As compliance professionals, management, and the board of directors in financial services prepare for the final quarter of a challenging year, a last-minute legislative item to plan for now is the EU bloweWhistler Directive (the Directive) which must be transposed into Luxembourg law by 17 December 2021. Legal entities in the private sector with between 50 and 249 workers can benefit from an extension until 17 December 2023 to put in place internal reporting channels. The new legislation will apply broadly across all sectors and will increase the protections for whistleblowers interacting with banks, asset managers, insurers, professionals of the financial sector (PFS), and fintechs, among others. For more information on the Directive, see our detailed assessment: here. All financial sector entities are already subject to mandatory regulation on whistleblowing which is found in the Luxembourg criminal law, AML laws and regulations, as well as sector-specific regulations such as CSSF Circular 12/552, as amended.
However, there is a need between now and December to:
- understand the requirements under the Directive and Luxembourg’s implementing legislation;
- conduct a gap analysis against existing policies and procedures;
- upgrade and approve existing procedures at board level; and
- implement any technical changes to existing whistleblower arrangements.
Technical changes may include the implementation of new reporting software, the designation of different individuals responsible for handling reports, and deciding how confidentiality and anonymous reports are handled. Luxembourg has not yet published implementing legislation while most other EU countries have. Given the different impacts firms will need to consider, this does not leave much time for implementation ahead of the deadline. Financial sector participants will therefore need to monitor this particular legislative initiative closely over the next few months and have their policies and procedures reviewed to effectively respond to the deadline. Observers are keen to understand how the Luxembourg implementing legislation will calculate employee numbers for internal reporting channels, given the high number of Luxembourg entities which are part of larger European groups.
Beyond regulatory compliance: communicating to employees and stakeholders
In addition to the short timeframe to comply with the new legislation, firms should also consider how that timing will impact employee communication plans and broader stakeholder communication. Most organisations are likely to prefer that whistleblowing reports are dealt with internally, thus avoiding the potential reputational damage which can occur when whistleblowers access external reporting channels. Complying with a legislative deadline will be the focus for most firms in December. It is equally important that firms take the time to ensure the revised policies are rolled out to staff effectively, ensuring clear understanding of the available options and how they work. This is critical as it is also expected that the availability of whistleblowing mechanisms will become more prominent as the Directive is implemented, increasing accessibility, both inside and outside of the firm. Developing a strong internal culture will improve the effectiveness of internal mechanisms and ultimately reduce risk.