The Financial Conduct Authority runs its own whistleblowing regime, separate from general UK employment law and from the EU’s whistleblower directive. For banks, insurers, and large investment firms it is not optional. The rules sit in SYSC 18 of the FCA Handbook, they have been in force since September 2016, and they carry specific structural obligations: a named senior manager accountable for whistleblowing, an internal channel that handles every kind of report, and an annual report to the board. This guide sets out what SYSC 18 requires, which firms it binds, how it interacts with the Public Interest Disclosure Act and the EU directive, and what a compliant channel looks like in 2026.
Direct answer
The FCA’s whistleblowing rules are in SYSC 18 of the FCA Handbook, in force since 7 September 2016. They are binding on “relevant firms”: UK banks, building societies, and credit unions with assets over £250m, PRA-designated investment firms, and insurers subject to Solvency II. Those firms must appoint a whistleblowers’ champion (a senior manager under the Senior Managers and Certification Regime), operate an internal channel able to handle all disclosures from all types of person, tell UK staff about the FCA and PRA whistleblowing services, include non-deterrence wording in settlement agreements, report on whistleblowing to the board at least annually, and notify the FCA if they lose an employment tribunal brought by a whistleblower. All other FCA-regulated firms are expected to treat SYSC 18 as non-binding guidance and adopt comparable arrangements.
What SYSC 18 actually requires
SYSC 18 is the FCA’s codification of how a regulated firm should run whistleblowing internally. It does not replace the legal protection a worker gets under the Public Interest Disclosure Act 1998. It sits on top of it, telling firms how to build the channel and govern it. The substantive obligations for a relevant firm break down into six parts.
1. An internal whistleblowing channel. The firm must have arrangements that can handle disclosures from any person (not just employees) about any matter, anonymously if the reporter chooses, and that are capable of handling reports about the firm itself, its group, and individuals within it. The channel has to be able to receive a concern, assess it, escalate it, and keep a record.
2. A whistleblowers’ champion. The firm must allocate the oversight of its whistleblowing arrangements to a specific senior manager. In practice the champion is usually a non-executive director. The role is a prescribed responsibility under the Senior Managers and Certification Regime, which means a named, approved individual is personally accountable to the FCA for the integrity, independence, and effectiveness of the firm’s whistleblowing policy, including protection of whistleblowers from detriment. The champion does not have to operate the channel day to day, but they own the outcome.
3. Non-deterrence wording in settlement agreements. When a firm settles with a departing worker, the agreement must make clear that nothing in it prevents the worker from making a protected disclosure. A confidentiality clause that looks like it gags a whistleblower is both a SYSC 18 breach and, separately, unenforceable to that extent under employment law.
4. Telling staff about the regulators’ own channels. UK-based employees must be told that they can report directly to the FCA or the PRA, and how. The internal channel is encouraged, but the worker’s statutory right to go straight to the regulator cannot be hidden.
5. An annual report to the board. The firm must present a report on the operation of its whistleblowing arrangements to its governing body at least once a year. This is the governance hook: it forces the board to look at volume, themes, and outcomes, and it gives the champion something concrete to be accountable for.
6. Notifying the FCA of lost whistleblowing tribunals. If the firm loses (or settles after a finding) an employment tribunal where the claimant was a whistleblower, it must tell the FCA. A pattern of these is a supervisory red flag.
Which firms are bound, and which are only “encouraged”
This is the part most often misread. SYSC 18 is binding only on relevant firms. The category covers:
- UK deposit-takers (banks, building societies, credit unions) with assets of £250m or more.
- PRA-designated investment firms.
- Insurance and reinsurance firms within the scope of Solvency II, and the Society of Lloyd’s and managing agents.
For every other FCA-regulated firm, SYSC 18 (other than the parts that simply restate the law) applies as non-binding guidance. The FCA’s clear expectation is that smaller firms read the guidance and put proportionate arrangements in place. “Non-binding” does not mean “ignore”. If a small adviser firm has no channel at all and a reporter suffers detriment, the FCA can still act through its principles (Principle 3, adequate systems and controls) and through the Conduct Rules.
How SYSC 18 sits on top of PIDA
The Public Interest Disclosure Act 1998 is the underlying employment-law protection. It amended the Employment Rights Act 1996 to protect workers who make a “qualifying disclosure” in the public interest from dismissal and detriment. A disclosure becomes protected when it is made to the right recipient: the employer, a legal adviser, or a “prescribed person”. The FCA is a prescribed person, which is why a worker can take a concern about an authorised firm straight to the regulator and keep their protection.
SYSC 18 does not change any of that. What it adds is structure. PIDA tells you a worker is protected. SYSC 18 tells the firm it must build a channel, name an accountable senior manager, and govern the whole thing at board level. A firm can be fully PIDA-compliant in the sense that it does not retaliate, and still breach SYSC 18 because it never appointed a whistleblowers’ champion or never reported to the board.
The practical implication: treat the two as a single design problem. The channel you build to satisfy SYSC 18 is also the channel that determines whether a disclosure was properly received and handled if a PIDA claim lands later. A clear, time-stamped, append-only record of what was reported and what the firm did with it is the firm’s best evidence in a tribunal.
The FCA’s own whistleblowing service
A worker does not have to go through their firm first. The FCA operates a whistleblowing line and accepts reports in confidence. The regulator will protect the reporter’s identity as far as the law allows, but it is honest that it cannot always guarantee anonymity, particularly if a matter proceeds to enforcement and the source’s account becomes evidence.
For firms, the takeaway is that suppressing an internal report does not make it disappear. It increases the chance the worker goes to the FCA directly, which removes the firm’s opportunity to investigate and remediate first. A well-run internal channel is, among other things, a way to keep concerns inside the firm long enough to fix them.
What this means for firms with EU operations
The UK left the EU before EU Directive 2019/1937 had to be transposed, so UK firms are not directly bound by the directive. But two things keep it relevant.
First, a UK financial group with subsidiaries or branches in EU member states still has to meet the directive locally. A UK bank with a German or Irish entity must give that entity a compliant internal reporting channel under the relevant national transposition (HinSchG in Germany, the 2014 Act as amended in Ireland), with the directive’s 7-day acknowledgement and 3-month feedback deadlines. The FCA regime does not discharge that obligation, and the directive’s regime does not discharge SYSC 18.
Second, financial services is one of the ten subject-matter areas the EU directive covers explicitly, and EU-regulated financial firms have their own channel obligations regardless of headcount. So a firm operating on both sides of the Channel ends up running two overlapping regimes. The sensible design is one channel architecture that satisfies the stricter requirement in each jurisdiction, rather than two parallel systems. Our country compliance guides set out the national rule for each EU and EEA jurisdiction, and the UK page covers the post-Brexit position in more detail.
There is also a market-abuse overlap. UK MAR, retained after Brexit, requires arrangements for reporting suspected market abuse, and the EU Market Abuse Regulation does the same for EU venues and issuers. For a trading firm, the whistleblowing channel and the market-abuse reporting route should be joined up so that a tip about, say, insider dealing reaches both the compliance function and, where required, the regulator.
Building a SYSC 18 channel that holds up
A channel that satisfies the rule has a recognisable shape. The features below are the ones that matter when the FCA reviews arrangements or a tribunal reads the case file.
Open to everyone, not just staff. SYSC 18 expects the channel to take reports from any person, including contractors, former employees, and people in the firm’s group. The intake form should not gate on an employee number or a corporate email.
Genuinely confidential, with an anonymous route. The reporter should be able to submit without giving a name, and to follow up without revealing identity. That means no mandatory email field, no IP logging that ties back to a person, and a case code plus reporter-held secret for follow-up. A channel that quietly captures identifying data undermines both the SYSC 18 confidentiality expectation and the firm’s credibility with its own staff.
An accountable owner. The whistleblowers’ champion needs visibility of the arrangements without necessarily seeing every individual report. A permission model that gives a designated case handler first sight, with defined escalation to the champion and a conflict-of-interest path, matches the regime.
A defensible record. Every action on a case (received, acknowledged, assessed, escalated, closed) should be time-stamped and held in an append-only log. This is what produces the annual board report and what answers a tribunal’s question about whether the firm handled the concern properly.
Board-level reporting built in. If the system can produce volume, theme, and outcome data on demand, the annual report to the board stops being a manual exercise and becomes a query.
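The anonymous follow-up credential and the time-stamped append-only record described above can be sketched in a few lines of Python. This is an added example, not code from Confidly or the FCA. The class and method names, the `C-` case-code format, and the SHA-256 hash chain used for tamper evidence are assumptions made for illustration; SYSC 18 prescribes none of them.

```python
import hashlib, hmac, json, secrets
from collections import Counter
from datetime import datetime, timezone

GENESIS = "0" * 64  # stand-in "previous hash" for the first log entry

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class CaseStore:
    """Hypothetical in-memory store: anonymous case credentials plus a chained audit log."""
    def __init__(self):
        self._secret_hashes = {}  # case code -> SHA-256 of the reporter-held secret
        self._log = []            # entries are only ever appended

    def open_case(self):
        # No name, email or IP is taken; the reporter keeps the code and the secret.
        code = "C-" + secrets.token_hex(4).upper()
        secret = secrets.token_urlsafe(24)
        self._secret_hashes[code] = hashlib.sha256(secret.encode()).hexdigest()
        self.record(code, "received")
        return code, secret

    def check_reporter(self, code, secret):
        # Constant-time comparison; an unknown case code fails like a wrong secret.
        stored = self._secret_hashes.get(code, GENESIS)
        offered = hashlib.sha256(secret.encode()).hexdigest()
        return hmac.compare_digest(stored, offered)

    def record(self, code, action):
        # Each entry commits to the previous entry's hash, so a later edit breaks the chain.
        prev = self._log[-1]["hash"] if self._log else GENESIS
        body = {"case": code, "action": action, "prev": prev,
                "at": datetime.now(timezone.utc).isoformat()}
        self._log.append({**body, "hash": _digest(body)})

    def verify_log(self):
        # Recompute every hash and link; return the index of the first bad entry, or -1.
        prev = GENESIS
        for i, entry in enumerate(self._log):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or entry["hash"] != _digest(body):
                return i
            prev = entry["hash"]
        return -1

    def board_summary(self):
        # Volume per action type, the raw material for the annual board report.
        return Counter(e["action"] for e in self._log)
```

A chain held in one place only shows tampering if its latest hash is also kept somewhere the case handlers cannot rewrite, such as a periodic export to a separate system.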
Confidly was built to this shape. The reporter interface takes anonymous submissions with no email, IP, or device fingerprint, issues a server-side case code with a reporter-only secret, runs acknowledgement and feedback timers, and writes every action to an append-only audit log. The permission model supports a designated handler with delegation for conflicts, which maps onto the champion-plus-handler split that SYSC 18 implies. For the investigative side of a report once it lands, see our guide on how to run a whistleblower investigation.
Common SYSC 18 failures
Drawing on supervisory themes and the kinds of gaps that surface in reviews:
No named champion, or the champion left. The prescribed responsibility was allocated once and never revisited. The named individual has since moved on and nobody picked it up. This is a governance failure that an FCA review finds quickly.
A channel that gates on identity. The “anonymous” channel asks for an email “so we can follow up”. That is not anonymous, and staff know it, which is why the channel gets no use.
Settlement agreements with stale gagging clauses. A template confidentiality clause that predates 2016 still implies the worker cannot speak to the regulator. It needs the non-deterrence carve-out.
No annual board report. The arrangements exist on paper but the board has never seen data on how they are used. Without the report, the firm cannot show the regime is effective, only that it exists.
Treating non-binding guidance as no obligation. A smaller firm reads “non-binding” and does nothing. When a concern is mishandled, the absence of any arrangement at all becomes the supervisory problem.
FAQ
Is FCA whistleblowing the same as PIDA? No. The Public Interest Disclosure Act 1998 is the employment-law protection that stops a worker being dismissed or subjected to detriment for a protected disclosure. SYSC 18 is the FCA’s set of rules telling regulated firms how to build and govern an internal whistleblowing channel. PIDA protects the person; SYSC 18 structures the firm. A firm can comply with one and breach the other.
Which firms have to comply with SYSC 18? The binding obligations apply to relevant firms: UK banks, building societies, and credit unions with assets over £250m, PRA-designated investment firms, and Solvency II insurers (plus the Society of Lloyd’s and managing agents). Every other FCA-regulated firm should treat SYSC 18 as guidance and put proportionate arrangements in place. “Non-binding” is not the same as “optional”.
Who is the whistleblowers’ champion? A senior manager, usually a non-executive director, who holds the prescribed responsibility for the firm’s whistleblowing arrangements under the Senior Managers and Certification Regime. They are accountable to the FCA for the integrity, independence, and effectiveness of the policy and for protecting whistleblowers from detriment. They oversee the arrangements rather than handling individual reports.
Can a worker report straight to the FCA instead of their firm? Yes. The FCA is a prescribed person under PIDA, so a worker can report to it directly and keep their statutory protection. The FCA runs a confidential whistleblowing line. It protects the reporter’s identity as far as the law allows but cannot always guarantee anonymity if the matter goes to enforcement.
Does the EU whistleblower directive apply to UK firms? Not directly, because the UK left the EU before transposition was due. But a UK firm with EU subsidiaries or branches must give those entities a channel that complies with the relevant national transposition of EU Directive 2019/1937, including the 7-day acknowledgement and 3-month feedback rules. Firms operating on both sides of the Channel usually run one channel architecture that meets the stricter requirement in each place.
What happens if a firm ignores SYSC 18? For a relevant firm, it is a rule breach the FCA can act on directly, and the named champion is personally accountable. For other firms, the FCA can act through its principles and the Conduct Rules if a lack of arrangements leads to a mishandled concern. In either case, losing a whistleblowing employment tribunal is reportable to the FCA and a supervisory red flag.
See also
- Whistleblower protection laws: EU, UK, and US compared: how PIDA, the EU directive, and US regimes line up.
- Whistleblowing policy: what it must include in 2026: the document your channel points at.
- How to run a whistleblower investigation: handling a report once it lands.
- UK compliance guide: the post-Brexit position for firms with UK and EU operations.
- Calculate your maximum fine: exposure under each EU country’s transposition.