Ready for the whistleblowers?

Reporting system mandatory by the end of 2021

At the end of this year, Belgium must transpose the European directive on whistleblowers into national law. The directive regulates how companies and public authorities can report violations of certain EU regulations and how they can protect the reporter or whistleblower. The related reporting system must meet specific conditions and takes a considerable amount of time to set up.

Jean-François Bernard, Partner BDO Forensic & Litigation Support

On 23 October 2019, the European Parliament approved European Directive 2019-1937 on the protection of whistleblowers. Belgium must transpose the directive into national law by 17 December 2021. From then on, the new law will apply to all legal entities of the government, or organisations under the supervision of the government, and to all private companies with 250 or more employees. Companies with 50 to 249 employees are granted a 2-year postponement.

What does the directive require?

The organisations (companies or public authorities) involved must set up a reporting system. In concrete terms, this means they must establish specific internal communication channels and procedures for reporting infringements and for ensuring that the reports are handled anonymously and correctly.

In addition, the Directive stipulates that the competent authority (i.e. the Belgian State) must also set up an external reporting channel. The whistleblower can call on the external channel in the absence of an internal procedure. However, this means that the organisation no longer has control over crucial information that is shared.

Your reporting system sends out a clear message that illegal or unethical behaviour is not tolerated.

The whistleblower who makes the fraud public – for example, by going to the press – is not protected, unless he or she previously reported the fraud via an internal channel, or via the reporting channel of the competent authority, but was not adequately heard within the set period of 3 months.

Finally, the directive imposes the following obligations:

  • The identity of the whistleblower must be protected.

  • The whistleblower must receive proof of receipt of his/her report within 7 working daysor he or she must be informed of the action to be taken regarding the report within a maximum period of 3 months.

Anyone who does not comply with the obligations can be sanctioned. Europe leaves how that happens up to the Member States. Belgium had not yet communicated on this matter when this article was published.

What is a whistleblower?

A whistleblower is a person who, in a professional context, has information about misconduct or fraud and wishes to report this in the interest of the company and the general public in order to prevent further damage to the business. The protection of whistleblowers is currently fragmented. Only 10 EU countries have a comprehensive law on the protection of whistleblowers; Belgium does not (yet). At the EU level, only a very limited number of sectors (mainly in the field of financial services) have legislation with whistleblowing measures in place.

What can you report?

The directive focuses on infringements of EU regulations. Examples include the rules on money laundering, public procurement, environmental protection, public health, consumers or privacy. However, many companies extend the scope of application and include reports of fraud or unethical behaviour in their internal regulations.

Our survey (2019) on fraud in companies shows that 21% of the companies surveyed were victims of fraud over the past 5 years, with an average loss of about 200,000 EUR. When asked how the fraud was discovered, the majority of the respondents revealed that it was as a result of a declaration or report.

By introducing a code of conduct and a hotline, managers send out a clear message that illegal or unethical behaviour is not tolerated. At the same time, they protect themselves, and they try to limit financial losses in the event of fraud.

Which reporting channels?

The reporting channels can take different forms – ranging from an internal employee or service that receives the reports verbally or in writing, to more sophisticated forms, such as a hotline, voicemail service or online platform. In any event, the channels must guarantee the confidentiality of the reporter’s identity and that of each third party mentioned, and only authorised persons may have access to the reports.

“Rolling out a compliant reporting system often takes months.”

The disadvantage of appointing a person or internal service is that complete anonymity of the whistleblower is impossible. As a result, it is more difficult to disclose the content of the report, and access to the information must be closely monitored. Thanks to the more sophisticated channels, the whistleblower can communicate anonymously. He/She is allocated a case number and password when submitting the initial report, which allows him/her to log in anonymously to the external platform to monitor the handling of the report.

The directive stipulates that the organisation can alert its employees when a report is submitted. However, you can also inform other stakeholders as well (customers, suppliers, shareholders, etc.).

Should you manage a reporting system internally or outsource it?

You can roll out and manage the reporting system yourself or outsource it to an external provider. Outsourcing has various advantages:

  • You are provided with a tool that ensures reports are followed up correctly and within the imposed deadlines and that the confidentiality of the reported information is respected.

  • An external provider also offers a better guarantee of anonymity, and cases are handled by neutral professionals.

  • Outsourcing is often more cost-effective. After all, you do not have to train someone to be the reporting point and provide him/her with the necessary time to handle the report. Moreover, in the case of illness or absence of that reporting point, you must also provide a trained back-up. And what do you do if the person serving as the reporting point is also involved in the reported case? All these concerns are addressed by the external provider.

  • An external provider can process a report in multiple languages, which is more difficult if an internal employee serves as the reporting point.

  • Finally, the content of the report related to the persons involved (including the whistleblower) must be stored in compliance with GDPR rules. That, too, is specialist work.

BDO’s compliant reporting system

The specialists of our Forensics & Litigation Services have developed a compliant reporting system, which includes the following features:

  • The introduction of one or more communication channels in the language or languages used in the company (online platform, telephone line, etc.);

  • A standard policy for reports, to be adapted to the organisation’s requirements regarding the information to be reported, contact person, etc.;
  • Management of reports in all common company languages, thanks to our worldwide ‘Whistleblowing group’;
  • If you wish, a presentation of the system to staff, the works council, or a trade union delegation.

Our solution is based on the ‘You pay for what you use’ principle. In other words, if a company or organisation opts for the BDO reporting system, it only pays for the services provided.