EU’s Whistleblower Protection Directive explained - Forvis Mazars

The best deterrent to white-collar crime is the fear of being caught. Whether it’s fraud, bribery, money laundering or tax evasion, the mere thought of detection can give a perpetrator pause for thought. Yet countries have been slow to sign up to the law. Some member states have delayed enacting national legislation for years: Germany, for example, only complied in July 2023. Such delays undermine the legislation’s credibility and send a dangerous message that compliance is optional.

Even where national laws exist, enforcement varies dramatically. Spain imposes fines of up to €1mn for breaches, while Germany’s penalties max out at a mere €50,000. This is the equivalent of a security guard turning a blind eye to shoplifting. Such small fines clearly do little to encourage firms to do the right thing.

“Whistleblowing plays a critical role in the fight against corruption. Without the right mechanisms in place, the impact and prevalence of issues such as fraud, money laundering, sanctions breaches are exacerbated and so it is crucially important that regulators and organisations ensure they have an appropriate Whistleblowing framework in place”, Luke Firmin.

Divergent approaches and a maze of reporting channels

Fragmentation persists in how whistleblower claims are handled. Some countries, like Bulgaria and Denmark, have designated their data protection authority as claims handlers, while others have multiple authorities, creating confusion about where to direct concerns. This inconsistency in reporting channels further undermines the legislation’s effectiveness, which is particularly problematic given the need for reports to be efficiently triaged and investigated.

The directive has spurred some companies, particularly regulated financial institutions (predominantly banks, who face stricter scrutiny from their national regulator) to invest insecure reporting platforms and awareness campaigns. However, smaller firms often lack the resources to meet these standards, and some have been accused of paying lip service to compliance rather than fostering a genuine culture of transparency.

The numbers behind whistleblowing

Whistleblower activity has increased in some jurisdictions, especially those with a history of corporate scandals. Germany has seen a rise in reports through hotlines addressing financial misconduct, environmental violations and workplace harassment. More broadly we have seen an increase in the implementation of whistleblower solutions across the EU, with the number of companies who have a solution in place rising from 85% to 96% over the past year.

Whistleblowing can sometimes trigger investigations and result in fines. However, the lack of transparency around these investigations means the full impact of these reports often remains invisible to the public. Without high-profile examples of whistleblower-driven enforcement, the law risks being perceived as toothless.

Another way to gauge its effectiveness is to examine whether it has led to major enforcement actions and fines. However, the present lack of a centralised regulator for supervising and measuring the performance of whistleblowing in the EU makes it difficult to accurately assess performance.

There have been notable cases in the past where reports have triggered investigations and substantial penalties.

Equally, many of these involved issues that were known but not reported on for years: think Dieselgate, Wirecard and DanskeBank. An effective whistleblowing regime could have exposed wrongdoing much earlier and saved millions in environmental damage and financial repercussions.

Lessons to be learned

It is important for EU regulators to take note and learn what other jurisdictions are doing.

In the US, the incentivisation of whistleblowers thanks to the Dodd-Frank Act — under which they can be rewarded between 10% and 30% of fines above £1m — and greater protection offered by legislation have been key drivers in bringing far more wrongdoing to light.

Meanwhile, while currently facing challenges similar to the EU, the UK’s whistleblower framework is at a pivotal point. The introduction of an “Office of the Whistleblower” could be a game-changer by putting into place a central body to oversee the national whistleblowing framework and measures to address the shortcomings of the current protective legislation, the Public Interest Disclosure Act.

However, the Whistleblower Bill has only just passed to the second reading, which is set for April 25, and will no doubt take a considerable amount of time to reach its final form.

"As a Forensic Accountant and Investigator, whistleblowing is often the catalyst for an investigation. It often uncovers concerns that might remain hidden through traditional channels, ensuring they are identified and thoroughly examined. Effective whistleblowing channels equip organisations with powerful tools to combat internal fraud, poor or dangerous practices, HR issues, and other challenges”, Peter Morgan.

Harmonisation and accountability on its way?

Adding another layer of complexity is the EU’s incoming new regulatory body, the Anti-Money Laundering Authority (AMLA). AMLA is expected to be fully up and running by 2028 and will help enforce the law in the financial services industry. Its harmonised rulebook should, in time, address many of the challenges around the supervision of whistleblowing measures at both a country and organisation level. However, the provisions around whistleblowing will not come into force until July 2027, and as with any EU rulebook, it has the potential to achieve very little but add costs and complexity.

In short, the Whistleblower Protection Directive has had little impact so far.

AMLA will play a crucial role in enforcement in time, but to realise the potential of the legislation now, national regulators must step up enforcement. They must align penalties and create clear, accessible reporting channels. Banks, too, must go beyond box-ticking and embrace a culture that genuinely values people who speak up.

The EU Whistleblower Protection Directive was designed to empower citizens and expose wrongdoing. For now, it remains a work in progress. Its success or failure hinges on whether governments and companies are willing to treat it as more than just a piece of red tape. If they don’t, the legislation risks being as effective as that poor security guard.

* Article previously published on Banking Risk & Regulation. Please note that some external links are gated and require a subscription to access.