2024 WLG Whistleblower Guide: India
Is there a law to protect whistleblowers? If so, which law?
There is no single comprehensive legislation in India that provides protection to whistleblowers. In 2014, there was an attempt to codify a statute, and accordingly, the Whistle Blowers Protection Act, 2014 ("Whistle Blower Act") was enacted to file whistleblower complaints against public servants regarding corruption, wilful misuse of power, or commission of criminal offense by public servants. However, to date, the provisions of the Whistle Blower Act have not yet been enforced by the Central Government of India.
Furthermore, there are a few other statues containing provisions and schemes launched by few government agencies to protect and reward the whistle blowers.
Are companies legally obliged to introduce a whistleblowing system?
Yes. (i) listed companies, (ii) companies that accept deposits from the public, and (iii) companies that have borrowed money from banks and public financial institutions in excess of INR 500 million ((i), (ii) & (iii) collectively referred to as "Covered Companies") as per the Companies Act, 2013 ("Companies Act") read with the Companies (Meetings of Board and its Powers) Rules, 2014 ("Companies Rules") and Securities and Exchange Board of India (Listing Obligations and Disclosure Requirements) Regulations, 2015, (iv) Securities and Exchange Board of India ("SEBI") registered intermediaries like stock brokers, debenture trustee, custodians, asset management companies, alternative investment funds, mutual funds, foreign venture capital investors, etc., (v) insurers, (vi) investment managers of Infrastructure Investment Trusts ("InvITs") and (Real Estate Investment Trusts ("REITs”) and (vii) banking institutions such as commercial banks (including regional rural bank), all India Financial Institutions, Urban co-operative banks, State co-operative banks, Central co-operative banks and non-banking financial companies (including Housing Finance Companies) are mandatorily required to frame policies, code of conduct and other vigil mechanisms under the respective legislative framework governing such entities.
If so, which companies must introduce a whistleblowing system (number of employees, turnover, sector)?
Covered Companies, irrespective of the sectors, have to introduce whistle blowing system. Additionally, companies in banking, insurance and companies dealing in securities markets are also required to have whistle blowing systems.
What forms can a whistleblowing system take (written, verbal, email, electronic tool)?
Under the Companies Act, Protected Disclosures Scheme for Private Sector and Foreign Banks dated April 18, 2007, and Public Interest Disclosure and Protection Informers Resolution dated April 21, 2004 (as further amended vide the resolution dated August 14, 2013), the law does not prescribe the specific mode of communication. Companies generally prescribe e-mails, letters, toll-free numbers, etc., as reporting media to disclose the information. In various regulations like SEBI (Prohibition of Insider Trading) Regulations, 2015 ("SEBI PIT Regulations"), SEBI (Grant of Reward to Informant under Recovery Proceedings) Guidelines, 2023 ("SEBI DR Guidelines"), the Income Tax Informants Reward Scheme, 2018 ("IT Informants Reward Scheme") and Benami Transactions Informants Reward Scheme, 2018 ("Benami Informants Reward Scheme"), formats of complaints have been specified, and the same are required to be submitted through post in sealed envelopes or through e-mails.
Which reports must be permitted?
All whistleblowing policies permit complaints/disclosure of information regarding non-compliance/violation of specific laws, corruption, misuse of office/authority, actual or suspected frauds, misappropriation of funds, etc., under relevant statutes.
Must anonymous reporting be guaranteed?
Some regulations provide formats in which complaints must be submitted. The said forms require the informant to include his/her name, date of birth, address, mobile number, e-mail address, Aadhar number, passport, etc. In some schemes like the IT Informants Reward Scheme and the Benami Informants Reward Scheme, once the form is submitted, in order to maintain the secrecy of the identity of the informant, a unique informant code is allotted to the informant. Furthermore, in order to hide the privacy of the informant, laws recommend that an informant, while drafting the text of the complaint, expunge such information from the content of the complaint which could reasonably be expected to reveal his/her identity. Further, some regulators like Reserve Bank of India ("RBI") have specified that for the protection of the identity of the complainant, RBI will not issue any acknowledgment of receipt of the complaint, and the complainants should not enter into any further correspondence with RBI in their own interest.
Who must be able to provide information (only employees or also external third parties)?
Almost all regulations permit any person, foreign person, stakeholders, employees, directors and their representative bodies, customers, vendors, NGOs, members of the public, etc. to be whistleblowers.
Can companies rely on one centralized hotline or is it necessary to have one hotline for each subsidiary?
There is no specific mechanism for a whistleblowing hotline and various modes are adopted by a company such as post, e-mail address, toll-free number, website, etc., for the access/communication channels that are crucial for an effective whistleblowing mechanism. Further, as per the SEBI PIT Regulations, the board of directors may designate a division to function as the independent office of informant protection, which shall maintain a hotline for the benefit of potential informant. The laws in India put no limitation on one centralized hotline, so one common and centralized hotline can be established by a company to detect and address the potential frauds within a company group.
Can a whistleblowing system also be operated by an external body (e.g. consultant)?
Section 177 (9) and (10) of the Companies Act read with Rule 7 of the Companies Rules provides that:
The Covered Companies which are required to constitute an audit committee under applicable law shall oversee the vigil mechanism through the committee and if any of the members of the committee have a conflict of interest in a given case, they should recuse themselves and the others on the committee would deal with the matter on hand.
In the case of other Covered Companies, the board of directors shall nominate a director to play the role of audit committee for the purpose of a vigil mechanism to whom other directors and employees may report their concerns.
Having said that, the audit committee and board of directors are free to engage external/independent bodies such as lawyers, investigators, charted accountants, etc., to provide guidance or aid for the functioning of the whistleblower mechanism.
Under SEBI (InvITs) Regulations, 2014 and SEBI (REITs) Regulations, 2014, the investment manager/manager (as the case may be) may engage an independent service provider for providing or operating the vigil mechanism who shall report to the audit committee.
Are sanctions imposed for failure to introduce a whistleblowing system?
Yes, Section 178(8) of the Companies Act provides for a penalty of INR 0.5 million and every officer of the company who is in default shall be liable to a penalty of INR 0.1 million in case of non compliance.
In case of violation of the SEBI PIT Regulations and SEBI DR Guidelines, a penalty which shall not be less than INR 0.1 million but which may extend to INR 10 million can also be levied.
Any banking company that does not comply with the RBI regulations shall be punishable with a fine which may extend to INR 0.1 million, and where a contravention or default is a continuing one, with a further fine which may extend to INR 0.01 million for every day, after the first, during which the contravention or default continues.
As per the Insurance Act, 1938 also, any person who does not comply with the directions or policies of Insurance Regulatory and Development Authority of India (IRDAI) shall be liable to a penalty of INR 0.1 million for each day during which such failure continues or INR 10 million, whichever is less.
Further, as per SEBI guidelines for InvITs and REITs, non-compliance can lead to cancellation or suspension of registration, holding an inquiry, etc.
Who must be able to provide information (only employees or also external third parties)?