Whistleblowing laws in Switzerland, what’s the current situation and what should companies consider?
Progress in Switzerland towards providing legal protection for whistleblowers in the private sector has been slow and attempts to introduce legislation have so far failed.
No current law protecting whistleblowers
Currently there is no law in Switzerland protecting whistleblowers from dismissal by their employer. Between 2003 and 2020, several efforts to clarify the law around the topic of whistleblowing were rejected by either the Federal Council (Bundesrat) or National Council (Nationalrat).
The measures that whistleblowers in Switzerland may consider taking to report a suspected irregularity, and the circumstances in which they may report directly to the authorities or the media, have been established by case law in the Swiss courts on the basis of the existing legal provisions in labor law, criminal law and data protection law.
This means that the Swiss courts continue to rule on each case separately, without any clear legislation to guide their decision-making. Pressure continues, however, for Switzerland to improve its whistleblowing law. Most recently from the OECD which initially recommended in 2011 that Switzerland adopt protections for private sector whistleblowers and which in July 2022 has issued a statement that if Switzerland does not take concrete steps toward implementing whistleblower protections, the OECD will commence preparations for a High-Level Mission to Switzerland in December 2022.1
Why Swiss companies should act now and should not wait for the enactment of a Swiss whistleblower legislation
A well-functioning whistleblowing hotline may prevent substantial fraud related losses
- According to the latest Report to the Nations from the ACFE, (i) tips from employees remain by far the most common way for organisations to detect fraud, (ii) organisations with hotlines detect frauds more quickly than those without hotlines by an average of six months, and (iii) fraud losses were two times higher at organisations without hotlines. Furthermore, the recently published Whistleblowing Report 2021 found out that, although the Swiss companies that participated in the survey were less frequently affected by misconduct than companies in other countries, the proportion of financial damages of CHF 100’000 or more is highest in Switzerland from among the countries that participated in the survey.
- In reality, we often see that although an organization has sophisticated controls in place, fraud and misconduct issues are more often brought to light by whistleblowers instead of by the controls. Therefore, having a clear reporting path allowing early reporting before there is significant financial or reputational damage done might be imperative to ensure the health of the organization’s business. Companies are well advised to take the view that fraud is likely to happen sooner or later. Or as the old adage says, better safe than sorry.
A whistleblowing system may be required under the EU Whistleblower Directive
- EU member states continue to work on the implementation of the EU’s Whistleblower Directive into national laws. Of the Swiss companies surveyed that are impacted by the EU Whistleblower Directive, only a small minority (<6%) are prepared to be fully compliant with the Directive, according to the recently released Whistleblowing Report 2021. The reason for this level of unpreparedness / delay is unclear, as the EU Whistleblower Directive sets out clear minimum key requirements and although there may be small deviations in the legislation passed in each Member State, such deviations will be minor (e.g., whether or not follow-up is required for anonymous reports) and should not hinder current preparations.
- Swiss companies that may not have a requirement under the EU Whistleblower Directive but with ties abroad, in particular into the European Union, might find it beneficial to implement a whistleblowing hotline in conjunction with the implementation of such systems by their subsidiaries or headquarters. However, since group-wide hotlines may not be longer permissible under the revised EU directive (Art. 8), this will pose a challenge to multinationals and may encourage some companies to do away with existing centralized whistleblowing systems leaving some Swiss companies, who rely on the centralized systems of their corporate groups, to find their own solution.
What companies need to consider now
Deloitte Conduct Watch Demo
Register here for a demo
On August 31, 2022, the Federal Council adopted the new Data Protection Ordinance (“DPO”) and decided that the new DPA and the new DPO shall enter into force on September 1, 20232. Regarding data protection in whistleblowing processes, it is important to consider topics such as the handling of personal data of both the reporting and the accused person, information obligations, rights of access, records keeping, and data storage and retention practices and policies.
According to Art. 321 a Para. 1 of the Code of Obligations (“CoO”), the employee has to uphold the justified interests of an employer in good faith. Art. 321 a Para. 4 CoO states the obligation to confidentiality.
