Whistleblower Programs

Whistleblower Programs in Bangladesh: The Best, Most Practical Guide for Companies in Bangladesh — With Dubai & London Context for Foreign Investors

By TRW Law Firm — Investigations, Compliance & Employment (Dhaka • Dubai • London)

Executive snapshot (read this first)

• Whistleblowing is a business control, not just a policy. In Bangladesh, it’s how you catch bribery, procurement collusion, payroll ghosts, bonded-warehouse diversion, harassment, and data leaks before regulators or buyers do.
• Bangladesh has a public-interest disclosure law (and sectoral expectations for banks and listed companies) plus serious criminal exposure around corruption and fraud. Treat all reports as legally sensitive and investigation-worthy.
• UAE & UK add extra layers. DIFC/ADGM in the UAE have explicit whistleblowing regimes; the UK’s PIDA framework and sectoral rules (e.g., FCA/PRA) set a high bar on anti-retaliation, confidentiality, and “qualifying disclosures.” If you operate across Dhaka–Dubai–London, build one program with local addenda.
• Design choices matter: anonymity vs. confidentiality, law-firm privilege, Bangla-first communications, WhatsApp intake, SLAs, domestic inquiries (Bangladesh), and careful cross-border data handling.
• Winning formula: easy intake + strong protection + disciplined investigations + visible remediation + board metrics. That’s what regulators, donors, lenders, buyers—and your own people—expect.

Part A — What a whistleblower program really is (and isn’t)

A whistleblower program is a system that lets employees, contractors, suppliers, distributors, and even customers report concerns safely, and ensures those concerns are investigated fairly, with protection from retaliation. It’s not a poster or inbox. It’s the junction of:

1. Governance (policy, scope, roles, independence)
2. Intake (channels that people actually trust and use)
3. Protection (anti-retaliation measures that work in practice)
4. Investigation (lawful evidence + due process)
5. Outcome (remediation, discipline, and feedback)
6. Reporting (board dashboards and continuous improvement)

In Bangladesh, this system must “speak” Bangla and work on WhatsApp (or SMS/USSD) for hourly and field staff. In Dubai and London, it must slot into free-zone or UK statutory frameworks and satisfy sectoral regulators (banking, financial services, telecom).

Part B — Legal and regulatory context you must internalize

We’ll stay practical and high-level. Specifics evolve by circular or amendment; use this as your operating blueprint and confirm numbers and forms when you implement.

Bangladesh (core points)

• Public-interest whistleblowing exists. A dedicated statute enables disclosure of public-interest information and aims to protect the discloser from victimization. In practice, your corporate policy should mirror that logic: good-faith reporting → protection from adverse action.
• Corporate governance for listed companies expects an ethical conduct and reporting mechanism under the audit committee’s oversight, with channels to report concerns, confidentiality, and fair treatment.
• Banking & financial services: Bangladesh Bank guidance expects banks and NBFIs to maintain whistleblowing policies, fraud-risk controls, and escalation mechanisms; many approvals (e.g., digital banking) scrutinize complaint/reporting channels.
• Labour realities: Disciplinary action against employees requires due process (show-cause, domestic inquiry, reasoned order). If a reporter is punished without process, expect litigation and reinstatement risk.
• Criminal law exposure: Bribery, gratification, forgery, false accounting, and money laundering are crimes. Reports touching these issues must be triaged with legal privilege and evidence preservation from hour one.
• Harassment cases: Binding court guidelines require a Complaint Committee (woman-chaired, with external member) for sexual-harassment matters—your whistleblowing SOP must integrate with that process.
• Data & cyber: A comprehensive privacy regime is imminent; today’s cyber and sector rules still expect log retention, incident response, and lawful handling of personal data in your case files.

UAE (Dubai and the federal context)

• DIFC/ADGM (the two financial free zones) have explicit whistleblowing regimes: protected disclosures to specified persons; requirements for regulated firms (e.g., DFSA/FSRA) to maintain effective arrangements; anti-retaliation expectations; and confidentiality.
• Mainland UAE does not yet have a single, sweeping whistleblowing statute, but sectoral and corporate-governance rules push firms—especially in financial services—to implement speak-up frameworks, protect reporters, and escalate to regulators where appropriate.
• Defamation and cyber-crime laws: External/public allegations can create legal risk if false or malicious. A strong internal program is not optional; it’s protective.

