Building an effective whistleblower framework is a little more complex than setting up a complaint hotline for employees. CGj takes a look at a critical component of such frameworks that has received too little attention in Hong Kong – whistleblower protection.

The collapse of the German payments processor Wirecard AG in June 2020, with EU1.9 billion missing from its accounts, was the final act in a long-running drama that should be required viewing for governance professionals wanting to understand the value of whistleblowing. 

For years, the company was the darling of the markets. Its books, according to its auditors, were clean. Its prospects, according to the analysts, were spectacular and the regulators were pursuing critics of the company for possible shorting of the stock. As is often the case, however, many employees of the company were under no illusion about what was going on and the process that ended with the company filing for insolvency, and the Chief Executive and two high-ranking managers being charged with accounting fraud and market manipulation, was instigated by a whistleblower. 

‘The establishment of a whistleblowing policy and framework is core to maintaining high ethical standards and good corporate governance,’ says William Tam ACG HKACG, Partner, Deloitte China. He emphasises that employees are usually the first to sniff out corruption. ‘They are one of the key elements in detecting and successfully pursuing misconduct within a company. The rate of success is significantly higher compared to traditional governance lines of defence. An internal audit exercise in a multinational corporation, for example, is less likely to uncover misconduct than information from a well-placed whistleblower,’ he says. 

But there is another lesson to learn from the Wirecard debacle. There are significant risks to reporting fraud, particularly of course, as was the case with Wirecard, when it goes all the way to the top of the company. Whistleblowers risk either being dismissed or finding their job not tenable and having to resign. They may also face a real risk of damage to their future career prospects. Integrity and fearlessness is a daunting combination to ask of any employee, at all rungs of the employment ladder. 

If you want to maximise the benefits of whistleblowing, therefore, you need to create an environment that is conducive to it. Napoleon Bonaparte is famously credited with saying that ‘the world suffers a lot, not because of the violence of bad people but because of the silence of good people’. Companies therefore need to look at the cost-benefit calculation of potential whistleblowers. 

‘The holy grail of any whistleblowing initiative is to get employees to the point where they feel comfortable enough to expose corporate fraud,’ says Mohan Datwani FCG HKFCG(PE), Institute Deputy Chief Executive. ‘The question to ask is whether, at the end of the day, the employee feels safe.’ 

Regulatory regimes around the world have been focusing on this all-important question and whistleblower protections are becoming a standard part of the legislative and regulatory approach to whistleblowing – but what is the situation in Hong Kong? Let us look at recent developments.

Is Hong Kong lagging behind?

Global regulatory developments have increasingly reinforced the protective shield around the whistleblower, from as far back as the Public Interest Disclosure Act (PIDA) 1998 in the UK to the Whistleblowing Directive implemented by the European Union (EU) in 2019 (the Directive (EU) 2019/1937). In the US, retaliatory measures against a whistleblower can potentially result in jail time. 

In 2013, lawmaker Cyd Ho Sau-lan, a member of the Legislative Council of Hong Kong, unsuccessfully proposed whistleblower legislation which would protect individuals from retaliation for exposing malfeasance. A decade on, and it appears little has changed in the regulatory sphere. 

Mr Tam points to four key elements a potential whistleblower is looking for. Firstly, will my identity be protected? Secondly, will I be protected from retaliation? If at the end of the day they are going to suffer, very few employees will come forward as whistleblowers. Thirdly, will I be compensated if I suffer ill treatment? And fourthly, will I be protected from any civil or criminal action for my disclosures? He adds that, while many companies in Hong Kong have adopted good practices in this area, from the regulatory perspective, the above four elements are noticeably absent.  

In Hong Kong, whistleblower protection is only provided for implicitly in piecemeal provisions that are spread over various ordinances. There have been no new developments on what constitutes retaliatory conduct for instance, although one can draw inferences as to what would constitute such acts. For example, a very narrowly defined provision in the Employment Ordinance states that ‘an employer shall not dismiss an employee by reason of his giving evidence or information in any proceedings and inquiry in connection with the enforcement of the Employment Ordinance, work accidents or breach of work safety legislation’. The potential whistleblower is on shaky ground here, given the inference that only dismissal counts as retaliation, but other potential action by the employer may be considered. 

With such fragmented provisions and essential elements left undefined, key concerns for potential whistleblowers remain unanswered. None of the statutes mentioned above prescribe any specific legal remedies for the whistleblower in the event of retaliation. This is hardly reassuring when viewed in contrast with the EU’s Whistleblowing Directive for example, which clearly lays out the definition of what constitutes retaliation. Clearer statutory definitions and remedies may ultimately be what tips the balance in providing that elusive ‘comfort’ for the whistle to be blown. 

The question then arises, would soft regulation make a difference where statutory provisions fail to deliver?

New Code requirements

Hong Kong Exchanges and Clearing Ltd (HKEX) recently upgraded the Recommended Best Practice in the Corporate Governance Code (the Code) regarding the need for issuers to have whistleblowing policies to the status of a Code Provision (CP). With effect from 1 January 2022, CP D.2.7 requires issuers, subject to comply or explain, to establish a whistleblowing policy, a system for employees and those dealing with the company to be able to raise concerns about possible improprieties. The policy should ensure whistleblowing is anonymous and in confidence. 

