WHISTLEBLOWING IN THE FINANCIAL SECTOR
Working in the financial sector: how can I raise my concern most effectively and what help can I get?
At Protect, we work with 100s of employers who want to do the right thing when it comes to whistleblowing, by creating a safe and supported speak up culture. It is not always easy, though, when things start to go wrong.
If you work in a bank, building society, credit union, insurer or major investment firm and have witnessed some wrongdoing then you might be able to raise a whistleblowing concern.
This webpage outlines how you can do this internally and externally.
Raising a concern internally
The first step is often to speak to your line manager or look at your employer’s whistleblowing policy and raise a concern internally.
The FCA/PRA rules regarding internal whistleblowing
All FCA-regulated entities are advised to comply with the FCA handbook which includes a chapter obliging certain types of firms to have internal whistleblowing (or ‘speak up’) channels. This includes:
- Having a designated whistleblowing champion. This will normally be a senior manager at your firm whose job it is to oversee the implementation of whistleblowing arrangements. Your firm might also have a whistleblowing champion at board level, such as a non-executive director; some will just have strategic oversight, others a more hands-on role. Look at your firm’s policy to check.
- Having up-to-date written whistleblowing procedures;
- Being able to deal with confidential and anonymous disclosures; please see here for more information about the differences between confidential and anonymous reporting;
- Enabling a range of communication methods to raise a concern (for example, by phone, email or hotline) and stating clearly that you can raise your concerns direct with the FCA or the PRA;
- Providing feedback where this is feasible and appropriate;
- Having reasonable measures in place to prevent victimisation of whistleblowers;
- Delivering staff and management training to ensure that everyone is aware of the whistleblowing process and its rules.
Relevance for whistleblowers
If you have a concern, you can raise it through your company’s whistleblowing or ‘speak up’ channels. It is worth looking at your company’s whistleblowing policy in full and deciding who the right person to contact is and how. This may be your line manager, supervisor or a designated whistleblowing contact. Details of what your employer may have in place should be part of any ‘speak up’ or whistleblowing policy. If your company fails to comply with the FCA/PRA rules regarding whistleblowing, that itself may be a reportable concern.
The Senior Managers’ Regime
Senior managers in key roles linked to regulated business must comply with the senior managers’ regime (“SMR”). This regulates how they must act as a senior manager and discharge their responsibilities. If you have a concern about the conduct of a senior manager, it could be that they are in breach of the SMR. You can check who the Senior Managers are in your business by checking the Financial Services register. You should look at our guidance about raising whistleblowing concerns for more information, or call our Advice Line.
If you are bringing an employment tribunal claim against your employer, you may decide to settle your case.
As part of a settlement agreement, employers sometimes include clauses requiring you to keep matters confidential after you have left their employment.
While it may be reasonable to agree some matters (for example, that you will not tell everyone the amount of your settlement), the FCA/PRA rules state that employers cannot include “gagging” clauses (attempts to prevent you from raising whistleblowing concerns) or warranties (promises that you do not know of any wrongdoing) in settlement agreements. Whistleblowing law also says that any clause that prevents a worker raising a whistleblowing concern in the public interest is void (not legally binding). These clauses cannot be included in a settlement agreement and, if they are, they have no legal effect.
The FCA takes a firm stance on this issue so if your employer tries to include a gagging clause, you can report them to the FCA. Please see our webpage on settlement agreements for more information.
More information on how to raise a whistleblowing concern can be found by clicking the link.
Raising a concern externally
If you feel unable to raise a concern internally, or have done so and it has not been resolved (this could include situations where you have been ignored, have worries while an investigation is ongoing, or are unhappy with the feedback you have received following an investigation) you may consider raising a concern externally.
An external disclosure should be made to the appropriate regulating body, a ‘prescribed person’ by law. If you are working in the financial sector, the appropriate regulating body will likely be the FCA or the PRA, but could in some cases be the Serious Fraud Office (“SFO”) or the Information Commissioner’s Office (“ICO”).
Below is an overview of what the different regulating bodies do and how to raise concerns with them. If you are unsure which regulating body to approach, contact Protect and one of our advisers may be able to assist.
