Handling whistleblowing disclosures: the challenges for FCA regulated organisations

Handling disclosures raised by whistleblowers can be a daunting process for all organisations. However, the position is particularly complex for organisations regulated by the Financial Conduct Authority (FCA). These regulated organisations not only face the usual investigation and disciplinary processes and statutory protections for whistleblowers, but also the FCA rules. This article considers the additional challenges that this presents.

Who is a whistleblower?

It's first worth noting that the FCA handbook has a wider definition of "whistleblowing" than other statutory protections in place for whistleblowers. The FCA handbook defines whistleblowing to include not only the definition of "protected disclosure" under the Employment Rights Act 1996 (ERA), but also disclosures of "reportable concerns" to the organisation concerned, the FCA or the Prudential Regulation Authority (PRA).

This captures additional disclosures such as breaches of the FCA or PRA rules, breaches of the organisation's policies and procedures, and behaviour that harms, or is likely to harm, the reputation or financial wellbeing of the organisation.

This means that for regulated organisations, a broader range of disclosures will qualify the person making the disclosure as a "whistleblower" for FCA purposes. That said, whether such disclosures fall within the scope of ERA will still need to be carefully considered. To ensure that regulated firms are dealing with whistleblowing effectively, they should aim to have one consistent policy which captures disclosures falling within both the FCA and ERA definitions, with a view to preserving anonymity and safeguarding against whistleblower detriment.

Whistleblowers who request anonymity

For non-regulated organisations, whistleblowers do not have an absolute right to anonymity. Under employment law, when a whistleblower requests anonymity, an employer should explore the reason for the request and consider the perceived need for anonymity against the need of the employee being investigated to know details of the case against them.

In contrast, under the FCA rules, regulated organisations are required to have measures in place to protect the identity of a whistleblower where requested, but also to be able to effectively handle the disclosure made. An extreme example of how this can go wrong was seen in the Jes Staley case.

In many cases the obligation to preserve anonymity presents a practical difficulty, as effectively investigating the disclosure in a manner which is considered "fair" from an employment perspective can be challenging when the whistleblower requests to remain anonymous (for example, where the nature of the disclosure would inadvertently identify the whistleblower).

However, every effort should be made to preserve anonymity, including withholding the gender of a whistleblower where this might reveal their identity in the context of other facts disclosed. Further, if, following an investigation, it's considered there's a disciplinary case for an employee to answer, the employer is expected to provide the employee with sufficient information about the alleged misconduct to enable them to meaningfully respond to the allegations and challenge the evidence against them.

This, again, presents a practical difficulty which can be hard to navigate, so it's important to carefully consider whether limited information can be disclosed and to have a paper trail documenting the rationale for disclosing any such information. If in doubt, legal advice should be sought.

Fitness and propriety, regulatory references and notifications to the regulator

Regulated organisations are under an obligation to carry out "fitness and propriety" assessments on employees in roles carrying out "regulated activities". Fitness and propriety assessments also entail regulatory references, which are the employment references that pass between and within regulated firms when an individual moves role.

FCA rules require certain information to be included on a regulatory reference, such as whether the firm has concluded an individual was in breach of any of the conduct rules and/or was not fit and proper to perform a senior manager or certified function role.

However, this should not include information that has not been properly verified, which isn't always a straightforward assessment, particularly where Question G in a regulatory reference requires disclosure of any other information that the firm giving the reference reasonably considers to be relevant to their assessment of whether the individual is fit and proper.

For significant breaches of a conduct rule, the notification must be made as soon as the organisation becomes aware of a breach or has information which "reasonably suggests" that a breach has taken place. Where a firm has information which may reasonably lead to the dismissal, suspension or resignation of a senior manager, it must also notify the FCA as soon as reasonably practicable, which may be earlier than when other notification obligations are triggered and before an investigation has concluded. In reality, the point at which this notification threshold is reached is not always clear cut.

Where an allegation has been raised by a whistleblower who requests to remain anonymous, and an employer is then presented with the practical difficulties of conducting a fair investigation and disciplinary process, the question arises as to whether the allegation should be considered as having an impact on the employee's fitness and propriety, whether it should be included on their regulatory reference and when a notification should be raised to the regulator.

Where the investigation into the allegation has been hindered by a whistleblower's request for anonymity, the risk is that the implicated employee could face serious career consequences because of an unfair process and a potentially unfounded allegation. In this situation, the organisation could ultimately be faced with an employment tribunal claim with potential career-long loss in cases of discrimination and/or where the employee is protected by the whistleblowing protection in ERA. However, failure to comply with the FCA rules may lead to enforcement action or other intervention.

Is there an answer?

When handling any whistleblowing disclosure in a regulated business, HR and compliance teams will need to align policies and processes, and to collaborate to make sure any complaint is dealt with properly for both employment and regulatory purposes. This is particularly important in circumstances where the whistleblower requests to remain anonymous and investigations need to be handled sensitively to protect their identity. Careful consideration should also be given as to when to notify the regulator from an early stage.

In situations where investigating an allegation would inadvertently identify the whistleblower, the answer is not straightforward. The implicated employee's exit under a settlement agreement may provide a solution to some of the difficulties, provided any settlement takes into account the FCA's requirements, but this raises a further question as to at what stage this should take place.

A firm will need to balance its duty to the employee and the potential risk of costly litigation with its duty to the new employer and the FCA, and may consider that it should continue to investigate to properly verify the information in any regulatory reference which would be relevant to its assessment of an employee's fitness and propriety.

The implicated employee is likely to want to negotiate the terms of any reference in settlement negotiations; however, the organisation will need to tread carefully given its regulatory reference obligations.

Handling whistleblowing disclosures is ultimately complex and sensitive.