EU Whistleblower Directive, Part 1

August 26, 2022

For the next part of this webinar go to EU Whistleblower Directive, Part 2

Transcript for EU Whistleblower Directive, Part 1

Nick Gallo: Hello, everybody. Welcome to the ComplianceLine webinar on “The EU Whistleblowing Directive.” I am here with Mary Inman. She is a partner at Constantine Cannon, head of their International Whistleblowing Practice. She’s an absolute expert on this new thing that came out a few months ago that we’re gonna dive deep on today. How’s it going, Mary?

Mary Inman: It’s great, Nick. Really happy to be here. I’m loving your fish tank. It’s mesmerizing.

Nick: Well, good. If we get boring, people could just watch the fish tank. But that’s not gonna happen. So, I saw you last at Compliance Week in D.C. and we had a great time catching up, and you had just done a talk on this very topic. And it was wide, it was…you know, everybody loved it, everyone learned a lot from it. And so, we thought it’d be fun to get together and really be able to dive deep.

So, before we get into the topic, everyone, as you know, the world-famous ComplianceLine book giveaway is in full effect, so keep our chat going, and these are always best when we can have a really interactive session. So, if you can populate the chat with some questions, we’ll do our best to answer those live. The best questions will get the book. But why don’t we all start out by dropping in where we’re from, and we’ll get going. So, Mary, thank you so much for joining us, so excited to dive in here. Why don’t we just talk at a high level, what is this new directive and who does it affect?

Mary: Yeah. So, it’s really creating a level of sea change in terms of Europe’s approach to whistleblowing. So, I thought it might be helpful to ground us with the motivation, the inspiration for the directive. So, the reason that the directive was adopted was, as often in the case of legislation, in reaction to an unfortunate event. So, the EU directive is inspired by a whistleblower who basically was at PwC in Europe, and he was assigned…Even though he was a French national, he was working in Luxembourg. And so, what he did is, during his assignment in Luxembourg, he revealed some accounting irregularities and some companies taking advantage of the lax Luxembourg tax reporting requirements. And really what happened to him, and actually to the reporters that he reported to, was that even though his whistleblowing as he exposed it would’ve been protected under French law, he was criminally prosecuted under Luxembourg law. So, the idea was we need to create a safety net, otherwise, employees can’t feel safe to work across the 27 member states of the EU. So, there needs to be a safety net put below them so that there’s a minimum standard for reporting for whistleblowers. So, it was really his scenario and what happened there that they wanted to prevent from happening again. So, that’s the origin story.

Nick: So, there’s all these different member states and they all have these different rules, and they do kind of function a little bit more like our own states in terms of, you know, you cross state lines for business all the time and we’re not subject to, you know, a different rule in Arkansas than, you know, is in place in New York or something like that. So, there’s basically levels the playing field, as you said, and kind of puts rules in place that supersede sort of contrary laws from member state to member state.

Mary: Absolutely. And it’s interesting before the EU directive was passed, only probably five or six states had any form of whistleblower or protection. So, the majority of member states did not. So, this sort of raises the level of protections across all 27 member states. What’s really important to note here is that this protection only applies to whistleblower reports on violations of EU law. So, it’s not violations of its independent state laws, it’s just violations of the EU directive. So, remember if you’re a member state, you’ll have your own national laws, but you’ll also have requirements for you as a member of the EU. So, when they listed the scope, the material scope of the types of reports that will be protected under this directive, they’re talking about product…these are things that the EU regulates, so product safety and compliance, transport safety, protection of the environment, nuclear safety, food safety, public health, public procurement, financial services, consumer protection, and protection of privacy.

Nick: Interesting. Okay. So, this is not sort of a carte blanche for a whistleblower on any kind of whistleblowing. It’s really only about EU laws that supersede, sort of, those state laws, or those member state laws. So, that’s a big point.

Mary: Absolutely. So, a great example would be if you’re an Edward Snowden in France, and you’re violating national secrets, that’s not an EU law, that’s the French national law on not reporting on military secrets. So, does that make sense? So, that would be the difference between…but if Snowden didn’t report on the military but was reporting on that that military equipment had a radiation and was harming the public, then he could have blown the whistle on that and been protected by the directive, but not blown the whistle on if the French government wasn’t behaving properly, or he was, you know, divulging military secrets that belonged to the French.

Nick: Well, I’m so glad that this webinar is a safe space, and I’m so glad that I feel so safe with you because I didn’t really understand that distinction, you know, before this. I thought it was kind of a carte blanche umbrella for any kind of whistleblowing. But, I mean, talk to us a little bit on how this…you know, is this like a full step forward? Is this the sort of furthest step forward that the EU could do given what the purview is, and how does this sort of complicate things for, you know, say a domestic country that’s operating across, you know, 25 of the 27 member states in the EU?

