Companies operating in Italy should take note of an important change in Italian law introducing more comprehensive regulations on whistleblowing procedures in the public and non-financial private sector. Among other relevant aspects, Law No. 179/2017, which entered into force on December 29, 2017, expands existing whistleblowing protections to the private sector, requiring companies that have adopted formal compliance programs pursuant to Legislative Decree No. 231/2001 (“Decree 231”) to also implement a formal whistleblower program.

Prior to Law No. 179/2017, only financial services and banking firms were required to implement formal whistleblower programs, pursuant to Italian legislation implementing European Directive 23/2013 (CRDIV).  In addition, Law No. 190/2012, also called the “Anticorruption Law,” provided protection against retaliation for civil servants who reported the commission of a wrongdoing.  Many companies operating in Italy have adopted formal compliance programs pursuant to Decree 231, incentivized by a provision that affords a defense against certain types of criminal offences for firms with such a program. Law No. 179/2017 requires such companies to integrate a formal whistleblower policy as part of their compliance programs.

Background:  Legislative Decree 231

Under Italian law legal entities do not have an obligation to adopt a compliance program, but they are encouraged to do so in order to avoid or at least minimize their liability in the event a crime is committed.  Under Decree 231 a legal entity can be held criminally liable for certain crimes committed by its legal representatives, directors or executives (whether formally or de facto) or by employees.  Liability under Decree 231 may extend to crimes involving money laundering, market abuse, cross-border crimes, corruption and misappropriation, and a variety of other corporate offenses.  However, companies may shield themselves from liability arising from the commission of crimes if, among other things, prior to the crime’s commission, they adopt and effectively implement a compliance model designed to prevent crimes of the same kind as the one committed.

Whether a compliance model was effectively implemented and able to prevent criminal offences is determined by criminal courts on a case-by-case analysis based on a situation-specific approach.  However, Decree 231 sets forth certain requirements for compliance programs.  For example, according to Article 6, paragraph 2, a compliance program must identify the activities that, when performed, may give rise to crimes or facilitate their commission; implement protocols governing the adoption and execution of decisions and the management of financial resources to prevent the commission of crimes; set forth reporting duties to the supervising body and have a disciplinary code punishing noncompliance.

Law No. 179/2017’s Whistleblower Protection Requirements

Like Decree 231, Law No. 179/2017 does not require firms to adopt a compliance or whistleblower protection program.  Specifically, pursuant to the new paragraph 2-bis of Article 6 Decree 231, compliance programs shall include a whistleblowing procedure so that officers and employees can report violations of Decree 231.  Accordingly, companies that have adopted compliance programs in accordance with Decree 231 should evaluate whether their policies comport with Law No. 179/2017, and companies seeking to implement compliance programs should incorporate whistleblower protections as part of those policies.

Overview of Requirements

Law No. 179/2017 includes specific requirements for qualifying whistleblower policies.  Specifically, a compliance program must provide for:

  • More than one whistleblowing channel able to protect whistleblowers’ identity, of which at least one has to be computerized;
  • The prohibition of acts of discrimination or retaliation against whistleblowers;
  • Disciplinary measures for those who retaliate against a whistleblower and for the whistleblowers who intentionally or with gross negligence file false or unsubstantiated reports of violations.

The law also requires that companies ensure the confidentiality of whistleblower’s identity to the extent permitted by Italian law.  Unlike in certain other jurisdictions, however, there is no requirement that anonymous whistleblower complaints be entertained.

To satisfy the requirements of Law No. 179/2017, formal whistleblower channels must be available to persons indicated in Article 5, lett. a and b, of Decree 231, namely: a) directors, managers or other subjects acting on behalf of the company or one of its organizational units; and b) persons subject to the direction or supervision of the abovementioned.  This means that, technically, a whistleblower program need not be available to self-employed contractors, external consultants, or others.  As a practical matter, there may be good reasons to nonetheless include such persons within the scope of a whistleblower program – including that it is generally better for a firm to company to hear about allegations of misconduct first, and before they are reported to government authorities.  In many jurisdictions, in fact, a company may be able to achieve a significantly better outcome in a government investigation by self-reporting misconduct.

Managing Whistleblower Complaints

Law No. 179/2017 does not specify how whistleblower complaints must be escalated or who within an organization must review them.  However, the structure of the law strongly suggests that such complaints should be escalated to the Compliance Program Supervisory Body (Organismo di Vigilanza) that Decree 231 requires companies to adopt as part of qualifying compliance programs. Pursuant to Decree 231[1], the Supervisory Body is already deputed to supervise the proper implementation of and compliance with the model, receiving information flows coming from the management.  Moreover, the Supervisory Body is usually composed of professional and independent members, minimizing the risk of potential conflicts of interest.[2]  In the alternative, the Organismo di Vigilanza may deputize an appropriate officer or internal function to receive and evaluate whistleblower complaints.

The law also does not require that a company consider frivolous or unsubstantiated allegations.  Rather, complaints must be grounded on “accurate and consistent elements of fact” (Art. 2-bis, lett. a, Decree 231).  This provision suggests that it would be appropriate to adopt a screening mechanism for evaluating whether complaints require a formal investigation or may be addressed or disposed of in a less formal way.

Anti-Retaliation Measures

An important part of any whistleblower program is the prevention of retaliation.  Law No. 179/2017 provides protection against retaliation by permitting whistleblowers to raise allegations of retaliatory and discriminatory acts arising from whistleblowing activities to the Senior Labor Inspectorate (Ispettorato del Lavoro) personally or through a labor union. Moreover, in case of disputes concerning disciplinary measures, dismissals, transfers, or demotions imposed after the employee blew the whistle, the new Law provides that the burden of proof shifts, requiring the employer to demonstrate that the measure is based on grounds different from the reporting.  The existence of strong anti-retaliation provisions means that companies would be well advised not only to adopt their own anti-retaliation provisions, but also to provide formal training to employees on those policies and to see that they are effectively enforced.