What the FCA do
- The FCA acts as watchdog for the conduct of all regulated and authorised firms and individuals.
- You should consider contacting the FCA if you have witnessed, or are aware of, wrongdoing happening in the workplace, by an individual or a firm that the FCA regulate.
How to raise a concern with the FCA
You can make a report to the FCA by:
- Calling their adviceline on +44 (0)20 7066 9200 (open 9am-12pm and 2-5pm) or leaving a message;
- Emailing them at email@example.com;
- Making an online report through their webform;
- Writing to them: Intelligence Department (Ref PIDA), Financial Conduct Authority, 12 Endeavour Square, London, E20 1JN
The FCA offer
- complete confidentiality (the FCA state that they always protect the identity of their whistleblowers, and while they might have to share the information provided, they would not disclose that this originated from a whistleblower, unless they are legally obliged to);
- a dedicated case officer to be assigned to a whistleblower’s case;
- meetings with your case officer in person or over the phone;
- the option to receive updates every 3 months regarding your concerns.
The FCA’s recent whistleblowing campaign, ‘In confidence, with confidence’, encourages those working within the financial sector to raise any concerns they have of wrongdoing. The FCA say that they are committed to protecting the identity of those they advise and have increased the size of their specialist whistleblowing team, who are trained to deal directly with whistleblowers.
The FCA deal with concerns regarding many different issues, including: mis-selling; treating customers fairly; money laundering; fitness and propriety; systems and controls; unauthorised business; and sexual harassment.
Sexual harassment can also amount to a breach of conduct rules and allegations of sexual harassment can be raised with the FCA directly. If raised internally, firms are obliged to notify the FCA within 7 days.
Our sexual harassment webpage has further guidance on raising such a concern.
More information can be found on the FCA website (from which the above information was collected).
What the PRA do
- The PRA is responsible for the prudential regulation and supervision of banks, building societies, credit unions, insurers and major investment firms. It ensures stability of the UK financial system by creating policies for firms to follow, setting standards and promoting safety and soundness through supervision of financial institutions at the level of the individual firm. Not all firms will be regulated by the PRA.
- You should consider contacting the PRA if you work, or used to work, in the financial services industry and have concerns relating to your employer or other firms or individuals.
How to raise a concern with the PRA
You can make a report to the PRA by:
- Calling their adviceline on +44 (0)203 461 8703 during office hours or leaving a callback message;
- Emailing them at firstname.lastname@example.org;
- Writing to them: Confidential reporting (whistleblowing) IAWB team, Legal Directorate, Bank of England, Threadneedle Street, London, EC2R 8AH.
The PRA offer
- complete confidentiality (unless they are legally obliged to disclose a whistleblower’s identity);
- a dedicated whistleblowing team case officer to be assigned to a whistleblower’s case to look at the information provided and any other supporting information;
- to contact you if they need more information (unless you have asked them not to or they think it is unsafe to do so);
- to decide if they will take further action.
The PRA can provide only ‘very limited feedback’ to whistleblowers.
More information can be found on the PRA website (from which the above information was collected).
What the SFO do
- The SFO investigates and prosecutes serious or complex fraud, bribery and corruption.
- You should approach the SFO if you believe that your concern falls within this remit; be aware that the SFO can only take on a very small number of serious cases.
How to raise a concern with the SFO
You can make a report to the SFO:
- using their secure online reporting form on their website (they cannot take reports over the telephone).
- The SFO offer confidentiality and say that they do not normally disclose the identity of individuals who contact them; however, there are rare situations where a judge may order them to do so, in which case they will consider all available options and consult with you where reasonable to do so.
More information can be found on the SFO website (from which the above information was collected).
What the ICO do
- The ICO is responsible for upholding information rights in the public interest.
- You should consider contacting the ICO if your concern relates to issues of data protection and/or freedom of information.
How to raise a concern with the ICO
You can make a report to the ICO by:
- Calling their helpline on 0303 123 1113 and selecting the option for whistleblowing complaints. The ICO ask that you make clear to the person you speak to that you consider yourself to be making a protected disclosure under the whistleblowing provisions. Their staff will then be able to guide you to an online reporting tool where you can submit your protected disclosure.