United Kingdom (London)

• PIDA (Public Interest Disclosure Act): robust protection for workers making qualifying disclosures about wrongdoing (criminal offenses, health/safety dangers, environmental damage, etc.), to employers or prescribed persons (regulators).
• Sector rules (FCA/PRA): regulated firms must have independent channels, named champions, internal training, and reporting. Non-retaliation is actively policed.
• NDAs cannot gag whistleblowers on protected disclosures. Culture and outcomes really matter in the UK: boards are expected to see metrics and act.

Takeaway: For Dhaka–Dubai–London operations, adopt a single global standard that meets the highest bar (often UK free-to-speak principles), then add Bangladesh and UAE annexes addressing local procedures, labour due-process, free-zone specifics, and defamation/data-handling cautions.

Part C — What should be “in scope” (and what should not)

Include (always): bribery/kickbacks, procurement collusion and bid rigging, fraud/asset misappropriation, financial reporting manipulation, AML/sanctions breaches, customs/bonded-warehouse abuses, health & safety violations, sexual harassment and bullying, data-privacy violations, cyber incidents, environmental harms, competition/antitrust concerns, human-rights/child-labour risks, and serious policy breaches.

Route specially:

• Sexual harassment → to the Complaint Committee process (Bangladesh) with privacy and survivor-safety guardrails.
• Immediate danger (fire/structural/violence) → emergency response first, investigations later.
• Labour grievances (pay errors, leave, overtime disputes) → HR grievance route, but keep the door open if retaliation emerges.
• Customer complaints → service desk, unless they allege bribery/fraud/harassment—then treat as whistleblowing.

Part D — Program architecture that actually works in Bangladesh (and scales to Dubai & London)

1) Governance & independence

• Board/Audit Committee oversight with a named Whistleblowing Officer (WBO) or “Speak-Up Officer.” The WBO should report functionally to Legal/Compliance, not to line management.
• Investigation Charter approved by the board: authority to preserve data, interview staff, access premises, and engage external counsel/forensics.
• Conflicts wall: anyone named in a report (or their chain of command) is walled off from triage, decisioning, and investigation.

2) Policy suite (Bangla + English; Arabic where relevant)

• Whistleblowing Policy (plain language): scope, examples, channels, anonymity vs. confidentiality, how investigations work, anti-retaliation, and feedback timelines.
• Anti-Retaliation Standard: clear list of prohibited behaviours (termination, demotion, shift changes, roster punishment, denial of leave, exclusion, harassment), interim protection measures, and sanctions for violators.
• Investigation SOP: intake → triage → legal hold → plan → evidence → interviews → analysis → outcome → remediation → closure letters → board reporting.
• Data Handling SOP: who sees what; personal-data minimization; cross-border transfer rules; retention and secure archiving.

3) Intake channels (make them real)

• 24×7 web form (mobile-first), email, hotline, and WhatsApp number. Place a QR code on posters, payslips, ID card backs, and canteen boards.
• Third-party/outsourced option for higher trust (especially helpful in Bangladesh for factory/field conditions).
• Physical drop-boxes in plants (with daily dual-control collection).
• Anonymous option: allowed, but encourage confidential named reports by explaining protections and how identity is shielded from local management.
• Language: Bangla and English in Bangladesh; Arabic and English in Dubai; English (plus relevant community languages) in London.

4) SLAs & communications

• Acknowledge within 48 hours (or next business day) if contact details exist.
• Triage decision within 5–7 days: open, route, or close (with reason).
• Status updates at least every 30 days until closure (even if just “in progress”).
• Closure letters explaining outcome without disclosing confidential personnel info.

Part E — Anti-retaliation that people believe

• Immediate shield: once a report is opened, HR and line management receive a hold notice prohibiting changes to the reporter’s role, pay, shift, or benefits without WBO approval.
• Safety assessment: for harassment or intimidation risk, consider shift swaps, re-assignment, or no-contact orders (without penalizing the reporter).
• Confidentiality: limit identity knowledge to the small core team; use code names in project trackers.
• Monitoring: for 6–12 months post-closure, HR runs a retaliation check—performance ratings, overtime approvals, transfers, and leave decisions are reviewed.
• Discipline: retaliation is a stand-alone misconduct with serious penalties up to dismissal.

