Compliance & Investigations
Attempts to uncover the identity of a whistleblower may lead to a fine as well as enhanced monitoring and scrutiny
The British Financial Conduct Authority (“FCA”) and Prudential Regulation Authority (“PRA”) recently fined the Chief Executive Officer of Barclays Group GBP 642,430 (approx. EUR 732,000). The reason for this was the CEO’s attempts to identify a whistleblower. In the opinion of the financial regulators, the CEO had breached the standard of care required and an investigation against him was therefore launched. As a consequence of the incident, Barclays is now subject to special monitoring and scrutiny by the British financial regulators and must report annually to them about its internal whistleblower systems and controls. This is the first time that the British financial regulators have taken such measures against a regulated company in connection with whistleblowing.
In June 2016, Barclays received an anonymous letter from a whistleblower. The letter contained information and allegations concerning, among other things, the recruitment by Barclays’ CEO of an employee and former colleague at JP Morgan Chase & Co. Because of “irregularities” at his last job at JP Morgan Chase & Co, this colleague was supposedly not a suitable candidate for the position of senior executive.
The CEO then tried repeatedly to uncover the identity of the whistleblower, also with the help of the bank's internal security unit.
Reaction of the financial regulators
According to the British financial regulators, the CEO had a conflict of interest. They argued that, because of this conflict of interest, he should have maintained an appropriate distance from the internal investigation and in particular should not have attempted to identify the whistleblower. Instead, he should have obtained explicit confirmation of the permissibility of his behaviour from those with responsibility for whistleblowing at Barclays. The CEO had not done this.
Based on the investigation, the regulators concluded that his behaviour represented a serious misjudgement, and that given the crucial role of the CEO, the standard of due skill, care and diligence was more demanding than for other employees.
They found that the CEO had breached this standard of care in a way that risked undermining confidence in Barclays’ whistleblowing procedures. According to the regulators, whistleblowers play a vital role in exposing poor practice and misconduct in the financial services sector. Protection for them is an essential part of keeping the financial system safe and sound, and it is therefore critical for individuals to be able to speak up anonymously and without fear of retaliation if they want to raise concerns.
While the CEO ultimately made no personal gain through his conduct, the FCA and the PRA considered a fine of 10% of his annual income (!) to be appropriate. They therefore set the total fine at GBP 917,800. Given that the CEO had reached agreement with the regulators at an early stage in the process and was prepared to settle, the fine was reduced by 30%, in the end totalling GBP 642,430.
The regulators decided that he could continue to serve as CEO of Barclays. This is due in particular to the fact that the whistleblower was not a Barclays employee. A breach of the much stricter regulations regarding internal whistleblowing would have had even more far-reaching legal consequences for the CEO.
Given what had happened, however, the British financial regulators felt it was justified to make Barclays subject to enhanced monitoring and scrutiny in terms of how it handles whistleblowing cases. From now on, Barclays must report to the FCA and PRA annually on its internal whistleblower systems and controls, with a special focus on cases involving allegations made against Senior Managers at Barclays or in which Barclays has considered identifying a whistleblower. In addition, the Barclays Senior Managers responsible for the whistleblowing systems and controls (so-called Whistleblower’s Champions) are obliged to attest personally to the soundness of these systems and controls on an annual basis.
This is the first time that the financial regulators have taken these kinds of measures against a regulated company in relation to whistleblowing.
And there are still further legal consequences of the CEO’s actions to come. Although the British regulators have already imposed their penalties, the US authorities are still investigating the matter and have not yet issued a response.
Impact on German companies
The decision of the British financial regulators defines the scope of the independence and anonymity of internal whistleblower systems. Nevertheless, its impact on German companies is limited. This is primarily because the protection afforded to whistleblowers in England is greater than in Germany. The UK Bribery Act, for example, requires an effective “compliance defence”, for which channels must also be created that allow the submission of confidential and unconstrained information that can lead to the early discovery of irregularities.
The Act applies not only to companies with registered office in the United Kingdom, as well as their subsidiaries and sub-subsidiaries, but also to all natural and legal persons associated with the company concerned. According to the Explanatory Notes to the UK Bribery Act, the term “associated person” is to be interpreted broadly, which is why mere entrepreneurial activity in the United Kingdom, for example as an agent, with or without the authority to represent the company concerned, is sufficient. This means that pure export business could also fall under this.
In Germany, a similar provision can be found in the form of a recommendation in section 4.1.3 of the German Corporate Governance Code. Under German law, companies that do not have a relevant link to the United Kingdom do not currently run any risk of incurring such a fine. In addition, section 6(5) German Money Laundering Act and section 25a(1), no. 3 German Banking Act are geared towards the introduction of a process “that makes it possible for employees to report violations while keeping their identity confidential”, which at least implies the introduction of an (anonymous) whistleblower system.
Nevertheless, restraint should be exercised when it comes to applying “detective” methods, as this may not only lead to negative reports in the press, but also have an adverse impact on the effectiveness of the compliance programme.
Increase in whistleblower protection at European level
Because of the different statutory requirements that whistleblower systems have to meet in the respective EU Member States, the European Union issued a proposal on 23 April 2018 to give whistleblowers better protection EU-wide by means of a directive. In this way, whistleblowers who report violations against EU law will be guaranteed a high level of protection based on minimum standards applicable across the EU. These minimum standards are to include so-called “secure channels” for reporting irregularities, both within an organisation and to the authorities. Provision is made in this regard for EU-wide protection when reporting violations of EU law to be explicitly guaranteed in the financial services sector as well. All companies with more than 50 employees or annual turnover in excess of EUR 10 million are to be obliged to introduce an internal procedure for dealing with information from whistleblowers. The protective mechanisms required include clear reporting channels inside and outside the organisation in order to ensure confidentiality.
As a necessary consequence of the strict confidentiality of the identity of the reporting person and the content of his information, any form of retaliation is to be prohibited and sanctioned