In connection with Directive 2019/1937 of 23 October 2019 on the protection of persons who report breaches of Union law, the CSSF published on 5 May 2020 its first whistleblowing reporting of breaches of financial sector regulations to the CSSF (the “Report”).
The Report gives practical guidance as to how the whistleblowing procedure has to be followed by the whistleblower and how it has to be implemented by the CSSF.
Substance of the Report
Any person, and in particular employees or former employees of entities of the financial sector in Luxembourg, may in good faith submit a whistleblowing report directly to the CSSF in a confidential and secure manner subject to that person having good grounds for believing that there have been breaches of applicable regulation. Excluded from the whistleblowing procedure are breaches that are of a criminal nature which fall within the scope of activities of the State Prosecutor.
Under certain circumstances, the CSSF also considers that the whistleblowing procedure can be used by customers of financial service providers.
As a first step, before contacting the CSSF, employees of entities of the financial sector are requested to use the whistleblowing procedures in their workplace, if any. Even though the CSSF will still consider whistleblowing reports from those who have not followed their workplace's internal whistleblowing procedures, the CSSF strongly encourages employees to blow the whistle internally first.
Whistleblowing shall in principle be made via a written statement of information transmitted to the CSSF by email to the following address: whistleblowing [at] cssf.lu.
Where the report received by the CSSF concerns a significant supervised entity within the meaning of the single supervisory mechanism, whistleblowers are requested to use the whistleblowing procedure at the European Central Bank (the “ECB”).
Where such a report has not been made to the ECB but only to the CSSF, the CSSF ensures that the report is forwarded to the ECB and informs the whistleblower accordingly.
As regards the information to be provided to the CSSF, the whistleblower must at least (if the report does not contain hard evidence) have reasonable grounds to believe that the information and any allegations the report contains are substantially true.
The CSSF Report states that the CSSF commits to protect the whistleblower’s identity within the limits of the applicable legislation: neither the identity of the employee having blown the whistle, nor the identity of third parties which may be involved, will be disclosed to the entity concerned. The identity of the whistleblower or of third parties will only be disclosed in circumstances in which the disclosure becomes unavoidable in law (for example, in case the act is of a criminal nature and the CSSF has the duty to inform the State Prosecutor).
Despite all the precautions that the CSSF will take not to disclose the identity of the whistleblower, it cannot guarantee that the employer will not discover the whistleblower’s identity by cross-checking information.
No legal advice and no information on the action taken given by the CSSF to the whistleblower
The Report furthermore states that the CSSF will not give any legal advice to a whistleblower as regards the information reported to the CSSF. Due to its legal duty of professional secrecy, the CSSF will also not inform the whistleblower of the actions taken on the whistleblowing report.