
Industry guide · Finance & Regulated Teams

Whistleblowing and conduct reporting for regulated firms

Disclosure routes aligned with FCA whistleblowing expectations, SYSC governance, and SMCR accountability—distinct from customer complaints and operational incident systems.

Regulated firms must show that disclosures are received, owned, and documented. The FCA received 281 new whistleblowing reports in Q1 2025 containing 752 allegations; 41% resulted in action to reduce harm. Firms need intake and case management that produces a defensible record—not a shared compliance inbox.

281 · New whistleblowing reports received by the FCA in Q1 2025.

752 · Allegations contained in FCA Q1 2025 whistleblowing reports.

41% · Of FCA Q1 2025 whistleblowing reports where the FCA took action to reduce harm.

Source: FCA whistleblowing quarterly data, Q1 2025

Operational context

Typical concerns in regulated financial services

Speaking-up in regulated firms sits between conduct risk, financial crime controls, and personal accountability under SMCR. The FCA's non-financial misconduct survey found bullying and harassment at 26% and discrimination at 23% of reported misconduct types—routing must treat conduct and compliance disclosures with equal rigour.

1. Disclosures conflated with customer complaints

Staff concerns about conduct, controls, or culture must not be logged in consumer redress or complaints systems lacking investigation workflow and audit trail.

2. FCA whistleblowing channel vs internal route unclear

Workers may not know when to use the FCA's prescribed-person route versus internal compliance—and internal routes must still produce regulator-ready documentation.

3. SMCR accountability without case ownership

Senior manager conduct concerns need named investigation owners and controlled visibility—not informal escalation to the SMF holder's inbox.

4. Follow-up pushes reporters into corporate email

FCA Q1 2025 data shows most whistleblowers included contact details; firms still need secure internal follow-up that protects identity when reporters choose anonymity.

Process design

Reporting workflow in regulated firms

A six-step route connecting disclosure intake, compliance ownership, and board-ready records—without mixing whistleblowing into unrelated operational systems.

Step 1: Disclosure received

Worker submits via secure portal or documented hotline route

Owner: Anonymous or identified reporter

Step 2: Regulatory triage

Category assigned; FCA reportability assessed where applicable

Owner: Compliance intake

Step 3: Compliance owner assigned

Named SMF holder or 2LoD lead takes ownership

Owner: Compliance / risk

Step 4: Secure follow-up

Clarification and evidence via protected messaging

Owner: Assigned investigator

Step 5: Investigation

Findings documented with role-based access

Owner: Compliance, HR, or financial crime

Step 6: SMCR / board record

Outcome logged; themes for audit committee and regulator-ready export

Owner: Company secretariat / board

Organisational design

Typical governance structure

Speaking-up routes map to three lines of defence—business ownership, compliance oversight, and independent assurance.

  • Staff / contractor reporter: Front office, control functions, or outsourced staff
  • Secure disclosure channel: Internal portal—not line manager by default
  • First line (business): Line management controls and immediate escalation
  • Second line (compliance & risk): Whistleblowing triage, conduct, financial crime
  • Third line / board: Internal audit, audit committee, SMCR accountability

Three lines of defence

Speaking-up routes mapped to regulatory governance

  • 1st line · Business & operations: Day-to-day conduct and control ownership
  • 2nd line · Compliance & risk: Oversight, policy, whistleblowing triage
  • 3rd line · Internal audit: Independent assurance and board reporting

Audit trail (8 events)

| Event | Actor | Time |
| --- | --- | --- |
| report submitted | anonymous | 08:42 |
| ai triage complete · HIGH | system | 08:43 |
| status → reviewing | s.jones | 09:32 |
| message sent (secure) | system | 10:05 |
| file uploaded · policy-excerpt.pdf | anonymous | 11:40 |
| file uploaded · shift-rota-March.xlsx | anonymous | 11:41 |
| assigned to compliance lead | system | 11:42 |
| note added · awaiting site visit | s.jones | 14:18 |

Scenarios

Industry-specific examples

Illustrative scenarios—ownership varies by firm type, SMF structure, and whether the FCA prescribed-person route applies.

| Scenario | Category |
| --- | --- |
| Mis-selling pressure on advisers: Paraplanner reports targets that encourage unsuitable product recommendations; requests anonymity from line management. | Conduct (NFMI) |
| AML control bypass: Operations analyst flags systematic easing of CDD checks on a high-value client segment. | Financial crime |
| Gifts and entertainment policy breach: Relationship manager reports undisclosed hospitality from a vendor linked to procurement decisions. | Regulatory breach |
| SMF conduct concern: Control-function staff raise bullying by a senior manager with certified SMF responsibilities. | Governance / SMCR |

Taxonomy

Risk categories commonly reported

Taxonomy aligned to FCA whistleblowing themes and internal conduct frameworks—supporting triage between compliance, HR, and financial crime owners.

Conduct (NFMI)

Bullying, harassment, discrimination, and non-financial misconduct; FCA survey data puts bullying and harassment at 26% and discrimination at 23% of reported misconduct types.

Bullying · Harassment · Discrimination

Financial crime

AML, sanctions, fraud, and market abuse concerns requiring financial crime investigation.

AML bypass · Insider dealing tip · Fraudulent transactions

Regulatory breach

Policy, permissions, and conduct-of-business failures with regulatory reporting implications.

Mis-selling · Gifts & entertainment · Conflicts of interest

Governance & SMCR

Senior manager conduct, control failures, and board-level accountability concerns.

SMF conduct · Control override · Retaliation against reporter

Governance

Ownership models

Regulated firms typically combine internal compliance ownership with FCA prescribed-person escalation and, where required, independent intake.

| Route | Primary owner | Escalation |
| --- | --- | --- |
| Internal compliance route | Head of compliance or whistleblowing champion | SMF holder → audit committee |
| FCA prescribed-person escalation | FCA (external); firm documents internal handling separately | Regulatory correspondence; firm response record retained |
| Independent / external intake | Third-party hotline with compliance handoff | Audit committee with full case export |

Operating model

Team responsibilities

Clear 2LoD ownership reduces the gap between a disclosure arriving and a record the firm can defend to the FCA or internal audit.

Compliance (2nd line)

  • Own whistleblowing triage and regulatory reportability assessment
  • Assign investigators and maintain SMCR-relevant documentation
  • Coordinate FCA correspondence where disclosures escalate externally

Financial crime

  • Investigate AML, fraud, and market integrity categories
  • Preserve evidence for SAR and regulatory reporting decisions
  • Maintain separation from business-line pressure on cases

Company secretariat / board

  • Support audit committee reporting on speaking-up themes
  • Ensure serious outcomes reach board oversight
  • Maintain regulator-ready exports and retention policies

Product fit

Why organisations use Disclosurely

Disclosurely structures the internal route firms must operate alongside FCA whistleblowing—it does not replace regulatory reporting obligations or SMCR accountability.

Audit trail for regulatory review

Receipt, ownership, messages, files, and status changes in one case record—supporting internal audit and FCA interaction documentation.

Role-based access for sensitive conduct cases

Need-to-know visibility for NFMI and SMCR investigations without circulating details through corporate email.

Secure follow-up without breaking anonymity

Compliance teams can request clarification and evidence through protected messaging when reporters choose not to identify themselves.
