Fraud is not a small-company problem or a big-company problem. It is a payroll-attached problem, and the people closest to it usually work there. Every modern fraud study and every major financial regulator (and the European Union itself) reach the same conclusion: a business that wants to catch wrongdoing early needs a working channel for the people who see it first to speak up safely.
Tips still beat every other detection method
The 2024 ACFE Report to the Nations looked at 1,921 occupational fraud cases across 138 countries and found that 43% of them came to light through a tip, more than three times the next-best method. Internal audit accounted for 14%, management review for 13%. Employees themselves supply more than half (52%) of those tips; customers and vendors provide most of the rest.
How people report has shifted too. Web-based intake (40%) has overtaken phone hotlines (30%), with email at 37% in between, and anonymous reports still account for 15% of the volume. When you encourage whistleblowing inside your own walls, you are building the most reliable fraud-detection lever the data has measured.
What fraud actually costs while it hides
Duration drives the cost. The median occupational-fraud scheme runs for 12 months before anyone catches it, and losses pile up at roughly $9,900 per month over that window. Cut the duration in half and you cut most of the cost.
The same dataset shows, year after year, that organisations with anonymous reporting hotlines uncover frauds sooner and lose less per case than those without one. The exact gap moves between editions of the global fraud study, but the direction has held for over a decade. A reporting channel pays for itself the first time it shaves six months off a billing scheme.
Why the EU made internal channels mandatory
Having a whistleblowing system used to be good practice. Inside the European Union it is the law. Directive 2019/1937 obliges every private organisation operating in the EU with 50 or more employees to provide secure internal reporting channels, named case handlers, fixed acknowledgement and feedback timelines, and explicit retaliation protection. Sectoral rules in financial services, anti-money-laundering (AML), and aviation pull smaller firms into the same regime.
"Whistleblowers should not be punished for doing the right thing. Our new, EU-wide rules will make sure they can report in a safe way on breaches of EU law."
Věra Jourová, then European Commissioner for Justice
All 27 Member States have transposed the directive, most past the deadline. In early 2025 the European Commission imposed combined penalties of around €40 million on five of them; Germany alone was fined roughly €34 million. At company level, member-state penalties for non-compliance run up to €50,000 per violation, plus separate GDPR exposure when reports are stored or routed badly.
Retaliation has stopped being free
The other half of the cost equation is what happens when a worker reports and the employer pushes back. In April 2025 a former SunEdison executive secured a $34.5 million settlement over Sarbanes-Oxley retaliation claims, the largest documented under that statute. March 2025 brought a $1.64 billion judgment against a Johnson & Johnson Janssen unit driven by two False Claims Act whistleblowers. Numbers like these used to be theoretical.
The SEC's whistleblower programme paid out $255 million to 47 individuals in FY2024, its third-highest year on record, and over $2.2 billion since 2011. The agency also brought eleven enforcement actions against employers using restrictive agreements to silence reporters, including a record $18 million penalty.
"The tips, complaints, and referrals that whistleblowers provide are crucial to the Securities and Exchange Commission as we enforce the rules of the road for our capital markets."
Gary Gensler, then SEC Chair
The question for an employer is no longer "can we afford a hotline?" It is "can we afford the lawsuit if we do not have one and someone retaliates anyway?" If you are wondering whether it is safe to be a whistleblower, the SEC's annual report is your evidence base.
What a working system looks like
A whistleblowing system that satisfies regulators and actually surfaces fraud has the same shape across jurisdictions. Reports come in through a confidential, mostly web-based channel with a phone fallback, get stored in a way that survives both a subpoena and a leak, and route to a named handler who is not the subject of the complaint. Retaliation is prohibited in writing with real consequences attached, and the resulting evidence trail is detailed enough that an auditor can follow it without leaning on anyone's memory.
That specification is what the directive enforces, and it is also what insurance underwriters, customers in regulated supply chains, and your own audit committee will keep asking to see. What you do when a report arrives matters at least as much as what you collect: a channel without a process is a liability, not a control. Purpose-built whistleblowing software is the cheapest way to put both in place.
The original argument for whistleblowing was simple: tips find fraud sooner and cheaper than anything else. That argument is reinforced by a regulatory mandate that fines you for not having a channel and a litigation environment that fines you for retaliating once you do. Detection cost, compliance cost, retaliation cost. A working system pulls all three down, and the companies that figure that out earlier write smaller cheques later.