OFAC Sanctions and Ransomware Payments: A World of Issues
Regulatory & Investigations
The Covid-19 pandemic has had a significant impact on the way businesses operate and most importantly, the location of the workforce on a day to day basis. After 18 months, many companies still report ongoing remote working and hybrid working models, for some or all of their workforce. This has had a particular impact on a company’s culture and has increased the risk of undetected employee wrongdoing. Given the reduced ability of managers within a business to spot issues or concerns as they happen, the implementation of a whistleblowing policy and hotline is more imperative than ever.
The importance of companies putting in place a well-engineered and effective whistleblowing mechanism cannot be overstated – it can be a really important facet of good corporate governance and act as an early warning system for adverse behaviours and activities which could expose a business to regulatory, legal or litigation risks. It helps identify workplace issues such as bullying, harassment, conflicts of interest, ethical lapses, fraud, corruption and money laundering and can highlight examples of non-compliance with company policies and procedures earlier than they might otherwise be discovered.
However, in the same way that a motor vehicle consists of multiple components engineered in such a way that they work smoothly together, a whistleblowing mechanism has interdependencies with other components which, when well-integrated, will help make it operate more effectively.
These components include:
A suite of clear and unambiguous policies underpinning the whistleblowing mechanism should be developed and put in place to cover a range of areas including how and when a whistleblowing hotline should be used, anonymity, how it should be managed, who it applies to and relevant roles and responsibilities. Other areas to consider would include an anti-retaliation policy, a grievance procedure and a clearly articulated code of conduct.
Training is another essential component which needs to be regularly revisited and refreshed. Training should cover areas including how and when to use the whistleblowing hotline and provide reassurance about whistleblower protections and anonymity. Where applicable, it should equip employees to identify red flag indicators – this should be role based wherever possible - and relevant legal and regulatory updates should be made available to employees. Material should also cover fraud and corruption awareness and include communications that reinforce and encourage the development of a strong compliance culture.
The actual mechanism that employees use to make a report should be capable of receiving information either anonymously or on an attributable basis. The decision regarding anonymity should be left to the employee making the disclosure. It should have functionality that allows the whistleblower to provide evidence. For example, on a web-based reporting platform, employees should be able to upload documents or other electronic files and it should be secure and confidential. Consideration should also be given to outsourcing the hotline mechanism to an independent third-party. This can help give employees comfort that their disclosure is anonymous and their identity can’t be tracked by their employer. It’s vital that your employee population trust any hotline mechanism – if they don’t, they’re less likely to use it.
There should be a strong investigations capability to follow up, review or investigate any whistleblowing disclosures that are received via the hotline. Investigations should be underpinned by clear parameters as to when a full investigation should take place and who has the authority to approve it. The investigations framework should define when an independent third party should be involved– examples of such scenarios include cases where there are serious allegations against the Board, allegations that involve the investigations team or any issues that hinge around potential conflicts of interests when it may be difficult to guarantee impartiality in an investigation. Further examples include complex technical or legal matters and issues where the required skills or knowledge do not exist in-house. Investigation metrics should be published so that employees can take comfort that the whistleblowing hotline is an effective mechanism and disclosures are followed up and taken seriously.
Developing a strong corporate compliance culture is a vital component that requires consistent and continual effort. The tone of the company should be set from the top and strong compliance-based behaviours and ethical values should be consistently reinforced. Employees should genuinely feel that ‘this is the way we do things around here’ and they should be encouraged to “speak up” when they have concerns. Messaging around the importance of compliance should form part of internal communication campaigns and should be visibly and actively demonstrated by senior management.
Governance structures vary from company to company but it is vital that any whistleblowing hotline mechanism is subject to senior management oversight. The Board should have direct line of sight so that any issues or trends receive their attention and they’re in a better position to fulfil their corporate accountability responsibilities, including helping to ensure that there is no retaliation against whistleblowers and that they are not disadvantaged as a result of making a disclosure. Metrics regarding the performance of the whistleblowing hotline mechanism should be reported regularly to the Board.
For more information about managed whistleblowing services or for specialised support in any of the areas discussed in this paper, please contact any of the authors listed below.