An AACI White Paper on Whistleblowing Systems and Governance Readiness

November 3, 2025

Mike J. Masoud, CACL, CACM, CFE, MIPA AFA, MBA
Senior Director – Middle East & Africa
The American Anti-Corruption Institute (AACI)

Executive Summary

Whistleblowing remains one of the most powerful mechanisms for detecting and deterring corruption, fraud, and other forms of misconduct. In 2025, global standards continue to evolve — from The AACI’s Standard on Fighting Corruption 280: Whistleblowing (SFC 280) to the OECD’s latest guidance and France’s Loi Waserman under the Sapin II framework.

This white paper provides a practical roadmap for designing and implementing an effective whistleblower program that meets the highest international benchmarks in governance, ethics, and accountability. It integrates The AACI’s principles with the legal and procedural standards of France and the OECD to create a unified model for organizational integrity.

The paper outlines:

• Core requirements of an effective whistleblowing policy under SFC 280, the French Sapin laws, and OECD frameworks.
• Roles and responsibilities of management, ethics officers, and audit committees in building trust and ensuring independence.
• A 10-point readiness checklist that helps organizations assess their systems against global best practices.
• Measurable indicators — such as report acknowledgment timelines, retaliation handling, and training coverage — to track effectiveness and accountability.

---

By aligning with these frameworks, organizations can transform whistleblowing from a compliance formality into a cornerstone of good governance.

Ultimately, implementing an effective whistleblower program in 2025 is not just a regulatory expectation; it is a strategic investment in institutional integrity and public trust.

Introduction

Whistleblowing is one of the most effective tools for detecting fraud, corruption, and other forms of misconduct. The American Anti-Corruption Institute’s Standard on Fighting Corruption 280 (Whistleblowing) requires organizations to adopt a whistleblowing policy that lowers corruption risks to acceptable levels and recognizes that tips are often the most effective means of detecting fraud (AACI, 2023).

Globally, whistleblower laws and guidelines are evolving. France has enhanced protections through Sapin II, its 2022 Law No 2022-401 (often called Loi Waserman), and proposals for Sapin III (Couturier Sadgui, 2023), while the OECD’s 2021 Anti-Bribery Recommendation and earlier 2016 report on whistleblower protection outline best-practice principles (OECD, 2016; OECD, 2021). This article explains how to build an effective whistleblower program that complies with The AACI Standard SFC 280 and integrates insights from French law and OECD guidance. The goal is to help organizations foster a speak-up culture, meet legal obligations, and reduce corruption risks.

Defining Whistleblowing

The AACI defines whistleblowing as a deliberate, non-obligatory disclosure of material wrongdoing under an organization’s control, made to an authorized person who could retaliate (AACI, 2023). Whistleblowing can be internal (reported within the organization) or external (reported to regulators, law enforcement, or the public). The AACI SFC 280 emphasizes that a whistleblowing policy must allow anonymous reporting, engage all stakeholders (employees, contractors, auditors, customers, suppliers, and community members), and ensure complaints are received and investigated by competent, ethical individuals (AACI, 2023).

France’s Sapin II and the 2022 Loi Waserman broaden the definition of a whistleblower. Under the French framework, a whistleblower is a natural person who reports, in good faith and without financial compensation, a crime or misdemeanour, harm to the general interest, or a violation of EU or international law (Couturier Sadgui, 2023). Notably, the transposition law introduced a new status for facilitators (e.g., unions or colleagues assisting the whistleblower) and extends protection against reprisals to them (Couturier Sadgui, 2023). The law also abolishes the previous “cascading” reporting hierarchy; whistleblowers may report internally, externally, or publicly without first following a particular order (Couturier Sadgui, 2023).

The OECD’s 2016 report on whistleblower protection underscores that effective systems should offer multiple reporting channels and allow whistleblowers to select the reporting route they consider safest (OECD, 2016). Potential whistleblowers should have direct access to external review agencies if internal channels are ineffective or if they fear reprisal or confidentiality breaches. The report also emphasizes anonymity options, recommending hotlines that assign a unique identifier to protect identity and encourage anonymous follow-up (OECD, 2016). The OECD notes that confidentiality, rather than financial incentives alone, is the primary safeguard of an effective whistleblower protection system (OECD, 2016).

Purpose and Benefits of a Whistleblowing Policy

The objective of a whistleblowing policy is to uncover misconduct early and strengthen governance (AACI, 2023). The AACI SFC 280 lists numerous benefits: lowering fraud costs, deterring culprits, improving governance, reducing corruption risks, and enhancing citizenship (AACI, 2023).

