Recent events, including a significant judgment from the UK Supreme Court and the adoption of a landmark European Union directive, have put the spotlight on whistleblowing once again.
When faced with a whistleblower disclosure, there is plenty to keep GCs up at night, from ensuring that the report is properly investigated to preventing reprisals. But it has become increasingly clear that whistleblowers play an invaluable role in ensuring corporate compliance and that, for the good of the organisation, whistleblowing should be made as easy and effective as possible. Nearly half of the respondents to Kroll’s 2017/18 Global Fraud and Risk report indicated that whistleblowers uncovered instances of fraud within their organisations.
In the area of whistleblowing, as elsewhere, legal departments face the daunting task of reducing costs while managing increasing legal complexity. Meeting this challenge requires clarifying how the legal team fits into the whistleblowing process, as well as fostering a culture that encourages people to speak up. Understanding the changes that technology is bringing to whistleblowing is a critical step in ensuring that an organisation’s whistleblowing procedures are up to scratch.
Technology replacing the whistleblower: RegTech reducing the risk of reprisals
The use of technology, including artificial intelligence, to spot patterns and make predictions from vast amounts of data is far from new. What has changed is the unprecedented availability of data, coupled with the exponential growth of computing power. RegTech is harnessing this revolution to help institutions meet the demands of an increasingly complex regulatory environment.
Some of the most advanced RegTech solutions are being applied by financial institutions to automate KYC and AML compliance, analyse customer transactions for anomalies, and vastly decrease the number of false positives that are costly to investigate. RegTech is also being used within companies to detect and prevent asset misappropriations, corrupt schemes, and financial statement fraud. For example, AI is being applied to identify otherwise invisible connections between e-mails, pdf documents, expense reporting, social media profiles, criminal record checks and work hour reports. This capability can be used not only to spot misconduct but also to prevent it by applying predictive analytics to flag risk.
It follows that in some jurisdictions, there may also be an incentive for organisations to adopt RegTech to minimise the risk of corporate criminal convictions. For instance, section 7 of the UK’s Bribery Act 2010 – one of the strictest examples of international anti-bribery legislation – makes the failure of an organisation to prevent bribery an offence (see Practice note, Bribery Act 2010: corporate criminal liability). However, it is a defence under section 7(2) for the organisation to ‘show that [it] had in place adequate procedures designed to prevent’ such conduct. It is not farfetched to imagine that a company’s demonstration of reliance on a RegTech solution to combat bribery could be sufficient to succeed under section 7(2).
Moreover, the upshot has been that technology has delivered insights that might otherwise have needed to be brought forward by a human whistleblower – if detected at all.
The reasons for RegTech adoption to be on in-house counsel’s radar therefore go beyond efficiency gains. Algorithms cannot be personally victimised or directly retaliated against – making the potential for technology to replace whistleblowers and thereby reduce the personal, professional, and financial toll they face, significant. Though obstacles – including legacy IT systems and privacy concerns – remind us that RegTech is no panacea for whistleblowers’ challenges, the rise of RegTech means that whistleblowing may be just the latest human endeavour to be taken over by machines.
Technology empowering the whistleblower: hotlines, portals, apps – and blockchain
The foremost barrier to blowing the whistle is the fear of retaliation. The difficulty of ensuring confidentiality and, in some cases, the anonymity of the whistleblower therefore looms large. A related problem is the use of trusted channels of reporting, which must be secure and effective. Technological applications offer potential solutions.
While hotlines, and increasingly web portals, are widely used, a relatively recent development is the emergence of whistleblowing mobile apps. Apps combine the advantages of web portals, which include the ability to send documents, with the accessibility of mobile phones, creating a universal platform that can be employed almost anywhere.
However, perhaps the most promising technological development for whistleblowers – albeit the least actualised to date – is blockchain, which when applied to whistleblowing can offer several important advantages:
- First, blockchain-based solutions can strike the balance between the need for anonymity and the importance of being able to re-establish contact with the whistleblower. WhistleAI is currently working towards this goal by combining the benefits of blockchain, crowdsourcing and AI. To ensure anonymity their platform relies on zero-knowledge protocols, which entail splitting information into fragmented pieces before sending it for verification.
- The second advantage of blockchain is its immutability. Data, once uploaded on a blockchain-based platform, is time-stamped and cannot be deleted or tampered with. This allows whistleblowers to aggregate data securely before deciding whether to disclose the materials.
- A unique and controversial feature of blockchain is its ability to offer compensation to the whistleblower through smart contracts. This mechanism would not only give the whistleblower confidence in their identity’s security, but also provide them with payment through cryptocurrency, which could be automatically transferred to their account once the disclosed information is verified and the reward conditions are satisfied.
- Another possible advantage of blockchain is its application as an information escrow. This can be done through a smart contract, programmed to release information if certain conditions are met. For example, Callisto, initially designed to combat sexual harassment, forwards reported misconduct only when there are at least two complaints about the same alleged perpetrator, thus helping to eliminate the ‘first-mover disadvantage’ and lessen the perceived likelihood of retribution.
The European Union’s landmark new whistleblowing directive mandates reporting mechanisms across all sectors within both private companies and public institutions above a certain size. Whether an organisation’s internal channels are compromised, or could not reasonably be expected to work, bears on the question of whether whistleblowers are entitled to report directly to authorities. The role of technology in supporting whistleblowers by providing trusted disclosure channels is therefore crucial. Even if a post-Brexit regulatory landscape may not impose the EU’s whistleblowing requirements in the UK, the directive will influence a common corporate minimum standard.
Just as companies are beginning to appreciate the significant contributions whistleblowers make to corporate compliance, whistleblowing is being transformed. Technology stands not only to replace, but also to empower whistleblowers. If harnessed, both possibilities should help GCs sleep better at night.
This is a summary of a chapter contributed by the co-authors to a recently-published collection, FinTech:Law and Regulation (Edward Elgar).