Whistleblowing frameworks: design, testing and culture

The FCA's whistleblowing rules in SYSC 18 apply to UK deposit-takers, insurers, and UK branches of overseas deposit-takers and insurers above a defined size threshold. These firms must appoint a Senior Manager as their whistleblowers' champion, establish and maintain internal whistleblowing channels, inform employees of the FCA's and PRA's external whistleblowing services, and include specific protections for whistleblowers in their employment practices. For firms not captured by SYSC 18, the whistleblowing rules under the Employment Rights Act 1996 (as amended by the Public Interest Disclosure Act 1998) still apply, and the FCA expects all authorised firms to take the spirit of the whistleblowing rules seriously as part of their governance and culture obligations.

Effective whistleblowing channels must be accessible, confidential, and genuinely independent of operational management. A channel that routes through the direct line management chain — or where the investigating function has insufficient independence from the subject of any report — does not meet the spirit of the regulatory requirement. Many firms operate third-party hotlines, which can provide anonymity and independence, but these arrangements must be designed carefully: the firm needs to be able to respond meaningfully to reports received, which requires a defined triage process, clear ownership of investigations, and a governance mechanism for escalating serious matters to the whistleblowers' champion and, where necessary, to the FCA.

Testing the effectiveness of whistleblowing channels is an obligation that is frequently overlooked. The FCA expects firms to be able to demonstrate that their channels work in practice, not just in policy documents. This may include mystery shopping exercises, review of report volumes and outcomes against reasonable benchmarks, employee survey questions that probe awareness of and confidence in the channels, and board-level oversight of trends in speak-up data. A low volume of reports in a firm of material size is itself a risk indicator — it may reflect a culture in which concerns are genuinely absent, or one in which employees do not believe that speaking up is safe or useful.

Retaliation against whistleblowers is both a regulatory concern and a legal risk. SYSC 18 requires firms to have policies protecting whistleblowers from victimisation, and the Employment Rights Act provides enforceable rights for qualifying workers. A firm found to have taken adverse action against a whistleblower — even informally, through changed working relationships, exclusion from opportunities, or changed performance assessments — faces significant regulatory, legal, and reputational risk. Senior leaders set the tone, and boards should ensure they are receiving honest assessments of culture rather than curated presentations.

Annual reporting and board oversight

The whistleblowers' champion must report annually to the board on the effectiveness of the firm's whistleblowing framework. This report should cover: the number and nature of reports received; the outcomes of investigations; any instances of retaliation (alleged or substantiated); and the champion's assessment of cultural health. Where the report is perfunctory or contains no substantive findings, boards should probe whether the underlying framework is functioning or whether reporting is being sanitised.