Whistleblowing through the eyes of the institution for occupational retirement provision

Belgium
Available languages: NL

1.Introduction

The topic of “whistleblowing” is trending today. Most articles on this topic have been written from an HR point of view. However, institutions for occupational retirement provision (hereinafter “IORP”) should not be forgotten.

As of 2017, these IORPs already implemented procedures to receive and handle internal reports.

In 2019, the new Directive of the European Parliament and Council on the protection of persons reporting breaches of Union Law was published. The Whistleblowing Directive was then transposed into a new act.

Following the Belgian transposition Act, IORPs must review their policy and procedure on internal reporting.

2. Scope

Upon publication of the act, there was discussion about its scope and, more specifically, whether IORPs were included in this scope. The answer to that question seems unequivocally to be yes.

In principle, the obligation to set up internal reporting channels and procedures applies to legal entities with 50 employees. Since most IORPs in Belgium do not have employees, let alone reach the threshold of 50 employees, it was said that IORPs were not obliged to set up internal reporting channels. Nothing could be further from the truth, as there is an exception for “financial services, markets and products”. Legal entities operating in financial services, markets and products must set up an internal reporting channel regardless of the threshold of 50 employees. The act also defines what “financial services, markets and products” are. These include individual and occupational pension products. Consequently, IORPs, which thus fall under financial services, markets and products, must set up an internal reporting channel.

Having established that IORPs must set up an internal reporting channel, it is important to consider what the reports may cover.

In practice, notifications to the IORP will mostly be about financial services, markets and products, privacy and personal data protection, combating tax fraud and social fraud.

To know who can report, we need to look at the personnel scope, which includes: “private sector reporting entities that have obtained information about breaches in a work-related context”, such as employees, shareholders and anyone belonging to the administrative, management or supervisory body, and service providers or suppliers. Consequently, in the context of an IORP, members of the Board of Directors, General Assembly, and an operational body such as Daily management can report. Key functions and (employees of) service Providers can also report. Finally, reporting is also possible by (active or passive) affiliates, pensioners and beneficiaries, but only to the extent the reporting concerns financial services, markets and products and prevention of money laundering.

3. Report & public disclosure

3.1. Internal reporting procedure

Reports can be filed in two different ways, namely through an internal or an external reporting channel (FSMA or DPA). Finally, it is also permitted to make a public disclosure.

An internal reporting channel allows the reporter to share information about a breach with the IORP. This report can be made to a designated person or department. This person is a so-called whistleblower officer and should be impartial, independent and hence free of conflicts of interest. Therefore, the DPO or a board member may not be the most appropriate whistleblower officer. However, it is equally possible to outsource this internal reporting channel to an external service provider. In this case, an outsourcing agreement will consequently be concluded between the external service provider and the IORP. To conclude this outsourcing agreement, the IORP’s outsourcing policy must, of course, be respected. Also, GDPR regulations should not be overlooked.

It is advisable to ask the Compliance officer to manage and investigate such internal reports. In accordance with the Belgian IORP Act, the Compliance officer is authorised to monitor integrity risks, including internal reports.

Finally, the question is often asked whether an IORP can use the internal reporting channel of the sponsoring company. To this, a nuanced answer applies. The act provides the possibility for legal entities with less than 250 employees to share resources. These resources may relate to the internal reporting channel or investigative capabilities. Consequently, if the sponsoring company has less than 250 employees, the IORP can share resources with the sponsoring company. However, the reporter must be informed of this and have the opportunity to protest against (e.g. an investigation by the sponsoring company). The reporter should thus be able to request that the internal report be handled by the IORP's own whistleblower officer. Feedback on the measures taken must also be provided by the IORP itself. Special attention is also required for conflicts of interest between the IORP and the sponsoring company. It should also be noted that the entry into force of the law differs depending on the number of staff. If the sponsoring company has more than 50 but less than 250 employees, the company must set up an internal reporting channel by 17 December 2023 while the IORP must do so as early as 15 February 2023. So it may not be practically feasible to align this.

A report can be submitted either in writing or orally. If a report is done orally, it is possible to schedule a physical meeting at the request of the reporting person. However, it is also recommended to offer this possibility to the reporting person who has filed an internal report in writing. In doing so, a prompt exchange of information and documents between reporting person and the designated person is established.

