Expert's opinion

Some clarifications on Whistleblowing

As is well known, Legislative Decree no. 24/2023 directly concerns all companies, regardless of size, which have adopted an Organisation, Management and Control Model pursuant to Legislative Decree no. 231/2001 (so-called MOG 231).

The new regulation, by entirely repealing paragraphs 2-ter and 2-quater and completely reformulating paragraph 2-bis of art. 6 of Legislative Decree no. 231/2001, has also profoundly affected the administrative liability of entities: following the reform, the reporting channels already used within the MOG 231 will no longer be considered compliant and will have to be modified in line with the provisions of Legislative Decree no. 24/2023.

Moreover, the previous regulations allowed the company a certain flexibility in the means and organizational tools used to implement the reporting channels.

In a nutshell, these channels were required to allow employees and close collaborators to report violations relevant under Legislative Decree no. 231/2001, while guaranteeing the confidentiality of the whistleblowers and their protection from possible retaliation; in turn, the disciplinary system was required to punish those who carried out retaliation and/or made false reports with willful misconduct or gross negligence.

Based on the above, application practice had led companies, especially smaller ones or those with more limited resources, to implement mailboxes that were often managed directly by the Supervisory Board.

In this context, the reform has revolutionized the entire pre-existing system, providing for a series of innovations whose real scope will probably be fully understood only after the issuance, by 30 June 2023, of the ANAC Guidelines and the consolidation of new operating practices.

In fact, with regard to the object of the reports - "what" can be reported - the reform brings about some significant changes, namely:

  • companies that employed fewer than 50 workers in the previous year are only required to activate an internal reporting channel that only concerns violations of MOG 231;
  • companies with more than 49 workers will have to provide for a reporting channel that also addresses violations of EU law (with a consequent extension of the objective scope);
  • companies that must be considered as public entities and/or that provide public services - and have a MOG 231 -, regardless of the number of employees, will have to provide a reporting channel which, in addition to the previous ones, also concerns administrative, accounting, civil or criminal offenses that harm the public interest or the integrity of the administration.

The use of an e-mail box as a reporting channel also deserves further consideration. Although it is not expressly prohibited, it certainly no longer represents a tool that, alone, can be considered sufficient, functional or even suitable. One of the central aspects of the reform is that the reporting channel is no longer simply a tool through which reports can be made, but rather a real instrumental and procedural apparatus, which impacts the entire organization. In fact, this channel should:

  • be managed by a dedicated person, office or external subject, having adequate autonomy and specific training;
  • allow reports to be made in written, oral or face-to-face form;
  • ensure the adequate documentation or recording of oral or face-to-face reports;
  • store data in compliance with the GDPR;
  • encrypt data, documents or information relating to reports, tracing and compartmentalizing the related access data, etc.

Therefore, since a mailbox cannot be used on its own, it is simply uneconomical compared to the platforms or suites available on the market today, which are capable of supporting all the necessary tools in a single product.

Lastly, the reform provides for the need to extend the scope of application of the corporate disciplinary system, providing for penalties against those who:

  • have committed retaliation, obstructed or attempted to obstruct a report, violated the confidentiality obligation;
  • have not set up the reporting channels or adopted the procedures required for making and managing reports, or have adopted procedures that do not comply with those set by law, or have not carried out the verification and analysis of the reports received;
  • have made a false report with willful misconduct or gross negligence.

However, the decision to extend the application of administrative and disciplinary sanctions to cases of mismanagement of the channel and/or of the reports seems fraught with consequences, in at least two respects.

Firstly, from an organizational point of view, it appears to involve the need to:

  • guarantee the channel's internal managers adequate tools and resources for the purpose, so that they can be fully autonomous and, subsequently, personally liable for any inadequate management;
  • or provide contractual remedies suitable for punishing any breaches by external managers, as well as indemnities in relation to the liability (including liability in tort) which the company could face in the event of irregularities being found.

Secondly, from a systematic point of view, it would seem to place the Supervisory Board (SB) in quite a delicate position. On the one hand, Legislative Decree no. 24/2023 provides that the reporting channels are an integral part of the MOG 231, thus forcing the SB to supervise their management within the scope of its activities. On the other hand, if the SB were entrusted with more than the mere supervision of the channel, it would have an organizational and management responsibility which is not suitable for a body which, pursuant to Legislative Decree no. 231/2001, is characterized by its independence from the company administration. Moreover, the SB would govern a part of the activities which it would also be obliged to supervise, thus entering into a conflict of interest with respect to its own function.