Mary: From the perspective of where I sit as an advocate for whistleblowers, it’s a huge step forward. It’s a huge step forward for mobility, as you’re saying, for employees across countries and companies to be able to know that they can safely report. So, I only see it as a uniformly positive thing, but here’s where it gets tricky. And this is where…and to my American mind. So, I lived for over four years in the UK, I had our international whistleblower practice. So in that capacity, I started to really start to understand and comprehend more what EU legislation looks like. And so what EU directives do, and what the whistleblowing directive in particular does, is it sets the floor. But in the preamble, it basically says there’s nothing against and, in fact, we promote and would recommend that people set higher standards than we’ve set.

So, that creates a quagmire for companies operating across multiple countries because, you know, you can figure out what your baseline is, but you’re gonna need to know if the member states you’re operating in went above it, you’re gonna have to know the extra bells and whistles that they put on it. So, this is sort of interesting but so far, the deadline for the 27 member states to transpose the directive into their national law was December 2021. Only eight member states have complied. Hungary has sat it out and it hasn’t even tried to comply, so they’ve got the egg on their face. They’re very bad behavior, they’re getting, again, an F. And then the remaining member states are in process. So, I just wanted to say that quickly because I’m sure a lot of people listening right now, they’re like, “Holy crap, what countries do I need to be compliant in?” And right now it’s the eight member states that have transposed the law and we’re still waiting for the others.

Nick: But, I mean, at some level, probably the most conservative approach would be to just, you know, infer what those are going to be across the board and not try to sort of thread the needle and say, “Where are the other 20…? X Hungary, X the eight that have already implemented it.” I mean, that’s kind of probably the most, sort of, functional way to operationalize adherence to this thing.

Mary: One hundred percent. And so yes, you should be complying immediately to the minimum, which is what the EU directive sets. I guess my finer point is that there are only eight member states that have transposed their laws. So, those are the ones you’re gonna need to look to to see if they added any bells and whistles.

Nick: So, we got our first question, keep these questions coming, gang. Is it only applicable to facilities within the EU? What if a company is a subsidiary from another country? That’s a great question.

Mary: So, I’m not 100% sure. My sense is that if you’re operating in the EU that you have to comply, but that may be more of a nuanced question in terms of…I can definitely give you the overview and I’m not 100% sure on that one. I don’t know exactly what the specifics are there.

Nick: So, talk to us a little bit about where member states are able to, sort of, add their own bells and whistles as you’ve kind of referred to it, or on what sort of aspects of putting something in place have you seen companies kind of go above and beyond that base floor?

Mary: Right. So, I haven’t seen, I’m not as familiar with specifically what bells and whistles have been added on because there’s a lot of different permutations. But before we talk about bells and whistles, maybe it makes sense to talk about what is required, and then we can talk about how you could go beyond because I thought maybe…I’m not trying to duck the question, but I sort of feel like it would be more helpful to the audience to know what is mandatory for you and then we can talk about how you can go above and beyond.

Nick: Perfect. Okay, so let’s dive in.

Mary: Yeah. So, in terms of what’s mandatory, there are a couple of things. So, the first thing to know, and I think it’s very important for an audience like yours where we’ve got a lot of people who are working for companies that are operating throughout the EU, you need to have…whether you’re a public company or a private company, if you have more than 250 employees, you’re required to have an internal reporting mechanism. And you can use an external vendor like ComplianceLine and others to help satisfy that requirement, but you also have to have and allow for confidential reporting. So, you need to have sort of a state-of-the-art reporting mechanism. You noticed I talked about the number 250. So, if you have 250 or more employees, you already need to be compliant. You’re already late if you haven’t already put this into place. For companies with 50 or more employees, you have until 2023. You have a little bit more time to put this into place.

So, that’s where, you know, the recommendation very much, of course, is for companies that, in many senses, best practice is not required in the directive, but best practice is often to use external vendors so that you’re using the state-of-the-art technology so that there’s many ways now where we can protect confidentiality of whistleblowers. As you know intimately that no longer do we have a hotline where if someone speaks with a French accent in a company that’s based in Australia, you might be outed. So, obviously, there’s a lot of sophisticated reporting mechanisms now that allow you to be compliant. So the first thing you need to do is have an internal reporting mechanism.

The second thing you need to do is you shouldn’t retaliate against employees who speak up, because if you do you can be legally liable under the state laws. And so it’s a little bit different than in the United States. So, it’s actually a stricter standard, so we basically say in legal speak that the EU directive reverses the burden of proof. And what I mean by that is that in the United States, when someone has been retaliated against, the burden is on the person, the whistleblower, to prove that they were retaliated against not because they were chronically late or got a poor performance evaluation, but it was because they spoke up. In Europe now, they’ve flipped it. So, all the whistleblower needs to do is show that they truthfully reported, and the burden shifts to the employer to prove that they didn’t do it because they were retaliating. So, this is very significant and much more protective. So, we can talk a little bit more about the practicalities of how you avoid retaliation and what retaliation looks like, but those…

Nick: Let’s dive right into that because that’s such a big one. I’m always talking about this ECI report that basically said four to five people that spoke up experienced actual retaliation. And that was up from, you know, three out of five or something like that a couple of years ago. So, let’s dive into the practicalities of that and how organizations can sort of guard against that flipping of the burden of proof, which is to your point, it’s a way different approach, it’s way different sort of set of defenses that you probably have to build along the way from an operational standpoint to make sure that you have your ducks in a row if something like this comes up.

