Whistleblowing

On 14 November, the CSSF published a set of trilingual Whistleblowing forms for the reporting of breaches of financial sector regulations to the CSSF. The CSSF asks do not use this form for customer complaints against entities subject to the supervision of the CSSF or for general requests for information to the CSSF.
In the meantime, the CSSF also updated its Whistleblower Protection Guidelines on 12 December 2023, which we would like to present below:
Since the enactment of Regulation (EU) No 468/2014 on 16 April 2014, the CSSF has established an independent communication channel to enable individuals within or associated with the Luxembourg financial sector to confidentially report dysfunctions or irregularities. This regulatory framework is further enhanced by the transposition of Directive (EU) 2019/1937 through the Law of 16 May 2023, extending whistleblower protection to breaches of national law.
The Law of 16 May 2023, transposing Directive (EU) 2019/1937, broadens the scope of protection to whistleblowers reporting breaches of national law. Various sectoral laws supplement this framework, encompassing the financial sector, money laundering, payment services, collective investment, market abuse, audit profession, and others. The CSSF’s competence is confined to regulations related to the financial sector as stipulated by the Law of 23 December 1998.
The Law of 16 May 2023 safeguards whistleblowers across private and public sectors, encompassing workers, self-employed individuals, shareholders, administrative bodies, volunteers, trainees, facilitators, and third persons connected to whistleblowers. Certain relationships, such as those covered by medical or professional privilege, fall outside this protection.
Whistleblowers may report any breaches of national or Union law, including unlawful acts or omissions defeating the object of applicable provisions. The reporting may cover actual or potential breaches and attempts to conceal such breaches within the organization where the whistleblower works or has worked or in another organization associated with their work.
To benefit from protection, whistleblowers must have reasonable grounds to believe the reported breaches are true, falling within the Law of 16 May 2023, and make either internal, external, or public reports. Confidentiality is a key aspect, and whistleblowers should not disclose information obtained through criminal offenses.
CSSF commits to protecting whistleblower identity within legal limits. Confidentiality may be waived in specific cases. Personal data processing complies with GDPR, and data relevant to a report are stored for three months after the investigation’s closure.
Reports can be filed externally via the CSSF’s reporting channels, using a form (see above), email, in-person visits, or phone contact. Internal reporting is encouraged first for private and public sector entities, and follow-up procedures are mandated.
CSSF acknowledges receipt of reports within seven days, diligently follows up, and may request necessary information from the reported entity. Due to professional secrecy, specific measures taken are not disclosed to whistleblowers.
Reports beyond CSSF’s competence are confidentially transmitted to relevant authorities. CSSF cooperates with the European Central Bank for significant banks. CSSF holds powers to impose fines on entities hindering reports or violating confidentiality, with penalties ranging from EUR 1,500 to EUR 250,000.
Whistleblowers are protected against retaliation measures, and any form of retaliation is prohibited. CSSF may impose fines on those retaliating against whistleblowers, and whistleblowers benefit from a reversal of the burden of proof in case of adverse measures.