The entry into force of Law 2/2023 obliged thousands of Spanish companies to establish internal reporting channels within a very tight timeframe. Correct implementation is not just a compliance matter: a well-designed channel can be a valuable governance tool for detecting irregularities before they cause greater harm.
Step 1: Scope Assessment
The first step is to determine whether the company is covered by the law. Companies with 50 or more employees — counting both full-time and part-time staff — are subject to the obligation. In corporate groups, the threshold is assessed company by company, although the law permits shared use of the channel among entities in the same group.
Beyond the headcount criterion, Law 2/2023 requires the channel regardless of workforce size for financial sector entities (banks, insurers, fund managers), political parties receiving public funding, trade unions and employer organisations with public funding, and public sector foundations.
The material scope of the channel is also broader than many companies assume: it is not limited to criminal offences. It also covers breaches of European Union law in areas as varied as competition, taxation, environmental protection, product safety, data protection, money laundering and food safety. In Spain, the law extended the scope to cover breaches of Spanish law in general.
Step 2: Channel Design
The channel can be internal (managed by the company itself, for example through the compliance or internal audit department) or external (outsourced to a specialist provider). The law allows companies with between 50 and 249 employees to share the channel with group entities or use certified external providers.
The channel must accept written, oral and, if the informant requests it, in-person communications. It must guarantee confidentiality and anonymity when the informant requires it.
Technical requirements for digital systems: If the channel is implemented through a digital platform — the most common solution — it must ensure end-to-end encryption, secure storage of informant data, separation of access between the channel manager and senior management, and the possibility of anonymous two-way communication with the informant to request additional information.
Handling anonymous reports: The law requires that anonymous communications be processed, but does not impose a mandatory investigation obligation. The internal policy must set clear criteria for deciding when to investigate an anonymous report and how to document that decision.
Step 3: Internal Policy and Training
It is essential to approve a reporting management policy that regulates timelines, the investigation process, informant protection and the rules on prohibited retaliation. Training for channel managers and senior leadership is key to avoiding errors that could lead to penalties.
Legal timelines to observe: The law sets specific time obligations that must be reflected in the internal policy. The channel manager must acknowledge receipt of the communication within a maximum of seven business days of receiving it. Within three months of that acknowledgement, the informant must be informed of the actions planned or taken and the reasons for them.
Protections for the informant: The law expressly prohibits retaliation against anyone who reports in good faith, even if the information communicated turns out to be incorrect. Prohibited retaliation includes not only dismissal or disciplinary action but also any detrimental measure such as changes to working conditions, negative performance reviews, exclusion from promotion or psychological pressure. Companies must establish internal mechanisms to detect and remedy potential retaliation.
Step 4: Periodic Review and Audit
The channel should be reviewed at least annually to verify its effective operation. Internal or external audits can help detect deficiencies before they become sanctionable non-compliance.
Effectiveness indicators: A periodic audit of the channel should assess the number of communications received, average processing time, the percentage of communications closed with a formal investigation, the types of irregularities reported and whether corrective measures have been adopted as a result. A channel that receives no communications for years is not necessarily a positive indicator: it may reflect distrust in its effectiveness or lack of awareness of its existence among employees.
Policy review: The policy should be updated when company activities or group structure change, or when relevant regulatory changes occur. The addition of new regulated activities may expand the material scope of the channel.
The whistleblower channel as part of the compliance programme
In companies with a comprehensive compliance programme, the whistleblower channel is one component of a broader system that includes the code of ethics, the risk map, internal control procedures and the responsibilities matrix. A well-designed channel reinforces a culture of integrity and is taken into consideration by criminal courts as evidence of the legal entity’s diligence in preventing offences.
At BMC we help clients design, implement and audit their whistleblower channels.