Why financial services firms need to rethink their whistleblowing policies

A culture of fear is preventing finance professionals from reporting fraudulent activity and their silence is putting companies at risk

Fighting Fraud illustration

Whistleblower’s disclosures are vital in identifying incidences of fraud and protecting businesses from any potential financial and reputational repercussions. However, finance professionals are becoming increasingly reluctant to blow the whistle.

More than half (52%) of people working in the finance sector have spotted or suspected internal fraud in their workplaces, according to a survey of 1,500 finance professionals by fraud detection software company Medius. But of those who noticed illicit behaviour, 83% failed to blow the whistle.

Fear of retaliation and consequences for potentially false claims were cited as the main reasons for keeping quiet. Respondents reported seeing whistleblowers left out of important decisions (66%), moved to a different team (28%), subjected to name-calling (27%) and given the cold shoulder (26%), due to their reports. Meanwhile, 48% feel that the UK legal system does not adequately protect whistleblowers. 

Sherron Watkins is the former vice president of Enron Corporation who alerted the CEO to accounting irregularities in 2001, four months before the company declared bankruptcy. After coming forward, she was subject to derogatory names including snitch, rat and traitor. 

Similarly, Sarah Carver and Jennifer Griffith, exposed a fraud scheme of more than $550 million while employed at the Social Security Administration, the events of which are documented in the Apple TV series The Big Conn. In efforts to silence their disclosures, they experienced multiple acts of retaliation, were denied protection and were ultimately forced out of the company.

Employees are the last line of defence against today’s increasingly sophisticated fraud campaigns but a dwindling confidence in reporting suspicious activity puts organisations at severe risk. 

A grey area 

There is a widespread belief that as long as someone follows the rules, they are doing the right thing, even if those rules are transparently leading to a bad outcome. 

“You don’t want to be the person who raises their hand, because then you become the person who doesn’t understand the rules. What is compliant and what is morally correct is not usually black and white; individuals and organisations need to be able to operate in that grey area,” says Rob Hayward, chief strategy officer at Principia, an organisational ethics advisory firm. 

He points to the case of Ossie Lofton, a 90-year old woman from Florida, whose bank spent two years trying to foreclose her house because she was 27 cents in debt. Nobody at the bank objected at any point to turfing a vulnerable woman out of her house for the sake of such a small sum. From an outsider’s perspective, this appears shocking, Hayward says. But the incident highlights the dampening effect on people’s moral judgement that happens when compliance and ethics are viewed in such a binary way.

For a long time, there has been an understanding that if you put the right processes and systems in place, the behaviour and culture will follow. “This is an essential part but it’s not the whole picture,” Hayward explains. “It is not the rules and processes that govern people’s behaviour, it is the environment they are operating in, the attitudes of their leaders and the mindsets of people around them.”

How to create an open culture

Businesses need to cultivate a culture where people feel confident asking questions, raising concerns and challenging their superiors. 

Hayward claims that companies are most vulnerable to widespread cases of financial fraud or misconduct when there is a “captive finance team” who accept the information they’re given without ever asking the difficult questions and assume the information they’re provided with is trustworthy. “This typically happens when there is a leader with an alpha personality who is not open to being challenged,” he adds.

It is up to financial leaders to set an example of what an effective challenge looks like – and to do so in public, he stresses. They need to be seen to hold the business to account, to play the role as the independent auditor of the information they are getting as well as processing and reporting on it.

More important still, when people are questioning, challenging or even whistleblowing, businesses need to ensure they are being stringent on monitoring for retaliation. “This not only includes obvious moves to discriminate, such as threatening to fire the individual, but softer reactions,” Hayward says. “Maybe this person’s career didn’t progress as quickly as it might have done, or they are being shut out of important meetings.”

Such strategies might include having simple and easily accessible internal reporting channels and taking extra measures to protect the confidentiality of a whistle-blower’s identity, such as allowing anonymous reporting. 

It is worth noting that the likelihood of employees speaking up is highly correlated with their confidence in the meritocracy and fairness of the organisation. As Hayward points out: “Employees will only feel safe enough to say something when they’re being treated well in all aspects of their job.”

Prateek Swaika, a London-based litigation lawyer at law firm Boies Schiller Flexner, says business leaders should be aware of the legal solutions available within the UK to protect and incentivise whistleblowing.

Although the UK no longer has to comply with the EU’s Whistleblowing Directive, he advises organisations consider taking voluntary guidance from it and implement internal procedures in relation to investigating concerns. For example, including requirements to acknowledge receipt of a report within a set number of days, maintaining confidentiality of a whistleblower’s identity and providing feedback, where possible, to the whistleblower within a prescribed time limit. 

Swaika also recommends that businesses consider providing the whistleblower with independent, free and comprehensive legal advice. Above all else, organisations need to have a clear and visible whistleblowing policy in place so that employees know exactly what to do should such a situation arise. 

In comparison to the US and EU, the legal protections currently offered to whistleblowers in the UK are “limited”, Swaika admits. The Public Interest Disclosure Act 1998 has been subject to criticism for failing to adequately protect whistleblowers. A key concern is that it only allows whistleblowers to seek compensation from an employment tribunal after suffering a detriment, rather than preventing it from happening in the first place, or putting in place guidelines on how the report and the whistleblower should be dealt with. 

“The complex hurdles for disclosure protection, a lack of incentivisation for whistleblowers and the potential for legal repercussions all function as deterrents to such activity,” Swaika explains. 

More recently, however, there have been calls for reform to the whistleblowing framework in the UK. The new director of the Serious Fraud Office, a governmental department that investigates and prosecutes fraud, has suggested that whistleblowers should be incentivised to come forward, a common practice in US law enforcement. 

The critical role of technology 

A fear of potentially false claims is preventing employees from blowing the whistle on suspected fraud. Indeed, 93% of financial professionals reported that they would feel more comfortable raising suspicions if they had more evidence, according to the Medius survey. 

Emma Brown, chief financial officer at Medius, believes that this is where anomaly-detection technology can help, providing finance teams with the evidence and assurances they need to be more forthcoming about fraudulent activity. 

And yet, many organisations are failing to take advantage of these tools, Brown says. In her view, manageable risks like fraud are being neglected by businesses whose finance teams still rely on manual payment and invoice reviews. She says that even those that do have automated payment solutions in place are usually focused on efficiency gains, rather than detecting fraud.

Brown notes that this is even more surprising given the increasing sophistication of fraud campaigns that have emerged in recent years, including the growing popularity of AI-powered deepfakes, phishing and system breaches, as well as authorised push payment transactions, where fraudsters trick people into transferring money to them.

The number of reported fraud cases in 2023 rose by 18% to a three-year high, according to accounting consultancy BDO’s FraudTrack report, while high-value cases (over £50m) increased by 60% year-on-year.

Brown disagrees with assumptions that the onus should be solely on the CFO to be at the front line of financial fraud. “No one person should have responsibility for that,” she says. “The rate at which technology is rapidly evolving has changed the conversation when it comes to fraud prevention.”

Despite this, annual auditing requirements, which are designed to reduce risks like fraud within an organisation, have not been updated to reflect technological advancement in this area, Brown notes. “They have not changed since I was an accountant. This presents a huge gap between the way that fraud controls are tested and the way that it happens,” she adds. “Introducing more controls and protections as part of company audit requirements would certainly help to reduce the need to rely on whistleblowers.”

Ultimately, business leaders cannot afford to assume that their employees feel comfortable enough to speak up when they see evidence of internal fraud. Creating a culture of openness that destigmatises and incentivises whistleblowing can help encourage more employees to come forward.

The case for paying whistleblowers

Expand Close