Whistleblowing Regime in the Banking and Financial Sector

The adoption of Law No. 179/2017 also provides a timely opportunity to reflect on the whistleblowing rules that already applied in the Italian financial and banking sectors.  As described above, the first law introducing whistleblowing procedures in the private sector was Law No. 154/2014, which amended the Consolidated Finance Law (Testo Unico della Finanza) and the Consolidated Banking Law (Testo Unico Bancario) requiring banks and financial intermediaries to implement mechanisms to report breaches of financial and banking regulations.

Specifically, banks and financial intermediaries must provide:

  • specific and independent channels in order to allow their staff to report violations of banking and financial laws and regulations;
  • protection for employees who report breaches committed within the institution against retaliation, discrimination or other types of unfair treatment;
  • protection of personal data concerning both the person who reports the breaches and the person who is allegedly responsible for a breach.

Both Bank of Italy and Consob (the Italian Companies and Exchange Commission) have issued implementing provisions of these rules.

Implementing Regulations:  The Banking Sector

On July 21, 2015, Bank of Italy amended Circular no. 285 of December 17, 2013 specifying that:

  • banks must identify the person responsible for the internal reporting system, who has the obligation to oversee the procedure, to report any relevant violations to the corporate bodies, and to prepare the annual report on the functioning of the whistleblowing system;
  • banks must ensure the confidentiality of the information and clarify the procedure according to which the whistleblower and the accused person have to be informed about the development of the investigation;
  • the reporting channel must be accessible not only to employees but also to those who collaborate with the bank on the basis of a fixed or temporary contract;
  • the whistleblower has the obligation to declare whether she has any conflicting private interest in connection with the reported violation. However, banks must also provide the whistleblower who is jointly liable of the violation with preferential treatment;
  • banks can also outsource the reporting system to a third party.

Implementing Regulations:  The Financial Sector

On January 17, 2018, Consob issued analogous rules, entering into force on January 31, 2018[3].  Under those regulations, non-bank financial institutions must:

  • identify the person responsible for the internal reporting system, who has the obligation to oversee the procedure and to promptly report any relevant violations to the corporate bodies;
  • ensure the confidentiality of the information and clarify the procedure according to which the whistleblower and the accused person have to be informed about the development of the investigation;
  • provide for the obligation of the whistleblower to declare whether she has any conflicting private interest in connection with the reported violation;
  • provide the whistleblower who is jointly liable of the violation with preferential treatment;
  • financial institutions can also outsource the reporting system to a third party.

Unlike the Bank of Italy, Consob does not specify who can report violations of financial laws and regulations through the whistleblowing system.  Therefore, each financial institution can decide whether whistleblowing mechanisms should be accessible – other than to employees – to those who collaborate on a contractual basis with the institution.

Whistleblower Programs Must Comply With Italian and European Privacy Law

In addition to the specific requirements of Law No. 179/2017 and predecessor legislation in the financial sector, whistleblowing procedures must also comply with Italian and European privacy law.  In July 2016, the European Data Protection Supervisor issued Guidelines on processing personal information within a whistleblowing procedure, listing detailed recommendations.  Even if they formally addressed European Institutions and Bodies, these guidelines are an invaluable tool for any company wanting to implement a whistleblowing procedure compliant with data protection regulations.  Specifically:

  • Companies should collect (and retain) only information which are relevant, adequate and necessary for the investigation;
  • Companies should ensure the confidentiality of the information;
  • However, persons involved in the whistleblowing procedure should be informed about the processing of their data and be provided with a specific data protection statement as soon as practically possible, for example by email. However, when this information can jeopardize the investigation, the disclosure can be deferred.  Deferral of information should be decided on a case-by-case basis and the reasons for any restriction should be documented;
  • Companies should define proportionate conservation periods for the personal information processed within the scope of the whistleblowing procedure depending on the outcome of each case (a shorter retention period for reports that did not lead to an investigation);
  • Implement both organizational and technical security measures based on a risk assessment analysis of the whistleblowing procedure in order to guarantee a lawful and secure processing of personal information

In view of the forthcoming entry into force, on May 25, 2018, of the General Data Protection Regulation (“GDPR”),[4] companies should consider how whistleblower allegations will be processed and what information will be provided to the whistleblower.  Relevant considerations include, among others, whether information provided by whistleblowers will be handled by a third party, transferred abroad, or communicated to a foreign authority.  Depending on the circumstances, and the nature of the information a whistleblower provides, such the GDPR may limit the way in which whistleblower complaints can be processed.

Conclusion

The adoption of Law No. 179/2017 is an opportune time for companies that operate in or that have potential exposure to Italy to re-evaluate the adequacy of their whistleblower policies and procedures.  While this is particularly true for companies that have adopted compliance programs pursuant to Decree 231, the proliferation of whistleblower anti-retaliation provisions around the world mean that the adoption of formal whistleblower policies and training is increasingly becoming a critical part of any compliance program.


[1] See Article 6, paragraph 1, b, and Article 6, paragraph 2, d.

[2] Decree 231 only requires that the Supervisory Body has “autonomous power of initiative and control”.  However, Confindustria — the main Italian industry association — has issued guidelines suggesting that it must be provided with adequate financial resources and that its member(s) must meet professional, independency and continuity of action requirements.

[3] Consob amended its Regulation on the collection of risk capital via on-line portals, adopted with Resolution no. 18592 of 26 June 2013.

[4] EU Regulation No. 2016/679.