French law similarly aims to encourage reporting and protect whistleblowers from retaliation. The Loi Waserman obliges organizations and municipalities with at least 50 employees or 10,000 residents to implement secure, confidential whistleblowing systems with impartial contact persons, diligent follow-up, and clear information on external reporting procedures (Couturier Sadgui, 2023). It also mandates deadlines for acknowledging receipt of a report and providing feedback within three months (Couturier Sadgui, 2023).

The OECD (2016) underscores that effective whistleblower protection promotes transparency, integrity, and accountability while fostering an open organizational culture in which employees feel confident to report wrongdoing. The report stresses that confidentiality is the cornerstone of a sound whistleblower protection framework, as assurance that one’s identity and information will remain protected encourages individuals to speak up. It further notes that incentive mechanisms—whether monetary or otherwise—may complement but cannot replace the essential role of confidentiality in sustaining ethical conduct (OECD, 2016, pp. 20, 69).

Regulatory and Ethical Foundations

The AACI Standard SFC 280

SFC 280 requires organizations to establish and maintain an effective whistleblowing policy. Key elements include anonymous reporting channels, competent recipients, impartial investigations, and stakeholder engagement (AACI, 2023). Management and those charged with governance must ensure that the policy is implemented and enforced (AACI, 2023). The standard encourages governments to provide protection and financial incentives for whistleblowers and notes the success of reward programs like the U.S. SEC’s (AACI, 2023).

French Framework: Sapin II, Loi Waserman, and Sapin III Proposals

France’s Sapin II (2016) introduced comprehensive anti-corruption measures, including an anti-corruption agency, mandatory compliance programs for large companies, and protection for whistleblowers. The 2022 Loi Waserman transposed the EU Whistleblower Directive and strengthened protections. It requires companies and public institutions with at least 50 employees to implement secure whistleblowing systems (Couturier Sadgui, 2023). Key provisions include integrating reporting procedures into internal regulations, guaranteeing confidentiality, appointing impartial contact persons, diligent follow-up (including anonymous reports), and providing clear information on external reporting channels (Couturier Sadgui, 2023).

Reporting can be written or oral and may include a face-to-face meeting upon request (Couturier Sadgui, 2023). A Council of State decree also mandates independence, feedback deadlines, and procedures for data handling (Couturier Sadgui, 2023). The law abolishes the cascading reporting requirement, allowing whistleblowers to choose internal, external, or public disclosure (Couturier Sadgui, 2023).

France’s proposed Sapin III aims to further improve anti-corruption efforts by extending geographic scope, clarifying the role of the Haute Autorité pour la Transparence de la Vie Publique (HATVP), and strengthening legal protections (Couturier Sadgui, 2023).

OECD Guidance

The OECD’s 2021 Anti-Bribery Recommendation updates its Good Practice Guidance on internal controls, ethics, and compliance. It stresses that companies should implement a strong and effective whistleblowing system that offers confidential and anonymous reporting and anti-retaliation measures (DLA Piper, 2022). The Recommendation urges countries to ensure comprehensive and effective protection of whistleblowers in public and private sectors (OECD, 2021).

The OECD’s 2016 report Committing to Effective Whistleblower Protection provides detailed guidance. It emphasizes that internal and external reporting channels should be available in parallel, allowing whistleblowers to select whichever reporting path they deem most secure. The report notes that potential whistleblowers should have direct access to external authorities if internal mechanisms are ineffective or if they fear reprisals or breaches of confidentiality. It further advocates for anonymous reporting through systems such as hotlines that allocate unique identifiers and secure mailboxes for confidential follow-up. While incentive mechanisms may complement reporting systems, the OECD underscores that confidentiality remains the essential foundation of whistleblower protection (OECD, 2016, pp. 52–69).

Core Requirements under The AACI SFC 280 and French Law

Establish a Whistleblowing Policy – Management must maintain a policy that covers all stakeholders, including employees, contractors, vendors, and auditors (AACI, 2023).

Anonymity and Confidentiality – The policy should not require whistleblowers to reveal their identity; anonymity increases reporting efficacy (AACI, 2023). The French Loi Waserman mandates that reporting channels guarantee confidentiality and restrict access to authorized staff (Couturier Sadgui, 2023). The OECD recommends hotlines or secure portals that allow anonymous reporting and assign unique identifiers for follow-up (OECD, 2016).

