There is a constant obligation on all of us to do the right thing in a society where we are faced with continuous issues relating to corruption, fraud, and general wrongdoings. But are we comfortable reporting these types of misconduct? In most cases, employees and individuals fear that there will be some sort of retribution and do not wish to be put in a situation that may lead them to suffer any consequences, including putting their own job at risk. In fact, based on a recent study conducted by Transparency International, 56% of Maltese residents believe corruption cannot be reported without fear of retaliation. Transparency International also indicated that other reasons for not reporting a wrongdoing may include the belief that nothing will be done, that it will not make any difference, and uncertainty about how, where and to whom to report such wrongdoings.

Therefore, several governments globally, including the EU and Malta, have developed and implemented whistleblower protection regulations and legislation, with the main purpose of protecting whistleblowers, also known as reporting persons.

The Maltese Government introduced this legislation in 2013 (Protection of the Whistleblower Act (CAP. 527) of 2013) and with the implementation of Directive (EU) 2019/1937 of the European Parliament and of the Council of 23rd October 2019 on the protection of persons who report breaches of Union law (also known as the "Whistleblower Protection Directive"), the EU is sending a strong message that those employees seeking protection or retribution from exposing and disclosing wrongdoing will receive it.

What is whistleblowing?

Whistleblowing is the term used when an individual passes on information concerning wrongdoing within an organisation. In some instances, this is also called “making a disclosure” or “blowing the whistle”.

In general, whistleblowing forms part of the larger risk management and fraud prevention framework within an entity, and empowering individuals to safely voice their concerns – and having the proper control measures in place to deal with such concerns – is the foundation of good governance and an open culture.

A study conducted by Marcia P. Miceli and Janet P. Near from Indiana University indicates that whistleblowing usually takes place in the following phases:

  1. an incident involving questionable, unethical, or illegal activities occurs that triggers the reporting person to consider whether he/she should disclose this information to the entity;
  2. the employee uses all the available information to decide whether to proceed with the disclosure by looking at the available reporting options, discussing this with other individuals, and personal introspection;
  3. the employee then either decides to blow the whistle, leave the entity or remain silent due to fear of retaliation; and
  4. the entity reacts against the decision being made, by either protecting the individual or retaliating against him/her.

In the perfect scenario, one would like and expect the whistleblower to be aware of his/her rights and to report the wrongdoing confidently and safely.

Why should you implement whistleblowing procedures?

Currently, in Malta, only certain entities have a legal obligation to set up and implement whistleblowing structures and procedures within their organisation. These entities include the following:

  1. Each ministry of the Government of Malta;
  2. Any organisation within the private sector which, according to its last annual or consolidated accounts, meets at least two of the following criteria:
    • an average number of employees, during the financial year, of more than 250;
    • a total balance sheet exceeding €43,000,000; and
    • an annual turnover exceeding €50,000,000.
  3. Any voluntary organisation which annually raises more than €500,000 from public collections and other donations.

On the other hand, the EU Whistleblower Protection Directive, which is to be implemented by way of local transposition by 17th December 2021, states that legal entities in the public sector, municipalities of more than 10,000 inhabitants, and legal entities in the private sector with more than 50 workers should implement whistleblowing procedures following local legislation and the new directive.

Other than the legal obligation and requirements to implement whistleblowing procedures, there are other benefits for including this in the corporate governance structure of your entity. These include the following non-exhaustive list:

  • Whistleblowing is one of the largest forms of fraud prevention and detection. The ACFE Report to the Nations for the 2020 Global Study on Occupational Fraud and Abuse states that 43% of all occupational fraud is initially detected through tip-offs from employees, suppliers, customers, and even anonymous individuals;
  • Having a whistleblowing policy in place allows employers and entities to educate staff and management and reinforces the standards expected in their organisation. The policy may also set the tone of the entity and create a culture where wrongdoing can be addressed before any legal action or reputational damage is necessary;
  • The proper procedures can protect a firm from reputational damage if false or malicious accusations are being made by current or former employees, as the procedures and legislation address such claims; and
  • Establishing whistleblowing procedures may improve the internal efficiency within an organisation by providing access and confidential support to everyone. This is done by streamlining and simplifying the process to report and investigate any allegations within an organisation and to easily identify any actual wrongdoings, grievances, and false allegations safely and confidently.