UAE twist: Balance whistleblower protection with defamation/cyber exposure—encourage internal disclosure first and keep identity tightly controlled. Free zones (DIFC/ADGM) set explicit anti-retaliation expectations—mirror them group-wide.

UK twist: Train managers on PIDA concepts: do not dismiss, demote, or treat detrimentally a worker for a protected disclosure. Review NDAs to ensure they expressly preserve protected disclosures.

Part F — Triage and scoping (first 72 hours done right)

1. Risk sort: life/safety risk, criminal exposure, regulator notice triggers, data breach involving personal data, senior-management implication, public-interest sensitivity.
2. Legal hold: send Bangla + English hold to named custodians; suspend auto-deletion for email, chats, drives, WhatsApp exports (where lawful), logs, CCTV, access control, ERP.
3. Team & conflicts: assign a case lead; check conflicts; if senior leadership is implicated, escalate to board/audit chair and external counsel.
4. Plan: write a scoping memo—allegations, issues, elements to prove, custodians, systems, third-parties, initial hypotheses, and timeline.

Part G — Evidence and investigations (Bangladesh-fit, UAE/UK-compliant)

1) Digital evidence you will actually use

• Messaging: WhatsApp/IMO/Messenger are primary in Bangladesh. Use targeted exports with consent/policy; forensically image devices when proportionate and lawful.
• Email & cloud: preserve mailboxes and shared drives (Google/Microsoft), including admin logs.
• Operational systems: ERPs, attendance/biometrics, access control, CCTV DVRs (short retention!), POS, RFID, GPS, bonded-warehouse logs.
• Financial: bank statements, mobile-money (MFS) ledgers, LC files, invoices/packing lists/B/L, customs declarations, VAT returns.
• Telecom (for operators/ISPs): CDRs, interconnect logs, CLI integrity, spam/A2P records.

2) Collection standards

• Document chain of custody; hash images; use evidence bags and seals.
• Keyword strategy: English, Bangla Unicode, and phonetic English for common terms (chai-pani, commission, manage, adjust).
• Minimization: keep collections tight; segregate personal data; redact where feasible.

3) Interviews

• Offer Bangla or English; trained interpreters; no manager present for junior staff.
• Start with witnesses → then subjects; show documents; ask time-anchored questions.
• Keep contemporaneous notes; for critical sessions, audio record only with consent or use two-investigator notes.

4) Analysis frameworks that save time

• AP/GL forensics: duplicate invoices, weekend postings, round sums, split POs beneath approval limits, Benford checks.
• Trade tests: HS code and price vs. market benchmarks; LC amendment patterns; third-country routing; inventory reconciliation.
• Network links: shared phones/addresses among vendors and employees; bKash/Nagad wallet clusters; distributor hub-and-spoke patterns.

5) Due process and outcomes

• Bangladesh: for employees, follow domestic inquiry steps before dismissal—show-cause, inquiry, reasoned order.
• UAE: observe free-zone rules for regulated entities; maintain strict confidentiality; verify visa/employment consequences with HR.
• UK: ensure fairness and reasonableness; keep records anticipating tribunal scrutiny; preserve protected disclosure status.

Part H — Integration with harassment and dignity-at-work processes

• Complaint Committee (Bangladesh): whistleblowing intake routes sexual-harassment matters to the Committee. Maintain victim-centric safeguards, privacy, and time-bound investigations.
• Training: supervisors and committee members need specialized training; keep case logs and closure actions.
• Overlap: where harassment involves bribery or procurement coercion, run a joint plan: safety first, then financial and conduct aspects.

Part I — AML, sanctions, and financial-crime disclosures

• If reports suggest money laundering or sanctions violations, escalate to Legal/Compliance immediately.
• For regulated entities (banks, NBFIs, PSPs), trigger internal AML escalation; assess whether to file suspicious reports under financial-intelligence rules.
• For non-regulated corporates, still treat findings like criminal exposure; tighten controls; consider law-enforcement engagement through counsel.