- Writing to them, making clear that you consider yourself to be making a protected disclosure under the whistleblowing provisions.
- Their head office is: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
- The ICO offer complete confidentiality (unless they are legally obliged to disclose a whistleblower’s identity).
More information can be found on the ICO website (from which the above information was collected).
The FCA is one of the very few regulators that investigates whistleblower victimisation. If you are a whistleblower who has been victimised, you can tell the FCA who may decide to take action against the person victimising you, particularly if they are a senior manager.
It is therefore advisable to talk to the FCA if you are afraid of being victimised or have been victimised as a result of raising a concern. As appropriate, the FCA can either keep the risk of victimisation in mind and offer you protection while investigating a concern, or sanction anyone who victimises you at work because you have raised a concern.
Template – Disclosure to the Financial Conduct Authority or the Prudential Regulation Authority
If you work in the financial services sector, you may want to make an external disclosure to your firm’s regulator, which will generally be either the Financial Conduct Authority (“FCA”) or Prudential Regulation Authority (“PRA”).
To contact the FCA, you can:
- call: +44 (0)20 7066 9200 between 10am and 3pm, or leave a message
- email: email@example.com
- write to: Intelligence Department (Ref PIDA), Financial Conduct Authority, 12 Endeavour Square, London, E20 1JN
- use the FCA’s online form to make a report
To contact the PRA, you can:
- call: +44 (0)203 461 8703 during office hours
- email: firstname.lastname@example.org
- write to: IAWB (Legal Directorate), Bank of England, Threadneedle Street, London, EC2R 8AH
If emailing or writing to the FCA or PRA, you can use this template to help you.
Which regulator you contact should be determined by which is responsible for your firm. You can find this out by searching for your firm on the Financial Services Register.
We are always happy to help so if you are unsure about how the rules apply to you please speak to us.
This is only a guide. Please edit or adapt it to suit you.
The Public Interest Disclosure Act
As a whistleblower, you have legal rights protecting you from detriment and dismissal for whistleblowing
The Public Interest Disclosure Act 1998, shortened to PIDA, is the law that protects whistleblowers from negative treatment or unfair dismissal. It is part of the Employment Rights Act 1996 (“ERA”).
PIDA makes it unlawful to subject a worker to negative treatment or to dismiss them because they have raised a whistleblowing concern. Raising a whistleblowing concern is also known as making a ‘protected disclosure’.
Will any disclosure I make to the FCA/PRA be kept confidential?
The FCA states that it always protects the identity of its whistleblowers. While it may have to share the information you have provided, it would not disclose that this originated from a whistleblower, unless it is legally obliged to.
Any contact details (e.g. an email address) which you share with the FCA will be stored securely, and access to this information will be limited to the Whistleblowing team.
If you want to remain anonymous, the FCA will still accept and process your information. Whistleblowers who choose to remain anonymous via email or telephone will receive a reference number which they can use when contacting the FCA anonymously again. Indeed, whistleblowers choosing to remain anonymous is quite common for the FCA: for instance, in Q3 2022, 110 out of 291 FCA whistleblowers opted to report anonymously (see here).
The FCA can also arrange to speak with you or meet you in person.
Instances where the FCA might share information with others (but not disclose your identity unless legally obliged to do so) are as follows:
- When you share information with the FCA, the Whistleblowing team create and record a report of your concerns. This report focuses on concerns, not the person who reported them. It is then shared with the FCA colleagues who need the information to work out the next steps and held on file as intelligence, which can be reviewed again by its teams.
- Other regulators and organisations. If you directly report wrongdoing to the FCA, it may share this information with relevant organisations. It has agreements in place with many regulators and organisations so it can share information with them. This includes (for example) the PRA, as the FCA and PRA jointly regulate many firms.
- Law enforcement. The FCA also has agreements in place with the police and other law enforcement offices. It shares information with them on a frequent basis, if legally allowed to do so. The FCA may encourage you to contact these other organisations directly.
Similar principles apply to firms which are regulated by the PRA rather than the FCA. Details of the PRA’s approach (as part of the Bank of England) can be found here: https://www.bankofengland.co.uk/whistleblowing.