Based on that, employees must first report misconduct internally to the employer. Only if all means of reporting internally have been exhausted and only if there is a public interest concern, the employee may disclose the relevant issue to authorities. If the authorities fail to take any action and as a last resort, the employee might report the misconduct to the public. It is therefore in an organisation’s own interest to provide the adequate means of reporting internally and to investigate reports unbiased and thoroughly. If an employee chooses to report outside of the organisation, the issue can quickly get out of control and can lead to a major crisis.
Swiss law and best practices expect the Board of Directors to take responsibility for the internal control system, dealing with risk and compliance.3 The Swiss Code of Best Practice for Corporate Governance states that “The Board of Directors should provide internal control and risk management systems that are suitable for the company. Risk management refers to financial, operational and reputation-based risks”. Thus, the Board of Directors is also responsible for data protection matters and the correct implementation of the revised DPA. As data protection is a key element in any whistleblowing system, this responsibility also means the Board of Directors can be subject to criminal penalties originating from data protection legislation. It is notable that the sanctions under the revised Data Protection Act are sanctions of (administrative) criminal law, which are imposed in criminal proceedings, affect the responsible persons personally and may not be paid or insured by the company.
Simply having a whistleblowing hotline is not enough. Companies must also have a comprehensive ethics program and culture so that employees feel empowered and safe enough to speak up. This is particularly relevant in Switzerland where fear of retaliation remains very real. According to the Ethics at Work: 2021 international survey of employees, only 41% of employees (among the lowest of the 13 countries surveyed) in Switzerland that have been aware of misconduct at work have spoken up about it with management, another appropriate person, or through any other mechanism. In other words, more than half of the workforce remains silent when fraud or misconduct is observed at work, which is a shocking high number. The main reason why Swiss employees do not raise their concerns is that they felt it might jeopardise their job.
Demonstrating that whistleblowing reports are taken seriously and dealt with swiftly will build trust with your employees and ultimately encourage them to come forward if they witness misconduct. Accordingly, the Board of Directors is well advised to take the risk of fraud seriously and review the organization’s approach towards the prevention, detection and response to fraud and misconduct. This should include a review of the organization’s whistleblowing system (for example, against the principles of ISO 37002) and a check to ensure that the employees know when and how to use it. Moreover, the organization should make sure that the staff tasked with handling the whistleblowing cases are well aware of all potentially relevant risks and how to appropriately handle a case. For example, an employee reports via whistleblowing hotline that behind the organization’s plant there is a hole in the meadow where nothing grows anymore. Is this now just a case of waste or could this potentially be an environmental risk?
Increasing economic uncertainty creates pressure on various levels of an organization. We have observed that times of economic instability may increase an individual’s justification to commit fraudulent acts, be it in the form of theft, financial statement fraud, conflicts of interest or even acts of corruption. Organizations may want to revisit their fraud management framework, adapt controls and close backdoors to increased fraud risks, especially in light of the recent change of work patterns to hybrid working models.
In today’s ever-changing world, it’s important to also consider the integration of subjects such as Environmental Social Governance (ESG), modern slavery, sanctions and data protection / data transfer into the whistleblowing policy.
It’s not just financial fraud and misconduct that can negatively impact an organization by e.g., destroying an organization’s reputation, subjecting an organization to intense media scrutiny, undermining relationships with suppliers, customers, financial institutions and financial markets; and/or damaging employee morale and leading to an increase in attrition.
Deloitte's whistleblowing solution
To assist organisations in handling whistleblowing caseloads, Deloitte has launched its whistleblowing solution, Deloitte Conduct Watch. Find out how you can manage your whistleblowing risk with us.
Who should read this article?
Corporate executives, Board members and General Counsels are responsible for responding to suspected fraud in their organisation. Since such events do not occur every day it is essential to have a playbook and checklists on hand so as to be ready to respond effectively and prevent an uncontrolled escalation of the matter into a veritable corporate crisis. For further insights on what to do when fraud occurs, we refer to our article “Responding to fraud: doing nothing is not an option”.