GENE 4A.2.2 Content of protected reporting policy

(1) An authorised firm's protected reporting policy must comply with all of the following requirements:
(a) it must provide 2 or more independent channels for making a protected report;

Guidance
For example, a firm's policy could provide both a dedicated email address and a dedicated telephone number to which reports can be made.

(b) if appropriate, it must provide for such a report to be made in a language other than English;
(c) it must recognise that such a report could be made by anybody with the necessary information (not only by an officer or employee);
(d) it must allow a protected report to be made anonymously;
(e) it must provide for the identity of a protected reporter to be kept confidential (so far as possible);

Guidance
The Regulatory Authority recognises that the investigation of a protected report may reveal the identity of a protected reporter or make it possible to infer it.
(f) it must provide for reasonable measures to protect a protected reporter, anyone who assists in investigating a protected report, and anyone who cooperates with the investigation, against retaliation;
(g) it must explicitly recognise a protected reporter's right (and, in certain cases, obligation) to report to or communicate with the Regulatory Authority, another regulator or an authority of the State;

Note 1 Under the Criminal Procedures Code of the State (Law No. (23) of 2004), article 32, a person who has knowledge of certain crimes must report it to the State Prosecutor's Office or a judicial commissioner.

Note 2 For the firm's obligation to cooperate with the Regulatory Authority, see rule 1.2.14.
(h) it must provide a suitable set of guiding principles, and clear procedures, for the assessment, investigation and escalation of a protected report;
(i) it must provide for the investigation of a protected report to be independent of the individual or business unit concerned;

Guidance
This could include making arrangements for the investigation to be done by a third party.
(j) it must provide for a protected report to be acknowledged, and for the protected reporter who made it to be kept informed (to the extent that is appropriate in the circumstances) about the progress and outcome of the investigation;
(k) it must provide for the reporting, monitoring and investigation of retaliation, attempts at retaliation and threats of retaliation;
(l) it must provide for retaliation, an attempt at retaliation, or a threat of retaliation to be treated as gross misconduct;
(m) it must provide for appropriate reporting to the firm's governing body and the Regulatory Authority about protected reports, the investigation of such reports and the outcome of the investigations.
(2) The firm must set out the policy clearly in a document, and must ensure that all of the firm's officers and employees have access to, and understand, the document.
(3) The document must also clearly set out statements of:
(a) the benefits to the firm of the protected reporting policy; and
(b) the firm's commitment to it.
Inserted by QFCRA RM/2018-3 (as from 1st May 2018).