Mary: Absolutely. So, I mean, I think the standard advice has always been by general counsels and employment lawyers…and I’m not an employment lawyer, by the way. But the standard advice, of course, is to document, document, document anything that relates to an employee. And so, I think here because the burden is so much higher on the employer now that that is even more true now. So, the presumption is gonna be that if someone all of a sudden was terminated, or remember retaliation takes many different forms that are much more subtle, like not inviting people to meetings anymore, shutting them out, and making it more difficult for them to do their jobs, denying promotions, lots of things like that, all a whistleblower has to say is, “Hey, I reported that Theranos or, you know, was not testing the blood. And I reported it to the health advisories that the tests were wrong. And all of a sudden now I’m not invited to meetings anymore.” The burden will then be on the employer to prove that. And so, you’ll need to have documented that, you know, actually to disprove that, you’re gonna have to say, “No, you know, two days before, they filed a fake expense report or…” You’re gonna have to make sure that you’re tracking all of that sort of thing.

Nick: Wow, I mean, that’s so new. What do you think…you know, now we’re just gonna kinda navel-gaze for a sec, but how do you think this can…like, what do you think some of the negative externalities of this approach are going to be? How do you think that this ends up playing out?

Mary: I think it’s interesting. I mean, the burden-shifting just means it’s more…I think it will play out by having companies being advised by their general counsels to be more conservative about retaliation. And in fact, in my view, of course, sitting as a person who represents whistleblowers, that’s just right. We need employers to really think carefully about why they take a particular action because remember, I use this expression a lot that our view of whistleblowers collectively as humanity, and this is obviously a hugely wide-reaching statement, is that it’s medieval, we shoot the messenger to divert attention from the message. And that’s true, whether it’s in our personal life or elsewhere. So, you know, think about how you react when someone close to you calls you out on something. We tend to get really defensive.

And so, what we see, time and time again, is whistleblowers are gaslit, they’re retaliated against, they’re made to…you know, I’ve even had one client who reported Medicare fraud. This case was just reported in Bloomberg Health. Basically, when she would not sign a certification that Medicare required because she believed that the diagnoses were inflated and incorrect, and she kept saying, “No, I won’t sign it,” they ultimately sent someone in the organization who was a psychologist to see her. So, again, it’s pathologizing. If you’re a whistleblower, you’re not a team player, you’re not gonna go along, and so there’s something, you know, very divergent about you. And my point of saying that is that’s how hardwired we are to respond negatively when someone tells us difficult truths about what’s going on.

Nick: Well, I do it with my own kids. I mean, just if I’m being really honest, I tell my daughter, “Stop telling on your sister.” You know what I’m saying? Like, maybe I’m part of the problem. But that again just speaks to how difficult it is for a whistleblower to overcome, you know, that stigma or to kind of exert that courage, and that’s rooted in a bunch of good things usually, right? Like, it’s a high conscientiousness, it’s, you know, a desire for the mission that they’ve sort of signed up to pursue to be real. And when they see violations for it, you know, most whistleblowers…I think you’ll attest to this, most whistleblowers say that, you know, they couldn’t sleep at night and even with all the bad things that happened, they would probably do it again in most instances. So, at some level, it’s kind of encouraging that there’s this sort of, you know, broad directive that is kind of acknowledging that on a real macro level and forcing member states to kind of adhere to it. And just the fact that they’re pushing it down to organizations below, I mean, below 100 is kind of a big deal as well.

Mary: Yeah. And I think in terms of what folks operating in the EU are gonna notice is that one thing that I didn’t mention among the requirements is there’s an additional requirement, is that there’s an encouragement under the…there’s three tiers of reporting, three ways to report under the EU directive if you’re reporting a violation of EU law. The first way is internally, and that’s what everyone in the audience presumably is hoping we want. And the directive is written in such a way to encourage the very people who can correct the problem should be the first port of call. Absolutely, 100% correct. There was a push during the law-making to say that that was mandatory, that in order to be eligible to the protections against retaliation, you had to report internally first. That was struck down.

Nick: Interesting.

Mary: And the reason for that is that remember for many frauds, not all of them, but I think certainly the ones that are in the newspapers, frauds where they are conceived, the architects of the fraud are at the very highest level. So, you’re reporting on, you know, Elizabeth Holmes, right? Reporting internally is not gonna work. You’re gonna get your head cut off because you’re reporting to the very people who are aware. So, they’ve left a mechanism, they’re saying it’s where if you can’t realistically believe it’s safe for you to report internally, you may bypass internal and go to external. External has two prongs. External is to a state, that would be a government authority, or also to the media. So, that’s a really important…I think a lot of people would get panicked by this and I think you should. I mean, in Europe now there’s very clear signposting. Everyone within an organization needs to be shown a list of the external state entities. So, the state operators have to put in place channels where people can bring violations of EU law, and newer employees have to be made aware of that.

