Whistleblower protection

Summary

    Since the entry into force of Regulation (EU) No 468/2014 of 16 April 2014 (SSM Framework Regulation), the CSSF has set up an independent communication channel allowing any person acting in good faith and working or having worked in or with entities of the Luxembourg financial sector to report to the CSSF in a confidential and secure manner any dysfunctions in or irregularities committed by or at entities subject to the supervision of the CSSF.

    This page will be updated according to the situations encountered by the CSSF as well as the different interpretations and guidelines given by the Whistleblowing Office (l’Office des signalements). Moreover, the competent jurisdictions will ultimately be in charge of the interpretation of the law. The CSSF declines any liability as to the use and interpretation made of the information stated below.

    This channel must not be used for complaints against entities supervised by the CSSF, or for simply establishing contact with the CSSF or for general enquiries.

    In Luxembourg, the Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law aiming at creating a uniform European legal framework to protect whistleblowers in certain policy areas of the European Union was transposed by the Law of 16 May 2023 transposing Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law (hereinafter the “Law of 16 May 2023”).

    The scope of application of the Law of 16 May 2023 extended the protection of whistleblowers to breaches of national law as a whole. Thus, whistleblowers meeting the conditions of the Law of 16 May 2023 who report breaches of the rules of law, be they administrative or criminal, are protected against any form of retaliation.

    The rules applicable to the reporting of potential or actual breaches in the financial sector are currently laid down in the Law of 16 May 2023, which is supplemented by provisions in the following sectoral laws:

    The CSSF is only competent for handling reports in relation to breaches of the regulations relating to the financial sector, subject to the competences conferred on it by the Law of 23 December 1998 establishing a financial sector supervisory commission (“Commission de surveillance du secteur financier”) (“Law of 23 December 1998”) and by the different “sector-specific” laws applicable to the financial sector. Further information concerning the mission and competences of the CSSF is available on the dedicated page.

    You may also contact the Whistleblowing Office for general information on the competent authority according to the type of report.

    Who is concerned?

    The Law of 16 May 2023 protects whistleblowers working in the private or public sector who acquired information on breaches in a work-related context (current, past or future work-based relationship), including:

    • the workers (including civil servants and State employees);
    • the self-employed persons;
    • the shareholders and persons belonging to the administrative, management or supervisory body of an undertaking, including the non-executive members, as well as the volunteers and the paid or unpaid trainees;
    • any persons working under the supervision and direction of contractors, subcontractors and suppliers.

    It also protects:

    • the facilitators (natural person who assists a whistleblower in a confidential manner);
    • the third persons who are connected with the whistleblowers and who could suffer retaliation, such as colleagues or relatives of the whistleblower;
    • the legal entities that the whistleblower owns and works for or is otherwise connected with in a work-related context;
    • the persons who reported or disclosed information on breaches anonymously, but who are subsequently identified and suffer retaliation;
    • the persons reporting breaches to relevant bodies, offices or agencies of the European Union.

    The following are not subject to protection:

    • the reports of breaches relating to national security;
    • the whistleblowers whose relationships are covered by:
      • medical professional privilege;
      • professional privilege between lawyer and client;
      • professional privilege binding notaries or bailiffs;
      • the secrecy of judicial deliberations;
      • the rules governing criminal proceedings.

    It must be noted that the CSSF will handle with the same degree of confidentiality the reports of any person acting in good faith who wishes to report any dysfunctions in or irregularities committed by or at entities subject to the supervision of the CSSF, including of persons not subject to the protections provided for by the Law of 16 May 2023.

    What can be reported?

    The whistleblower may report any breach of national and/or Union law, i.e. acts or omissions that:

    • are unlawful; or
    • defeat the object or purpose of directly applicable provisions of national or European law.

    The whistleblower may communicate any information, including reasonable suspicions, about:

    • actual or potential breaches; and
    • attempts to conceal such breaches;

    which occurred or are very likely to occur:

    • in the organisation in which the whistleblower works or has worked; or
    • in another organisation with which the whistleblower is or was in contact through his or her work.

    The whistleblower may not disclose information acquired or to which he or she obtained access by committing a criminal offence.

