Reporting of breaches (whistleblowing) at banks and other entities supervised by Banka Slovenije

Banka Slovenije is, among other things, competent and responsible for conducting supervision of compliance with prudential requirements and requirements in connection with corporate governance, prevention of money laundering and terrorist financing, payment services, consumer protection, and consumer lending by banks and savings banks. In addition to information in the aforementioned areas, information in connection with any fraud, abuse, ethically questionable conduct or acts of corruption committed by entities supervised by Banka Slovenije is also of relevance.

In its treatment of breaches reported by whistleblowers, Banka Slovenije distinguishes between:

For whom is the reporting of breaches at banks and other supervised entities designed?

The whistleblowing process for reporting breaches at banks and other entities supervised by Banka Slovenije is primarily designed for employees of banks and other entities supervised by Banka Slovenije, but breaches may also be reported by other persons who have at their disposal information about possible breaches in relation to the provision of financial services or compliance with prudential requirements.

Each individual can contribute to more effective supervision of banks and other supervisory entities by reporting breaches and providing relevant information to Banka Slovenije. For Banka Slovenije, a report of a breach is an important additional source of information for the exercise of its supervisory powers.

If you, as a user of financial services, believe that a bank or other supervisory entity has breached the applicable regulations when dealing with you and you would like a substantive response regarding your specific case, please select the Complaints by users of financial services (bsi.si).

 

Reporting of breaches under the Protection of Whistleblowers Act (external whistleblowing)

External whistleblowing is designed for the reporting of breaches that the whistleblower learned of in their working environment at an entity supervised by Banka Slovenije in accordance with its powers and tasks.

In accordance with its powers, Banka Slovenije addresses external whistleblowing under the ZZPri only if the whistleblower explicitly states in their report that there is a risk of retaliatory measures and that they need protection as a whistleblower under the aforementioned law. The protection of whistleblowers applies to reports of breaches that are still in progress, or that occurred or came to an end in the last two years.

For whom is external whistleblowing designed?

In accordance with the ZZPri, external whistleblowing is intended solely for the reporting of breaches of regulations that the whistleblowers learned of in their working environment, and thus may only be utilised by a whistleblower who is or was employed at or in a similar relationship with a supervised entity that is supervised by Banka Slovenije in accordance with its powers, and who previously submitted an internal whistleblowing report at the supervised entity, or if there is no internal whistleblowing platform put in place as envisaged by the ZZPri, if the internal whistleblowing could not be effectively addressed, or if the whistleblower believes that in the event of internal whistleblowing there is a risk of retaliatory measures.
 

How do I report a breach?

Whistleblowing reports can be submitted by post, by email, by using the online form or by telephone. Reports can also be submitted anonymously in all instances.

  1. By using the online form at the bottom of this page (only in Slovene):
    When submitting a report via the online form, you will receive a unique password, which you need to keep safe. You can then update the report later by using the password.
  2. By emailing zvizgac@bsi.si:
    Please be aware that by its very nature, email does not specially protect the information from being viewed by third parties.
  3. By post addressed to:
    Banka Slovenije
    Banking supervision - Report of external breach – do not open
    Slovenska cesta 35
    1505 Ljubljana
    (IN PERSON)
  4. By telephone (in the case of submitting whistleblowing report pursuant to ZZPri):
    by prior notification by e-mail to: zvizgac@bsi.si (the conversation may be recorded)

When submitting a whistleblowing report by post, save the consignment sending date, the content of the whistleblowing report, and the business name of the bank or supervised entity to which the report relates. This information will be useful for any updates of the whistleblowing report, or for feedback.

Contact information for the whistleblowing officer (the official responsible for whistleblowing under the ZZPri)

Mitja Bukovec
zvizgac@bsi.si
 

Protection of the whistleblower’s identity, and other important information about the whistleblowing system

Do I have to provide my personal data in the whistleblowing report?

If for any reason you do not wish to disclose your personal data and/or contact information in the whistleblowing report, you can also submit a report to us anonymously. Banka Slovenije will address an anonymous whistleblowing report within the framework of its supervisory powers and will act in accordance with regulations.

