Whistleblowing

What is whistleblowing?

Whistleblowing – or breach reporting – as it relates to the European Central Bank, is the process by which you can report breaches of relevant European Union law committed by a supervised bank, national supervisor or the ECB itself.

If you suspect that a supervised bank, a national supervisor or the ECB has breached relevant EU law, you can report your suspicions to the ECB via a secure external whistleblowing platform.

Before you use the whistleblowing platform, please make sure that you know what kind of information can be submitted to the ECB, and how submission via the platform works – as outlined below.

When to contact the ECB via the whistleblowing platform?

Contact the ECB via the whistleblowing platform if:

  • a supervised bank (legal term: supervised entity) breaches relevant EU law

or

  • a national supervisor or the ECB itself (legal term: competent authority) breaches relevant EU law

or

  • a bank that is directly supervised by their national supervisor breaches ECB decisions or ECB regulations that impose obligations on it in relation to the ECB

Contact the national supervisor if:

or

  • the breach relates to consumer protection or the implementation of anti-money laundering rules by supervised banks – the ECB is not competent to investigate these kinds of breaches and does not provide any legal advice on these matters

Legal definitions: supervised entity and competent authority

Supervised entities are referred to, under the SSM Framework Regulation, as:

  • credit institutions established in participating Member States
  • financial holding companies established in participating Member States
  • mixed financial holding companies established in participating Member States
  • branches established in participating Member States by credit institutions established in non-participating Member States

Competent authorities are national supervisors (also referred to as national competent authorities) and the ECB.

In order to find out which entities are supervised by the national supervisor and which are supervised by the ECB please check the regularly updated list of supervised entities, which includes further explanations.

What is relevant European Union law?

The relevant European Union law, for the purposes of the breach reporting/whistleblowing mechanism (BRM), comprises the rules relating to the prudential supervision of credit institutions. The ECB applies these rules when carrying out the tasks conferred on it by the Single Supervisory Mechanism (SSM) Regulation.

These rules are composed of directly applicable regulations such as the Capital Requirements Regulation (CRR).

When directives are considered relevant EU law, the national implementations of these directives are also considered to be relevant EU law – e.g. national implementations of the Capital Requirements Directive (CRD IV).

If directly applicable regulations grant options to Member States, the national legislation exercising those options is considered to be relevant EU law.

ECB regulations, such as the SSM Framework Regulation and ECB decisions, are also considered to be relevant EU law.

ECB decisions and decision-making processes

How to report a breach

A breach should be reported through the whistleblowing platform. All reports must be submitted in good faith and with reasonable grounds. Misusing the whistleblowing platform may constitute a criminal offence. To protect the reputation and rights of all parties involved, the ECB may therefore seek the initiation of criminal proceedings at the national level if a report was not submitted in good faith.

Report a breach via the whistleblowing platform

Information submitted to the whistleblowing platform is processed externally on behalf of the ECB by the secure third-party provider EQS Group AG. EQS Group does not have access to the content of submissions. For more information please read the full privacy statement.

Step 1: Fill in the online form

  • Information may be provided in any of the official EU languages
  • Anonymous reports are accepted
  • Information provided should be as accurate and complete as possible

Step 2: Submit supporting documents (see below)

How to submit supporting documents

The ECB recommends submitting documents to support allegations. It may refrain from follow-up measures if a report contains unsubstantiated allegations.

Submit documents via the upload function on the whistleblowing platform by selecting the relevant file(s) and clicking the upload button when requested to do so.

Please make sure that, when submitting information anonymously, you remove information that could identify you – for example file properties that may contain your name as author of a document

Which documents can be uploaded?

The following file formats are accepted (up to a maximum size of 10 MB): PDF, Word, Excel, Power Point, GIF and JPEG.

What is the inbox?

The inbox is a secure communication channel that is provided to you after you have submitted information to the whistleblowing platform. Even when submitting information anonymously, you will still be provided with an inbox.

After submission, you will receive a unique breach report number and you will have to select a password.

Your inbox allows you to check the status of your report.

We will also use the inbox to let you know if we require additional information in relation to your report.

Important: It is not possible to restore access to your inbox if you forget your breach report number or password.

How to check your inbox

Please log in to your inbox to check the status of your report, and to ascertain whether the ECB requires additional information.

Log in using the unique breach report number provided to you via the whistleblowing platform and the password you created.

Important: It is not possible to restore access to your inbox if you forget your breach report number or password.

How are breach reports dealt with?

An expert team assesses whether the report is relevant to the ECB or a national banking supervisor. If the team concludes that the report is relevant, they will forward the report to the responsible area within the ECB, or to a national banking supervisor.

A relevant report may lead to supervisory actions being taken – for example, information requests, on-site inspections, supervisory measures or sanction procedures.

Due to professional secrecy rules, we are not allowed to communicate the outcome of a report to the informant. However, each year, an aggregated and anonymised summary of reported breaches and the consequent actions taken is published as part of the ECB’s annual report on supervisory activities.

Confidentiality

All reports are handled confidentially in compliance with the EU data protection framework. The ECB protects personal data and ensures appropriate protection for both the persons who report breaches and for the accused persons.

Privacy statement

Related information