Part J — Competition/antitrust and trade disclosures

• Bangladesh: watch for hub-and-spoke information flows via shared distributors or trade associations.
• UAE/UK: sector regulators (and UK CMA) take collusion seriously; first-in leniency can matter. Your policy should encourage prompt internal reporting and counsel review for leniency strategies.

Part K — Data protection and cross-border handling

• Bangladesh: treat case files as sensitive personal data; restrict access; prepare for a modern privacy regime.
• Dubai (UAE): free zones have privacy regimes; mainland has sectoral expectations. Be careful with external disclosures.
• London (UK): personal data in case files must meet UK data-protection standards; redact and minimize exports.
• General rule: keep investigations on-shore where possible; if you must export, use secure transfer, need-to-know, and anonymization/pseudonymization where feasible.

Part L — Foreign companies in Bangladesh: the 24 big cautions

1. No “facilitation” payments—they’re bribes.
2. Use a third-party hotline to boost trust among factories/field staff.
3. Bangla-first everything (policy, posters, auto-replies, closure letters).
4. WhatsApp intake increases usage; just handle data lawfully and proportionately.
5. Protect identities—share on a need-to-know basis; use code names.
6. Domestic inquiries before dismissal; shortcuts lose in court.
7. Complaint Committee for harassment is non-negotiable.
8. Labor contractors: ensure they have their own speak-up route—or include their workers in yours.
9. Customs/C\&F brokers: high-risk third parties; encourage reports from them and about them; build non-retaliation into contracts.
10. Bonded-warehouse controls: invite anonymous tips; audit diversions rigorously.
11. MFS wallets: kickbacks often flow via mobile money—add these traces to your analytics.
12. Defamation risk (UAE): encourage internal reports first; handle reputational matters with counsel.
13. PIDA awareness (UK): managers must understand protected disclosures.
14. Subsidized “rewards”: if you pilot small recognition for high-value tips, do so privately and carefully (UK competition enforcers sometimes publicize informant rewards; Bangladesh corporates should avoid market-wide bounties that could encourage frivolous claims).
15. Supplier speak-up: QR codes on POs and contracts; enable non-employee reporting.
16. Data minimization: don’t mirror whole phones if message exports will do.
17. Metric discipline: track retaliation audits and time to closure—buyers ask for these.
18. Union engagement: reassure worker reps that whistleblowing isn’t anti-union; share aggregate stats.
19. Dawn-raid readiness: whistleblowing can lead to raids—train reception/security.
20. Privilege: route high-risk matters through counsel; mark communications appropriately.
21. Document hygiene: avoid loose chat comments (“we all know they pay chai-pani”)—these sink defenses.
22. Public-interest reports: some disclosures may properly go to authorities—help employees do this safely and lawfully.
23. Contract clauses: add anti-retaliation, audit rights, and speak-up requirements to distributor/agent contracts.
24. Close the loop: send closure letters; publish anonymized case studies—people need to see the system working.

Part M — Technology & process design that staff will actually use

• Case-management platform with role-based access, audit logs, and time-stamped actions.
• Multi-channel intake (web, email, hotline, WhatsApp, SMS, drop-box).
• Language detection and auto-translation for first pass; always human-review.
• Auto-acknowledgments that promise protection and timelines.
• Investigation workspace with legal holds, evidence tagging, and document review.
• Analytics plug-ins for AP/GL, payroll, procurement, and mobile-money patterns.
• Retention & deletion automation per policy.
• Board dashboard built-in (see Part S).

Part N — Training and culture

• All-hands, 20-minute primer (Bangla/English/Arabic) on what to report, how, and protection guarantees.
• Supervisor modules on how not to retaliate; how to preserve evidence; what to say when approached.
• Investigator school: interviewing skills, digital evidence, documentation, bias awareness.
• Harassment training for Complaint Committee.
• Micro-nudges: poster refreshes, payslip reminders, lanyard QR codes, short WhatsApp gifs.
• Leadership messages: quarterly notes from the CEO underscoring zero tolerance for retaliation and celebrating resolved cases (anonymized).