If you want to submit an anonymous employee’s whistleblowing report, our recommendation is that you do not include contact information (name, address, phone number, email address, etc.) in the report, or state any other circumstances from which your identity might be inferred.

Should you wish to receive feedback about your report being received and addressed, despite making an anonymous report, you can cite simple information for where you wish the feedback to be sent.

We also advise you not to use work computers or other work resources to submit your report.

When submitting a report by email or via the online form, please be aware that the Banka Slovenije server records information about the IP address of the computer from which the mail was sent or the form was submitted, in the software for implementing Banka Slovenije’s information security policy (firewall, router, reverse proxy). In these cases it is practically impossible to exclude the information about the IP address of the specific computer used to submit a particular report, given the large quantity of data and additional security measures at Banka Slovenije (restricted access to the database, audit trails of access to data). Here it should be noted that the information about the IP address of the computer used to send the message or submit the report does not allow for the identification of the actual sender (when the computer can be used by different users), and the identity of the individual sender is additionally protected by the data confidentiality guaranteed by providers of telecommunications services and the managers of the local network to which the computer is connected.

What information in connection with a breach is relevant to investigations?

In a whistleblowing report you describe in your own words the actions that in your opinion are contentious and that contravene the regulations binding on the bank or other entity supervised by Banka Slovenije.

In the report you provide a precise description of the illegitimate acts or omissions that constitute a breach by the bank or other supervised entity and, where possible, you cite the relevant circumstances, witnesses, documents and other evidence of the breach.

In the process of addressing and investigating potential breaches there is often a need to obtain additional information from the whistleblower, for which reason you also submit your contact information in the report, unless you wish to make the report anonymously. Banka Slovenije will treat your contact information (name, address, phone number, etc.) as strictly confidential.

Can I later update a whistleblowing report that I have submitted?

You can update your report at any time. This applies equally to reports submitted anonymously.

If the report was submitted via the Banka Slovenije online form

When first logging in to submit a whistleblowing report via the online form, the whistleblower receives a unique password that allows for reports to be updated later and for additional information and documentation to be submitted. A whistleblower who submitted the report via the online form updates it via the online form by selecting the “I want to update an existing whistleblowing report” option. To update an existing report, the whistleblower enters the unique password obtained when first logging in.

To update a report submitted by post or by email, the whistleblower can later submit additional information or documentation in the same way, stating that the information relates to a whistleblowing report previously submitted.

If the report was submitted by post or email

The whistleblower may update their own report by stating in a new message when the report was submitted, which bank or other supervised entity it relates to, and what breach was reported (and other information from which the whistleblowing report can be identified).

Do I receive feedback about the progress of my report once submitted?

Banka Slovenije confirms receipt of a whistleblowing report with the whistleblower within seven days of receiving it, unless the whistleblower expressly requests otherwise, or if Banka Slovenije judges that confirming its receipt might threaten to expose the identity of the whistleblower. Banka Slovenije acts in the same way in cases of anonymous whistleblowing, if the whistleblower has stated where to send the confirmation of receipt.

Banka Slovenije notifies the whistleblower of the completion and outcome of the process. If the process is not completed within three months of the report being received, Banka Slovenije informs the whistleblower of the progress and state of the process, and in particular of any measures envisaged or taken. Banka Slovenije acts in the same way in cases of anonymous whistleblowing, if the whistleblower has stated where to send the confirmation of receipt.

Forwarding of whistleblowing report

Whenever Banka Slovenije receives an external whistleblowing report under the ZZPri that does not fulfil under its remit, it forwards it together with the personal data to the materially competent authority for external whistleblowing referred to in Article 14 of the ZZPri.

