Whistleblowing Policy (Singapore)

A Whistleblowing Policy in Singapore documents the organisation's approach and the obligations placed on those it covers.

Singapore does not have a standalone whistleblower protection statute comparable to the United Kingdom's Public Interest Disclosure Act 1998 or the United States' Sarbanes-Oxley Act. Protection for whistleblowers in Singapore arises from a patchwork of statutory provisions, contractual obligations, and common law principles. The Prevention of Corruption Act (Cap. 241) protects informants who report corruption to the Corrupt Practices Investigation Bureau (CPIB). The Penal Code 1871 criminalises retaliation against witnesses and persons who report offences. The Securities and Futures Act 2001 (Cap. 289) contains protections for individuals who report securities violations to MAS.

The Accounting and Corporate Regulatory Authority (ACRA) expects companies to maintain proper internal controls, and a whistleblowing policy forms part of the internal control environment audited under the Singapore Standards on Auditing. The Singapore Exchange Listing Rules (SGX-ST Rules) require listed companies to disclose in their annual reports whether they have a whistleblowing policy, the procedures for reporting, and how the board oversees whistleblowing complaints.

A Whistleblowing Policy differs from a grievance procedure. Grievance procedures address individual employment disputes — salary disagreements, leave entitlements, interpersonal conflicts — whereas whistleblowing concerns relate to broader organisational misconduct that may affect public interest, shareholder value, or regulatory compliance. Whistleblowing complaints are typically investigated by the audit committee, internal audit function, or an independent investigator, rather than the HR department.

The Personal Data Protection Act 2012 (PDPA) applies to the collection and processing of personal data in whistleblowing reports. The PDPC has issued guidance confirming that organisations may collect and use personal data in whistleblowing reports without the consent of the individuals concerned, provided the collection and use are necessary for investigative purposes under Section 17 of the PDPA (the exception for investigations). Under Singapore law, the common-law requirements for a valid contract — offer, acceptance, consideration, and intention to create legal relations — and Section 8 of the Employment Act 1968 (Cap. 91) govern the core requirements for this type of document.

A Whistleblowing Policy is needed in Singapore whenever an organisation seeks to promote a culture of integrity and provide a safe reporting mechanism for misconduct.

When a company is listed on the Singapore Exchange (SGX), the Code of Corporate Governance 2018 issued by MAS and the SGX-ST Listing Rules require the board of directors to establish and disclose a whistleblowing policy. The audit committee is responsible for overseeing the policy and reviewing all whistleblowing complaints. Failure to maintain a whistleblowing policy may result in regulatory queries from SGX RegCo.

When a financial institution regulated by the Monetary Authority of Singapore (MAS) — including banks, insurers, fund managers, and payment service providers — implements internal governance frameworks, MAS Guidelines on Corporate Governance (revised 2021) and MAS Notice on Internal Controls require a whistleblowing mechanism. MAS Notices 610 (banks) and 321 (insurers) reinforce the expectation that regulated entities maintain channels for reporting misconduct.

When a company operates in an industry with heightened corruption or fraud risk — construction, procurement, government contracting, or commodity trading — a Whistleblowing Policy provides a structured alternative to ad hoc reporting. The Corrupt Practices Investigation Bureau (CPIB) encourages organisations to adopt internal reporting channels as a first line of defence against corruption.

When an organisation prepares for an external audit under the Singapore Standards on Auditing, auditors assess whether the entity has established appropriate channels for employees to report concerns about fraud, financial misstatement, or non-compliance with laws. The absence of a whistleblowing policy may be flagged as a deficiency in internal controls.

When a multinational corporation headquartered in a jurisdiction with mandatory whistleblowing requirements (e.g., the EU Whistleblower Protection Directive, the US Dodd-Frank Act) establishes operations in Singapore, the Singapore subsidiary should adopt a localised Whistleblowing Policy that complies with both the parent company's global standards and Singapore law, including the PDPA 2012. Under Singapore law, the common-law requirements for a valid contract — offer, acceptance, consideration, and intention to create legal relations — and Section 169 of the Companies Act 1967 (Cap. 50) govern the core requirements for this type of document.

A well-drafted Singapore Whistleblowing Policy should contain the following elements to comply with regulatory expectations and protect both the organisation and the whistleblower.

Policy Purpose and Scope: A clear statement of the policy's objective — to provide a safe and confidential channel for reporting suspected misconduct — and the categories of reportable conduct covered, including fraud, bribery, corruption, financial misstatement, regulatory non-compliance, safety violations, and environmental breaches. The policy should specify who is covered: employees, directors, contractors, suppliers, and other parties.

Reportable Conduct: A detailed list of the types of misconduct that should be reported through the whistleblowing channel, distinguishing whistleblowing reports from personal grievances. Reportable conduct typically includes violations of the Prevention of Corruption Act (Cap. 241), the Penal Code 1871, the Securities and Futures Act 2001 (Cap. 289), the Workplace Safety and Health Act 2006 (WSHA), the Environmental Protection and Management Act (Cap. 94A), and the company's own code of conduct.

Reporting Channels: The methods by which reports can be made — dedicated email address, hotline, online portal, or written submission to a designated officer. The policy should identify the person or body responsible for receiving reports (typically the chairman of the audit committee, the chief compliance officer, or an independent third-party provider). Multiple channels increase accessibility and encourage reporting.

Confidentiality: An assurance that the identity of the whistleblower will be kept confidential to the extent permitted by law. The policy should acknowledge that confidentiality may be limited if disclosure is required by law, court order, or regulatory investigation. The PDPA 2012 permits the collection and use of personal data for investigative purposes under Section 17.

Whistleblower Protection: An express commitment that the organisation will not tolerate retaliation against any person who makes a report in good faith. Retaliation includes dismissal, demotion, salary reduction, transfer, harassment, or any adverse employment action. The policy should state the consequences for any person found to have retaliated against a whistleblower.

Investigation Process: The procedure for investigating whistleblowing reports, including the appointment of investigators, the timeline for commencing and completing investigations, the standard of proof applied, and the reporting of investigation outcomes to the audit committee or board of directors. The investigation process must comply with principles of natural justice — the accused person must be informed of the allegations and given an opportunity to respond.

Oversight and Governance: The role of the audit committee (for listed companies) or the board of directors in overseeing the whistleblowing framework, reviewing investigation reports, and reporting statistics on whistleblowing complaints in the company's annual report. SGX-listed companies must comply with the disclosure requirements under the Code of Corporate Governance 2018.

PDPA Compliance: A statement that the collection, use, and disclosure of personal data in connection with whistleblowing reports will comply with the Personal Data Protection Act 2012, including the investigative purpose exception under Section 17. Organisations using forms-legal.com can customise the PDPA clause to reflect their data protection practices.

Governing Law: A statement that the policy is governed by the laws of Singapore, including the Companies Act 1967 (Cap. 50), the Prevention of Corruption Act (Cap. 241), and the PDPA 2012. Under Singapore law, the common-law requirements for a valid contract — offer, acceptance, consideration, and intention to create legal relations — and Section 8 of the Employment Act 1968 (Cap. 91) govern the core requirements for this type of document.