Part O — 30/60/90-day rollout for first-time implementers

Days 1–30 — Stabilize

• Appoint Whistleblowing Officer and approve Investigation Charter.
• Publish plain-language policy (Bangla/English; Arabic for Dubai teams).
• Stand up intake channels (web, WhatsApp, hotline, email, boxes); test anonymously.
• Draft Anti-Retaliation Standard; push a CEO note: “Report. We’ll protect you.”
• Select external partners (hotline provider, forensics, translators).
• Create legal hold templates and chain-of-custody forms.

Days 31–60 — Institutionalize

• Train managers and investigators; run a tabletop investigation.
• Integrate harassment Complaint Committee process.
• Add speak-up clauses to supplier and contractor agreements.
• Turn on analytics for AP/GL, procurement, payroll.
• Launch Board dashboard v1 (intake volume, categories, SLA compliance).

Days 61–90 — Assure

• Complete two investigations end-to-end; issue closure letters; publish an anonymized case study.
• Run a retaliation audit on the first batch of reporters.
• Adjust SLAs and resources; conduct a poster/QR campaign at plants and depots.
• Present quarterly results to the board; lock the FY improvement plan.

Part P — Twelve-month maturity roadmap (what “great” looks like)

1. Hotline awareness >80% and trust >70% (surveyed).
2. Time to triage <7 days; median case closure <45 days (varies by complexity).
3. Anonymous share initially high, trending toward more named reports as trust grows.
4. Retaliation cases: zero—and staff believe it (prove with audits).
5. Cross-border discipline: UK and UAE teams say the process “works here too.”
6. Supplier/contractor reports make up 10–25% of intake (that’s healthy).
7. Control fixes shipped on the back of cases (procurement, bonded-warehouse, payroll, IT).
8. Board asks smart questions—and gets crisp answers grounded in data.

Part Q — Templates you can copy (short-form)

1) Whistleblowing Policy (one-page version)

• Purpose: enable safe reporting of wrongdoing (list examples).
• Who can report: employees, ex-employees, contractors, suppliers, customers.
• Channels: web/QR, WhatsApp, hotline, email, drop-box (list).
• Anonymous or named: both allowed; confidentiality assured.
• Process: acknowledge in 48 hours; triage in 7 days; updates every 30; fair investigation; outcome and remediation.
• Protection: zero tolerance for retaliation; interim safety measures; discipline for retaliators.
• Privacy: data minimization; secure handling; limited access; retention rules.
• No gagging: nothing in this policy restricts lawful disclosures to authorities.
• Contacts: WBO name/number/email; external hotline provider.

2) Anti-Retaliation Pledge (wallet card)

Retaliation is misconduct. No demotions, pay cuts, roster punishments, shift changes, harassment, or exclusion due to reporting or cooperating. Breach = discipline up to dismissal.

3) Intake Form (web/WhatsApp)

• What happened? When and where? Who was involved?
• Urgency (safety/criminal risk)?
• Evidence exists (docs, chats, photos, CCTV, logs)?
• Reporter contact (optional, confidential).
• Language preference.
• “I understand my report will be handled confidentially and that retaliation is prohibited.”

4) Legal Hold (Bangla + English)

• Matter name, dates, systems, custodians, do-not-delete instructions, FAQ, contact, acknowledgment link.

5) Investigation Plan (skeleton)

• Allegations & elements; custodians; systems; search terms (Bangla/English/phonetic); evidence tasks; interview list; timeline; risk log; communications plan.

6) Closure Letter (to reporter)

• Thank you; summary of steps (without naming disciplined persons); whether substantiated; high-level remediation; next steps; reiteration of anti-retaliation and contact for any concerns.

Part R — Special scenarios & playbooks

1) Procurement/Kickbacks

• Indicators: split POs under limits; new vendors days before award; shared phone/email DNA with staff; vague “marketing” invoices.
• Actions: freeze payments; legal hold; vendor KYC (TIN/BIN, UBO); three-way match; interview evaluation committee; remediate with pre-qualification and conflict declarations.

2) Bonded-Warehouse Diversion

• Indicators: yield anomalies; scrap volumes surge; night dispatches.
• Actions: reconcile BoE/GRN/dispatch; weighbridge logs; GPS routes; CCTV; tighten scrap tenders and route seals.