So, if you’re not listening, they’re now being told, sort of the equivalent of the OSHA water cooler postings, who to call, what number to call. So, I think that’s really important for people to recognize, is that I think, you know, Europe generally is behind the U.S. in terms of having protections for whistleblowers and certainly having what we have and what my specialty is rewards for whistleblowers. In the U.S. we all know you can go to the SEC, the IRS, all these entities who have constructed offices of the whistleblower that are flashing neon signs saying, “Come report to us.” That didn’t exist in Europe and it will now, and it is now. So, again, it creates more risk for companies that their employees are gonna have that in their handbook or in some paper that says, “Here’s where I can go if I’m not being listened to.”

Nick: So, a third party kind of counts as internal, and then we have two external sources. Is that kind of the broad framework?

Mary: Right. So, you know, the preference is to report internally. And when you do report internally, so say you don’t have the Theranos scenario, and you need to report internally because it could get fixed, and someone can fix it, there’s actually requirements upon you as the employer for time periods within which you must respond. You have to respond within seven days of confirming receipt of it, and then you have three months to report back. So, no longer can this just get dumped into some, you know, inbox that says, “Here’s my complaint line.” You actually have requirements that you have to give feedback to the people. And in fact, that’s just good practice. Right?

Nick: Totally, yeah.

Mary: Because if you’re not giving feedback, they’re coming running to dial the SEC or to dial me to call the SEC if there’s a U.S. angle. So, they’ve just legislated good practice in my view. So, that’s a piece of it. And then the number three channel, of course, is the media. You can go to the media if you haven’t, but the preference is to…you know, the requirement is to channel internal first if you can, there’s no conflict, then you go to the state law enforcement, designated law enforcement people, they have an obligation to respond as well within a certain time period, and then you can go to the media.

Nick: Got it. So, there is kind of a hierarchy or at least some kind of a preference for how those avenues should be attacked. So, let’s talk a little bit about what specific metrics that are sort of mandatory or at least advisable to be disclosed. If you know what those are, how should folks kind of go about maintaining those? When we’re talking about reporting back to the reporter or, you know, are they gonna get audited, what kind of data points should they be operationalizing their process toward?

Mary: Right. So, I think it’s really important that I think a lot of people listening will start to get terrified when they hear this, that you have to report back. Because certainly from the legal department’s perspective, they’re saying, “Hey, we’re conducting an investigation, sometimes we can’t always report back the full results here.” So there are limitations on what, you know, what you can report, but you do have to give some sort of feedback on status and update. You don’t have to tell them exactly what’s going on, but you do have to report back.

Nick: So, how do you think folks should start kind of preparing for this? Let’s say it’s a company that, you know, that is expanding into Europe or let’s say, somebody that has operations that are in the 20 states that, you know, haven’t sort of translated this into their own laws. What kind of things should folks be doing to kind of anticipate this?

Mary: Well, there’s a number of things that they can do. And there’s one other thing I haven’t mentioned just so that I can put out on the table all of the strange complications of operating in Europe. So, one thing that they can be doing to prepare is to start thinking about…I would say first thing to do is hire an external vendor if you can. I just think that there’s so much great technology out there, there’s so many people, you don’t need to reinvent the wheel, there’s teams like ComplianceLine and other vendors that are just terrific and have already anticipated a lot of these problems for you, and actually, you know, have all of this stuff in place. You can get 1,000 white papers from various external providers of internal reporting mechanisms.

All right. I just lost my earbud. But the thing that I think folks may not appreciate is that you need to make sure that your whistleblowing hotline is compliant with GDPR. So, GDPR is the data protection requirement in Europe, and you’re onboarding a whistleblower’s information, you have to handle that the way you would handle anybody’s personal data. And you have to be really careful because under GDPR, anyone who…if you’re maintaining someone’s data, that person whose data you’re maintaining has the ability to file something called a subject access request, something called a SAR. And you need to be very careful, what is the intersection between GDPR and the whistleblowing directive?

If you’re complying to a subject access request, and at that same time you’re gonna divulge personal data of a whistleblower who under the directive whose name you’re required to keep confidential, these are the things that I think people need to think about in terms of when you really get into the weeds. We’re really hoping that the EU will provide guidance on how to do this effectively. The relationship between GDPR and EU whistleblowing directive, but until then folks need to be thinking about that. So, that was just a very practical don’t forget about GDPR because you’re operating in Europe and you’re taking on people’s personal data in the form of whistleblower reports. Go ahead.