    What conditions shall be met to benefit from the protection granted by the Law of 16 May 2023?

    In order to be protected against any form of retaliation within the meaning of the Law of 16 May 2023, the whistleblower must:

    • have had reasonable grounds to believe that the reported information on breaches was true at the time of reporting and that such information falls within the scope of the Law of 16 May 2023; and
    • have made either an internal (through the reporting channels of his or her enterprise or administration), an external (through the CSSF’s reporting channels) or a public (following an unsuccessful external report) report.

    Confidentiality and processing of data

    Confidentiality

    The CSSF is committed to protecting the whistleblower’s identity within the limits of the applicable laws. In other words, neither the identity of the reporting employee, nor that of any third persons involved will be disclosed without the explicit consent of the whistleblower.

    The CSSF will not disclose:

    • the identity of the whistleblower without his or her explicit consent;
    • any other information from which the identity of the whistleblower may be directly or indirectly deduced.

    Where applicable, the CSSF does not use or disclose trade secrets for purposes going beyond what is necessary for proper follow-up.

    The confidentiality with respect to the identity of the whistleblower may only be waived where that is a necessary and proportionate obligation under the Law of 8 June 2004 on the freedom of expression in the media or under European Union law in the context of investigations by national authorities or judicial proceedings, including with a view to safeguarding the rights of defence of the person concerned.

    In such a case, the CSSF informs the whistleblower in writing with a rationale before his or her identity is disclosed, unless such information would jeopardise the related investigations or judicial proceedings.

    Where such a report does not fall within the CSSF’s remit, this report is transmitted in a confidential and secure manner to the competent authority referred to in Article 18 of the Law of 16 May 2023. The collected data may be transmitted to other national competent authorities or to bodies, offices or agencies of the European Union that are competent in the framework of the cooperation provided for in Article 19 of the Law of 16 May 2023.

    Where a report on allegations addressed to the CSSF must be investigated, the persons with the appropriate access authorisation transmit that report, according to its object, to the competent departments within the CSSF. Where anonymisation is not possible without compromising the CSSF’s investigatory and supervisory activities, only the personal data necessary for the investigation will be transmitted.

    Processing of personal data

    Purpose of the processing

    For the purposes of fulfilling the missions conferred on it by the Law of 16 May 2023, and more precisely concerning the handling of reports, the CSSF may need to process personal data.

    Any processing of personal data carried out pursuant to the Law of 16 May 2023, including the exchange or transmission of personal data by the competent authorities, is carried out in accordance with Regulation (EU) 2016/679, hereinafter “General Data Protection Regulation” or “GDPR”.

    As a public authority processing personal data, the CSSF is required to fulfil its obligations in its capacity as controller.

    After examination, where necessary and subject to the confidentiality obligations referred to above, personal data thus obtained may be processed in the framework of the exercise of tasks or investigations falling within the CSSF’s remit. In this context, the processing of your data is necessary for the performance of a task carried out in the public interest of which the CSSF is in charge (Article 6(1)(e) of the GDPR).

    Period for which the personal data will be stored

    Personal data which are manifestly not relevant for the handling of a specific report are not collected or, if accidentally collected, deleted without undue delay.

    Personal data obtained through a report that is deemed unjustified by the authorised agents, as it falls outside the CSSF’s remit, are deleted without delay.

    The personal data obtained by means of a report are stored for three months following the closure of the investigation conducted by the CSSF in the discharge of its relevant tasks or proceedings with respect to the allegations made in the report until the end of the appeal period.

    In accordance with the Law of 17 August 2018 on archiving, the files with heritage value must be stored for archiving purposes in the public interest beyond these durations of administrative usefulness.

    DPO Contact

    Please contact the CSSF’s Data Protection Officer (DPO) for any question regarding the processing of your personal data by the CSSF at the following email address: dpo@cssf.lu or by post to:

    Commission de Surveillance du Secteur Financier

    DPO / Pascal Pirih
    283, route d’Arlon
    L-1150 Luxembourg

    In addition, please read the CSSF’s Terms of Service and Privacy Policy.

    How should the report be filed with the CSSF?