Which regulator should I go to and why is it important?
In order to qualify for protection, the law requires you to have a reasonable belief that the concern you are disclosing falls within the regulatory remit of the regulator. It also requires you to believe that the information you disclose is substantially true. See ‘What type of concerns can I raise to be protected?’ and ‘Raising concerns externally’ for further information.
As a starting point, you can check whether your financial services firm is regulated (and by which regulator) by searching for your firm on the Financial Services Register. It is also important to understand whether your concerns are within the relevant regulator’s remit before attempting to make a protected disclosure to them.
Various financial services regulators are prescribed under Schedule 1 of the Public Interest Disclosure (Prescribed Persons) Order 2014/2418, including:
- the FCA;
- the PRA (part of the Bank of England);
- the Bank of England; and
- the Payment Systems Regulator (which can be contacted via the FCA).
The full list of prescribed persons can be found here, as well as corresponding descriptions of matters within each regulator’s remit. If you are unsure whether the concern you want to raise falls within the regulator’s remit, we recommend that you call them informally to discuss the nature of the concern in order to establish whether it is within the regulator’s remit. You can do this on an anonymous hypothetical basis.
In cases where a matter is in the remit of the US Securities and Exchange Commission (the SEC), whistleblowers sometimes prefer to disclose to the SEC. This is due to the rewards system which exists where such cases lead to enforcement action. Further detail on this system can be found here: https://www.sec.gov/whistleblower.
What are the risks of gathering evidence?
Proactively obtaining information further to what is already in your possession could lead you to inadvertently break the law (for example, by putting you in breach of confidentiality obligations). For that reason, the FCA and PRA do not encourage whistleblowers to proactively obtain any more information from any source, whatever the circumstances.
How much evidence will the regulator want to see?
To start the process, an email or phone call is enough.
Types of information it would be helpful to provide to the regulator include:
- the firm or individual’s name
- what is the suspected wrongdoing?
- who is involved?
- how long it has been going on?
- where is this happening?
- what is the impact?
- if you have any supporting documents or evidence you can share with the FCA/PRA
As stated above, the FCA and PRA do not encourage whistleblowers to proactively obtain any more information from any source, whatever the circumstances, as they might break the law. However, they may ask whistleblowers to clarify the information already provided.
How do I find out if something is a breach of financial services law or regulation?
Please refer to ‘Am I protected from being dismissed if I raise concerns with the regulator?’ for guidance in assessing whether a complaint is within the relevant regulator’s remit.
As set out in section 43B of the Employment Rights Act 1996, a disclosure will be a “qualifying disclosure” if, in your reasonable belief, it tends to show one or more of the following:
- (a) that a criminal offence has been committed, is being committed or is likely to be committed,
- (b) that a person has failed, is failing or is likely to fail to comply with any legal obligation to which he is subject,
- (c) that a miscarriage of justice has occurred, is occurring or is likely to occur,
- (d) that the health or safety of any individual has been, is being or is likely to be endangered,
- (e) that the environment has been, is being or is likely to be damaged, or
- (f) that information tending to show any matter falling within any one of the preceding paragraphs has been, is being or is likely to be deliberately concealed.
In financial services, you are most likely to be concerned with point (b) above (though (a) and (f) can also be relevant, depending on the circumstances).
It is not always straightforward to ascertain whether something is a breach of a firm’s legal obligations under financial services law and regulation. Generally, the FCA’s rules for firms can be found in the FCA Handbook, and the PRA/Bank of England’s rules can be found in the PRA Rulebook. However, these are both lengthy publications and determining whether something is a breach of law is not necessarily a simple exercise.
The important point is that you “reasonably believe” that there is actual or potential failure to comply with a legal obligation. Generally you can tell whether something in the FCA Handbook or PRA Rulebook is a legal obligation, as follows:
- In the FCA Handbook, the letter R next to a provision stands for “rule” and is therefore binding on firms (see for example SYSC 18.3.1R). By contrast, the letters G (as in SYSC 18.3.2G) and E (SYSC 18.5.2E) stand for “guidance” and “evidence” and indicate that the provision is not binding on firms.