Nick: Oh no, I was just gonna say, I mean, these were obviously written sort of separately by separate groups, but there’s tremendous intersection, and especially today when there’s so much data kind of flying across the pond back and forth, especially for multinational companies that are maybe based here, but they have these operations over there. They’re still subject to those laws and subject to the nuances between these two overarching, you know, directives essentially.

Mary: Right. Right. Right. Absolutely. And I think the other piece of advice I would give is I always think that it’s important to look at case studies on what not to do. And there’s a case study in Europe that I don’t think Americans are as familiar with, and it’s one that I think is really revelatory. And that is the story of Jes Staley, the former CEO of Barclays Bank. He’s an American who is the CEO of Barclays in the UK. And how this relates is that in the wake of the financial crisis, the UK adopted basically what looks like something called the senior managers’ regime but it includes a requirement that’s almost identical to what the EU whistleblowing directive has for internal reporting requirements. And so, to me, this gets at the pitfalls that you need to avoid and the culture you need to create because what happened is under the new senior managers’ regime, you’re supposed to have, just like the whistleblowing directive, you have to mandatorily allow confidential reporting.

So, Barclays hires these fancy state-of-the-art external compliance people, they build for him and for Barclays the perfect internal reporting mechanism with all the trappings that are required, and then one of the first reports across the bow is a report that comes to Jes Staley’s offices in the UK from the U.S. Postal Service in the form of a letter accusing him of cronyism in terms of some of his appointments, I think to the board and to other places. And so, that’s a report that needed to go through the channels, and what is the CEO’s response to this? His first response is, “Tell me who the messenger is. I need to know their identity. Tell me who they are. I need to know the identity of the reporter.” So, then their people say…So you may forgive him for, like, maybe he’s too busy in his day-to-day that no one apprised him of this, they apprise him of like, “Uh-uh, that’s not allowed under senior managers’ regime.” He doubled down and said he still needed to know. Then actually, you know, his requirement was that he wanted to find out, so he actually, you know, falsified and gave false pretenses to the U.S. Postal Service to try to get them to tell him who it was and where it came from.

So, I say this because this is a company that invested all the right things in terms of ticking the boxes to comply, but the CEO wasn’t on board. So, you tell me, who’s gonna report at Barclays Bank now? You’re never gonna get a report again. I mean, so he was fined by the UK regulator something like $600,000, which I frankly think is bus money for somebody like Jes Staley. The Americans, the Department of Financial Services in New York, which regulates and actually did something that I thought was appropriate, comes something close to like a $12 million fine against Barclays itself to show the gravity of such an interaction. But the reason I tell this story is because I think, you know, this happened at, you know, one of the top financial institutions in the world who has really sophisticated compliance and hired really top-notch vendors.

So I just said it as a cautionary tale because if you haven’t created a culture, you can’t just buy an internal reporting mechanism and expect people to report to it, and expect the people getting reports to be trained on how to receive a report, and how to listen up, and how to not, you know, reflexively retaliate. There’s a lot of training that needs to go into place in order for these to be effective. And so, in the terms of Barclays Bank, he was all over the FTE for a matter of a year-plus getting really bad PR for the bank, and that obviously all could have been avoided.

Nick: Yeah, you’re not naturally just gonna get healthy just because you bought a Peloton, you know what I’m saying? You’ve got to ride it. And that culture is such a…It’s like a reputation, it can be ruined in a minute. Regardless of, you know, all those dollars that were spent, regardless of how sort of rock-solid…to your point, they had all those best practices in place and it was all ruined in a minute, and those have long-standing implications for the feelings of individual people who can be these risk sensors in our organization. If we start to crowdsource that, I mean, it can have long-lasting implications on them and, you know, why are you ever gonna speak up in an organization like that again?

Mary: Right. Absolutely. Absolutely.

Nick: Do you have any suggestions on how we can report on effective whistleblowing mechanisms given how, sort of, confidential whistleblowing reports and incidents are?

Mary: Oh, that’s interesting. So that, you’re getting out of my area of expertise and into like what’s the back office look like? What’s the back office look like on tracking the number of reports and how…? I mean, I think you’re asking a great question. I don’t know that I have the best advice, but the great question is you do need to be able to do a look-back and see how that reporting is going. And you should be looking at the number of reports, the time it’s taking to get back to the whistleblower, the time to resolution, and to try and figure out who’s not reporting. I mean, that’s the thing, is that the easy data to collect is what you have in front of you, which will be the folks who did report. It won’t be the folks who opted not to.

And so, I think the way you collect that data is I think you have to do surveys and be more frank about asking people. Because when you look at a lot of the research, something…I’m trying to remember the organization in Europe that did a big research study on how many people have reported fraud when they’ve observed it in their organizations, and it’s a shockingly low number. And so what I often observe is that it’s also a gendered response, I think women and people of color, in particular, tend to report more if you’re able to link them together, what we see in sort of in the MeToo movement, but we see a lot of white men are reporting because they can see other white men reporting.

