Report a breach
Who can report a breach?
Anyone may notify the National Bank of Belgium (hereinafter, the “NBB”) of a suspected or actual breach of the provisions of Belgian laws and European regulations, including any implementing provisions, concerning the status and supervision of financial institutions and the prevention of the use of the financial system for the purposes of money laundering or financing terrorism, that the NBB has the duty to oversee.
Information can be reported anonymously or not, using a dedicated platform, which can be accessed via a link here.
What breaches can be reported?
The reporting procedure is designed to facilitate the reporting, by persons acting in good faith,[1] of suspected or actual breaches of the legal and regulatory provisions concerning the status and supervision of financial institutions and the prevention of the use of the financial system for the purposes of money laundering or financing terrorism, that the NBB has the duty to oversee.
The procedure is designed to facilitate the reporting of breaches committed by:
- financial institutions under the supervision of the NBB pursuant to Article 36/2 of the Act of 22 February 1998 establishing the organic statute of the National Bank of Belgium (i.e. credit institutions, investment firms with the status of stockbroking firms, insurance companies, reinsurance companies, mutual guarantee societies, central counterparties, settlement institutions, institutions equivalent to settlement institutions, payment institutions and electronic money institutions); and
- the prudential supervisory authorities of the above-mentioned Belgian or foreign financial institutions, including the NBB in its capacity as supervisory authority responsible for compliance with anti-money laundering standards.
Reports concerning negligence or breaches committed by credit institutions, financial holding companies and mixed financial holding companies subject to the supervision of the European Central Bank (ECB) pursuant to Council Regulation (EU) No 1024/2013 of 15 October 2013 conferring upon the ECB specific tasks concerning policies relating to the prudential supervision of credit institutions (list available here) - must be submitted directly to the ECB.
The reporting procedure discussed here is not intended to deal with breaches of provisions concerning consumer protection or the supervision of financial markets. These fall within the remit of the FSMA or the FPS Economy.
The procedure is not intended to provide advice, victim support or any financial compensation to the whistleblower.
What protection is there for the person reporting the breach?
The Act of 28 November 2022 establishes the status of the whistleblower and the protection to be afforded to them. It permits any person, whether an employee or self-employed, shareholders, persons belonging to the administrative, management or supervisory body of an organisation, volunteers or trainees, and any person working under the supervision of (sub)contractors and suppliers, job applicants or even customers, to report breaches of financial legislation falling within the remit of the NBB or the ECB.
This report can be made in parallel with an internal report or independently.
The NBB will only use the information provided in a report exclusively to exercise its legal duties. The information is subject to the rules of professional secrecy laid in the Act of 22 February 1998. The protection of the whistleblower and of the person(s) to whom a breach is reported in a report is therefore guaranteed.
What action will be taken on the report?
The NBB will acknowledge receipt of the report. Pursuant to its supervisory duties, the NBB will analyse the information received and take any action it deems appropriate.
Insofar as the NBB and the persons involved in the exercise of its supervisory duties are bound by professional secrecy, the whistleblower cannot be informed of follow-up action(s) taken concerning the information received. However, where necessary and possible, the NBB may contact the reporting person to obtain additional information via the postbox that the latter can create via the platform. The creation of a postbox does not compromise the anonymity of the reporting person.
Processing of personal data
It is possible to use the reporting platform anonymously. When a suspected breach is reported and the personal details of the reporting person are provided, the Compliance Team will register these details and process them solely in the context of the investigation to which the report gives rise and in accordance with the rules in force on the processing of personal data. The Compliance Team treats personal data confidentially. However, the Compliance team cannot rule out the possibility that it may, in certain circumstances, by virtue of a legal obligation, have to communicate this personal data to other individuals, in which case it will inform the reporting person in advance.
Data relating to persons to whom a breach is attributed in a report is also processed in accordance with current legislation on the protection of personal data.