- If there is mandatory wording, such as “a firm must[…]”, then this might be grounds for reasonable belief that the provision constitutes a legal obligation (per Daniel v United National Bank Ltd and Mr B Firth , ).
For an idea of the types of allegations the FCA receives, you can view its quarterly data on whistleblowing. This list is not conclusive and should not be relied on as a source of “legal obligations” (as they are different for every firm); however, it may give you an idea of the sorts of issues the FCA is used to dealing with:
- Fitness and Propriety. Broadly, under the Senior Managers and Certification Regime (“SMCR”) firms must assess the fitness and propriety of both senior managers within a firm and certified individuals, at least once a year.
- Systems and Controls. Firms are subject to the rules in the SYSC handbook, which covers obligations such as outsourcing, conflicts of interest, risk management, remuneration, and many other issues including the SMCR.
- Unauthorised Business. Under section 19 of the Financial Services and Markets Act 2000, no person may carry on a regulated activity in the UK, or purport to do so, unless they are either authorised or exempt. So, a firm without any authorisation cannot carry on a regulated activity; similarly, a firm which is already FCA/PRA authorised carrying on regulated activities outside the scope of its authorisation would also be in breach of section 19.
- Money Laundering. This might include how a firm implements its anti-money laundering processes and procedures.
- Mis-selling. The FCA has published a short whistleblowing case study relating to insurance mis-selling, but this could also be relevant to other areas such as mortgages and investments.
There are many other issues the FCA hears about, including (but not limited to) compliance, treating customers fairly, organisational culture, consumer detriment, crime, fraud, data security, client assets, and pressure selling.
For an idea of the types of allegations the Bank of England/PRA receives, you can check its whistleblowing annual report for 2022. Examples (based on cases managed by the Bank’s whistleblowing team) come from, but need not be limited to, the following types of firms:
- Data policy breaches, IT system failures and inadequacy of technical support, and poor speak up culture with staff unable to voice concerns through fear of detriment.
- Conflicts of interest that resulted in wrongdoing by senior management, poor governance and risk/controls, and inadequate whistleblowing function.
- Credit Union. Poor governance, where key information provided to the board misrepresented the firm’s capital position, and a culture of bullying and intimidation.
- Insurance Firm. Systemic underestimation of the firm’s capital/solvency position in regulatory reporting requirement, and a deliberate lack of action by senior management to resolve this issue.
Can or should I speak to the press, and what are the implications if I do so?
There are a number of risks associated with using the press as a channel for whistleblowing such as: personal reputational harm; career damage; potential breach of fiduciary duty to your employer; and risk of other civil action against the whistleblower such as defamation or breach of privacy.
Importantly, going to the press could also undermine any good faith in the whistleblowing, in the event that the case goes to a Tribunal.
Additionally, in some cases (such as money laundering), disclosing wrongdoing to the press could put the whistleblower at risk of “tipping off”. “Tipping off” is a criminal offence under section 333A of the Proceeds of Crime Act 2002: it occurs where a person discloses information likely to prejudice an investigation, where that information came to the person in the course of business in the “regulated sector”.
Speaking with the press about wrongdoing will also have different protections from an employment law perspective compared with speaking to your employer or to a regulator. See ‘Raising concerns externally, the legal test’ for further detail.
Are the FCA/PRA interested in bullying/widespread cultural concerns?
Broadly, both regulators deal with cultural concerns regularly and both regulators require firms to have appropriate internal arrangements for whistleblowers to disclose behaviour that harms or is likely to harm the reputation of the firm. However, for the purposes of the Employment Rights Act 1996 (“ERA”), a disclosure of cultural concerns might not cover a breach of a “legal obligation” (and therefore might not be a “protected disclosure”).
From the perspective of the whistleblower, the FCA states that “culture” is one of the five overarching themes of allegations from reports it typically receives. In particular, in Q3 2022 it received 99 allegations relating to “culture of organisation” (from a total of 291 reports received over that period). In terms of the PRA, the Bank of England’s whistleblowing annual report for 2022 cites several case studies based on matters managed by the Bank’s whistleblowing team. These include one case of a bank with poor ‘speak up’ culture where staff were unable to voice concerns through fear of detriment, and another case of a credit union with a culture of bullying and intimidation.