Authorities for external whistleblowing:

  1. Agency for Communication Networks and Services
  2. Securities Market Agency
  3. Competition Protection Agency
  4. Traffic Safety Agency
  5. Insurance Supervision Agency
  6. Agency for the Public Oversight of Auditing
  7. Banka Slovenije
  8. National Review Commission
  9. Financial Administration of the Republic of Slovenia
  10. Market Inspectorate
  11. Office for Money Laundering Prevention
  12. Information Commissioner
  13. Information Security Inspectorate
  14. Radiation and Nuclear Safety Inspection Service
  15. Radiation Protection Inspectorate
  16. Food Safety, Veterinary and Plant Protection Inspectorate
  17. Labour Inspectorate
  18. Public Sector Inspectorate
  19. Environment and Planning Inspectorate
  20. Agency for Medicinal Products and Medical Devices
  21. Supervisory authorities as defined by regulations governing the use of European cohesion policy funds in Slovenia
  22. Health Inspectorate
  23. Slovenian Sovereign Holding
  24. Commission for the Prevention Of Corruption

If no other authority is designated as competent for external whistleblowing under Article 14 of the ZZPri, Banka Slovenije forwards an anonymised description of the reported breach to the materially competent supervisory authority. The full report, including personal data, will only be forwarded to the materially competent supervisory authority by Banka Slovenije with your express consent. The Commission for the Prevention of Corruption is responsible for protecting the whistleblower in these cases in accordance with Article 17 of the ZZPri.

Which reports will Banka Slovenije forward to the ECB?

In accordance with the tasks conferred on the ECB by Council Regulation (EU) No 1024/2013 of 15 October 2013 (conferring specific tasks on the European Central Bank concerning policies relating to the prudential supervision of credit institutions), the ECB took over direct supervision of certain banks in Slovenia on 4 November 2014. The ECB is also the competent authority for investigating breaches in the area of the tasks conferred on it.

Any whistleblowing reports whose content relates to matters falling under the remit of the ECB will be forwarded to the ECB in line with the previous paragraph.
 

How is confidentiality ensured with regard to the identity of the whistleblower?

Confidentiality of the identity of the whistleblower

Banka Slovenije will treat information about the whistleblower, and all other information from which the whistleblower’s identity may be directly or indirectly determined or inferred, as strictly confidential. Banka Slovenije may disclose information about the whistleblower solely on the basis of the whistleblower’s express consent, or:

  • in the case of reports of breaches under the ZBan-3:
    • when the disclosure of the whistleblower’s identity is necessary for the execution of criminal proceedings or subsequent judicial proceedings;
    • when subsequent judicial proceedings are initiated in connection with the actions of the bank or other supervised entity, Banka Slovenije will have to forward information about the whistleblower’s identity to the competent prosecution authorities or the court if this is relevant to the proceedings;
  •  in the case of whistleblowing reports under the ZZPri:
    • if so required by the state prosecutor, when this is strictly necessary for the investigation of criminal offences (the whistleblower is informed in advance of the disclosure of their identity to the prosecution);
    • if so required by the court, when this is necessary for judicial proceedings, including judicial proceedings to protect the rights of the person that is the subject of the report (the whistleblower is informed in advance of the disclosure of their identity to the court).

Notwithstanding the above, no-one may disclose the whistleblower’s identity if to do so would threaten their life, or seriously endanger the public interest or national security and defence.

Protection of personal data in internal processes

The whistleblowing officer has sole access to information about the whistleblower’s identity in the first stage.

If the whistleblowing report is submitted via the online form, the message is transmitted via an encrypted HTTPS connection, which means that with the exception of the whistleblowing officer, no-one on the Banka Slovenije network can access the data in the message. Reports submitted by email are not protected by a secure connection.    

In the internal investigation process all data from which the whistleblower’s identity can be determined is segregated and protected against unauthorised access. An audit trail is provided for any viewing of the data on the whistleblower’s identity.

The whistleblowing officer may disclose the identity of the person that submitted the report in the internal investigation process, but only to authorised persons directly involved in the investigation process, where this is necessary for the process to be conducted and the breach to be officially established.

Retention period for information on the whistleblower’s identity

Banka Slovenije retains the whistleblowing report and the information on the whistleblower’s identity for five years after the completion of the investigation.

The personal data on the whistleblower, the intermediary, related parties, the person that is the subject of the report, and those involved in the investigation of a reported breach, and the content of the report are destroyed after the end of the retention period, while the report record data is retained even after the end of the retention period in accordance with bylaws.