    The persons wishing to report breaches of the law may report them externally to the CSSF either directly, or after having made an internal report provided that it is possible to address the breach efficiently internally and that they consider that there is no risk of retaliation.

    Any person wishing to report breaches of the law that fall within the CSSF’s remit may address the CSSF in French, Luxembourgish, German or English:

    The form should be the preferred channel as it is the best way of ensuring the independence and autonomy requirements for the receipt and handling of reports received in accordance with Article 17 of the Law of 16 May 2023.

    The CSSF’s external reporting channels ensure the completeness, integrity and confidentiality of the transmitted information. The access to the information thus transmitted is limited to certain authorised CSSF agents who are bound to professional secrecy pursuant to Article 16 of the Law of 23 December 1998, which refers to Article 458 of the Criminal Code.

    The CSSF does not record reports made via phone but may draft precise minutes detailing the main elements of the conversation and give the whistleblower the opportunity to verify, rectify and sign them for approval.

    In case of reports made via other channels or other CSSF staff members, the latter are also bound to secrecy as regards the identity of the whistleblower or the person concerned and transmit the report without delay to the staff members in charge of handling reports. As a reminder, all the CSSF staff members are subject to professional secrecy within the meaning of Article 458 of the Criminal Code and in accordance with Article 16 of the Law of 23 December 1998.

    Internal reporting

    Every private sector (counting 50 or more workers) and public sector entity (except local authorities counting fewer than 10,000 residents and entities counting fewer than 50 workers) must propose channels and procedures for internal reporting and for follow-up.

    Private sector entities with 50 to 249 workers may share resources as regards the receipt of reports and follow-up of internal reports. The reporting channels must be operational by 17 December 2023.

    The persons wishing to report breaches of the law are encouraged to make an internal report before making an external report, unless the internal report would be detrimental to them (retaliation by the employer for instance).

    The Whistleblowing Office can inform and help any person wishing to make a report.

    Follow-up and handling reports by the CSSF

    The CSSF receives and follows up on the reports falling within its remit. Please remember that further information concerning the tasks and competences of the CSSF is available at “About the CSSF”. The CSSF may request in writing that the entity referred to in the report communicate all information it deems necessary, with due regard to the confidentiality of the whistleblower’s identity.

    The CSSF notably ensures:

    • to acknowledge receipt of the report within 7 days of the receipt, unless:
      • explicitly requested otherwise by the whistleblower; or
      • there are reasonable grounds to believe that acknowledging receipt of the report would compromise the protection of the whistleblower’s identity;
    • to diligently follow up on the report.

    Due to the legal obligation in respect of professional secrecy under Article 458 of the Criminal Code, the CSSF will not inform the whistleblower on the concrete measures taken following his or her report, unless these measures will be the object of a disclosure in accordance with the applicable legal provisions.

    Cooperation

    Where the CSSF receives a report for which it is not competent, it transmits this report within a reasonable timeframe, in a confidential and secure manner, to the national competent authority referred to in Article 18 of the Law of 16 May 2023. The latter informs the whistleblower thereof.

    Whistleblowers are invited to follow the whistleblowing procedure set up by the European Central Bank (ECB) (Whistleblowing (europa.eu)) to report facts concerning significant banks within the meaning of the Single Supervisory Mechanism (SSM). However, if the CSSF receives a report concerning a significant bank, it transmits this report to the ECB and informs the whistleblower thereof.

    Where the CSSF receives a report concerning a breach of regulations or decisions of the ECB by a less significant entity within the meaning of the SSM, it transmits this report to the ECB, without communicating the identity of the reporting person, unless the whistleblower gives his or her explicit consent.

    Powers and sanctions available to the CSSF

    In addition to its powers of investigation, the CSSF may impose an administrative fine on natural and legal persons that:

    1) hinder or try to hinder a report;
    2) refuse to provide the information requested by the CSSF in the framework of its mission or who provide incomplete or false information;
    3) contravene the confidentiality of the whistleblowers;
    4) refuse to address the reported breach;
    5) do not establish the channels and procedures for internal whistleblowing and their follow-up, in breach of the Law of 16 May 2023.

    Such a fine can amount to between EUR 1,500 and EUR 250,000. The maximum of the fine may be doubled in case of a repeat offence within 5 years as from the last sanction that has become definitive.