Stakeholder Engagement – The policy must identify who may act as a whistleblower and ensure inclusive engagement (AACI, 2023). French law extends protection to facilitators and third parties who assist whistleblowers (Couturier Sadgui, 2023).

Competent and Ethical Handling of Reports – Complaints should be received by impartial, competent individuals and investigated ethically (AACI, 2023). The Loi Waserman requires the appointment of an impartial contact person to follow up on reports (Couturier Sadgui, 2023).

External Reporting and Non-Retaliation – Whistleblowers should be able to report externally without fear of retaliation (AACI, 2023; Couturier Sadgui, 2023). The OECD emphasizes that external channels should be accessible when internal reporting fails or when the whistleblower fears reprisals (OECD, 2016).

Motivating Whistleblowers – The AACI encourages governments to offer financial incentives and notes the success of U.S. reward programs (AACI, 2023). The OECD (2016) observes that while some systems provide incentives to encourage reporting, confidentiality remains the most critical element of whistleblower protection.

Designing an Effective Whistleblower Programme

1. Leadership Commitment and Tone at the Top – Ethical leadership fosters speak-up cultures. The AACI notes that ethical leadership strongly influences internal whistleblowing (AACI, 2023).
2. Define Policy Scope and Reporting Channels – A clear policy should define reportable misconduct (fraud, bribery, money-laundering, harassment, health & safety violations) and specify who can report. Under French law, the definition includes violations of EU or international law and threats to the general interest (Couturier Sadgui, 2023).
3. Ensure Anonymity, Confidentiality, and Data Security – Use secure technology to protect whistleblower identity. Anonymous reports should be accepted, and information accessible only to authorized individuals. The OECD recommends assigning unique identifiers for follow-up (OECD, 2016). Feedback deadlines should be defined; French law requires acknowledging receipt within seven days and providing an update within three months (Couturier Sadgui, 2023).
4. Select Competent Recipients and Investigators – Complaints should be handled by individuals of high integrity, independence, and competence (AACI, 2023). In France, companies must appoint an impartial and competent contact person for whistleblowing (Couturier Sadgui, 2023).
5. Investigation and Case-Management Procedures – Develop written procedures for triaging, investigating, and resolving reports. Under the Loi Waserman, feedback to the whistleblower must occur within three months (Couturier Sadgui, 2023).
6. Incorporate Incentives and Motivators – While The AACI encourages financial incentives to promote ethical behavior (AACI, 2023), the OECD (2016) underscores that confidentiality, not incentives, remains the essential safeguard underpinning effective whistleblower protection.
7. Training and Awareness – Provide regular training and awareness campaigns to employees, contractors, and external stakeholders.
8. Monitor, Review, and Improve – Regularly evaluate the program’s effectiveness through metrics such as the number of reports, resolution times, and employee surveys.

---

Integrating OECD, The AACI, and French Principles

Multiple Reporting Channels and Choice – The AACI SFC 280 and OECD guidance both stress the importance of providing internal and external channels to encourage reporting (AACI, 2023; OECD, 2016). The French Loi Waserman removes the internal-first requirement and allows direct external reporting (Couturier Sadgui, 2023).

Anonymity and Confidentiality – Protecting whistleblowers’ identity is central (AACI, 2023; OECD, 2016; Couturier Sadgui, 2023).

Non-Retaliation and Legal Protection – Under the Loi Waserman, whistleblowers and facilitators are protected against reprisals (Couturier Sadgui, 2023). The AACI (2023) and OECD (2021) also emphasize anti-retaliation measures.

Clear Definitions and Transparency – Define what constitutes reportable misconduct and who qualifies as a whistleblower. The OECD (2016) highlights that clearly defining who qualifies as a whistleblower and what constitutes reportable wrongdoing is essential to ensure clarity, legal certainty, and trust in the system.

Incentives and Recognition – The OECD (2016) observes that while some systems use incentives to encourage reporting, most rely on confidentiality as the central safeguard of adequate whistleblower protection (p. 69).

---

Challenges and Solutions

Fear of Retaliation – Ensure anonymity, enforce strict non-retaliation policies, and communicate protection success stories.

Lack of Trust in Confidentiality – Invest in secure reporting systems, third-party hotlines, and encryption.

Cultural Barriers – Address through continuous ethics training, leadership example, and open dialogue.

Legal Complexity – Harmonise internal policies with the highest international anti-bribery and corruption standards and ensure regular program updates (OECD, 2021).

