How would you design a whistleblowing program that meets the EU Whistleblower Directive and actually gets used?
A core Risk & Compliance interview question — asked in analyst and associate interviews across IB, PE, and the Big 4.
THE SHORT ANSWER
Meeting the Directive: provide secure internal reporting channels (written and/or oral), acknowledge receipt within seven days and give feedback within three months, allow anonymous reporting where national law permits, and — critically — prohibit and protect against retaliation, with confidentiality of the reporter's identity. Assign impartial, competent persons to follow up. But compliance alone doesn't drive usage; trust does. So I'd add independence (a channel that doesn't route through the implicated line), visible tone-from-the-top that reports are welcomed not punished, clear communication and training on how/what to report, demonstrable follow-through on past cases (without breaching confidentiality), and metrics tracking volume, retaliation complaints, and outcomes. A channel nobody trusts is theater — protection and credible action are what make it real.
WHAT INTERVIEWERS LISTEN FOR
- ✓Secure channels, 7-day ack, 3-month feedback, anonymity where allowed
- ✓Anti-retaliation protection + confidentiality of identity
- ✓Independent follow-up by competent persons
- ✓Trust via tone-from-top, training, demonstrated action, metrics
COMMON MISTAKES
- ✗Channel routed through implicated management
- ✗Ignoring anti-retaliation/confidentiality
- ✗Treating it as a box-tick with no follow-through
Reading isn't the same as answering under pressure.
Interviewers don't hand you the model answer — you deliver yours on a clock. Practice this and 1,000+ questions with AI feedback on every answer.
RELATED QUESTIONS
- How do you build a compliance culture?
- How do you handle a regulatory exam?
- How do you assess the effectiveness of a compliance program?
- How do you respond to a BaFin finding?
- How do you handle conflicting regulatory requirements across jurisdictions?
- How do you handle a data subject access request (DSAR)?