Guideline on Whistleblowing Procedures for Banks and Authorized Foreign Banks

Publication date: March 18, 2022
Effective date: June 30, 2022

I. Introduction

1. The Financial Consumer Agency of Canada (FCAC) has developed a Guideline on Whistleblowing Procedures for Banks and Authorized Foreign Banks (Guideline) to set out its expectations with respect to Banks’ (including federal credit unions’) and Authorized Foreign Banks’ (Banks) implementation of the whistleblowing provisions in the Bank Act.

2. Part XVI.1 of the Bank Act establishes the whistleblowing provisions that apply to Banks. A Bank must establish and implement policies and procedures for dealing with matters in relation to a wrongdoingFootnote 1  (Policies and Procedures), the particulars of which have been reported to the Bank by an employee.

3. FCAC encourages other federally regulated financial entities, such as trust and loan companies and insurance companies, to review this Guideline to develop and implement or improve their Policies and Procedures. 

4. A Bank is responsible for ensuring it meets the whistleblowing requirements established in the Bank Act.

5. A Bank, and any parties subject to the requirements in s. 627.15 of the Bank Act (Third Parties), should ensure that employees of the Third Parties have access to the Bank’s Policies and Procedures and can report wrongdoings to the Bank or the Third Party as if they were employees of the Bank. In addition, Banks should ensure that Third Parties comply with the prohibition from retaliationFootnote 2  set out in the Bank Act.

6. FCAC recognizes that Banks may tailor their Policies and Procedures to align with the nature, size and complexity of their business, distribution channels and products and services. 

7. This Guideline should be read in conjunction with all applicable legislation and regulations. 

II. Key principles

8. A Bank’s senior management and the committee of the board responsible for the Bank’s compliance with consumer provisions—or, in the case of an Authorized Foreign Bank, its senior management—should oversee the establishment and implementation of Policies and Procedures and communicate and demonstrate support for whistleblowing throughout the organization. In establishing the Policies and Procedures, a Bank should be guided by the following principles: 

Effectiveness

A Bank’s Policies and Procedures should be comprehensive and implemented to receive and deal with reports of wrongdoing in a fair and consistent manner, where employees are encouraged to report a wrongdoing. 

Accessibility

A Bank’s Policies and Procedures should be easy for employees to locate, navigate and understand. 

Safeguards

A Bank’s Policies and Procedures should ensure that the identity of an employee who reports a wrongdoing, and any information that could reasonably be expected to reveal the employee’s identity, will be kept confidential. The Policies and Procedures should also demonstrate how the Bank protects employees against retaliation.

III. Effective whistleblowing Policies and Procedures

9. To be effective, a Bank’s Policies and Procedures should specify the process for dealing with reports of wrongdoing to promote a culture of compliance, including: 

9.1 providing for the allocation of adequate financial, technical and human resources to deal with reports of wrongdoing in a fair, consistent and objective manner at all levels of the Bank’s whistleblowing process 

9.2 demonstrating that safeguards are in place to avoid conflicts of interest

9.3 establishing a regular review process to improve its Policies and Procedures: 

9.3.1 the Bank should be able to demonstrate how the outcomes of the review are implemented as changes or additions to its Policies and Procedures and should communicate those changes or additions to all employees

9.4 demonstrating that a process is in place to determine whether a disclosure from an employee is a report of wrongdoing:

9.4.1 the Bank’s Policies and Procedures should demonstrate that all reports of wrongdoing will be investigated appropriately and in a timely manner

Organizational commitment

10. All employees should be encouraged to report wrongdoings. A Bank should issue a statement of support throughout the organization and demonstrate that it supports the reporting of wrongdoing at all levels. The statement of support should include a statement regarding the prohibition from retaliation.

11. A Bank should appoint 1 or more employees to be responsible for working closely with senior management to oversee the development and implementation of its Policies and Procedures, including adequate resources to maintain, monitor and assess the effectiveness of its Policies and Procedures.

Training

12. A Bank’s Policies and Procedures should include:

12.1 a commitment to regular and ongoing training for employees that covers all aspects of the Policies and Procedures, with the aim of encouraging reporting

12.2 specific and tailored training for all employees who deal with reports of wrongdoingFootnote 3  

12.3 a process for focusing training on employees who have a greater opportunity to witness, detect or contribute to a wrongdoing because of the responsibilities of their position.

12.4 a process to demonstrate how employees will be made aware and receive training when changes or additions are made to relevant legislation, regulations and/or guidelines, including what could be considered a wrongdoing

13. A Bank should ensure accessibility to all training materials.

IV. Accessible whistleblowing Policies and Procedures

14. A Bank’s Policies and Procedures should demonstrate that all steps of the process will be fair, impartial, timely and maintain confidentiality.

15. A Bank’s Policies and Procedures should include information about the steps the Bank will take when it receives reports of wrongdoing, conducts investigations and reports findings and outcomes of investigations. 