Moreover, the audit committee, or other designated committee comprising only independent non-executive directors, should be responsible for handling whistleblowing complaints. Information related to anti-corruption and whistleblowing policies is already required to be disclosed on a comply-or-explain basis in issuers’ ESG reports. 

This explicit requirement for companies to have a whistleblowing policy is a timely development, says Mr Tam, but he emphasises that it is important to avoid a copy-and-paste approach in implementing the new requirement. He reiterates that any whistleblowing framework must have building trust as the primary focus since it will only be effective if employees feel safe to come forward. He adds that there is an increasing demand for whistleblowing frameworks that involve independent third parties. Deloitte’s independent whistleblowing service, Conduct Watch, for example, has greater take-up in some instances than internal reporting procedures. 

Regardless of whether the framework is developed internally or by an external provider, a forward-thinking approach where individuals are comfortable to use the framework is essential in developing an effective whistleblowing mechanism. Having a mechanism that is formally in place but not used when it is needed is pointless. It could potentially result in disgruntled employees turning to the regulators, with far more public consequences. 

To be effective, emphasises Mr Tam, a whistleblowing framework needs to have two layers. Firstly, there should be internal procedures and policies in place that will articulate all the necessary information that a whistleblower should provide. Just as crucially, the procedures and policies should clearly lay out the escalation procedures, the step-by-step process that will be taken once a complaint has been received, and the expected turnaround time. The second layer is awareness training, to explain how employees can file a complaint. These key elements are reiterated in the Independent Commission Against Corruption’s Corporate Whistleblowing Policy – Framework of Core Elements (see ‘Essential features of an effective whistleblowing framework’).

The role of corporate culture

Whether an employee feels secure enough to report fraud will depend not only on what it says in the brochure, but on what actually goes on in practice within an organisation. A recent guide on whistleblowing published by Herbert Smith Freehills (Whistleblowing Laws, Culture and Policies: A Global Guide For Private Sector Employers), points out that ‘any policy, code or procedure, anywhere in the world, will only work if it is trusted by those who are expected to use it’. 

Mr Tam stresses that it is therefore imperative for companies to communicate to employees that they can make complaints at whatever level and that there is a commitment to the process. The framework also needs to be designed to ensure that anyone alleged to be involved in the malpractice, however senior, is excluded from the follow-up process. As Mr Datwani points out, ‘If I complain against the CEO, but under the policy the CEO determines the response to complaints, then what would be the point? People who blow the whistle must absolutely know that they are safe, otherwise the policy will not work’. 

Moreover, while the tone needs to be set from the top, Mr Tam points out that companies need to get buy-in from all staff. He makes the point that frontline employees such as sales personnel are often the most effective whistleblowers, but are not necessarily the highest placed within the company. In order then for these employees to feel safe enough to come forward, it is vital that management sends the message to all stakeholders, especially those on the front line that these issues are important.

The global perspective

Fear of retaliation and practical considerations have long been daunting hurdles for potential whistleblowers. The tide is however turning – regulators in many jurisdictions are recognising that employees are valuable sources of information that lift the veil on corporate malfeasance. Whilst the new amendments to the Code are a step in the right direction, legislative initiatives in Hong Kong need to follow suit. 

In the meantime, governance professionals need to keep abreast of legal developments globally. The reality of business today is that companies no longer operate under a static regulatory umbrella and very few of Hong Kong companies operate just in the Hong Kong SAR. Practices in one jurisdiction quickly become mandatory requirements in another and companies operating globally need to observe standards in the various jurisdictions they are operating in. A governance professional who has developed internal mechanisms of the highest standard is less likely to be caught wrong footed. 

Sharan Gill 
Sharan Gill is a lawyer and writer based in Hong Kong.   

SIDEBAR: Essential features of an effective whistleblowing framework

Ensure whistleblower protection and transparency. Two key disincentives to potential whistleblowers are the fear of retaliation and the belief that nothing will be done anyway. Whistleblowing frameworks therefore have to be confidential, there has to be protection against retaliation and there needs to be a mechanism for getting back in touch with whistleblowers to reassure them that the matter is being looked into. While this information would not be a full account of allegations and responses, ensuring that the whistleblower is kept informed of developments is an important step in the process.  

Ensure independent and impartial assessment of whistleblower reports. This is best achieved by having a specialised designated person or ‘intake team’ to handle any reports. Mr Tam points out that the team can be an internal or external one, though there is some evidence for increased confidence in external providers.  

Prevent conflicts of interest and provide clear reporting channels. When a complaint is first received, there should be a quick triage to determine whether there are any conflicts of interest. If, for example, those involved in handling the report include someone alleged to be involved in the malpractice, then that person should be excluded from the follow-up process. Reporting channels should be designed accordingly. Reports against staff members or business counterparts can be made to a designated officer, for example the company secretary, internal auditor or head of compliance. Reports against directors or senior management can be made to the chairman of the board’s audit committee. In addition, reports can be made to designated independent personnel, such as independent non-executive directors.  

Publicise your whistleblowing policy and reporting channels. Communicating with staff and other stakeholders is essential. This should include regular training of staff on relevant policies and the reporting channels. 

Regularly review your framework. In addition to the above, organisations should regularly review their whistleblower framework to ensure it remains fit for purpose.