Proposed Guideline on Whistleblowing Policies and Procedures for Banks and Authorized Foreign Banks

I. Introduction

1. The Financial Consumer Agency of Canada (FCAC) has developed this draft Guideline – Whistleblowing Policies and Procedures for Banks and Authorized Foreign Banks (Guideline) to set out the Agency’s expectations with respect to banks’ and authorized foreign banks’ implementation of whistleblowing provisions in the Bank Act.

2. Part XVI.1 of the Bank Act sets out the requirements regarding whistleblowing provisions that apply to banks, including federal credit unions, and authorized foreign banks (Banks). A Bank must establish and implement policies and procedures for dealing with matters in relation to a wrongdoingFootnote 1  (Policies and Procedures), the particulars of which have been reported to the Bank by an employee.

3. FCAC encourages other federally regulated financial entities, such as trust and loan companies and insurance companies, to review this Guideline and develop, implement or improve their whistleblowing Policies and Procedures. 

4. A Bank is responsible for ensuring it meets the whistleblowing requirements set out by Part XVI.1 of the Bank Act.

5. A Bank, and any parties subject to the requirements in s. 627.15 of the Bank Act (Third Parties), should ensure that employees of the Third Parties have access to the Bank’s Policies and Procedures and can report wrongdoing as if they were employees of the Bank to the Bank or the Third Party. In addition, Banks should ensure that Third Parties comply with the prohibition against retaliationFootnote 2  under the Bank Act.

6. FCAC recognizes that Banks may tailor their Policies and Procedures in accordance with the nature, size and complexity of their business, distribution channels and products and services.

7. This Guideline should be read in conjunction with legislation and regulations. 

II. Key principles

8. A Bank’s senior management and the committee of the board responsible for the Bank’s compliance with consumer provisions should oversee the establishment and implementation of Policies and Procedures and articulate support for whistleblowing throughout the organization.

9. In establishing the Policies and Procedures, a Bank should be guided by the following principles: 

i. Effectiveness

A Bank’s Policies and Procedures should be comprehensive and implemented to receive and deal with reports of wrongdoing fairly, where employees are encouraged to report a wrongdoing. 

ii. Accessibility

A Bank’s Policies and Procedures should be easy for employees to find, navigate and understand. 

iii. Protection

A Bank’s Policies and Procedures should ensure the confidentiality of employees who report a wrongdoing as well as demonstrate how the Bank protects employees against retaliation.

III. Effective whistleblowing Policies and Procedures

10. To be effective, a Bank’s Policies and Procedures should include the following elements.

Organizational commitment

11. Policies and Procedures should indicate the process for dealing with reports of wrongdoing to promote a culture of compliance.

12. All employees should be encouraged to report wrongdoings. A Bank should issue a statement of support throughout the organization and demonstrate that reporting wrongdoing is supported at all levels of the bank. The statement of support should include a prohibition on retaliation.

13. Policies and Procedures should allocate adequate financial, technical and human resources to deal with reports of wrongdoing in a fair, timely and impartial manner at each step of the process. Banks should be able to demonstrate how adequate resources have been allocated. This includes appointing one or more employees to be responsible for working closely with senior management to oversee the development and implementation of its Policies and Procedures, with adequate resources to implement and maintain effective Policies and Procedures.

14. Policies and Procedures should establish a regular review to improve Policies and Procedures. Banks should be able to demonstrate how the outcomes of the review are implemented as changes or additions to Policies and Procedures and should communicate those changes or additions to all employees.

Investigating reports of wrongdoing

15. Policies and Procedures should demonstrate that a process is in place to determine whether a disclosure is a report of wrongdoing. Policies and Procedures should demonstrate that the report of wrongdoing will be investigated appropriately.

16. Policies and Procedures should indicate that investigations are fair and conducted in an impartial manner.

Training

17. Policies and Procedures should include a commitment to regular and ongoing training for employees that covers all aspects of the Policies and Procedures, with the aim of encouraging reporting. Specific and tailored training should be provided for all employees who deal with reports of wrongdoing.Footnote 3

18. Policies and Procedures should include a process for focusing training on employees who have a greater opportunity to witness, detect or contribute to a wrongdoing because of the responsibilities of their position.

