Whistleblowing | Workplace Compliance
Qatar Financial Center Regulatory Authority (QFCRA) Whistleblowing Rules
The QFCRA Whistleblowing Rules require Qatar Financial Center-authorized firms to implement a protected reporting policy with independent channels, allowing employees and other stakeholders to report wrongdoing confidentially and without retaliation.
Table of contents
What Are the QFCRA Whistleblowing Rules?
The Qatar Financial Center Regulatory Authority (QFCRA) is the independent regulator of the Qatar Financial Center (QFC), established under Law No. 7 of 2005. The Authority introduced its protected reporting framework through the General (Protected Reporting) Amendments Rules 2018, which are now contained in Chapter 4A of the General Rules 2005 (GENE).
The QFCRA oversees whistleblowing by operating its own external protected reporting channel and publishing a Protected Reporting Guide, most recently updated in September 2025, which explains how individuals can submit reports directly to the regulator.
Covered entities are QFC-authorized firms, meaning entities licensed to conduct regulated financial services in or from the Qatar Financial Center. A protected reporter is anyone who makes a report in good faith regarding known or suspected misconduct involving an authorized firm, including but not limited to employees, shareholders, customers, and vendors.
Who Is Responsible for the QFCRA Whistleblowing Rules?
The Qatar Financial Center Regulatory Authority (QFCRA) supervises firms’ compliance with Chapter 4A and operates its own Protected Reporting Team, which receives reports directly via email at whistleblowing@qfcra.com.
Where the QFCRA identifies misconduct, including retaliation against a protected reporter, it can pursue disciplinary action under Part 9 of the QFC Financial Services Regulations and Article 16 of the QFC Employment Regulations, providing two legal bases for enforcement action. Appeals against QFCRA decisions can be brought before the QFC Regulatory Tribunal.
What Are the Possible Penalties Under the QFCRA Whistleblowing Rules?
The QFCRA has a range of sanctions available for firms or individuals found to be in breach of the protected reporting rules or to have retaliated against a reporter. This includes prohibiting individuals from performing controlled functions, withdrawing a firm’s authorization or an individual’s approval, issuing public censures, and imposing financial penalties.
The QFCRA determines financial penalties based on the nature and severity of the contravention and generally publicizes enforcement outcomes to support transparency and deter similar conduct across the QFC.
What Do the QFCRA Whistleblowing Rules Require?
Under the rules, QFC-authorized firms must adopt a written protected reporting policy that provides at least two independent reporting channels, such as a dedicated email address, a phone line, or a web form, and appoint a sufficiently senior individual to oversee its implementation.
A report qualifies for protection if it is made in good faith, meaning the reporter reasonably believes it is true, concerns an authorized firm or someone connected to it, and is submitted to the firm itself, an authority responsible for the matter, or an officer of the State under Qatar’s criminal reporting law.
Once a firm becomes aware that someone has made what appears to be a protected report, it must treat that person as a protected reporter unless and until this status is disproven. The firm cannot retaliate against the reporter or anyone who assists or cooperates with an investigation into the report.
Employee grievances, harassment complaints, and matters that fall under the Customer Dispute Resolution Scheme or the Financial Scams Framework are explicitly outside the scope of protected reports. Firms should therefore direct these concerns to separate channels.
Why Are the QFCRA Whistleblowing Rules Important?
The QFCRA’s ability to accept reports directly, without requiring individuals to use a firm's internal process first, means an inadequate or untrusted internal channel does not just create a compliance gap. It increases the likelihood that concerns reach the regulator before the firm has the opportunity to investigate them internally, allowing the QFCRA to assess how seriously the firm treats protected reporting.
Because protections extend to non-employees, a firm’s protected reporting policy must be accessible to external stakeholders, not just communicated internally to employees. Firms that treat the two-channel requirement as a formality rather than part of a broader reporting strategy may find that reports become concentrated through a single channel, undermining the independence the requirement is intended to provide.
How FaceUp Helps Comply with the QFCRA Whistleblowing Rules
FaceUp helps meet the rules’ requirement for “two or more independent reporting channels” by providing an easy-to-use solution that can be implemented in as little as two hours. Employees can report via web forms, 24/7 hotlines, and iOS/Android mobile apps in 113 languages.
End-to-end encryption and anonymous two-way messaging support confidentiality and anti-retaliation protections, while centralized case management, role-based permissions, and automatic activity logs help firms demonstrate compliance during a QFCRA review.
Quick Facts
Full legislation
Applies to
All QFC-authorized firms
Penalties
Prohibition, withdrawal of authorization or approval, public censure, and financial penalties, determined based on the nature and severity of the contravention.
The FaceUp Solution
FaceUp is an anonymous reporting and compliance platform designed to help businesses meet whistleblowing regulations worldwide, including those in the US, EU, UK, and UAE.

Fully Anonymous Reporting
Give staff multiple secure channels to report their concerns, complete with an anonymous two-way chat.
Mobile-First Accessibility
No IP storage, no device IDs, encrypted submissions
Customizable forms, categories, routing rules, and more

Customizable Case Management
Create an easily verifiable audit trail through a customizable case management system with automatic routing.
Supports multiple locations, subsidiaries, or units
Entity-specific routing and access permissions
Optional notifications via email, Teams, or Slack

Real-Time Data Analytics
Identify trends, repeated issues, and escalation risks early with customizable visual real-time dashboards.
Filter by category, region, channel, and more
Share without revealing sensitive information
ISO 27001 and SOC 2-certified local servers