From the perspective of the firm, the FCA requires firms to have appropriate and effective arrangements for the disclosure of “reportable concerns” by whistleblowers (SYSC 18.3.1R(1)). As part of this duty, firms must ensure the effective assessment and escalation of reportable concerns by whistleblowers where appropriate, including to the FCA and PRA (SYSC 18.3.1R(2)(b)). The PRA has similar duties around “reportable concerns” (including for firms which are CRR firms, Solvency II firms, credit unions, and third country branches).
The meaning of a “reportable concern” is broad, covering “a concern held by any person in relation to the activities of a firm, including:
- (a) anything that would be the subject-matter of a protected disclosure, including breaches of rules;
- (b) a breach of the firm’s policies and procedures; and
- (c) behaviour that harms or is likely to harm the reputation or financial well-being of the firm.”
In some cases, bullying and widespread cultural concerns might fall within limb (a) above (namely where there is a breach of a legal obligation, for example the SMCR conduct or fitness and propriety rules). However, in other cases, it would fall within (c) above.
If the subject matter of the disclosure falls purely within “behaviour that harms or is likely to harm the reputation” of the firm, then you should bear in mind that (while the FCA/PRA may be interested in hearing about this and will still uphold confidentiality) such disclosures may not be covered by s 43B of the ERA and therefore may not provide you with protection against dismissal and detriment.
Will I still be protected if I raise a breach not of a legal obligation but of regulation?
As long as you can show that you “reasonably believe” there is a breach of legal obligation, then you can still qualify for protection if you disclose a breach of regulation (not legislation) to the FCA/PRA or to your employer.
Generally, the FCA’s rules for firms can be found in the FCA Handbook, and the PRA/Bank of England’s rules can be found in the PRA Rulebook. These are both lengthy publications and determining whether something is a breach of law in these rules will often be heavily fact-dependent.
However, some general guidance is as follows:
- You should try to understand the exact rule you think has been breached.
- If the provision has mandatory wording (such as “a firm must […]”), then this could support a reasonable belief that there is a legal obligation involved (Daniel v United National Bank Ltd and Mr B Firth , ).
- In the FCA Handbook, the letter R next to a provision stands for “rule” and is therefore binding on firms (see for example SYSC 18.3.1R). By contrast, the letters G (as in SYSC 18.3.2G) and E (SYSC 18.5.2E) stand for “guidance” and “evidence” and indicate that the provision is not binding on firms.
- If, within the firm, you are responsible for the area you are reporting a breach against, this may support your claim of “reasonable belief”. For example, a Chief Risk Officer whose role is partly to identify regulatory breaches and the threat posed by them will be better placed to evidence reasonable belief of a breach than “an uninformed, non-expert, who was raising minor, perceived imperfections” (Daniel v United National Bank Ltd and Mr B Firth , -).
Will I be protected if I raise something that could impact the reputation of the firm?
“Behaviour that harms or is likely to harm the reputation of the firm” is one of the three types of “reportable concern” as defined in the FCA Handbook and PRA Rulebook. However, in many cases such behaviour may not be a breach of a “legal obligation” for the purposes of section 43B of the Employment Rights Act 1996 (“ERA”).
Therefore, if you disclose such matters to the FCA/PRA then you should bear in mind that (while the FCA/PRA may be interested in hearing about this) such disclosures may not be covered by s 43B of the ERA and therefore may not provide you with protection against dismissal and detriment.
However, it is a separate matter if your firm does not have appropriate and effective arrangements for you to disclose “reportable concerns” such as reputationally damaging behaviour, as the lack of appropriate and effective arrangements could amount to a breach of the FCA/PRA rules on the part of the firm.
In particular, the FCA requires firms to have appropriate and effective arrangements for the disclosure of “reportable concerns” by whistleblowers (SYSC 18.3.1R(1)). As part of this duty, firms must ensure the effective assessment and escalation of reportable concerns by whistleblowers where appropriate, including to the FCA and PRA (SYSC 18.3.1R(2)(b)). The PRA has similar duties around “reportable concerns” (including for firms which are CRR firms, Solvency II firms, credit unions, and third country branches).