Is there a law to protect whistleblowers? If so, which law?

From a public law perspective, the Guidelines for the Promotion and Operation of the System of Internal and External Corruption Whistleblowing Citizens and the Protocol to Protect Corruption Whistleblowers issued by the Mexican Ministry of Public Service contain measures to be observed exclusively by federal public officials, directed towards protecting individuals reporting alleged acts of corruption, human rights violations and harassment committed by federal public officials through a platform overseen by said Mexican Ministry of Public Service. Such a Ministry relies on a "Reports and Citizen Attention Coordination” and an "Attention and Whistleblowing Protection Direction” to issue protocols to protect whistleblowers. In addition, the General Law of Administrative Responsibilities ("LRGA,” for its acronym in Spanish) establishes that public officials reporting serious administrative faults may request reasonable security measures, holding administrative authorities to conceal the identity of the anonymous complainant submitting the reports after which they begin their investigation processes.

From a private law perspective, there is no specific law binding companies to protect internal whistleblowers. The LGRA foresees mechanisms to be observed by private parties in implementing self-regulating mechanisms and an integrity program to include a whistleblowing system guaranteeing the protection of its users, for which only indicative guidelines have been developed. Nonetheless, private parties are held to comply with general provisions in regard to data privacy and confidentiality (contained in the General Law for the Protection of Personal Data in Possession of Obliged Parties) and human rights and antidiscrimination (mainly referred in Mexico´s Federal Constitution, the Federal Law to Prevent and Eliminate Discrimination and their state similes), which may serve as protective measures for whistleblowers in addition to the provisions contained in a series of international instruments for which Mexico is a part of such as the United Nations Convention Against Corruption.

Are companies legally obliged to introduce a whistleblowing system?

According to the Mexican legal framework, companies are not obliged to introduce a whistleblowing system but is instead left to their discretion as part of the implementation of an adequate "due control” or "organization, management and risk prevention model” (in the criminal sphere) and an "integrity policy” (in the administrative sphere). Together, they make up the basis for an ethics and compliance program ("compliance program”), for which guiding criteria issued by public authorities do exist, including non-binding standards for the establishment of whistleblowing systems, from which the descriptions provided below are drawn.

If so, which companies must introduce a whistleblowing system (number of employees, turnover, sector)?

As mentioned above, companies are not obliged to introduce a whistleblowing system. Nevertheless, all companies are advocated to implement whistleblowing systems, as all legal entities, regardless of their distinctive traits, may be held liable for the commission of a series of crimes, serious administrative faults, and other legal infractions for which proof of the implementation of an adequate compliance program, including a whistleblowing system, may serve to mitigate and in other cases to exclude, the consequences resulting from such.

What forms can a whistleblowing system take (written, verbal, email, electronic tool)?

The whistleblowing system shall be known and accessible, enabling its use by offering a broad range of channels of communication for people to file their complaints in writing (delivered in a filing office or sent to a specific email address), verbally (in an in-person mode, to the Committee established for such purpose), digitally (through the website established for such purpose) or by other means (such as through the establishment of a hotline).

Which reports must be permitted?

All bona fide reports, based on legitimate suspicions of possible violations of the company´s internal provisions and/or other applicable legal provisions in matters pertaining to the commission of a series of crimes (among others, corruption, including illegal inducement, influence peddling, fraud, and money laundering), serious administrative faults (among others, bribery and influence peddling to induce the authority) and other breaches to other applicable provisions (in matters pertaining among others to bribery, fraud, human rights, data management, labor, environment and antitrust matters, and conflict of interest), to guard any kind of connection with the company, must be permitted and processed accordingly.

Must anonymous reporting be guaranteed?

Although it is left for the companies to determine within their internal whistleblowing policies whether anonymous reporting shall be allowed, confidentiality must be guaranteed and always kept regarding the reports received, the parties involved and the investigation process, assuring that no retaliations shall be made against its users.

Who must be able to provide information (only employees or also external third parties)?

Employees of the company (including those of the parent company, its subsidiaries and/or affiliates), third parties guarding connection with the company (suppliers, customers and/or stakeholders) and others to have knowledge of possible breaches, must be able to provide information through the channels of communication implemented for such purpose.

Can companies rely on one centralized hotline or is it necessary to have one hotline for each subsidiary?

Although companies with subsidiaries may opt to rely on one centralized hotline to receive, process, and review all the complaints arising from the parent company and its subsidiaries and/or affiliates, considering language barriers (if such subsidiaries and/or affiliates were to be located in other countries) and the fact that the requirements set forth by law in regard to the extent to which certain terms are understood and other reporting legal duties may vary from jurisdiction to jurisdiction, it is recommended for such centralized mechanism to be supported by local bodies to which local cases may be referred to.

Can a whistleblowing system also be operated by an external body (e.g. consultant)?

As a way of guaranteeing confidentiality and objectiveness during the process, companies may opt to confide the management of their whistleblowing system to an autonomous internal body (integrated by experienced people in the subject matter and of undisputable reputation) or an external body, who shall then report to an autonomous internal body and/or to the top management.

Are sanctions imposed for failure to introduce a whistleblowing system?

The omission of a compliance program containing a whistleblowing system does not result in sanctions. Rather, having it may serve to exclude or mitigate the liability for which companies may be subject to if found liable for a series of crimes, serious administrative offenses and/or other breaches to other applicable legal provisions.