If last year, in December, Law 361/2022 on the protection of whistleblowers in the public interest entered into force, which establishes a general framework for the protection of a person who reports a violation of the law (a whistleblower in the public interest), only for public institutions and companies of private companies with more than 249 employees, starting this year (December 17, to be exact), the provisions will also apply to private legal entities that have between 50 and 249 employees.
The law defines the necessary and mandatory framework of transparency and fairness through which Romanian companies and public institutions can create and maintain a good culture of organizational integrity.
According to this law, like the institutions and companies that came under the auspices of the provisions from last year, small and medium-sized companies (in terms of the number of employees) will have some very clearly defined obligations in the law. This is primarily an obligation to establish reporting channels that meet several criteria: confidential, internal (accessible to third parties), designed, established and used in a secure manner to allow communication with the whistleblower. The obligation to inform is added, which means confirmation of receipt of the whistleblower’s notification within seven days and feedback within three months. Equally important is the conduct of internal investigations following a whistleblower report to review and resolve issues reported as violations. In addition, companies are obliged to ensure personal protection (confidentiality), protection of whistleblowers from reprisals, to which is added the provision of clear and accessible information regarding external reporting procedures. In addition, for failing to ensure the confidentiality of whistleblowers through clear operating procedures, the law provides for the most severe penalty for companies, namely 40,000 lei (approximately 8,000 euros equivalent).
5 important steps to compliance
1. Understanding the organization and setting goals depending on size, culture, type of activity and corporate governance.
The first and most important step is to determine the goals the company wants to achieve by implementing the whistleblower law. The answer can range from simple (just complying because that’s what the law requires) to complex, in which case the company aims to do more than that by creating a culture of integrity.
2. Drawing up an action plan and establishing responsibilities
It is important to define responsibilities and finalize the procedural framework with an ethics officer responsible for receiving reports and managing an internally agreed reporting channel. This responsible person can be a person or a team, internal or external. If the internal option is chosen, it can be composed of employees of the legal department, HR department, compliance department, etc., since they are employees who, by the nature of their duties, also deal with the integrity of employees and the company. The option of outsourcing should be considered, at least from the point of view of efficiency, speed and independence in solving reports. In addition, let’s not forget about the high level of specialization of the potential external manager who will take on the reception, triage and resolution of complaints. In addition, the establishment of a reporting channel(s) should be considered as an important step in the implementation of the law enforcement action plan.
3. Determination of the appropriate reporting channel
The law does not make specific mentions and, in practice, this aspect is left to the discretion of each company and responsible person in the company. In addition, the presence of an anonymous message channel is not mandatory, but the maximum confidentiality of messages should be ensured. The reporting channel should be designed to protect the privacy (or even anonymity) of whistleblowers, be easily accessible, ideally with multiple reporting options (e.g. email, phone, website or mobile app), protect against retaliation, and be impartial through clear management of processes and independence of the appointed person.
On the other hand, it must be clear and reliable, allowing to gather enough information to start an investigation. Also important is a designated person who will need to receive ongoing training to receive reports, understand different types of fraudulent activity, and accurately apply established policies and procedures.
4. Implementation of the reporting process, compilation and implementation of procedures
A case management procedure is as important as, if not more important than, a whistleblowing policy, as it helps in handling sensitive cases expeditiously. Therefore, this procedure must be well thought out, developed according to the realities of the company and implemented through periodic trainings to remind the responsible persons how they should act and what they should do to achieve the goals defined by the Whistleblowing Policy. Companies can choose a reporting policy integrated into the existing internal regulation or create a separate regulation (recommended option).
5. Communication campaign and training of relevant personnel
In our opinion, two categories of training should be created to ensure proper implementation of the law, one for workers and one for the reception and response team. In the latter case, details about the form and options for reporting – to the authorities or public disclosure (with the associated reputational risk), outside the internal boundaries, are mandatory.
We recommended that the companies we assist in Whistleblower Act training consider the two categories of staff separately, as the task of the reception and response team involves several powers.
It is important to note that the action plan has implications for the area of employee/union consultation. Therefore, it becomes a legal obligation for the company to inform them of the intention to implement such a policy. In other words, a consultation should take place before implementation to check that the way the reporting channel has been designed, the data security methods, the access method and the legal basis for the processing are appropriate.
Sanctions provided for by Law 361/2022
At first glance, it seems that the legislator has foreseen relatively small sanctions or, in any case, not so drastic that Romanian companies are worried if they discover shortcomings in the application of the law. For the three main liabilities, the amounts range from 3,000 to 40,000 lei, which, depending on the company’s size and turnover, may (or may not) have a significant impact. In addition to the risk of financial sanctions, we are talking about a much greater risk, namely the risk to the reputation of a company that has violated legal provisions regarding the integrity of the company and its employees.
There is no doubt that a secure and confidential reporting mechanism created and provided to company employees will increase trust in organizations. This leads to a more open, transparent work environment, promotes and helps create a culture of integrity. A properly prepared and filed whistleblowing report can provide the necessary evidence in investigations of fraud or other unethical conduct.
Ensuring compliance with the Whistleblower Protection Act not only ensures compliance with legal obligations placed on organizations, but also demonstrates the benefits of a culture of integrity to employees, customers, investors and other stakeholders.
The article is signed by Andrea Simion, Forensic & Integrity Manager, EY Romania and Anka Athanasiou, Associate, Senior Managing Associate, Bank, Deacon & Partners
Article supported by EY Romania
Source: Hot News
Lori Barajas is an accomplished journalist, known for her insightful and thought-provoking writing on economy. She currently works as a writer at 247 news reel. With a passion for understanding the economy, Lori’s writing delves deep into the financial issues that matter most, providing readers with a unique perspective on current events.