Today we are introducing a new blogpost from our partners at Kerberos, a compliance and AML service provider. This post sheds light on the Whistleblower Protection Act, now applicable to all German fund managers regardless of their size.
Lena Olschewski, AML-Expert, Chairwoman of the German Association of MLROs and CEO of legeARTIS Compliance, has outlined key aspects of the Whistleblower Protection Act (HinSchG), but there is much more to explore. Keep an eye out for our in-depth articles on KYC, KYB, and AML coming soon. If you have questions or particular concerns, don't hesitate to reach out.
bunch is here to make things simpler. Our digital platform is designed to streamline the complexities of managing private market funds. We provide an end-to-end solution, from digital onboarding to seamlessly handling compliance and reporting, with a modular setup that allows you to pay for what you need.
How did the HinSchG come into effect?
The development of the HinSchG was a lengthy process. Initially, the EU Whistleblower Directive was supposed to be transposed into German law by the end of 2021. However, it took one and a half years longer for the federal government and the states to agree on the HinSchG in the mediation committee of the Bundesrat. The European Court of Justice even imposed a fine of over 14 million euros for the delayed implementation, which is now borne by the taxpayer.
Who is affected and what are the deadlines?
According to the National Regulatory Control Council, the HinSchG affects approximately 74k companies with 50-249 employees and 17k companies with more than 250 employees, and especially companies in the financial and insurance sectors in Germany, regardless of their size. Specifically, capital management companies have, without exception, had to establish an internal whistleblower office and demonstrate appropriate processes since July 2, 2023, when the law came into effect.
What is required?
Obligated companies must establish channels for employees to submit internal reports on grievances. Additionally, an external reporting office will be set up at the Federal Ministry of Justice and, if applicable, at the state level. Internal reporting offices must offer the possibility to submit reports orally or in writing. Companies must ensure that feedback to the reporting person is possible and that only authorized persons can access the reports. This requirement is no longer met as soon as a company's IT administration could potentially access an email inbox or a voicemail box of the reporting office. Additionally, those responsible must be free of conflicts of interest and possess the ability to handle reports professionally. For this reason, it is particularly inadvisable for companies with few employees to entrust this task to the management. A conflict of interest, especially in smaller teams, can be a reason for submitting reports to external offices, which then cause external interventions in the company.
What are the possible fines?
The Whistleblower Protection Act stipulates that reporting offices do not have to be exclusively anonymous but should enable the processing of anonymous reports. Fines of up to €50,000 can be imposed, for example, if reports are prevented or if no reporting office is established or operated. Employers must also justify why retaliation is not expected in the event of complaints by employees. Companies can also claim damages in case of false reports.
What does the process look like?
Upon receipt of an (anonymous) report, reporting offices must confirm it within seven days. It must be technically possible for the reporting offices to remain in contact with the reporting person without disclosing information to unauthorized third parties. The reporting person must not suffer any professional disadvantages due to their reports. Reports must be checked for plausibility, and if necessary, measures must be taken to rectify grievances. Reporting offices must provide feedback to the reporting person within three months. This feedback must include any measures already taken or planned and the reasons for them.
What are things that should be reported?
Not every report of a violation of legal provisions is covered by the HinSchG. Reasons for reports can be violations of criminal law or fineable offenses, especially those that protect life, limb, or health. In addition, violations of the Money Laundering Act, data protection laws, or the Supply Chain Due Diligence Act can be reasons for reports.
What does this mean for venture capital funds?
The implementation of the HinSchG presents companies with two major challenges.
First, strict data protection provisions restrict access to report data to the responsible persons. These regulations make the use of internal IT-supported systems difficult.
Second, reports must be processed independently by persons without conflicts of interest, a particular challenge in companies with few employees.
Further hurdles include training employees, communicating with reporting authorities, and documenting measures. Companies that want to operate internal reporting offices should have them reviewed by experts and independently monitor legislative developments.
Outsourcing of Internal Reporting Offices
An alternative to the internal establishment of reporting offices is outsourcing. Kerberos offers an IT-supported whistleblower system that meets all legal requirements, enables the submission and processing of anonymous tips via an anonymous mailbox, and guides reporters through the reporting process. If necessary, the ombudsperson as the responsible office for processing reports can also be outsourced to Kerberos.
Thanks for your attention! If you have any questions, feel free to reach out to us.