Not only does whistleblowing increase the transparency within entities, but it also has advantages for the nation and the community. Information or disclosures made by the reporting persons are highly critical for a democratic and free society. These disclosures assist in the fight against corruption and commercial crime in public and private entities, can save lives by revealing potentially dangerous wrongdoing in the environment or health sector, and put faith in the rule of law and justice in the country.

What should you do to implement these procedures?

Even though the implementation of an effective whistleblowing programme starts with the tone at the top by establishing a risk awareness culture, entities can start by implementing the following steps to be compliant with relevant legislation with the objective of increasing business integrity.

1. Appoint a Whistleblowing Reporting Officer (WRO) or Unit (WRU)

Each entity that falls under the remit of the Whistleblowing Protection Directive must appoint an impartial person or department for the management of the internal reporting process. This role will be responsible for maintaining communication and feedback with the reporting persons, ensuring the procedures and controls are in place, and providing support as much as possible.

In most instances, the WRO or WRU will be the only person or team who will see the allegations and should decide whether to investigate, refer or stop the allegation in its tracks.

2. Establish Whistleblowing procedures

Put in place internal whistleblowing arrangements where the entity can receive various types of reports of wrongdoing in a safe and confidential manner. These reports can be received verbally or in writing and the procedures must be easily understandable by the different stakeholders. The procedures for reporting and following-up of reports shall include an acknowledgment of receipt to the reporting person within no more than seven (7) days. The law also sets a time limit of three (3) months from the receipt of the report to provide feedback to the reporting person about any follow-up aspects.

The procedures should also provide for individuals who wish to report wrongdoings externally or publicly. External and public disclosures are only permitted in certain circumstances such as if internal disclosures were made but no feedback had been received and/or no action was taken, immediate attention from an authority is required, or if the employee will be subjected to immediate occupational detriment.

3. Create awareness across all levels of staff regarding whistleblowing

All reporting procedures must be clear and easily accessible. It is also in the best interest of the organisation that all staff members know their rights and are aware of how to make a disclosure.

One of the ways that the entity can ensure this is by providing awareness training and distributing the contact details for the WRO/WRU to everyone within the entity.

4. Keep a record of all reports and disclosures

All entities and authorities should keep proper records of every report received, in compliance with the confidentiality requirements. Reports shall be stored for no longer than is necessary and proportionate.

In all instances, when storing the reports, the WRO or WRU will ensure that the identity of the reporting person is not disclosed beyond the authorised persons (without the consent of the reporting person).

5. Compliance with other legislation

The Maltese Whistleblower Act and the EU Whistleblower Protection Directive’s sole purpose is to ensure protection to reporting persons and provide guidance in the establishment of whistleblowing procedures. It is however important to note that as the employer will be working with sensitive and personal data, they should at all times, when processing data, be compliant with the General Data Protection Regulation (GDPR).

It should also be noted that blowing the whistle does not provide the whistleblower with immunity if he/she was the perpetrator or an accomplice, as such agreements fall under the remit of other legislation.

How can you ensure that the correct procedures are followed?

At RSM Malta, we firmly believe that implementing prevention and pre-emptive measures now is better than reacting to undetected fraudulent activity at a later stage. As professionals in compliance and risk management, our staff at RSM Malta can assist you with various services including the establishment of the governance structure and the underlying policy and procedures.

For more insights, support, and additional information on the application of the Whistleblower Protection Directive and how we can assist you, you may reach out to us by contacting [email protected] or [email protected].