Whistleblowing wakeup call

The revelations at Singapore Post (SingPost) reported in recent months underscores the key role of whistleblowers in exposing corporate misconduct. While the company has taken serious action in response, it puts a spotlight on the need for more comprehensive whistleblowing legislation across the region. More than anything the SingPost exposure highlights the dearth and significant action on whistleblowing reports. Are other corporate executives in Asia all on the straight and narrow or do companies need to beef up their whistleblowing processes?

On 21 December 2024, SingPost, a leading postal and logistics provider in Singapore with a market capitalization of approximately S$1.26 billion (US$930 million) and a significant 63% float held by investors (as of November 2024), dismissed Group CEO Vincent Phang, Group CFO Vincent Yik, and International Business Unit CEO Li Yu after an internal investigation as well as external advisors found they had mishandled whistleblower reports. The investigation determined that the three made misrepresentation concerning the whistleblower’s allegations to the Audit Committee.

SingPost disclosed that it received in early 2024 whistleblower reports which alleged that employees in its international business unit manipulated parcel status codes to falsely mark undelivered parcels as "delivery failures" to avoid penalties tied to a specific customer contract. Subsequently, the company’s two-phase internal investigation found the allegations to be valid. The first phase initially conducted by Group Internal Audit (GIA) (and later with external legal counsel and a forensics service provider), established deliberate data falsification. Three employees directly involved were dismissed, and a police report was filed. Preventative measures were also introduced to avoid future misconduct. The second phase, carried investigations into the whistleblowing reports. Phang, Yik and Li were found to have made serious misrepresentations to the Audit Committee over three occasions between March and April 2024 concerning the whistleblower’s allegations, which undermined the work of the GIA.

Following the board’s decision to dismiss them, the three executives announced that they would contest their sacking, arguing that they were unaware of the full investigation findings when interviewed by the Audit Committee. The Securities Investors Association (Singapore) (SIAS) chimed in and called for an independent review over the three executives’ dismissals, questioning the Internal Audit department’s objectivity and expertise; it also raised the issue of whether the executives had sufficient knowledge of the investigation outcome when speaking with the Audit Committee.

Singapore has not had many major whistleblowing incidents, but some have been quite high profile. The last major corporate whistleblower case in the island republic was five years back involving Wirecard, where a Singapore-based employee exposed fraudulent transactions in its Asia-Pacific operations and alerted the media after facing internal resistance, triggering investigations by the Monetary Authority of Singapore (MAS) and the police. Wirecard eventually collapsed after €1.9 billion in company funds were found to be nonexistent. In that case the whistleblower faced harassment, surveillance and threats, forcing him to resign and relocate (although he is now back in Singapore). Earlier, there was another significant whistleblowing case involving the Noble Group in 2015 that led to its collapse; the whistleblower was similarly harassed and feared for his safety.

These earlier cases highlight natural concerns about whistleblower protections that might stymie legitimate reports. Other markets have not had whistleblowing incidents as high profile even though there is no lack of significant corporate malfeasance in the region. If so few cases are reported, it may indicate that whistleblowing mechanisms in many parts of the region are not functioning effectively.

Singapore’s whistleblowing approach

Singapore, to its credit, has had whistleblowers coming forward and has various reporting mechanisms across government agencies. For instance, the Inland Revenue Authority of Singapore (IRAS) handles tax evasion reports, while the Economic Development Board (EDB), Singapore Exchange (SGX) and the Accounting and Corporate Regulatory Authority (ACRA) oversee sector-specific complaints. Some level of legal protection for whistleblowers is embedded in various laws: individuals can report suspected corrupt activities to the Corrupt Practices Investigation Bureau (CPIB), with limited protection for identity confidentiality under the Prevention of Corruption Act (PCA). Employees who report workplace safety hazards or breaches are protected under the Workplace Safety and Health Act. But beyond the patchwork of sectoral regulations and statutes, Singapore is no different from other Asian jurisdictions including Hong Kong, China, the Philippines, Indonesia and Thailand that do not have comprehensive whistleblowing legislation covering corporate crime, corruption and fraud.

SGX has made efforts in recent years to strengthen whistleblowing mechanisms of listed issuers. In 2019, the exchange established a whistleblowing office although its scope then was limited to breaches of listing, trading and clearing rules, as well as market manipulation. Since 2022, SGX has mandated that listed companies maintain a whistleblowing policy. Under the Listing Rules, companies must appoint an independent function to handle reports, ensure confidentiality, protect whistleblowers from retaliation and assign oversight to the Audit Committee.

Despite regulatory requirements, the quality of whistleblowing policies among SGX-listed companies remains patchy. At ACGA’s 23rd Annual Conference last November, Professor Yuen Teen Mak, Director of the Centre for Investor Protection at NUS Business School, shared preliminary findings from an ongoing study on whistleblowing policies among 536 Singaporean listed issuers (the full report is due to be released by the end of the month).