Protection of whistleblower’s identity under the ZZPri

The provisions of the law governing access to information of a public nature do not apply to documents and other material in connection with a whistleblowing report until the end of the process. The information on the whistleblower’s identity is not classed as information of a public nature even after the end of the whistleblowing report process. This applies even when documentary material is forwarded to another competent authority for processing. Any attempt to determine the whistleblower’s identity and to disclose information about the whistleblower constitutes a misdemeanour for which the ZZPri prescribes a fine.

Exclusion of liability with regard to disclosure

A whistleblower who reports information about a breach in accordance with the ZZPri is not in breach of any restriction or prohibition with regard to the disclosure of information, and bears no liability in connection with the whistleblowing report or public disclosure, provided that they do not report or disclose false information, and that they have reasonable grounds for believing that the reporting or public disclosure of information of this type is essential to the exposure of the breach on the basis of law.

This does not apply to restrictions on the disclosure of information set out by regulations in the area of the protection of confidential information, the professional privilege and secrecy of lawyers, health workers and health assistants, the secrecy of judicial deliberations, and the rules of criminal proceedings.

Notwithstanding the provisions of the law governing professional secrecy, the reporting or public disclosure of information that includes professional secrets is not unlawful, provided that the whistleblower reports or discloses it in accordance with the ZZPri. The whistleblower bears no liability in connection with the acquisition of or access to the information that they are reporting or disclosing, provided that this acquisition or access does not constitute a criminal offence per se.

In any proceedings against a whistleblower for defamation, breach of copyright, breach of confidentiality of information, breaches of data protection rules, or compensation claims, the whistleblower bears no liability of any kind for reports or public disclosures on the basis of the ZZPri, and in any motion to dismiss the claim against them may make reference to the report or public disclosure, if they have reasonable grounds for believing that the reporting or public disclosure of information was essential to the exposure of the breach.

Information on breaches identified and measures imposed

If Banka Slovenije determines in a supervisory procedure that a breach has occurred at the bank or supervised entity, it will impose supervisory measures or sanctions against the bank or supervised entity in accordance with regulations.

Information about the findings in a supervisory procedure and about the supervisory measures imposed constitute confidential information on the basis of law, and may not be disclosed other than in cases defined by law. Certain information on the supervisory measures that it imposes on the basis of regulations is published by Banka Slovenije on its website.

What should I do if I am subjected to retaliatory measures after reporting a breach?

If you are subjected to retaliatory measures after reporting a breach at a bank or supervised entity, please report this to Banka Slovenije as an update to the whistleblowing report (see above).

If you submitted the whistleblowing report anonymously, Banka Slovenije will not be able to act on any report of retaliatory measures. In this case we recommend that you provide your personal data when updating the whistleblowing report.

Protecting a whistleblower from retaliatory measures in the case of a report processed according to the ZZPri

Actions that worsen the whistleblower’s position and are a consequence of the submission of the whistleblowing report (even if the person taking the actions against the whistleblower cites different grounds for so doing) are deemed retaliatory measures. Examples include termination of employment, reassignment, and harassment. Retaliatory measures are forbidden, and may constitute a misdemeanour. In the event of retaliatory measures, it is possible to file a temporary injunction, by which the court orders the employer to cease and desist from the retaliatory measures. If labour law measures have already been enforced, an action at a labour court is also possible. In the event of termination of employment, the whistleblower is also entitled to compensation for unemployment, irrespective of the grounds for termination (even for cause).

Whistleblowers who are natural persons (legal persons are not entitled to protection) and who submitted a whistleblowing report inside their working environment and consequently suffered retaliatory measures (termination of employment, reassignment, harassment and similar) are entitled to protection and support measures under the ZZPri. The protection is provided to whistleblowers who submitted their whistleblowing report in good faith (when submitting the report they believed the information to be true). Whistleblowers who knowingly submit a false report are not entitled to protection, and submitting a report of this kind may also constitute a misdemeanour.

The whistleblowing officer is able to advise a whistleblower who is subjected to retaliatory measures of their legal options, and within the framework of their powers will aid the whistleblower in administrative and judicial proceedings to address the retaliatory measures, for example by providing confirmation of the submission of a whistleblowing report, or providing evidence from the report investigation process that the whistleblower needs in other proceedings.

Information on NGOs active in the protection of whistleblowers under the ZZPri

TO REPORT FORM >>