In December 2019, the European Union’s Whistleblower Protection Directive came into force – guaranteeing protection against retaliation for whistleblowers. The idea behind the directive was for organizations to finally have a single, unified standard to meet. And to better protect employees who report potential misconduct in the workplace.

The goals of the directive were threefold:

• Prevent breaches of laws and regulations
• Establish effective, confidential, and secure reporting channels to protect whistleblowers from fear of retaliation
• Enable whistleblowers to raise concerns anonymously

To comply with the directive, organizations with more than 50 employees, public sector institutions, and municipalities with 10,000 or more inhabitants must set up internal reporting channels – enabling whistleblowers to submit reports in writing or by telephone.

Countries in the EU had until December 2021 to enforce the directive. Yet today, six months later, most member states have yet to pass local legislation detailing their plans to comply. In fact, only Denmark, Sweden, Slovakia, and Portugal have developed comprehensive plans to do so.

I recently had the opportunity to chat with friend and compliance expert, Tom Fox. Fox is a lawyer, author, speaker, and founder of The Compliance Podcast Network. Known as the Voice of Compliance, Fox had some valuable insight to share on why it has been so challenging for the EU to implement the directive.

He said, “Each country in EU is supposed to enact its own whistleblower regulations in accordance with the larger EU Whistleblower Protection Directive. However, there has been some confusion in some countries about what their specific obligations are. The ambiguity makes it difficult to comply.”

Here are just a few of the implementation questions that have been raised.

How can countries treat reports that are not included under the directive?

GDPR and other regulations require that global organizations that do business in some countries must keep any proprietary data they receive within that country. That means they cannot share data with the U.S., for example, unless they are a U.S. company.

So, the question then becomes, can a U.S. company investigate a whistleblower report that stems from another country without breaking relevant data privacy laws?

Should countries process anonymous reports?

“If someone makes a report,” Fox told me, “you might have to get their permission to use that information for a whistleblower investigation.” In the EU, countries expect written consent from whistleblowers to ensure that they understand what will happen next with the data they provide. Implied consent is simply not the same.

Fox pointed to an example from 2018 where the CEO from Barclays was fined $1.5 million for trying to unmask a whistleblower. He was widely criticized for setting the wrong tone from the top.

He said, “In many EU countries, making an anonymous report is not yet accepted. It is a cultural limitation brought about by a storied political history. In the U.S., we tend to feel that anonymous reporting is a given right – and for better or worse, this is causing some pause in reporting.”

How many channels, specifically, does each country need to provide for whistleblower reporting?

“Where the directive gets really tricky is in global organizations,” explained Fox. “Should companies create a global whistleblower program for all employees to report information into one channel, or should they create a reporting infrastructure for each of their business units across the globe?”

Because there are different regulations by each country, this is so far an unregulated decision.

We know that a thoughtfully constructed workplace compliance program includes seven elements:

• Policies and Procedures: Employees must understand what is expected of them, and why, and they must be able to easily reference this information if they have questions or concerns.
• Designating a Compliance Officer: Putting a specific person in charge of compliance ensures that your organization has sufficient resources to promote and enforce specific standards of conduct.
• Training and Education: Providing your team with access to the information they need about workplace safety and legal/ethics compliance when they need it is key to establishing a culture of compliance within your organization.
• Effective Communication: Every organization needs to determine the safest, most transparent way for employees to report suspected non-compliance – this could include the creation of an anonymous hotline, surveys, confidential meetings, and more.
• Monitoring and Auditing: Use data and information to continually monitor and improve your corporate compliance program.
• Discipline! Publish your organization’s compliance standards and include detailed disciplinary guidelines to ensure these standards are followed continuously and consistently by all employees.
• Detection of Offenses: Track and respond to compliance issues and act immediately when someone from the organization acts outside of your organization’s specific objectives.

Workplaces across the globe have different reporting policies and procedures and, the European Union’s Whistleblower Protection Directive aside, there are not many safeguards in place to ensure that employees will be protected from retaliation if they decide to speak up about misconduct at work.

Kenneth Polite, Jr., assistant attorney general for the criminal division at the U.S. Department of Justice, recently gave a keynote at Compliance Week 2022. He talked about whistleblowing as a key indicator of a positive corporate culture. Beyond the initial step of reporting misconduct, Polite said that doing the right thing is all about what happens next.

What does your organization do with the information you receive from a whistleblower? How do you treat the employees who shared the data with you?

Fox is confident that organizations will be incentivized to do the right thing because of the feedback they are getting from current world events.

“We are on the cusp of a whistleblower explosion,” Fox told me. He laid out three trends that are finally coming together to give whistleblowing its time in the spotlight.

1. The Dodd-Frank Wall Street Reform and Consumer Protection Act was passed to improve accountability and transparency in the financial system.
   
   Enacted in July 2010, this law expanded protections for whistleblowers and broadened the prohibitions against retaliation. Following the passage of Dodd-Frank, the Securities and Exchange Commission (SEC) implemented rules that enabled it to take legal action against employers who have retaliated against whistleblowers.
   
   Fox explained, “Dodd-Frank essentially established a bounty program for whistleblowers – if you bring a claim against an organization, the SEC files enforcement action and fines the organization, you are eligible for up to 30% of the monetary award. Over a billion dollars has been paid out by SEC because of this initiative.”
2. The Senate voted to override the National Defense Act of 2020, incentivizing reporting violations.
   
   After the Senate voted to override the National Defense Act of 2020, which included the Anti-Money Laundering (AML) Law of 2021. This was the first update of AML laws since the passage of the Patriot Act in the wake of 9/11. It included protections for and bounty payments to whistleblowers who report AML violations.
   
   “This made it clear that whistleblower protections apply to contractors and subcontractors whether or not they have signed a nondisclosure agreement,” explained Fox. “It expanded protections for a class of workers that had not previously been protected – emphasizing the importance of the role of whistleblowers.”
3. Russia invaded Ukraine and whistleblowers became a force for good.
   
   One of the most ubiquitous images of the Ukraine War were the superyachts belonging to Russian oligarchs fleeing to avoid impoundment by the US. The United States went so far as to launch a task force called “KleptoCapture” to further this effort. The term, KleptoCapture, is derived from the word “kleptocracy,” which describes corrupt individuals who misuse their powers to accumulate wealth at others’ expense.
   
   The U.S. Treasury Department then announced a new tool for the recovery of stolen assets. It agreed to pay whistleblowers up to $5 million for information leading to the restraining, seizure, forfeiture, or repatriation of stolen funds that are linked to kleptocracy and held at a financial institution in the United States.

Said Fox: “With this announcement, the U.S. government has established a program that proactively engages whistleblowers to help it reach its goals. This has caused an explosion of publicity; it sends a powerful message. Moreover, it made whistleblowing both sexy and a part of the fight for democracy”

Together, these trends will help normalize the idea of whistleblowing by:

• Improving organizations’ accountability and transparency with respect to whistleblowing
• Incentivizing employees and contractors to report potential violations more widely
• Casting whistleblowers as a force for good

It might seem that there are more questions than answers around effective whistleblowing practices. But what we do know is that whistleblowers have a clear place in any effective compliance program – we simply have to make room for them.