WHISTLEBLOWING: COMPLIANCE AND THE ROLE OF THE PROFESSIONAL
Companies, even small and medium-sized ones, must meet more and more compliance requirements, both mandatory related to market regulations and voluntary in order to implement a differentiation strategy aimed at gaining a competitive advantage. A central issue in terms of legal and corporate compliance is that of Whistleblowing: its purpose is to prevent illegal phenomena in both the public and private sectors.

NORMATIVE
The English term "Whistleblowing" refers to a "whistleblowing" through which the whistleblower wishes to inform the organization of which he or she is a member of the illegal phenomenon (irregular, illegal, potentially harmful behavior) he or she has witnessed, given that the organization itself is an injured party.
The main innovations in the field of Whistleblowing are the result of the transposition of Legislative Decree No. 24/23 in implementation of the related EU legislation; there is:

• an expansion of the subjects obliged to apply the legislation, 
• an expansion of the reporting modalities,
• an expansion of the potential reporting subjects.

In fact, regardless of the business activity, as of December 17, 2023, legal entities with at least 50 employees must necessarily apply the regulations and develop Whistleblowing channels, as well as all legal entities already equipped with an Organizational Model compliant with Legislative Decree 231/01, regardless of size parameters.

TECHNICAL IMPLICATIONS
In order to be compliant with the regulations, the company can develop the following possible channels to be used to implement Whistleblowing:

• an internal channel within the organization,
• a channel external to the organization, normally towards the ANAC (National Anti-Corruption Authority) which is the reference body,
• through a public disclosure of a different type.

The legislation also assumes a broadening of the possible reporters of the violation that has come into contact, viz:

• employees, including former,
• suppliers,
• stakeholders in general; it is specified that in this sense the legislation is really broad, as it is also included, for example, a person who has come into contact with the company to simply have an interview.

Reports may concern violations of national or EU regulatory provisions that harm the public interest, the integrity of the public administration or the private entity of which they have become aware in a public or private work context: consequently, it seems clear that the possible pool of the report is very wide.

Some possible offenses that can be reported are listed as a non-exhaustive list:

• bribery, conflict of interest, fraud to customers, company,
• theft or misuse of company resources/assets,
• environmental crimes,
• discrimination/harassment,
• crimes with the public administration, 
• computer, corporate, accounting and tax crimes, 
• crimes of violation of Human Rights and Code of Ethics,
• violation of privacy, occupational safety and health,
• irregularities in selection processes, 
• administrative offenses of various kinds.

Note well that the regulations exclude all reports related to a personal interest of the reporter that pertain to individual labor relations, such as disputes or interpersonal conflicts.

THE ROLE OF THE PROFESSIONAL
The professional, such as a Certified Public Accountant or Auditor, can assist the company to ensure that it is compliant with regulations and avoid sanctions, as it is required to:

• establish a specific channel for Whistleblowing. Multiple channels can be outlined, but at least one of them must be computer-based for exclusive use and encrypted, as it must ensure the confidentiality of the registrant: with the new legislation, a specially dedicated e-mail address is not compliant;
• set up specific procedures through the identification of individuals designated to handle the report and the consequent flow of information; autonomy and independence requirements are necessary to carry out the checks: it is also advisable to inform internally its employees about which channels and individuals are designated to handle the report;
• provide appropriate training for employees;
• ensure compliant handling of personal data;
• manage and regulate the communications received and the outputs reporting on the application of the regulations; in this perspective, it is important to equip the company with a "DPIA," Data Protection Impact Assassment, i.e., an impact assessment on how Whistleblowing is handled.

Lastly, the legislation opens in favor of the professional a possible professional specialization: by investing in personal training he/she can take on positions as DPO, Data Protection Officer, i.e., external person appointed by the organization in charge of the management of the aforementioned data and operational practices; in addition, the legislation also creates an impact on the issue of Whistleblowing verification obligation related to positions connected to the Board of Auditors and SBs, Supervisory Bodies.

Edited by: Luigi Alfredo Carunchio, Chartered Accountant and Statutory Auditor

You can download the article in PDF here

For more information:

luigicarunchio@valoreassociati.it

The firm supports clients in corporate governance