CHAPTER 3–WHISTLEBLOWING POLICIES
179-20 Whistleblowing policy
(1) An AIFC Participant must establish a written policy on whistleblowing that:
- (a) is approved by its Governing Body;
- (b) complies with this Part; and
- (c) is appropriate for the nature, scale and complexity of the AIFC Participant's business.
(2) An AIFC Participant that is a branch, or is a member of a group, may rely on the whistleblowing policy of its head office, or a group-wide whistleblowing policy, provided that the policy substantially complies with this Part.
179-21 Content of whistleblowing policy
(1) An AIFC Participant's whistleblowing policy must comply with all of the following requirements:
- (a) it must provide two or more independent channels for making a Protected Report, which may include any two of the following non-exhaustive examples:
(i) a dedicated email address to which reports may be sent;
(ii) a dedicated telephone number over which reports may be made; and
(iii) designated individual(s) within the AIFC Participant to whom reports may be made.
- (b) if appropriate, it must provide for a report to be made in a language other than English;
- (c) it must recognise that a report may be made by anybody with the necessary information (not only by an officer or employee of the AIFC Participant);
- (d) it must allow a Protected Report to be made anonymously;
- (e) to the extent that a Protected Reporter's identity is disclosed voluntarily or is revealed to, or inferred by, the AIFC Participant following an investigation of the Protected Report, the policy must provide for the identity of that Protected Reporter to be kept confidential (so far as possible);
- (f) it must provide for reasonable measures to protect a Protected Reporter, anyone who assists in investigating a Protected Report, and anyone who cooperates with the investigation, against retaliation or detriment;
- (g) it must explicitly recognise a Protected Reporter’s right (and, in certain cases, obligation) to report to or communicate with the entities or individuals listed in section 179-17(1) (Protected Reports and Protected Reporters);
- (h) it must provide a suitable set of guiding principles, and clear procedures, for the assessment, investigation and escalation of a Protected Report;
- (j) it must provide for a Protected Report to be acknowledged by the AIFC Participant, and for the Protected Reporter who made it to be kept informed (to the extent that is appropriate in the circumstances) about the progress and outcome of the investigation;
- (k) it must provide for the reporting, monitoring and investigation of retaliation, attempts at retaliation and threats of retaliation against, and any other actions causing detriment to, the Protected Reporter and any Persons that assist in the conduct of the investigation;
- (l) it must provide for retaliation, an attempt at retaliation, or a threat of retaliation and any other actions causing detriment to the Protected Reporter or a Person assisting an investigation into a Protected Report to be treated as gross misconduct;
- (m) it must provide for appropriate reporting to the AIFC Participant's governing body and the AFSA about Protected Reports, the investigation of such reports and the outcome of the investigations.
(i) it must provide for the investigation of a Protected Report to be independent of the individual or business unit concerned, for example through the appointment of a third party investigator;
(2) The AIFC Participant must set out the policy clearly in a document, and must ensure that all of the firm’s officers and employees have access to, and understand, the document.
(3) The policy must also clearly set out statements of:
- (a) the benefits to the AIFC Participant of the whistleblowing policy; and
- (b) the AIFC Participant's commitment to it.
179-22 Implementation of whistleblowing policy
(1) The Governing Body of an AIFC Participant must ensure that the AIFC Participant's whistleblowing policy is fully implemented.
(2) In particular, the AIFC Participant's Governing Body must take reasonable steps to ensure that a Protected Reporter, anyone who assists in investigating a Protected Report, and anyone who cooperates in the investigation, are protected against retaliation and any other action causing detriment.
(3) An AIFC Participant must nominate an appropriately senior individual to oversee the implementation of the whistleblowing policy.
(4) An AIFC Participant that receives a Protected Report must notify the AFSA within five business days.
(5) An AIFC Participant's Governing Body must ensure that the whistleblowing policy is reviewed and, if necessary, updated at least once every three years by:
- (a) the AIFC Participant’s internal auditor; or
- (b) an independent and objective external reviewer.
(6) An AIFC Participant must provide regular training for all of its Employees on its whistleblowing policy and any relevant procedures contained in the policy. In particular, the AIFC Participant must provide appropriate specialist training for the Employees who are responsible for key elements of the policy.
(7) An AIFC Participant may outsource the implementation of its whistleblowing policy. If the AIFC Participant does so, it must ensure that the outsourcing agreement:
- (a) nominates the individual referred to in subsection (3); and
- (b) otherwise provides appropriately for the implementation of the firm’s obligations under the policy.
(8) In the event that the AIFC Participant outsources the implementation of its whistleblowing policy, its rights and obligations under this Part shall remain unaltered, notwithstanding anything to the contrary in the outsourcing agreement.