FCA Whistleblowing Obligations for Payment Institutions and EMIs

Whistleblowing is one of the most important mechanisms for detecting regulatory breaches, fraud, money laundering and misconduct within financial services firms. For FCA-authorised payment institutions and electronic money institutions, maintaining effective whistleblowing arrangements is both a regulatory obligation and a practical safeguard against the accumulation of unchecked compliance failures. This article examines the legal framework, FCA expectations and practical implementation steps for payment firms.

What Are the FCA Whistleblowing Requirements?

The FCA's whistleblowing framework is set out in SYSC 18 of the FCA Handbook, which applies to all FCA-authorised firms. The rules require firms to have appropriate internal arrangements for the disclosure of reportable concerns by whistleblowers — defined broadly to include employees, workers, contractors and, in some cases, former employees. The framework was significantly strengthened in 2016 following the recommendations of the Parliamentary Commission on Banking Standards and the FCA's own review of whistleblowing practices across the industry.

For payment institutions and EMIs, the key requirements are: establishing internal reporting channels that are accessible and clearly communicated to all staff; ensuring that whistleblowers are not subjected to detriment or retaliation; appointing a senior individual with responsibility for the effectiveness of whistleblowing arrangements; and maintaining records of disclosures, investigations and outcomes. Firms with fewer than 250 employees and revenue below £1 billion are subject to lighter requirements — they do not need to appoint a formal whistleblowers' champion — but must still have adequate arrangements in place.

The Whistleblowers' Champion Role

Firms that meet the threshold criteria — UK revenue exceeding £1 billion, or UK-listed — must appoint a Senior Manager Function holder (typically an independent non-executive director) as the whistleblowers' champion under SYSC 18.4. The champion's role is to ensure the firm's whistleblowing arrangements are effective and that the board is informed about whistleblowing activity, trends and any systemic issues identified.

In practice, most payment institutions and EMIs fall below the revenue threshold and are not required to appoint a formal champion. However, the FCA expects all firms to designate a senior individual who takes personal responsibility for the quality and credibility of whistleblowing arrangements. This person should not be the compliance officer or MLRO — particularly where the concern may relate to AML failures — to avoid conflicts of interest.

PIDA Statutory Protections

The Public Interest Disclosure Act 1998 (PIDA) provides statutory protections for workers who make qualifying disclosures about matters including criminal offences, regulatory breaches, health and safety dangers, environmental damage, miscarriages of justice and deliberate concealment of any of these matters. Under PIDA, a qualifying disclosure can be made to the employer, a prescribed regulator (including the FCA and PRA), or, in limited circumstances, a wider audience.

Workers who make qualifying disclosures are protected against dismissal and detrimental treatment. An employee dismissed for making a qualifying disclosure can bring an automatic unfair dismissal claim regardless of length of service. Workers subjected to detriment short of dismissal can bring a claim to an employment tribunal. Firms should be aware that settlement agreements cannot prevent a worker from making a disclosure to a regulator — any contractual term purporting to restrict regulatory whistleblowing is void under PIDA and FCA rules.

FCA Direct Reporting and External Channels

The FCA operates its own whistleblowing line and actively encourages individuals to report concerns about regulated firms directly to the regulator. The FCA received over 1,800 whistleblowing reports in the 2023/24 financial year, and has publicly stated that intelligence from whistleblowers is one of its most important sources of information for identifying misconduct and prioritising supervisory action.

Payment firms should assume that some employees will report directly to the FCA rather than using internal channels. This is not a failure of the firm's arrangements — it reflects the statutory framework and the FCA's active encouragement. However, firms where the internal arrangements are perceived as ineffective, retaliatory or lacking confidentiality will see a higher proportion of external disclosures, reducing the firm's ability to address issues internally before they reach the regulator.

Practical Implementation for PIs and EMIs

Effective whistleblowing arrangements for payment institutions and EMIs should include: a written policy that is clearly communicated to all staff during onboarding and periodically thereafter; multiple reporting channels including at least one anonymous option (external hotline or online portal); a named senior individual responsible for receiving and managing disclosures; a documented investigation process with defined timescales; feedback mechanisms for whistleblowers; protections against retaliation embedded in HR policies; regular training for all staff on how to raise concerns; and board or governance committee reporting on whistleblowing activity at least annually.

Common failures observed during FCA assessments include: whistleblowing policies that are technically compliant but buried in employee handbooks with no active communication; absence of anonymous reporting options; investigation processes that are controlled by the subject of the complaint; inadequate record-keeping; and failure to report themes or trends to the board. The FCA takes a dim view of firms where the whistleblowing arrangements are a compliance exercise rather than a genuine safeguard.

Whistleblowing and the SMCR

Under the Senior Managers and Certification Regime (SMCR), senior managers have a statutory duty of responsibility for the areas of business under their control. Where a senior manager is aware — or should reasonably be aware — that whistleblowing arrangements in their area are inadequate, they may face personal regulatory action. The FCA has indicated that suppressing or discouraging whistleblowing, or retaliating against whistleblowers, could constitute a breach of the individual conduct rules under COCON.

For payment institutions subject to the core or limited scope SMCR, the obligation to maintain effective whistleblowing arrangements should be clearly allocated to a specific senior manager function within the firm's Statement of Responsibilities. This individual should receive regular reports on disclosures, investigations and outcomes, and should be responsible for ensuring the board is informed.

Regulatory Context and Enforcement

The FCA has made clear that it considers whistleblowing to be a critical component of good governance and firm culture. While enforcement action specifically for whistleblowing failures is relatively rare, the FCA has taken action against firms and individuals for retaliating against whistleblowers or suppressing disclosures. More commonly, inadequate whistleblowing arrangements feature as an aggravating factor in enforcement cases arising from underlying misconduct — demonstrating that the firm lacked the mechanisms to detect and address problems internally.

Regulatory Counsel advises payment institutions and EMIs on whistleblowing policy design, governance frameworks and SMCR compliance. Contact us for a free initial consultation. See our compliance support page for more on our advisory services.