Whistleblower Policy Explained: Beyond the Fine Print , SEBI LODR Compliance Guide
Amrita Desai
Ms. Amrita Desai, based in Mumbai, is a qualified Company Secretary and Lawyer. She consults on Corporate Governance, Legal Compliance, and Capital Markets. Her expertise spans both Litigation and Non-Litigation matters. She advises boards and corporates on regulatory frameworks and risk mitigation. She is committed to delivering practical, business-aligned legal solutions.
A Whistleblower Policy, also referred to as a Vigil Mechanism, is a framework that enables directors and employees of a listed entity to report genuine concerns regarding unethical conduct, actual or suspected fraud, violations of the company’s code of conduct, or other misconduct, without fear of retaliation.
Whistleblower Policy Drafting under SEBI (LODR) Regulations:
Â
Building an Effective Governance Framework
Â
For many promoters, founders and CFOs, a Whistleblower Policy is often viewed as a compliance document that is approved by the Board, uploaded on the company’s website and rarely revisited. In reality, it is a fundamental pillar of corporate governance.
Under the SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015 (“SEBI LODR”), a whistleblower mechanism is not intended to be a symbolic policy. It is designed to provide directors and employees with a credible, confidential and protected channel to report genuine concerns, while ensuring appropriate oversight by the Audit Committee.
What the Law Requires ?
Â
Regulation 22 of the SEBI LODR Regulations requires every listed entity to:
- establish a vigil mechanism (whistleblower policy) for directors and employees to report genuine concerns;
- provide adequate safeguards against victimization of whistleblowers;
- ensure direct access to the Chairperson of the Audit Committee in appropriate or exceptional cases; and
- require the Audit Committee to periodically review the functioning of the vigil mechanism.
These requirements are complemented by Section 177 of the Companies Act, 2013, which mandates listed companies and prescribed classes of companies to establish a vigil mechanism with safeguards against victimization and direct access to the Audit Committee Chairperson.
Further, Schedule IV to the Companies Act, 2013 places an additional responsibility on Independent Directors to satisfy themselves that:
- the vigil mechanism is adequate and operational; and
- persons using the mechanism are not subjected to unfair treatment or retaliation.
Collectively, these provisions make it clear that regulatory expectations extend far beyond adopting a written policy. Companies are expected to establish an effective governance framework capable of receiving complaints, protecting whistleblowers, conducting impartial investigations, ensuring appropriate escalation and maintaining adequate records for regulatory and governance purposes.
Essential Components of a Robust Whistleblower Policy:
Â
A well-drafted whistleblower policy should be practical, clear and aligned with the company’s governance structure.
Clearly Defined Scope
The policy should clearly identify the matters that may be reported, including:
- fraud and financial irregularities;
- bribery and corruption;
- accounting or audit concerns;
- conflicts of interest;
- misuse or abuse of authority;
- violations of law or company policies;
- unethical conduct; and
- retaliation against whistleblowers.
Equally important is defining matters that fall outside the scope of the mechanism, such as routine HR grievances, employment disputes or investor service complaints that are governed through separate grievance redressal mechanisms.
Multiple Reporting Channels
An effective whistleblower mechanism should provide multiple reporting avenues, such as:
- dedicated email addresses;
- secure online reporting portals;
- whistleblower hotlines;
- designated ethics or compliance officers; and
- direct reporting to the Audit Committee in appropriate circumstances.
Providing multiple channels reduces barriers to reporting, particularly where the alleged misconduct involves senior management or immediate reporting supervisors.
Confidentiality and Protection Against Retaliation
The policy should clearly explain:
- how confidentiality will be maintained;
- who will have access to complaint information;
- circumstances under which identities may be disclosed;
- measures adopted to protect whistleblowers; and
- disciplinary consequences for acts of retaliation or victimization.
General statements regarding confidentiality are insufficient. The policy should establish clear procedural safeguards that inspire confidence among employees.
Structured Investigation Process
A robust policy should define the investigation framework, including:
- preliminary assessment of complaints;
- criteria for accepting or rejecting complaints;
- appointment of investigators;
- handling complaints involving senior management, directors or promoters;
- reporting to the Audit Committee;
- timelines, where appropriate; and
- documentation and closure procedures.
The policy should also address situations where allegations are not substantiated but reveal weaknesses in internal controls, ensuring that corrective actions are considered wherever necessary.
Audit Committee Oversight
The Audit Committee should receive periodic updates regarding:
- number and nature of complaints received;
- status of investigations;
- significant findings;
- corrective actions implemented; and
- overall effectiveness of the whistleblower mechanism.
Regular oversight strengthens governance and demonstrates compliance with regulatory expectations.
Common Drafting Mistakes:
Â
Despite regulatory requirements, companies frequently make avoidable drafting errors such as:-
Treating the Policy as a Template Exercise
Many organizations simply adopt standard templates without tailoring them to their governance structure, reporting hierarchy or risk profile. A whistleblower mechanism should reflect the company’s operational realities rather than generic drafting.
Promising Absolute Anonymity Without Adequate Procedures
Encouraging anonymous reporting is valuable; however, the policy should also establish appropriate procedures for evaluating anonymous complaints, filtering malicious or frivolous allegations and verifying available evidence before initiating formal investigations.
Absence of Investigation Protocols
Policies often explain how complaints may be submitted but fail to describe how they will be evaluated, investigated, escalated and closed. Such gaps create uncertainty, inconsistent decision-making and increased governance risk.
Why It Matters?
Â
A whistleblower policy is far more than a statutory compliance requirement:
- For promoters and founders, it reinforces organizational integrity by encouraging employees to raise concerns without fear of retaliation.
- For CFOs, finance leaders and governance professionals, it provides an early-warning mechanism for detecting issues such as financial misconduct, control failures, procurement irregularities, related party concerns, accounting manipulation or ethical violations before they develop into significant regulatory or reputational risks.
- For investors, lenders, independent directors and potential acquirers, an effective whistleblower framework demonstrates governance maturity, board oversight and a commitment to transparency—factors that are increasingly evaluated during investment and due diligence processes.
Conclusion:
Â
While the law does not prescribe a standard format for a whistleblower policy, it establishes clear governance principles centered on transparency, accountability, protection of whistleblowers and effective oversight.
Ultimately, the most effective whistleblower policies are those that employees trust and are willing to use. A policy that is practical, well-governed and consistently implemented enables organizations to identify concerns early, strengthen internal controls and reinforce a culture of integrity. In today’s regulatory environment, an effective whistleblower mechanism is not merely a compliance obligation—it is an essential component of sound corporate governance.
Good governance begins when someone can safely say, “something isn’t right”.
Disclaimer
The material presented on this blog is intended solely for informational purposes. The opinions expressed here are solely those of the respective authors and do not necessarily reflect the views of Fintrac Advisors. No warranties are made regarding the completeness, reliability, or accuracy of this information. Any actions taken based on the information presented in this blog are solely at the reader’s risk, and we will not be liable for any losses or damages resulting from its use. Seeking professional expertise for such matters is strongly recommended. External links on this blog may direct users to third-party sites beyond our control. We do not take responsibility for their nature, content, or availability.
For any clarifications or queries, please feel free to reach out to us at:Â admin@fintracadvisors.com

