What the regulation says
If a country has whistleblower laws in place, companies of any size are typically required to establish internal reporting channels, safeguard the confidentiality of whistleblowers, and protect employees from retaliation. In practice, this means companies must:
- Maintain a written record of whistleblowing reports, even if no reports are made;
- Take adequate and proportionate measures to ensure secure reporting channels and protect employees from retaliation.
There’s no strict template, but the expectation is clear: create internal systems that are appropriate to your business size and risk profile.
Why this matters
This is especially important for companies with a complex management structure, where the following risks may arise:
- commercial bribery
- cartel arrangements
- conflict of interest
- forgery
- AML/KYC breaches
- tax reporting manipulation
- labour rights violations
When internal reporting channels are missing or unclear, these risks can escalate — and so can the consequences.
What a compliant policy looks like
For most businesses, compliance doesn’t mean building a legal fortress. The following elements are generally sufficient:
- A clear Whistleblower Policy document
- An internal logbook or journal for recording reports
- Periodic training or refreshers (for larger teams)
- A designated point of contact or compliance officer
We helped a client to set up a system that included a basic policy, simple reporting form, and a secure folder for recordkeeping. No unnecessary bells or whistles — just a clean, functional solution that meets the regulatory standard.
Case in Point: ADGM Holding Company with One Director
We recently worked with a client — a holding company registered in the Abu Dhabi Global Market (ADGM) with just one employee: the director. No staff. No complex operations. Still, ADGM regulations require all companies to maintain:
- a written whistleblowing logbook
- proportionate reporting procedures and protections
Here's what we did:
- Developed a basic but compliant whistleblower policy
- Created a simple reporting form and log template
- Documented the director’s acknowledgment
No training sessions, no corporate infrastructure — just a clean, risk-aligned solution.
What happens if you don’t comply
Some regulators, like ADGM, may impose fines (up to USD 50,000), issue warnings, or even suspend business licenses for non-compliance. While enforcement is still rare, scrutiny is increasing.
Even outside ADGM, many regions (like the EU, UK, US) have specific whistleblower protections — and enforcement cases are growing. Having even a minimal policy in place offers:
- Protection from regulatory claims
- Evidence of good governance
- A healthier workplace culture
What’s actually mandatory in ADGM
All companies in ADGM must maintain a written log of whistleblowing reports, regardless of whether any reports are received.
Additional measures (like staff training or policy audits) are only mandatory if:
- your annual turnover exceeds USD 13.5 million, or
- your employee count exceeds 35
For smaller businesses, a simple written policy and log will often be enough. That said, minimal overcompliance—like creating a clear form and storing reports in a secure location—can help preempt future scrutiny.
Final thoughts from our team
Whether you’re operating in the UAE, UK, or elsewhere, whistleblower compliance doesn’t have to be difficult. What matters is tailoring the solution to your real business structure — not just copying a template from a multinational.
This guidance was developed by Roman Motorin, Associate at Futura Digital, as part of a recent client engagement. If you’re looking to implement your own whistleblower framework — or audit an existing one — get in touch with our team.