19. Policies and Procedures should demonstrate how employees will be made aware and receive training when changes or additions are made to legislation, regulations and/or guidelines, including what could be considered a wrongdoing.

IV. Accessible whistleblowing Policies and Procedures

20. A Bank’s Policies and Procedures should include information on the steps the Bank will take when receiving reports of wrongdoing, conducting fair investigations and reporting findings of investigations, including a commitment to deal with reports of wrongdoing in a confidential and timely manner.

21. Policies and Procedures should indicate how the Bank will make employees aware of their ability to report wrongdoings, including clearly indicating all options regarding how and to whom employees can report wrongdoings. It should also make employees aware of the resources available to support them in reporting wrongdoings.

22. Policies and Procedures should be easy for employees to find, navigate and understand. They should:

23. A Bank should provide its employees, including those who wish to make anonymous reports of wrongdoing, with access to confidential advice. Confidential advice should be available at any time during the process of reporting a wrongdoing.

24. Confidential advice should be provided by an appointed senior officer(s) or an external, independent body, such as a whistleblowing hotline. Policies and Procedures should document how to access confidential advice, including the relevant contact information.

25. Policies and Procedures should indicate that employees are not required to report internally at the Bank, and that they can instead report directly to the Commissioner of the Financial Consumer Agency of Canada (Commissioner), the Office of the Superintendent of Financial Institutions (Superintendent), any other government agency or body that regulates or supervises financial institutions, or a law enforcement agency.Footnote 4

26. Policies and Procedures should provide employees with contact information to report wrongdoing externally to the Commissioner and Superintendent.

27. Policies and Procedures should include information to inform employees of other channels they can use to make complaints or file a grievance that would not be considered a report of wrongdoing.

V. Protection

28. A Bank’s Policies and Procedures should include measures for demonstrating how confidentiality will be maintained throughout the process of reporting a wrongdoing, including how the employee’s identity and information that could reveal the employee’s identity,Footnote 5  and advice provided, will be kept confidential.

29. Policies and Procedures should include safeguards against the misuse of information that could reveal the identity of the employee and commit to explaining these safeguards to employees who report a wrongdoing. Policies and procedures should also include access restrictions for confidential information, including the provision of access rights to specific employees.

30. Policies and Procedures should allow for reports of wrongdoing to be made anonymously.

Exceptions to confidentiality

31. A Bank’s Policies and Procedures should address when a Bank may consider disclosing the identity of an employee to the Commissioner, the Superintendent, government agency or body, or law enforcement agency.

32. Policies and Procedures should include safeguards for the secure transfer of identifying information to the Commissioner, the Superintendent, government agency or body, or law enforcement agency, if this information is considered necessary for purposes related to its investigation.Footnote 6

33. Policies and Procedures should indicate how the Bank will inform employees when their identity or information that could reveal their identity has been disclosed, and to whom, and that the employee will be informed of such disclosure when it has been made by the Bank.Footnote 7

Prohibition from retaliation

34. Policies and Procedures should include information on how the Bank is under a prohibition against retaliation. This should include measures that the Bank will take to protect against dismissing, suspending, demoting, harassing, disciplining or otherwise disadvantaging an employee for reporting a wrongdoing.Footnote 8

VI. Administrative

35. A Bank may identify breaches of consumer provisions as a result of investigating a report of wrongdoing. In such cases, the Bank should assess whether the breach should be reported to FCAC as outlined in the Agency’s Mandatory reporting guide for federally regulated financial institutions. Policies and Procedures should indicate that when reporting, FCAC expects the bank to identify that it became aware of the breach through a whistleblowing report.

Report a problem or mistake on this page
Please select all that apply:

Thank you for your help!

You will not receive a reply. For enquiries, contact us.

Date modified: