Hotlines are one of the most effective and cost-efficient external mechanisms that a corporation can deploy in its compliance program. This solution has been used by companies for more than 40 years. Depending on the size and complexity of an organization, hotlines also have been adopted by companies in the past decade as a best practice for fraud detection and to promote the integrity and compliance of an organization.
Various legislative initiatives have increased the use of hotlines, including the U.S. Sarbanes–Oxley Act of 2002 (SOX) and the United Kingdom’s Public Interest Disclosure Act (PIDA), which came into force in the United Kingdom in 1999. As a response to several high-profile corporate scandals, SOX implemented reporting requirements for accounting and audit matters of public companies (each audit committee shall establish procedures for “the receipt, retention, and treatment of complaints received by the issuer” as well as “confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters”). The establishment of external hotlines satisfied the legislative requirements. Similarly, the U.S. Securities and Exchange Commission (SEC) adopted rules to create a whistleblower program of its own. As announced by the SEC on May 25, 2011, the SEC whistleblower program, created under Section 922 of the Dodd–Frank Act, “rewards individuals who provide the agency with high-quality tips that lead to successful enforcement actions.” Awards are available to individuals who voluntarily provide original information to the SEC that results in a successful enforcement action in which the SEC obtains sanctions totaling more than $1 million.
The SEC has awarded more than $1.3 billion to 328 whistleblowers since the inception of the program. Awards started out relatively modestly early in the program’s history but have gotten progressively larger. On May 5, 2023, the SEC announced the largest-ever award to a whistleblower at almost $279 million. This is more than double the previous largest award in October 2020, which was $114 million. During the fiscal year ending in September 2022, the SEC received the largest number of submissions to the program in its history (more than 12,300) and issued 103 whistleblower awards, totalling over $229 million. Similarly, Britain created PIDA after inquiries into several major disasters revealed that dangerous conditions had persisted at certain companies for many years, and employees didn’t feel there was a mechanism to address the conditions or that their concerns would be acted upon. PIDA created protections for persons who might disclose such information. British employers, keen to keep such disclosures internal and avoid prosecution under PIDA, introduced internal hotlines to receive reports of dangerous practices. The passage of SOX in the US served as a catalyst for various federal agencies to assess internal controls and reporting and response consistency to reports of improprieties. This resulted in encouragement to have whistleblower solutions by the U.S. Office of Government Ethics’ internal mandate under and by requirements or encouragements such as the Hatch Act, the Whistleblower Protection Act, the Federal Employee Protection of Disclosures Act, and OMB Circular A-123.
Hotlines have become viewed as cheap insurance against fraud, waste, and abuse; corporate malfeasance; health and safety; harassment and other human resources–related issues; and equal employment and affirmative action claims. According to the most recent Report to the Nations by the Association of Certified Fraud Examiners (ACFE), the average organization loses up to 5% of its annual revenue to fraud each year, with the median loss of $117,000 per case. The average loss for financial statement is the least common yet generates the highest losses with a median loss of $593,000 per case. Obviously, the longer a fraud persists, the more financial damage it causes the company. With the average duration of a fraud being 12 months from commencement to detection, the early detection or prevention of fraud can pay for the hotline and case management operations for many years. The ACFE found that 42% of all fraudulent schemes were detected by a tip, with more than half of those tips coming from employees. Hotlines were used by whistleblowers in 27% of all cases reported.
Hotlines should not be viewed as a primary, or even initial, means of prevention or detection of illegal, unsafe, or detrimental practices. Within most organizations, reports of malfeasance or misconduct should first be made to the employee’s supervisor or an internal department (human resources, legal, compliance, etc.), and the hotline should be the final reporting option or a safe haven if anonymity is required. Employees and managers should be trained on a company’s ethics and compliance requirements, usually through a code of conduct or similar document.
Additional training needs to reinforce a company’s commitment to ethics and compliance while ensuring complaints are not mishandled or downplayed. Furthermore, the training should make clear that attitudes and conduct that undermine a commitment to ethics and compliance are not tolerated, and ethics and compliance are strongly backed by senior leaders and the board of directors. Unfortunately, because of the emphasis placed on the hotline by SOX, PIDA, and other legislation, a company can place an inordinate amount of emphasis on the existence of a hotline and its ability to prevent and discover ethical and compliance breaches. The hotline is an important tool in an organization’s arsenal of detection and prevention, but it should be designed to support and complement an overall issue awareness strategy.
Establishing an effective issue awareness strategy provides an opportunity to instill confidence in the corporation’s desire to develop and maintain a positive culture of integrity and compliance. This value can be enhanced with transparency of the inquiry as well as an issue awareness and resolution process.
Choosing a Reporting Solution
Defining and developing a reporting solution begins with an analysis of your organizational complexity. Your organization’s size, industry, operational geographies, operational style (centralized or decentralized; union or non-union; weak culture or strong culture; complexity or magnitude of programs, operations, and transactions; extent of manual processes or applications; etc.), and historical significance of risk are the primary considerations. Additional consideration should be given to the primary industry or industries you serve. Each industry has a unique set of regulatory requirements and common risk components that should be serviced by the reporting solution. Finally, your organization’s risk tolerance and social responsibility goals should be factored in to ensure the appropriate level of rigor and process complexity is applied.
Hotline reports should not be limited to reports of fraud and abuse. An important aspect of any good reporting solution is the ability for stakeholders to inquire about their potential actions when confronted with an ethical dilemma or to express a concern for something they believe may be occurring. It is also important to provide feedback to the reporting stakeholder as to what they can expect from the reporting process, and if you have other reporting or support vehicles in place, where and how to use them. It is important to structure the hotline system to receive actionable reports and shift frivolous concerns or other such feedback to more appropriate venues.
The most common areas of reporting for a hotline are:
Corruption, theft, and fraud;
Finance and accounting concerns;
Information or asset misuse and access;
Customer/partner/competitor concerns, including the Foreign Corrupt Practices Act;
Equal opportunity/affirmative action matters;
Environmental, health, and safety;
Industry-specific regulatory risks;
Harassment and other human resources–related issues; and
Given the generational dynamics of today’s workforce, a hotline solution should be a combination of web and telephone intake. Regardless of the method of reporting, hotlines must be trustworthy from the potential reporter’s point of view. While it is possible for organizations to consider installing a toll-free line and answer calls within their organization, it is generally not cost- or process-effective. Potential reporters, especially employees who are most likely to witness issues for which the hotline was created, often don’t believe that a company-created and staffed hotline will provide a confidential forum and fear retaliation. Selection of a third-party vendor ensures 24/7/365 access and availability as well as a degree of stakeholder assurance that only comes from a third-party operator. Some organizations may desire or choose to employ an ombudsman to receive and respond to certain hotline reports. This choice is often based on the culture and makeup of the organization and can prove very effective.
The choice an individual organization makes on a reporting mechanism will ultimately depend on the culture of the organization. Those organizations with a small, tightly knit employee population may favor an approach that a larger organization would find unworkable. The opposite may also be true. Regardless of how an organization chooses to implement its hotline, its presence, objective, and guidelines must be clearly communicated to the stakeholders—employees, vendors, spouses, and customers—to ensure the solution’s effectiveness. Nothing is more damaging to employees’ and other stakeholders’ beliefs in a hotline solution than to see complaints mishandled, downplayed, or not followed up on or attitudes and conduct that undermine a commitment to ethics and compliance. These behaviors cannot be tolerated, and senior leaders and the board of directors need to send a strong and consistent message that ethics and compliance are valued throughout the organization.
Multinational organizations implementing a global reporting system are faced with a special set of challenges and complexities due to the various data protection laws and cultural differences among countries. In some cases, countries have passed laws or issued rulings that appear to be at odds with anonymous reporting systems, such as those mandated by the SOX.
The Commission Nationale de l’Informatique et des Libertés (CNIL) guidelines and subsequent recommendations brought forth by Germany, Belgium, and the European Union (EU) require diligent, thoughtful application and a systematic operational thoroughness.
If your organization operates worldwide, there are a number of agencies and groups that must be considered before deploying your hotline, and the list is growing. The primary groups to consider are:
European Union: European Data Protection Board
Germany: Düsseldorfer Kreis
Belgium: Data Protection Authority
Ireland: Data Protection Commission
Japan: Financial Instruments and Exchange Act (commonly referred to as J-SOX)
Spain: Agencia Española de Protección de Datos/Ley Orgánica de Protección de Datos de Carácter Personal (AEPD/LOPD)
Canada: Personal Information Protection and Electronic Documents Act
When operating a whistleblower hotline outside the United States, it is important to use the local language, and, when socializing the hotline with stakeholders, it is critical to explain the purpose and process of the hotline.
Organizations should stress anti-retaliation protections and take steps to demonstrate the solution’s anonymity safeguards. When describing the hotline process, ensure stakeholders understand certain categories of personal data are outside the boundary of the hotline’s reporting capabilities under EU data privacy law.
As an example, employers operating in France since 2005 are required to register their whistleblowing schemes with the CNIL. This was routinely done by self-certifying under the CNIL’s Single Authorization (AU-004), which indicated that the whistleblowing scheme complied with the pre-established conditions set out in this authorization. Originally, the scope of the Single Authorization was limited to finance, accounting, banking, corruption, and compliance with Section 301(4) of SOX, which required the establishment of confidential procedures for anonymous submission of questionable accounting or auditing matters and the company’s treatment of those reports. But since then, the CNIL has permitted an extension of the scope of whistleblower schemes to include reports of anti-competitive practices; compliance with the Japanese Financial Instruments and Exchange Act; and certain non-financial topics, including workplace discrimination, harassment, safety, hygiene, and environmental protection.
What gets included in these categories will vary from country to country, but examples include data relating to racial or ethnic origin, health, religious or political opinions, and criminal records. It is also important to recognize many EU countries require formal consent by the stakeholder reporting into the hotline for this data to be used and transmitted. This consent can be easily made a part of the hotline script or online reporting tool.
In an effort to satisfy the regulations of SOX or other legislative requirements, US companies with EU-based affiliates often find themselves with information gathered in the EU. To transfer or allow access to such information by the US parent requires compliance with the EU data protection rules. Historically, organizations had enjoyed convenience and protections under, first, the U.S.–EU Safe Harbor Framework, and then later, the EU–U.S. Privacy Shield. But the EU Court of Justice ruled on July 16, 2020, that the Privacy Shield Framework is no longer a valid mechanism. The U.S. Department of Commerce and the European Commission have initiated discussions to determine the possibility for an enhanced EU–U.S. Privacy Shield Framework.
On July 10, 2023, after almost three years, the European Commission adopted an adequacy decision for European Union and United States transfers of personal data, known as the EU-U.S. Framework. The EU Commission concluded that "the United States ensures an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to US companies under the new framework." To join the EU-U.S. Data Privacy Framework, US companies will have to commit to complying with a detailed set of privacy obligations which include, among other things, a requirement to delete data that is no longer necessary for the purpose for which it was collected and to ensure similar protections when shared with third parties. In addition, the new legal framework includes several safeguards against US public authorities accessing data transferred under the new framework, especially in the context of access for criminal law enforcement and national security. Such access is to be limited to "what is necessary and proportionate to protect national security."
Communicating the Reporting Solution
Just because you have a hotline doesn’t mean people will use it. You must create a communication stream that not only asserts the existence of the hotline, but communicates its value, its objectives, and the organization’s commitment. Tone from the top and publicity around the hotline via posters, wallet cards, training, and even creating YouTube videos will help assure the use and importance of your hotline.
A successful hotline solution requires the organization’s commitment to maintaining a culture that promotes the prevention, detection, and resolution of instances of conduct that do not conform to law, regulation, policies, or procedures.
A good initial introduction or reintroduction to your employees would include a communication from the CEO announcing the hotline’s existence, its importance to the organization’s core values, and a declaration of support for its use. The most common ways to publicize the hotline would include emails, posters, brochures, wallet cards, newsletter articles, website pages, code of conduct, and training events.
Continued reinforcement by the senior management team to express their support of the initiative will be much more effective than a “one-and-done” approach. Emphasis needs to be placed on the organization’s commitment to the program along with a reminder that retaliation of any sort will not be tolerated.
The CEO should make clear that not only are employees encouraged to use all of the organization’s reporting methods, but also that they are expected to use the hotline if they become aware of, or are asked to participate in, a compliance violation and feel they have no other avenue to report. Companies should view an ethics communication campaign as an advertising initiative that seeks to inspire a certain behavior within the workforce.
With multiple generations operating in the workforce now, using a combination of communication vehicles to publicize the hotline is necessary. Know your audiences and ensure that publicity for the hotline communicates your organization’s appreciation and willingness to accept feedback through the hotline. However, based on your code of conduct and other policies, it can be important to reinforce the hotline as a tool in your arsenal along with other reporting options, such as your open-door policy. For large companies with employees in many different locations, one of the most effective ways to build awareness of the hotline, while reinforcing the need for open and honest dialogue, is to get line managers involved.
A recent development for hotlines is to encourage not just the reporting of unethical behaviors, but also honoring those who have exhibited ethical behavior in challenging circumstances. Remember, the hotline can be a positive tool—use it to promote and support the behavior you desire from your organization.
An important component of the hotline’s operation is determining how to support the desire for transparency during the inquiry and its resolution. You must decide, most likely with the assistance of your legal department, the nature and amount of feedback you will provide to those who make reports. It is important to provide assurance to reporters that they have been heard and that you are committed to the consistent enforcement of corporate behavioral expectations. Features that may assist this effort include providing a confidential report number and password known only to the reporter, which allows them to anonymously check on the company’s response to their report. This feature also gives you the ability to initially research the report and ask additional, clarifying questions, and companies should encourage the reporter to provide additional information. Additionally, never miss the opportunity to reinforce your commitment to nonretaliation for those willing to assist the corporation in its self-regulation.
Anonymous versus Confidential
While it may seem unimportant, there is a common confusion between respecting the confidentiality and anonymity of a reported incident. Anonymity relates to protecting the identity of the individual who reported the issue or event, and confidentiality relates to the protection of the reported information.
Ultimately, thinking through the data flow from initial report through distribution, escalation, and resolution is a priority when establishing your hotline. It is important to control the flow of data and ensure that implicated parties, who may be recipients of hotline reports, are removed from the review process and denied access to the report. This step ensures that if an individual is named or implicated in the report, the company has an alternate data flow, including potential escalations, to address the issues implicated in the report.
The aforementioned 2022 ACFE report found that the primary reason employees choose not to report their concerns or observations is fear of being subjected to retaliation, retribution, or harassment for reporting the concern. Therefore, a nonretaliation/nonretribution policy should be established. This policy will reassure employees who wish to report concerns through the hotline or directly through the chain of supervision or compliance department.
In most cases, training supervisors and managers is essential. Many organizations find that reports received into the reporting system can inflame and evoke a negative response from the persons in authority affected by the report. Therefore, it is critical to train managers and supervisors so they know they are not permitted to engage in retaliation, retribution, or any form of harassment directed against an employee who reports a compliance concern.
Retaliation claims continue to be an escalating issue for companies. The US Equal Employment Opportunity Commission (EEOC) released its fiscal year 2022 (October 1, 2021–September 30, 2022) statistics regarding individual charges filed, including charges of retaliation. The total number of individual charges filed had been decreasing since fiscal year 2011, with a noticeable drop-off in charges filed during FY 2020 and 2021 which most attribute to the worldwide COVID-19 pandemic. Notably, however, the percentage of charges alleging retaliation had been steadily increasing from FY 1997 through FY 2021. FY 2022 saw 51.6% of the claims alleging or including retaliation. The 37,898 charges alleging retaliation during fiscal year 2022 (up from 34,332 in 2021) resulted in monetary benefits to claimants in the amount of $39.7 million (up from $34.0 million in 2021), which does not include benefits obtained through litigation.
Triage, Escalation, and Investigation
Identifying those within your organization who will initially receive and review hotline reports is very significant. Equally important is the creation of standards of criteria, values, and indicators that suggest or require the escalation of reported issues.
One of the most important indicators is the nature of the reported issue. Many hotline reports are unsubstantiated and reflect the bias and unjustified frustration of the author, but most are immediately actionable. Perhaps the most important step in evaluating reports is determining which ones will need resolution. Likewise, selecting and training the individuals charged with triaging your hotline reports is perhaps one of the most important activities during your implementation process.
Once a report is received into your reporting solution, it is important to establish a procedure for responding back to the individual who submitted the report. Regardless of your hotline solution, it should enable you to respond, ask follow-up questions, and otherwise communicate with the individual making the report—whether anonymous or identified.
This follow-up can be as simple as a thank-you for reporting, but it can also be a means to reinforce your program’s resolution strategy. You may want to advise the reporter whether the resolution status will be shared with them. The majority of individuals who do not trust or use the hotline express fear of reprisal and the belief that nothing will be accomplished. Responding after a report is filed helps build credibility and value for your hotline solution. But remember, it is important to have your counsel review, prior to any hotline activity, your response strategy and your anticipated response remarks.
Regardless of the level of formal case management you deploy in your solution, it is important to establish a set of steps or guidelines for bringing a matter to consistent resolution. First, set a time expectation from the receipt through the review of the reported information. Next, assign a priority for the issue or matter reported. This assignment can be as simple as low, medium, or high, or something more elaborate. As noted above, this step would be the proper time to review the case for potential escalation. A case needing escalation can require specific steps for handling, the inclusion of key personnel in the process, or the inclusion of external resources. Your escalation strategy should also anticipate the elevation of a report to the chair of the audit committee or others on the board of directors. Devising the appropriate levels of protection or urgency should be based on a combination of reported information and other criteria.
You will find that a number of cases will open and close within a short period of time—sometimes the same day. Others will take much longer, and so it is important to establish a set of stages so that the resolution process can be designated by the case owner for tracking and measurement. Steps to take following a reported issue’s resolution should include more than just checking off a box showing the case was closed. Some indication of how the case was closed must be required. Simply “closed” or “resolved” will not provide your organization with the necessary analysis data points to ultimately improve your process.
Just as you devised a series of criteria and outcomes for escalation of the issue or matter, it is equally critical (especially in a decentralized organization operating in several locations) to define the potential levels of punishment and the procedures for tagging it or titling it for case management. The analytical review of your hotline, when properly established, can be invaluable to helping formulate and improve your ongoing preventive and reactive structures.
While there is no accepted or mandated data retention policy for US companies, don’t assume the data retention requirement for hotline data is the traditional seven years. Depending on your organization, there are myriad variables that will affect your hotline data retention policy. For instance, if you are a multinational or non-US company, the length of retention can be as short as 60 days post resolution, unless the issue has significance to the cultural values of the organization.
The best rule of thumb for retention of reports received from the hotline is a retention/destruction policy that mirrors the retention policy for similar information received or developed by your organization (e.g., for routine information gathered, investigated, and resolved, following the organization’s data retention policy. If a hotline report involves a potential EEOC violation, retain the information for the minimum required period by the applicable statute).