GENE 4A.2.3 Implementation of protected reporting policy

(1) The senior management of an authorised firm must ensure that the firm's protected reporting policy is fully implemented.
(2) In particular, the firm's senior management must take reasonable steps to ensure that a protected reporter, anyone who assists in investigating a protected report, and anyone who cooperates in the investigation, are protected against retaliation.

Note Under the Employment Regulations of the QFC, article 16, a person "...who in good faith raises concerns about or reports crimes, contraventions (including negligence, breach of contract, breach of law or requirements), miscarriages of justice, dangers to health and safety or the environment and the cover up of any of these by their Employer shall not be dismissed or otherwise penalised directly or indirectly for such acts, including in respect of any prohibition against disclosure of nonpublic information.".

Guidance
1 Retaliation or an attempt at retaliation against an employee who has made a report referred to in the Employment Regulations, article 16, would therefore be a contravention of a legal requirement (see rule 4A.1.1 (1), definition of protected report, paragraph (e) (ii)), and could itself be the subject of a protected report.
2 Also, see FSR, article 84 (1) (B) — retaliation against such an employee would contravene article 16 of the Employment Regulations, thus is a contravention of a relevant requirement, and could therefore give rise to disciplinary or enforcement action under FSR, Part 9.
3 However, article 16 protects only employees; this Chapter requires anybody who makes a protected report to be protected against retaliation.
(3) An authorised firm must nominate an appropriately senior individual to oversee the implementation of the firm's protected reporting policy.

Guidance
The individual nominated need not be an employee or even a board member, but could for example be a legal adviser in an outside law firm.
(4) An authorised firm that receives a protected report must notify the Regulatory Authority within 5 business days.
(5) An authorised firm's governing body must ensure that the firm's protected reporting policy is reviewed at least once every 3 years by:
(a) the firm's internal auditor; or
(b) an independent and objective external reviewer.
(6) An authorised firm must provide regular training for all of its officers and employees on its protected reporting policy and the applicable procedures. In particular, the firm must provide appropriate specialist training for the officers and employees who are responsible for key elements of the policy.
(7) An authorised firm may outsource the implementation of its protected reporting policy. If the firm does so, it must ensure that the outsourcing agreement:
(a) nominates the individual referred to in subrule (3); and
(b) otherwise provides appropriately for the implementation of the firm's obligations under the policy.
Inserted by QFCRA RM/2018-3 (as from 1st May 2018).
Amended by QFCRA RM/2021-1 (as from 1st July 2021)