Practical Implementation Readiness and Oversight

To translate policy into measurable practice, organizations should regularly assess the operational readiness of their whistleblower programs. The following checklist and indicators offer a practical baseline aligned with The AACI Standard SFC 280, French requirements, and OECD guidance.

---

Whistleblower Programme Readiness Checklist (10 Key Elements)

1. The anonymous online or hotline reporting portal is live and secure.
2. Impartial case owner or ethics officer formally designated.
3. Acknowledgement of reports within seven calendar days.
4. Substantive feedback is provided to the whistleblower within three months.
5. GDPR / data-protection mapping is completed and reviewed annually.
6. Secure evidence-handling and digital case-management process in place.
7. Retaliation-reporting and escalation route documented and communicated.
8. Audit or ethics committee receives quarterly dashboard updates.
9. Quarterly anonymized statistics on reports published internally.
10. Annual training coverage for employees and contractors is≥ 90 percent.

---

Performance Metrics and KPIs

1. % of cases acknowledged within 7 days.
2. % of cases closed or updated within 90 days.
3. Mean time-to-closure for investigations.
4. % of anonymous reports maintain two-way communication.
5. % of whistleblowers receiving feedback within statutory deadlines.
6. % of staff trained on whistleblowing policy annually.
7. Board / audit-committee review frequency (quarterly or semi-annual).

---

Governance and Oversight

Responsibility for oversight should rest with the audit or ethics committee, not line management, to preserve independence. This committee should review trends, retaliation cases, and system effectiveness each quarter and report key findings to the board.

Third-Party Scope

The program’s coverage must extend to vendors, suppliers, agents, and consultants, ensuring that all contracts include explicit speak-up and non-retaliation clauses. External stakeholders should have clear access to the same reporting channels and protections.

Conclusion

Implementing an effective whistleblower program in 2025 requires integrating The AACI Standard SFC 280 with contemporary legal frameworks such as France’s Sapin II, Loi Waserman, and emerging Sapin III, as well as best practices articulated by the OECD. By aligning policies with The AACI, French, and OECD standards, organizations can detect misconduct early, reduce corruption risks, enhance governance, and build a culture of integrity.

📄 Download the full AACI White Paper (PDF)
[Download Now]

References

Bwerinofa-Petrozzello, R., 2023. ‘Preventing fraud with internal controls: A refresher’. Journal of Accountancy, 1 Aug 2023. [online] Available at: https://www.journalofaccountancy.com/issues/2023/aug/preventing-fraud-with-internal-controls-a-refresher.html [Accessed 30 Oct 2025].

Couturier Sadgui, L., 2023. ‘New French whistleblowing law: The transposition of the EU Directive’. EQS Group Blog, 22 Nov 2023. [online] Available at: https://www.integrityline.com/expertise/blog/new-french-whistleblowing-law/[Accessed 30 Oct 2025].

DLA Piper, 2022. ‘The new OECD anti-bribery recommendation: Practical implications for business’. DLA Piper Global Anti-Corruption Perspective, 23 Feb 2022. [online] Available at: https://www.dlapiper.com/en-us/insights/publications/global-anti-corruption-perspective/global-anticorruption-perspective-q1-2022/the-new-oecd-anti-bribery-recommendation [Accessed 30 Oct 2025].

Kohn, S., 2025. ‘OECD in support of whistleblower protections’. Kohn, Kohn & Colapinto Blog, 29 Oct 2025. [online] Available at: https://kkc.com/oecd-in-support-of-whistleblower-protections/ [Accessed 30 Oct 2025].

OECD, 2016. Committing to Effective Whistleblower Protection. OECD Publishing, Paris. [online] Available at: https://www.oecd.org/content/dam/oecd/en/publications/reports/2016/03/committing-to-effective-whistleblower-protection_g1g65d0a/9789264252639-en.pdf [Accessed 30 Oct 2025].

OECD, 2021. Recommendation of the Council for Further Combating Bribery of Foreign Public Officials in International Business Transactions. OECD Publishing. [online] Available at: https://www.oecd.org/daf/anti-bribery/2021-OECD-Anti-Bribery-Recommendation-Overview.pdf [Accessed 30 Oct 2025].

The American Anti-Corruption Institute (AACI), 2023. Standard on Fighting Corruption 280: Whistleblowing. [online] Available at: https://theaaci.net/Standard-on-Fighting-Corruption-280-Whistleblowing/ [Accessed 30 Oct 2025].