Once the internal reporting channel has been set up and the person authorised to receive internal reports has been designated, the procedure on handling reports should be drawn up:

  1. Thus, the act prescribes that an acknowledgement of receipt of the internal report must be sent to the reporting person within seven days from receipt of the internal report.
  2. The designated person will then investigate and follow up the internal report. In our opinion, this investigation can take place in cooperation with the IORP key functions, as long as the identity of the reporting person is protected. Any follow-up should be discussed with the Board of Directors, which is the competent body to take decisions and actions.
  3. In addition, the reporting person should receive feedback on his or her internal report no more than three months after the acknowledgement of receipt. If no acknowledgement of receipt was sent, feedback will have to be provided within three months following the expiry of the seven-day period. This feedback may include the outcome of the investigation by the designated person as well as any follow-up actions by the IORP. Hence, the content of the feedback must, in our opinion, be substantial and may not be limited to merely stating that the report was justified or not. As a result, a reporting person will no longer be left in the dark about the outcome of the internal report.
  4. Lastly, information on the procedure for external reporting to the competent authorities should be provided to the reporting person. If this deadline is not feasible, this will also be motivated and follow-up will be required. 

3.2. External reporting procedure

First of all, it is important to know that an external report can be made directly. It is therefore not legally required to complete the internal reporting procedure first, which is all the more reason to promote the internal procedure.

The external procedure means that the report is not made to the designated person within the legal entity, but to an external authority. The act states that the competent authorities to receive reports will be designated by Royal Decree. An independent and autonomous external reporting channel will be set up. With regard to IORPs, it seems only logical that the regulator, the Financial Markets and Services Authority (hereinafter “FSMA”), should act as competent authority in this respect as it has done in the past. Nevertheless, the FSMA may consider that is not solely competent to receive the report, upon which the report is transferred to the competent authority or the federal coordinator on reports.

Furthermore, the procedure for external reporting is similar to the internal reporting procedure:

  1. An acknowledgement of receipt of the external report should also be sent to the reporting person within seven days of receiving the report.
  2. The report must be carefully investigated and follow-up after which the reporter receives feedback within a maximum of three months after acknowledgement of receipt or three months after expiry of the seven-day period after the report has been made. However, in the case of an external report, the deadline may be extended to six months. This extension must be duly justified.
  3. The reporting person must be informed on the outcome of the investigations following the report.
  4. In case of an external report, the competent authority may decide that a reported breach is clearly minor and does not require further follow-up. A similar approach can be followed in case of repetitive reports, which do not contain any meaningful new information on breaches compared to a past report.

Both in case of a report on a minor breach and in case of a repetitive report, the competent authority will inform the reporting person of the decision taken and the motivation thereof. In each case, the reporting person will be informed of the outcome of the report.

Regarding the notification of the procedure, this information will be publicly available on the website.

3.3. Public disclosure

In this newsletter, we would like to briefly mention the option of public disclosure. A public disclosure often means contacting the media or posting a story on social media. This option is a last resort for the reporting person. It is important to note that protection to the reporting person under this act in case of public disclosure is only applicable if he or she has already reported internally and/or (directly) externally but:

  1. no appropriate action was taken in response to the report within the timeframe; or
  2. the reporting person has reasonable grounds to believe that the breach may constitute an imminent or manifest danger to the public interest, or a risk of retaliation or there is a low prospect of the breach being effectively addressed.

Therefore, a reporter must first examine the above situations and thoroughly investigate whether public disclosure is appropriate before, for example, making statements to the media.

4. Transparency of procedures

Finally, the questions arises how information regarding the procedure should be disclosed to potential reporting persons. Drawing up an internal policy is the first step, but this policy should obviously also be made available to all potential reporting persons. Therefore, this policy should be sent to all key persons of the IORP and discussed during a Board of Directors meeting, General assembly meeting and meetings of other Operational bodies. Upon concluding a service level agreement, a copy should also be sent to the IORPs' service providers (including key functions and DPO). At date the Code of ethics, Outsourcing policy and continuity police will be already sent to (new) service providers. Awareness can also be created by providing training. Regarding plan members, it is important to post the policy on the IORP's website, which may or may not be accessible to the general public or only to (active or passive) affiliates, beneficiaries or pensioners.

5. Conclusion

In 2019, the Whistleblowing Directive became a hot topic. Three years later this Directive is finally being transposed into Belgian law. Although there was some discussion on the applicability of the act to IORPs, this debate now seems to be closed. It is essential for IORPs to align their internal policies with the new legal provisions and to elaborate and implement the procedure for internal reporting. If they need support in doing this, they can always rely on our experience as legal advisor and Compliance officer of several IORPs. CMS also offers a comprehensive training package, including specific training on the new whistleblower regulation.

For more information on whistleblowing and IORPs in Belgium, contact your CMS client partner or local CMS experts.