So, anyway, there’s lots of different permutations to all that, but I think in terms of your metrics, that’s another thing you could measure is what’s the gender, what’s the age, what’s the seniority, the power level? So, one thing from someone who is very high up and has a lot of power to report, what about people who have a lot more to lose? I think sort of the perspective of what looks like a healthiest reporting hotline would be one where you’re getting reports from throughout all levels of the organizational structure.

Nick: Yeah. I mean, I think over this next decade the organizations or the departments that really are gonna ascend forward and be those sort of those bastions of the culture that are gonna separate them from their competitors are gonna be the ones who are able to look at these pools of data that are coming through their hotlines and through these other sort of data ponds for, you know, the softwares that they use to do their job to draw those kinds of conclusions, and use those conclusions to inform and improve upon, you know, whatever objectives are in place.

I wanna go back to that study that you referenced because, I mean, to me…Well, let’s just zoom out for a second. I think a lot of clients that we’ve talked to, a lot of, you know, prospects that we talk to are looking at this thing as like, “Oh my gosh, it’s a whole nother confusing thing. What am I gonna do?” And obviously, we need to adhere to this directive, obviously, we need to, you know, make sure that we’re coloring inside of these new lines that are overlaid across the jurisdictions that we exist in. But I’d like to maybe, you know, try to reframe this a little bit from, you know, a pain in the neck to a real opportunity to maybe embolden whistleblowers and protect them more. And what’s some of the positive benefits to our cultures and to our operations can stem from that kind of an approach versus, you know, a hand-wringing how am I gonna sort of not-get-in-trouble approach?

Mary: I love this question. I feel like you’ve given me the softball so I can hopefully hit it out of the park. So, you know, I’ve spent over 25 years representing whistleblowers, and what’s been my experience and it’s confirmed in the data is that whistleblowers aren’t out there laying in the weeds ready to go and, you know, be traitors to their organizations. And so, we need to have a fundamental rethinking about who whistleblowers are. And there’s a fabulous report that just came out of GWU and the University of Utah that actually proves something that I’ve known intuitively for my whole career, which is that whistleblowers actually help companies be…they’re assets to their corporations, not liabilities, and they actually help companies to be more profitable.

So, the study that was done is that these two graduate business school professors were given access to a provider, one of the world’s leading providers of the internal reporting mechanisms to Fortune 500 companies, a huge dataset anonymized. And basically what they deduced is that companies that have internal reporting mechanisms that are ringing off the hook, using the hotline analogy, but, you know, proverbially the trial balloons, the messages are going up, have fewer federal investigations, have fewer lawsuits against them, the lawsuits that do come settle for far less. So basically, there are demonstrable profit margin…things that help the bottom line that can be told by companies that have those kinds of systems where people feel safe to speak up compared to those companies where the hotlines are essentially silent. And to me, what that shows is what the research…is what you’re alluding to, is that whistleblowers are, in the words of one great social behavioral scientist, Christian Hunt, who’s in the compliance space with the…he basically says they’re forward indicators of risk.

Nick: A hundred percent.

Mary: I say they’re your best risk management tool, right?

Nick: Absolutely.

Mary: And the sooner we can think about these people as not only not disloyal, which is the reputation, like you’re saying with your daughter, don’t tattletale, they’re the most loyal, right? They’re the ones who are willing to lean in and tell you the unpopular thing and take the risks that come with that, sort of the reflexive action that comes with that. And I think the more we think about and reward, meaning give accolades and value that, the more your company is gonna thrive when you have all of these canaries in the coal mine telling you where the pitfalls are before you’re overtaken by noxious fumes.

Nick: Well, think about how much money…you know, let’s think about a financial institution. Think about how much money they spend putting all these, sort of, sensors on the different systems that people are pushing money through and so forth in order to hopefully identify fraud or identify something, you know, untoward happening. Well, if you can activate the human beings who are…I mean, a human being is smarter than any kind of, you know, code that’s put in place to look for something that’s not working. If you can activate those folks and get them to speak up, it’s a much more dynamic, to your point, risk center, a much more dynamic chief risk officer, you know, an organization that’s full of chief risk officers is probably gonna stamp out risk a lot faster and a lot more readily than those who are, you know, scared to speak up.

So, it’s such an opportunity and it’s so interesting that it’s 2022 and we’re having this conversation. It’s so interesting how backward some of the thinking, you know, is out there. It’s really very bizarre. And, you know, if you can have an organization full of whistleblowers…There’s so many people in our organization that are whistleblowers or previous whistleblowers. I’d love to have an organization full of them because not only can we empathize better with the folks that are coming to us to report something, but also I know that if I have that kind of a culture, we’re gonna find problems quicker, and you know, I’m not a kind of sweep it under the rug kind of a guy, I want those problems on the surface so that we can actually solve them and actually, you know, be authentically a good company, not one that just appears to be good. So, there’s so much in it and I can sort of go all day about this very topic.

