Internal and external reporting of breaches (whistleblowing)

  1. Banking Law: Article 21, § 1, 8° (internal reporting of breaches)
  2. Other laws:
  3. Relevant thematic NBB circulars:
  4. International reference documents:

Internal reporting of breaches

Compliance with regulations, corporate values and internal codes of conduct and the effectiveness of the institution's internal controls are enhanced where there are channels for staff to raise legitimate concerns internally, in good faith, about significant breaches of such regulations, corporate values and codes or about unethical or illegal behaviour relating to matters within the institution's competence and control. In this context, institutions should put in place and maintain appropriate internal reporting policies and procedures for staff to report potential or actual breaches of regulatory or internal requirements, including in particular requirements imposed by the Banking Law and Regulation No 575/2013, or of the internal governance arrangements, through a specific, independent and autonomous channel.

The proper operation of the reporting process should depend on clear rules and procedures that precisely indicate what can be reported and specify the stages of the procedure. The internal reporting procedures should meet the criteria set out in the law transposing Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law, which regulates the establishment of internal and external reporting channels and the handling of breach reports and the NBB circular issued on its basis, as well as in paragraph 138 of Guidelines EBA/GL/2021/05. The management should see to it that the information communicated by staff is effectively examined and that the necessary measures are taken to rectify any dysfunction.

The rules provided should be in compliance with the legislation on privacy. Institutions can usefully resort to the advice of the authorities in charge of these matters in order to assess their rules on the basis of the applicable provisions. Please refer to paragraphs 132 to 138 of Guidelines EBA/GL/2021/05 (future legislation: law transposing Directive (EU) 2019/1937).

External reporting of breaches

The NBB and the ECB have set up systems for reporting breaches. The practical details of the reporting system set up by the NBB can be found on the NBB's website under “Report a breach”[1]. In this respect, the NBB recommends that institutions ensure that, during training sessions, reference is made - in writing - to the NBB's external reporting system.

Article 36/7/1 of the Law of 22 February 1998 establishing the Organic Statute of the NBB (future legislation: law transposing Directive (EU) 2019/1937) prohibits any civil, penal or disciplinary proceedings, any professional sanctions and any unfavourable or discriminatory treatment, and any termination of the employment contract of a member of staff because of his or her having reported a breach. The NBB may impose an administrative sanction on any institution that violates this prohibition.

The NBB uses the information supplied in the breach report exclusively for the purpose of performing its legal tasks. That information is subject to the enhanced confidentiality regime laid down in Article 36/7/1, § 2 of the Law of 22 February 1998 establishing the Organic Statute of the NBB (future legislation: law transposing Directive (EU) 2019/1937). The protection of the person reporting the breach and of the person accused in this report is therefore guaranteed.

 

[1] It is noted that this system for reporting breaches to the NBB is not specifically intended for breaches of the Banking Law, but also for breaches of other prudential regulations and anti-money laundering regulations.