DFSA publishes its Whistleblowing Thematic Review

How is Protection and Confidentiality to be applied?

Firms are required to have in place reasonable measures to protect a whistleblower’s confidentiality, and to protect the person from suffering any detriment as a result of submitting a whistleblowing report. The Review highlighted the lack of measures in policies and procedures setting out how a Firm will offer the requisite protection in practice. This apparent gap between reference to a protection and the absence of clear steps on how the Firm will implement it was a common theme in the Review.

Examples of good practice for protecting confidentiality included adopting a “need to know” approach to the internal disclosure of the whistleblowing report and/or the identity of the whistleblower. In terms of detriment, the DFSA highlighted the benefit of monitoring the treatment of whistleblowers following a report, particularly with respect to their performance, promotion and compensation.

What misconduct should be reported?

The type of misconduct that should fall within a whistleblowing regime can be a difficult area to navigate, as firms seek to balance encouraging a Speak Up culture whilst not overloading its whistleblowing platform with complaints perhaps more appropriately dealt with elsewhere within the business.  In this regard, the DFSA identified the need for policies and procedures to make clear to employees the “regulatory concerns” that should be reported under the whistleblowing regime, and the practical steps for doing so. Under the DFSA Rules, “regulatory concerns” include contraventions of DFSA Rules and Law, and instances of money laundering, fraud or other financial crime.

However, despite the definition in its Rules, the DFSA noted as good practice an example of firms broadening the scope of reportable misconduct to include the reporting of HR issues, employment disputes and violations of internal policies. Whilst it is vital that employees have internal mechanisms for reporting complaints such as these, it will not always be appropriate or feasible for such reports to fall under a Firm’s whistleblowing mandate (as opposed to, for example, a separate internal complaint process coordinated by HR). From a regulatory perspective, Firms should ensure that their whistleblowing regime clearly covers as a minimum the issues identified as “regulatory concerns” under the DFSA Rules.

Reliance on Group Policies

It is not uncommon for Firms that are subsidiaries or branches of a financial group to seek to rely on group whistleblowing polices. In this regard, the DFSA flagged the importance of ensuring that the Firms’ whistleblowing policies expressly align with the standard set under the DFSA regime, or where they do not, make clear that the rules and obligations in the DIFC would prevail.

External / Anonymous Reporting

Protection for whistleblowers under the Regulatory Law applies to any person who makes a relevant disclosure. Despite this, the Review found that only 39% of Firms surveyed made whistleblowing reporting available to third parties (e.g. persons other than the Firm’s employees). This is an important gap for Firms to fill as whistleblowing complaints are commonly made by third parties such as ex-employees, agents and contractors.

Conclusion

Whilst action points remain, overall the Review highlighted the strong adoption of the DFSA whistleblowing regime by Firms in the DIFC. The key for Firms moving forward will be to ensure that implementation of the regime is effective, which can measured both in terms of the ability of a person to make a whistleblowing complaint, and by monitoring the impact of a whistleblowing complaint both on the whistleblower and the Firm itself.

This article has been written by Middle East Partner and Head of Financial Services Regulatory Matthew Shanahan, Counsel Karl Masi, and International Trainee Matthew Leech.

Should you have any queries or questions, please get in touch one of with the key contacts listed below.