Mary: Your point of hiring whistleblowers and putting them within your organization, it does the two things that you said, it also sends the signal to other whistleblowers that this is a safe place to speak up. We value speak-up so much that we’ve hired someone who is a known whistleblower. Like I always say, you know, my client is Tyler Shultz, one of the Theranos whistleblowers. And I always say, “Put Tyler Shultz on your board, put Tyler Shultz…you know, put known whistleblowers in places in your organization. It sends an incredible message of how you value people with that courage.” And we all love to value them from afar. We always, you’re either a hero or a villain, and we need to normalize whistleblowing. And one way we can normalize it and make it more an everyday act is by bringing those people in.

Nick: Yeah. I mean, your culture is just the sort of sum total of what you celebrate and what you end up rejecting. And it’s such an easy opportunity to celebrate in a sort of public, tangible way by bringing folks like this in, but it’s always gonna be a challenge. And, you know, I’d love to kind of talk for a few more minutes about this thing, how this great resignation and the massive, you know, labor shift that’s going on across our organizations, increases sort of either the opportunity or the risk that we can either get the whistleblowing thing right or get it wrong. And what I’m kind of talking about is, you know, the fear of retaliation is a big deal. Even if those ECI numbers I threw out are half wrong, it’s still a massive number. I tend to agree with you in that study that you referenced that the number of reports that are available, in theory, within your organization are, you know, multiples, orders of magnitude beyond what you’re probably getting.

And, you know, the fact is as people are kind of changing organizations, you know, some of those sort of cultural underpinnings or those cultural pillars that folks have are leaving. Like, that sort of cultural, whatever you wanna call it, tribal knowledge is leaving your organization and it’s being replaced by somebody else who doesn’t know the ins and outs of your organization, and perhaps is bringing baggage of their own. Like, maybe they left an organization because they didn’t believe the old mission or maybe they left their old organization because of a bad experience. How does that create an opportunity, do you think, for folks, whether it’s leadership, whether it’s folks in the ethics and compliance department, to really make sure that these new people understand that, you know, a culture of like, you know, positivity toward whistleblowers is available and to reap the benefits that translate into profit, and all these other things from this sort of, you know, relatively new group of employee base?

Mary: Yeah. I think what’s so interesting is that one of the things we experienced with COVID is sort of a lack of…I always felt sorry for the people who were onboarded to new jobs during COVID because I think it’s so hard to be acclimatized to like, “This is our culture.” A lot of the things we learn about culture, of course, goes on around the proverbial water cooler. So, you need to create those environments. And so I think since we didn’t have those environments, I think it was harder to, sort of, impart your culture in that way. I think there’s a lot we can do in terms of just really practical things like with new recruits and with your existing employees, what do you do for your performance evaluations? Do you have a measure that measures the ability to, you know, challenge and ask tough questions or the ability to raise concerns? Shouldn’t that be something…I mean, that’s what we all measure. If you start a new job, you look at what am I measured against? There’s a concrete measure, a concrete way you can do that right there. So, I think that’s one way.

I think it’s also really important to train people on how to give and receive feedback. So, I think that for, you know, for your newer employees, I think they’re mostly gonna be giving, but they hopefully are gonna be receiving it too. So, I think there’s gonna be a lot to be done in terms of training. We don’t come out of the womb knowing how to have difficult conversations, and so I actually think, you know, we are all now getting used to in the wake of the MeToo movement we all do our mandatory annual sexual harassment training. And in a lot of those, right, you’re asked to…they do scenarios for you. I would love to see more of that kind of just role modeling and more innocuous, sort of, situations to see how is it that we respond. And so I think when you’re bringing on new people, I think it’s really important for them to see that training right outta the gate, this is what we value. We value it so much that this is mandatory training that we want you to engage in.

Nick: Yeah. I mean, so much of the mandatory training is just to, you know, whatever’s like cast down upon us from the states that we operate in or whatever, it sends a massive message though if we’re giving mandatory training on some of these topics. So, I’d love in the last kind of few minutes here, we have a bunch of questions and I was looking at the wrong screen, so apologies to everyone. We may wanna do like a coffee talk after this, Mary, to answer these questions because I was looking at the wrong tab. So, please don’t roast me, everybody, here. But there’s a lot of great questions here. So, let’s just do kind of rapid-fire really quick and then we’ll kind of wrap up with your last word or the last thing you’d love to share with us. So, what obligations do companies have to explain to employees how to report externally in each of those individual countries? So, remember you said that there’s the three different ways to report, do those need to be contained in the policies, like here are all the state agencies or, you know, the member state agencies for each individual country, do those need to be contained in the policies?

Mary: Yeah. And this is where I feel like to your point, Nick, you called this a masterclass. I would love to consider this the 101, the EU whistleblowing directive.

Nick: So stay tuned for the 201 class. Okay, great.