    An action for judicial review of the decisions taken by the CSSF in accordance with the Law of 16 May 2023 may be lodged before the Tribunal administratif (Administrative Tribunal) within one month from the date of notification of the decision.

    A penalty of imprisonment of 8 days to 3 months and a fine of between EUR 1,500 and EUR 50,000 may be imposed on a whistleblower who knowingly reported or publicly disclosed false information.

    A person making a false report will be liable under civil law. The entity that suffered harm may claim compensation for the damage suffered before the competent jurisdiction.

    Public disclosures

    A whistleblower who publicly discloses a breach is protected by the Law of 16 May 2023 if:

    • the person first reported internally and externally or directly externally, but no appropriate action was taken in response to the report within 3 months following the report; or
    • the person has reasonable grounds to believe that:
      • the breach may constitute an imminent or manifest danger to the public interest (e.g. where there is an emergency situation or a risk of irreversible damage);
      • in the case of external reporting, there is a risk of retaliation or there is a low prospect of the breach being effectively addressed, due to the particular circumstances of the case, such as those where evidence may be concealed or destroyed or where an authority may be in collusion with the perpetrator of the breach or involved in the breach.

    Protection against retaliation

    Absence of liability of whistleblowers

    Whistleblowers who fulfil the conditions for protection do not break the law by disclosing information and do not incur liability of any kind:

    • concerning (internal and/or external) reporting or public disclosure provided that they had reasonable grounds to believe that reporting or public disclosure was necessary for revealing a breach of law;
    • in respect of the acquisition of or access to the information which is reported or publicly disclosed (unless such acquisition or access constitutes a self-standing criminal offence);
    • as a result of reports or public disclosures made, including in legal proceedings for defamation, breach of copyright, breach of secrecy, breach of data protection rules, disclosure of trade secrets, or for compensation claims based on private, public, or on collective labour law.

    They have the right to rely on that reporting or public disclosure to seek dismissal of the case.

    Prohibited retaliation measures

    Any form of retaliation, including threats and attempts of retaliation against whistleblowers resulting from their report, is prohibited.

    The following are automatically null and void:

    • the suspension of an employment contract, lay-off, dismissal, failure to renew, or early termination of, a temporary employment contract or equivalent measures;
    • demotion or withholding of promotion;
    • the transfer of duties, change of location of place of work, reduction in wages, change in working hours;
    • withholding of training;
    • the imposition or administering of any disciplinary measure, reprimand or other penalty, including a financial penalty;
    • the failure to convert a temporary employment contract into a permanent one, where the worker had legitimate expectations that he or she would be offered permanent employment;
    • the negative performance assessment or employment reference;
    • the early termination or cancellation of a contract for goods or services;
    • the cancellation of a licence or permit.

    The following are also prohibited:

    • coercion, intimidation, harassment or ostracism;
    • discrimination, disadvantageous or unfair treatment;
    • harm, including to the person’s reputation, particularly in social media, or financial loss, including loss of business and loss of income;
    • blacklisting on the basis of a sector or industry-wide informal or formal agreement, which may entail that the person will not, in the future, find employment in the sector or industry;
    • psychiatric or medical referrals.

    Action against retaliation measures

    The whistleblower who suffers retaliation measures may, within 15 days following the notification of the measures, request the competent jurisdiction to declare the measures null and to order them to cease.

    The person who has not invoked the nullity of the retaliation measures or who has already obtained their nullity may, furthermore, claim damages.

    As regards court proceedings, the CSSF recommends using the services of a lawyer.

    The persons that retaliate or initiate abusive procedures against whistleblowers may be fined between EUR 1,250 and EUR 25,000.

    Reversal of the burden of proof

    The whistleblower who suffers adverse measures automatically benefits from the presumption that these measures have been taken against him or her as a retaliation for the report.

    It is therefore for the person who has taken retaliatory measures to establish the grounds therefor.

    Contact

    Department « General Legal Affairs » Whistleblowing
    +352 2625 1 2757 (during office hours for a first contact)
    Channel which best ensures that independence and autonomy requirements are fulfilled for the receipt and handling of reports