3) Payroll Ghosts

• Indicators: shared phones/bank accounts; no photos; overtime clusters under one supervisor.
• Actions: HRIS ↔ bank/mobile-wallet reconciliation; physical headcount checks; liveness on biometrics; policy and roster fixes.

4) Harassment

• Use the Complaint Committee route; protect complainant; no forced mediation; time-bound outcomes; training.

5) Cyber/Data

• Contain; image devices; rotate credentials; examine logs; classify incident; notify as per policy; remediate with MFA, PAM, DLP.

Part S — Board dashboard (quarterly)

• Volume: reports by source (employees, suppliers, customers), by site, by category.
• Speed: acknowledgment SLA, median days to triage/close.
• Outcomes: substantiation rate; financial recovery; control fixes shipped; repeat-finding rate.
• Protection: retaliation audits; zero-case confirmation; any allegations of retaliation and outcomes.
• Culture: awareness survey scores; anonymous vs. named trend; training completion rates.
• Cross-border: UK/UAE specific metrics; regulator interactions (if any).
• Serious matters: high-risk cases, escalations to authorities (count, not details), lessons learned.

Part T — Frequently asked questions (fast, practical answers)

Q: Should we allow anonymous reports in Bangladesh?
Yes. Provide both anonymous and confidential named channels. Anonymous options increase intake early; as trust builds, more reporters will identify themselves.

Q: Can we review WhatsApp chats on personal phones?
Only where lawful and proportionate, and consistent with BYOD or consent frameworks. Prefer targeted exports and minimize collection.

Q: Do we have to tell authorities immediately about bribery allegations?
Not automatically. Assess credibility and evidence with counsel. Where credible and material, design an engagement plan with authorities. Never obstruct.

Q: How do we stop false or malicious reports?
State clearly that bad-faith reporting is misconduct. But do not weaponize this—most reports mix facts and misunderstandings. Investigate proportionately.

Q: Can NDAs stop someone from going to a regulator (UK)?
No. Protected disclosures are preserved. Make this explicit in NDAs and handbooks.

Q: Will people use the hotline?
Only if it’s visible, Bangla-first, multi-channel, and seen to work (closure letters, anonymized case studies, and visible fixes).

Q: What about defamation risk in the UAE?
Encourage internal reporting; keep strict confidentiality; investigate promptly; escalate externally through counsel as needed.

Q: Can suppliers use our program?
They should. Encourage supplier and contractor reports; add non-retaliation obligations to contracts.

Part U — How TRW makes this painless (and effective)

• Program build: policies, SOPs, anti-retaliation standard, bilingual templates, third-party hotline selection, poster/QR assets.
• Training: all-hands, manager, investigator, and Complaint Committee modules (Bangla/English/Arabic).
• Case management: selection and configuration of platforms; lawful data handling in Bangladesh/UAE/UK.
• Analytics: AP/GL and trade-based red-flag libraries; mobile-money and procurement patterning.
• Investigations: rapid legal holds, digital forensics (devices, chats, cloud, ERP), interviews, documentation, and outcome memos fit for regulator or court.
• Remediation: control fixes, supplier contract re-papering, culture campaigns, and quarterly board dashboards.
• Cross-border alignment: one global standard with Bangladesh and UAE/UK addenda so you clear audits in Dhaka, Dubai, and London without rewriting the book every time.

Contact TRW Law Firm
Phones: +8801708000660 · +8801847220062 · +8801708080817
Emails: info@trfirm.com · info@trwbd.com · info@tahmidur.com
Offices: Dhaka — House 410, Road 29, Mohakhali DOHS • Dubai — Rolex Building, L-12 Sheikh Zayed Road

Final word

A credible whistleblower program in Bangladesh isn’t a formality—it’s your early-warning radar for bribery, safety failures, harassment, payroll fraud, bonded-warehouse diversions, and cyber risk. If you operate across Dhaka, Dubai, and London, build to the highest common denominator (UK-style protection, UAE free-zone discipline), then tune for Bangladesh realities: Bangla-first communications, WhatsApp-friendly intake, domestic-inquiry due process, and genuine anti-retaliation. Do that, and your program will not just “comply”—it will protect people, margins, and your license to operate.