Mary: Well, no, and I’d like to bring in…there’s a couple of people who regularly join me in these kinds of discussions who know all the ins and outs. And because I’m just a whistleblower lawyer who practices under the American laws, I know we’ve done…We wrote a report and I can send out to people. We were commissioned to write a report for the European Federation of Journalists on how the EU directive…is it protective of folks in the media? So we did a deep dive, we definitely have good knowledge on it, but this isn’t like our sole area of expertise. So, I’d love to bring in other voices.

Nick: Yeah, that’s fine. So this is the 101 course. So, what I’d love to do in the chat, if you guys are interested in a 201 course, please just put a 1 in the chat and then we’ll kind of tally those up. And if there’s enough interest, then, Mary, maybe you can come on with a couple of other people that, you know, we can be the teacher’s assistants or whatever for the 201 class. How does that sound?

Mary: That sounds great. I’ve spoken at the SCCE and others with a professor by the name of Dr. Vigjilenca Abazi and she’s been my subject matter expert. She was actually on the ground and was influential in getting the legislation passed. So, this is her specialization, so I’d love to, sort of, bring her in for the really nuts-and-bolts questions that we’re getting.

Nick: So, we just got a hundred 1s, so let’s get her on the line, and let’s get this scheduled. Like, there were just a hundred 1s that popped up in the chat. So, if you guys have some of these next-level nuanced questions, please drop them in the chat. We’ll download this, and we’ll get together with Mary and her colleague, and we’ll make sure that this 201 class is super dialed-in for you. We always want these webinars to be of value for you, we have…you know, what I love about the industry that we’re in is it’s packed with people like Mary, and it’s packed with people like you who are fighting the good fight and making our workplaces better. It’s such a great opportunity for us to make our entire world better, and I just love this community. So, any other kind of big takeaways as we wrap up here, Mary?

Mary: Yeah, I mean, I think my big takeaway is something you’ve heard that we were…sort of a theme you were hopefully teasing out throughout this, which is that I’d really like to see companies see this as an opportunity and not as a burdensome, sort of an onus that’s been put upon you or thrust around your neck. Because really, Europe is trying to get to a place that the U.S. has been, and in fact, they’re actually jumping ahead of us in some ways. And so one of the questions was where does the UK sort out in all of this? The UK is no longer a member of the EU, so they are not required or there’s some debate but they don’t see themselves as being required to adopt the directive, so they’re not going to.

But what they have done, and what I think the U.S. will start to do too, is they’re adopting their own legislation. They have a couple of bills right now to beef up their existing whistleblower protection legislation. So, it’s really causing all the boats to rise, so I guess that’s just my way to say to folks, don’t see this as a burden. My sense is that Europe is trend-setting in some ways here, and, you know, I certainly know that, you know, a number of states in the U.S. are looking at this, a lot of legislators and others are looking, we all want to be at the best practices. And Europe just took a little bit of…at least for them, a bit of a quantum leap.

Nick: Well, that’s the beauty of this whole thing. I mean we can sort of start to see around the curve what other big jurisdictions are doing and, you know, I get that it’s sort of confusing for a lot of folks and it seems scary, but there’s a lot of common sense behind it. And I think to the extent that we can be more conservative or we can pull forward some of those things that might not be in place here, we can probably infer 80% of the direction that something like this is gonna go. And I can’t imagine that it’s 10 years from now and the United States doesn’t have a similar type of thing. So, even if, you know, someone’s listening and they don’t have, you know, international operations, I think it’s a great opportunity to do, you know, a high-level survey of what the essence of that directive is and how you can use that to, you know, be more persuasive in your own organization to get your program changed or put things in place that are ultimately gonna take advantage of, you know, all these potential risk identifiers in your organization, all these potential whistleblowers, and start turning that sort of cultural ship.

Mary: Absolutely. And I think that the United States, we’re really great at…well, we’re fabulous at paying law enforcement, recognizing the value of whistleblowers as confidential informants, and having all of these offices of the whistleblowers, but we don’t…in the level of retaliation protection, we’re very siloed. We had Sarbanes-Oxley in the wake of Enron. We have Dodd-Frank in the wake of the financial crisis. But we don’t have the umbrella, and that’s one of the learnings that we are trying to take away. A lot of folks on the U.S. side of the pond are trying to take away from this is that there’s a real value to an umbrella protection and we really don’t have that.

Nick: Well, to your point, it applies everywhere. It applies everywhere, you know. Anyways, everyone, thank you so much for joining us on this webinar. There were so many 1s. A round of applause for Mary. Mary, thank you so much for coming. I learned a lot as always, always so fun to get together with you. We will circle up, you know, presently so that we can…Look, you’re getting a round of applause, there’s emojis, there’s charts, there’s thank yous. This was a lot of fun as always, I will circle up to kind of plan this 201 course and we’ll document some of these questions. So, everyone, all, thank you so much for joining, until next time.

Mary: Thank you for having me on. Thanks, everybody. Cheers.