The preliminary findings revealed that only 55% of companies disclosed their whistleblowing policy on their website, while just 56% confirmed that all complaints received were reviewed. 43% of the companies failed to disclose whether they accepted anonymous complaints and 6% explicitly stated that they did not. Only nine out of 218 companies surveyed engaged an external whistleblowing hotline or service provider - possibly taking comfort that SGX RegCo now offers a whistleblowing office for reporting concerns about listed companies.

An analysis in Professor Mak’s study of data for 2023/24 highlighted some transparency gaps. While 57% of companies reported received no whistleblowing complaints, 38% did not disclose the number of complaints received. For over half of the companies examined with no reported cases, it is unclear whether this reflects a lack of misconduct or ineffective whistleblowing mechanisms.

SingPost’s whistleblowing policy complies with SGX rules. Yet its confidentiality provisions, with terms like "need to know", could be viewed as ambiguous. The policy also lacks explicit anti-retaliation protection and does not confirm receipt of reports, which may discourage complaints. Additionally, reports are routed through Group Internal Audit with no direct reporting option to the Audit Committee Chair and no external whistleblowing avenue.

SingPost is not an outlier in this regard. ACGA’s review of 15 of the largest SGX-listed companies by market capitalization found that most have only generic whistleblower policies. These policies typically assign oversight to the Audit Committee, with reports directed to the Head of Internal Audit or, in some cases, the Audit Committee Chair, while in most cases offering assurances of confidentiality. Six of the fifteen companies we examined state that their whistleblowing programmes are managed by a third-party service provider, indicating some level of external oversight. However, none explicitly outlined exact protections against retaliation, which may contribute to the limited number of whistleblowing complaints.

The SingPost whistleblowing case stands out for a whistleblower willing to come forward and action taken on a complaint. One is hard pressed to find many such cases across the region. Given the significant risk to their financials, trust of customers and general reputation, it is incumbent on corporate boards to examine if their whistleblowing mechanisms are effective and that serious reports are being escalated for their attention. Often, the offences are committed or involved at the very top levels of management; yet in many cases they oversee and can undermine the whistleblowing process. Regulators thus need to ensure not just that there are whistleblowing mechanisms but that effective oversight of the process is treated as a key board responsibility.

Some advances in legislation

In recent years, several markets in the region have taken steps to strengthen legal protection for corporate whistleblowers. In Japan, the 2022 amendments to the Whistleblower Protection Act strengthened safeguards against dismissal for those reporting to authorities and expanded the definition of whistleblowers to include former employees who had left within 12 months. In Korea, the 2020 amendments to the Public Interest Whistleblower Protection Act expanded protections by increasing the number of statutes covered from 284 to 468, significantly expanding the range of illegal activities that could be reported and for whistleblower protections to apply to more cases. Last year, the law was amended again to remove the ceiling on government compensation for public whistleblowers. Korea also introduced an enforcement provision requiring companies to comply with the Anti-corruption and Civil Rights Commission’s (ACRC) requests to take disciplinary action against anyone who breaches the confidentiality of whistleblowers or retaliates against whistleblowers in the private sector.

In Australia, whistleblowing protections were consolidated under the Corporations Act 2001 in 2019, extending safeguards to employees, officers, contractors, associates, and their relatives. The law covers companies, financial institutions, and certain non-profits, protecting whistleblowers from retaliation when reporting misconduct internally, to regulators or, in some cases, to journalists. Retaliation is a criminal offense, with penalties including imprisonment and heavy fines. Breaches of confidentiality can also lead to fines or jail terms, and whistleblowers can seek compensation for damages. In March 2023, the Australian Securities and Investments Commission (ASIC) issued guidance on best practices for whistleblowing policies, setting the expectations on corporates.

Last December, Taiwan's legislature passed the Whistleblower Protection Act, its first dedicated law to safeguard whistleblowers in the public sector, prohibiting retaliation and providing legal protections. The law was promulgated in January and will take effect by July 2025, although with a potential review for extension to the private sector three years after enactment.

While Singapore has demonstrated that whistleblowing reports can lead to action, the absence of a standalone, universal whistleblowing legislation leaves gaps in protection and enforcement. To strengthen accountability and encourage whistleblowers to come forward, Singapore should consider legislative efforts to establish a comprehensive whistleblowing framework. A dedicated law covering corporate crime, corruption and fraud would provide clearer protection, ensure consistent handling of reports across sectors and position the market as a leader on such frameworks. The region needs higher standards and more effective mechanisms for whistleblowing to be functional and a credible check on wayward executives.