, irrespective of their role, to recognize their positioning concerning whistleblower protection. Furthermore, by clearly identifying the subject matter that constitutes a protected disclosure, as well as the relevant reporting channels to pursue, employees will have certainty about the types of disclosures that warrant protection, to whom they should be reported, and in which order. Eliminating the element of uncertainty from this process can result in more people coming forward with the wrongdoing they have detected.
Throughout OECD countries, hotlines and, in some cases, the option to report anonymously, have been provided as a mechanism to encourage individuals to come forward. While measures affording anonymous reporting and incentives are not widely applied by OECD countries, the overarching mechanism that is in place by most whistleblower protection systems is confidentiality. Being certain that the information provided remains confidential, along with one’s identity, is an essential factor in disclosing wrongdoing. Maintaining confidentiality is the first element of a whistleblower protection system; when this fails, reprisals may ensue.
Furthermore, the SEC last year issued new guidance affirming that a person is not required to report misconduct to the SEC to qualify for anti-retaliation protections under the Dodd-Frank Act; misconduct reported to the compliance officer or through similar internal channels also protects the employee.
More progress is needed to protect private-sector whistleblowers, the OECD said. One of the first steps companies can take toward implementing an effective private sector whistleblower protection framework is to establish a reporting mechanism, such as a hotline.
Out of 69 respondents to the 2015 OECD survey on business integrity and corporate governance, 59 said their companies had established such a mechanism for employees to report suspected instances of serious corporate misconduct. Twenty-one percent of respondents, however, said they did not have written anti-retaliation policies in place, whereas another 18 percent did not know if such a policy existed.
Twenty percent of respondents whose companies have a written whistleblower protection policy said that retaliation against disclosures was grounds for discipline, including termination. Others indicated that their corporate Code of Conduct prohibited retaliation against employees who report misconduct.
A non-retaliation policy with no teeth behind it, however, is not enough to foster an open-door policy. “By using open channels of communication and support, employers and managers can give employees the confidence to discuss concerns or alleged wrongdoing and help create a workplace guided by the tenets of integrity,” the OECD said.
At least 16 OECD countries allow anonymous reporting in the public sector, but 11 do not. Countries that do not guarantee anonymity are Belgium, Canada, Chile, Estonia, France, Iceland, Ireland, Israel, Italy, Korea, and Norway.
Only two countries—Spain and Portugal—have laws that expressly forbid the adoption of an anonymous whistleblower hotline. “That’s a hurdle when you’re talking about whistleblowing in the United States,” says Sheehan.
Under Section 301 of the Sarbanes-Oxley Act, audit committees of issuers listed on U.S. exchanges are required to establish procedures, including the confidential, anonymous submission by employees of concerns regarding questionable accounting or auditing matters. Such a requirement, however, directly contradicts certain foreign laws.
In France, for example, you have to get your whistleblower procedures and hotlines approved through the French Data Protection Authority. Germany has similar requirements in place.
Although countries like France and Germany may allow anonymity, they often highly discourage it. “I don’t see France and Germany coming around any time soon in embracing the upside of anonymous complaints,” says Sheehan.
In countries that discourage—or altogether prohibit—anonymous whistleblowing, multinational companies need to tailor their whistleblower programs in such a way that encourages employees to identify themselves. Jackson suggests including language in your whistleblower policy that states, for example, “‘Reports will be treated in a confidential manner to the maximum extent possible,’ and that ‘We encourage you to identify yourself, as it allows the investigation to be more thorough. If you’re not comfortable identifying yourself, then you may report anonymously.’”
Including such language in your whistleblower policy will satisfy countries like France and Germany, because you’re effectively encouraging self-identification over anonymity, Jackson adds. For whistleblower policies pertaining to Spain and Portugal, simply leave that last sentence out and, instead, consider including a footnote that states, “Anonymity is not permitted in Spain and Portugal,” she says.
“That way, you’re writing a single global code of reporting policies that allows the most robust reporting possible while recognizing local data privacy and employment rules,” says Jackson.
“Every country around the world encourages employees to report internally to their supervisor and local management,” Jackson adds. Some types of reports such as anti-corruption, antitrust, internal accounting controls, and more recently discrimination, harassment, and significant workplace safety and environmental issues can also be reported directly to legal, compliance, the audit chair or other alternative channels, provided the company is data privacy compliant. “Where alternative channels are permitted, it is important to keep that door open,” she says.
Internal reports of misconduct, provided they are reported in good faith, are “one of the most important compliance tools a company has,” says Jackson. Anything and everything you can do to encourage internal reporting is better than being alerted to a problem by a government prosecutor. By then, you’re too late.