• GENE Part 4A.2 GENE Part 4A.2 Protected reporting policies

    • GENE 4A.2.1 Obligation to have protected reporting policy

      (1) An authorised firm must establish a written policy on protected reporting that:
      (a) is approved by the firm's governing body;
      (b) complies with this Part; and
      (c) is appropriate for the nature, scale and complexity of the firm's business.
      (2) An authorised firm that is a branch, or is a member of a corporate group, may rely on the protected reporting policy of its head office, or a group-wide protected reporting policy, provided that the policy substantially complies with this Part.
      Inserted by QFCRA RM/2018-3 (as from 1st May 2018).

    • GENE 4A.2.2 Content of protected reporting policy

      (1) An authorised firm's protected reporting policy must comply with all of the following requirements:
      (a) it must provide 2 or more independent channels for making a protected report;

      Guidance
      For example, a firm's policy could provide both a dedicated email address and a dedicated telephone number to which reports can be made.

      (b) if appropriate, it must provide for such a report to be made in a language other than English;
      (c) it must recognise that such a report could be made by anybody with the necessary information (not only by an officer or employee);
      (d) it must allow a protected report to be made anonymously;
      (e) it must provide for the identity of a protected reporter to be kept confidential (so far as possible);

      Guidance
      The Regulatory Authority recognises that the investigation of a protected report may reveal the identity of a protected reporter or make it possible to infer it.
      (f) it must provide for reasonable measures to protect a protected reporter, anyone who assists in investigating a protected report, and anyone who cooperates with the investigation, against retaliation;
      (g) it must explicitly recognise a protected reporter's right (and, in certain cases, obligation) to report to or communicate with the Regulatory Authority, another regulator or an authority of the State;

      Note 1 Under the Criminal Procedures Code of the State (Law No. (23) of 2004), article 32, a person who has knowledge of certain crimes must report it to the State Prosecutor's Office or a judicial commissioner.

      Note 2 For the firm's obligation to cooperate with the Regulatory Authority, see rule 1.2.14.
      (h) it must provide a suitable set of guiding principles, and clear procedures, for the assessment, investigation and escalation of a protected report;
      (i) it must provide for the investigation of a protected report to be independent of the individual or business unit concerned;

      Guidance
      This could include making arrangements for the investigation to be done by a third party.
      (j) it must provide for a protected report to be acknowledged, and for the protected reporter who made it to be kept informed (to the extent that is appropriate in the circumstances) about the progress and outcome of the investigation;
      (k) it must provide for the reporting, monitoring and investigation of retaliation, attempts at retaliation and threats of retaliation;
      (l) it must provide for retaliation, an attempt at retaliation, or a threat of retaliation to be treated as gross misconduct;
      (m) it must provide for appropriate reporting to the firm's governing body and the Regulatory Authority about protected reports, the investigation of such reports and the outcome of the investigations.
      (2) The firm must set out the policy clearly in a document, and must ensure that all of the firm's officers and employees have access to, and understand, the document.
      (3) The document must also clearly set out statements of:
      (a) the benefits to the firm of the protected reporting policy; and
      (b) the firm's commitment to it.
      Inserted by QFCRA RM/2018-3 (as from 1st May 2018).

    • GENE 4A.2.3 Implementation of protected reporting policy

      (1) The senior management of an authorised firm must ensure that the firm's protected reporting policy is fully implemented.
      (2) In particular, the firm's senior management must take reasonable steps to ensure that a protected reporter, anyone who assists in investigating a protected report, and anyone who cooperates in the investigation, are protected against retaliation.

      Note Under the Employment Regulations of the QFC, article 16, a person "...who in good faith raises concerns about or reports crimes, contraventions (including negligence, breach of contract, breach of law or requirements), miscarriages of justice, dangers to health and safety or the environment and the cover up of any of these by their Employer shall not be dismissed or otherwise penalised directly or indirectly for such acts, including in respect of any prohibition against disclosure of nonpublic information.".

      Guidance
      1 Retaliation or an attempt at retaliation against an employee who has made a report referred to in the Employment Regulations, article 16, would therefore be a contravention of a legal requirement (see rule 4A.1.1 (1), definition of protected report, paragraph (e) (ii)), and could itself be the subject of a protected report.
      2 Also, see FSR, article 84 (1) (B) — retaliation against such an employee would contravene article 16 of the Employment Regulations, thus is a contravention of a relevant requirement, and could therefore give rise to disciplinary or enforcement action under FSR, Part 9.
      3 However, article 16 protects only employees; this Chapter requires anybody who makes a protected report to be protected against retaliation.
      (3) An authorised firm must nominate an appropriately senior individual to oversee the implementation of the firm's protected reporting policy.

      Guidance
      The individual nominated need not be an employee or even a board member, but could for example be a legal adviser in an outside law firm.
      (4) An authorised firm that receives a protected report must notify the Regulatory Authority within 5 business days.
      (5) An authorised firm's governing body must ensure that the firm's protected reporting policy is reviewed at least once every 3 years by:
      (a) the firm's internal auditor; or
      (b) an independent and objective external reviewer.
      (6) An authorised firm must provide regular training for all of its officers and employees on its protected reporting policy and the applicable procedures. In particular, the firm must provide appropriate specialist training for the officers and employees who are responsible for key elements of the policy.
      (7) An authorised firm may outsource the implementation of its protected reporting policy. If the firm does so, it must ensure that the outsourcing agreement:
      (a) nominates the individual referred to in subrule (3); and
      (b) otherwise provides appropriately for the implementation of the firm's obligations under the policy.
      Inserted by QFCRA RM/2018-3 (as from 1st May 2018).
      Amended by QFCRA RM/2021-1 (as from 1st July 2021)