16. A Bank’s Policies and Procedures should indicate how the Bank will make employees aware of their ability to report wrongdoings, including clearly indicating all options regarding how and to whom employees can report wrongdoings. It should also make employees aware of the resources that are available to support them in reporting wrongdoings.

17. A Bank’s Policies and Procedures should be easy for employees to locate, navigate and understand. The Policies and Procedures should: 

17.1 be written in language that is clear, simple and not misleading

17.2 indicate that the available internal channels at the Bank and external channels to report a wrongdoing will be easily accessible to all employees 

17.3 include the definition of wrongdoing and examples of wrongdoing for each of the subsections identified in the definitionFootnote 4  

18. A Bank should provide information about its whistleblowing process in a confidential manner to its employees, including employees of Third Parties, and make it available to those who wish to make anonymous reports of wrongdoing. At any time during the process of reporting a wrongdoing, employees should be able to access information about a Bank’s whistleblowing process confidentially.

19. Information about a Bank’s whistleblowing process should be provided confidentially by an appointed senior officer(s) or external entity or made available confidentially through a whistleblowing hotline. Policies and Procedures should document how to access this information, including the relevant contact information.

20. A Bank’s Policies and Procedures should indicate that employees have the choice of reporting a wrongdoing internally at the Bank or directly to the Commissioner of the Financial Consumer Agency of Canada (Commissioner), the Office of the Superintendent of Financial Institutions (Superintendent), any other government agency or body that regulates or supervises financial institutions, or a law enforcement agency.Footnote 5

21. A Bank’s Policies and Procedures should provide employees with contact information to report wrongdoing externally to the Commissioner and/or Superintendent.

22. A Bank’s Policies and Procedures should include information regarding other channels that employees can use to make a complaint or file a grievance that would not be considered a report of wrongdoing.

V. Safeguards

23. A Bank’s Policies and Procedures should include measures for demonstrating how an employee’s identity—and any information that could reasonably be expected to reveal their identity—will be kept confidential throughout the process of reporting a wrongdoingFootnote 6  as well as how any advice provided will be kept confidential.

24. A Bank’s Policies and Procedures should allow for reports of wrongdoing to be made anonymously.

25. A Bank’s Policies and Procedures should include access restrictions for confidential information, with access rights for specific employees.

26. A Bank’s Policies and Procedures should include measures against the misuse of information that could reveal the identity of the employee, should commit to explaining these measures to employees who report a wrongdoing, and should make information about these measures available to those who wish report anonymously. 

Exceptions to confidentiality

27. A Bank’s Policies and Procedures should indicate that a Bank may consider disclosing the identity of an employee, and/or information that could reasonably be expected to reveal their identity to the Commissioner, the Superintendent, a government agency or body, or a law enforcement agency, if the disclosure is necessary for the purposes related to an investigation.

28. A Bank’s Policies and Procedures should indicate that persons and entities identified in subsection 979.2(4) of the Bank Act may disclose to each other the identity of an employee and/or information that could reasonably be expected to reveal their identity.

29. A Bank’s Policies and Procedures should include safeguards for the secure transfer of identifying information to the Commissioner, the Superintendent, government agency or body, or law enforcement agency if this information is considered necessary for purposes related to an investigation.Footnote 7

30. A Bank’s Policies and Procedures should indicate how the Bank will inform employees when their identity or information that could reveal their identity has been disclosed, and to whom, and that the employee will be informed of such disclosure when it has been made by the Bank.Footnote 8

Prohibition from retaliation

31. A Bank's Policies and Procedures should indicate that it is prohibited from retaliating against an employee for reasons set out in the Bank Act. Policies and Procedures should describe the measures that the Bank will take to protect against dismissing, suspending, demoting, harassing, disciplining or otherwise disadvantaging an employee for reporting a wrongdoing.Footnote 9

VI. Administrative

32. A Bank may identify breaches of consumer provisions as a result of investigating a report of wrongdoing. In such cases, the Bank should assess whether the breach should be reported to FCAC as outlined in the FCAC’s Mandatory reporting guide for federally regulated financial institutions. A Bank’s Policies and Procedures should indicate that, when reporting, FCAC expects the Bank to identify that it became aware of the breach through a whistleblowing report.

33. A Bank should maintain a record of all the reports of wrongdoing it receives and investigates, including any anonymous reports of wrongdoing and any received by or in relation to a Third Party.

VII. Miscellaneous

34. Questions relating to this Guideline can be sent by email to compliance@fcac-acfc.gc.ca or by mail to:

Financial Consumer Agency of Canada
Attention: Deputy Commissioner, Supervision and Enforcement Branch
427 Laurier Ave West, 6th Floor
Ottawa, ON K1R 5C7

Report a problem or mistake on this page
Please select all that apply:

Thank you for your help!

You will not receive a reply. For enquiries, contact us.

Date modified: