Banca CF+ Credito Fondiario S.p.A. (the “Bank“) aims to promote a corporate culture characterized by correct behavior and good corporate governance practices.
In compliance with EU and national legislation regarding the protection of individuals reporting breaches of EU law and national laws (hereinafter the “Whistleblowing Legislation“), the Bank has established and activated specific internal reporting channels and adopted its own internal reporting system for violations, governed by the “Regolamento in materia di Segnalazione di Comportamenti Illegittimi” (hereinafter the “Whistleblowing Regulation“).
The following provides the necessary information to make reports in compliance with the Whistleblowing Legislation and the Whistleblowing Regulation, and to benefit from the related protection measures.
WHO CAN MAKE A WHISTLEBLOWING REPORT?
Whistleblowing reports can be made by individuals falling under one of the categories defined in Article 3, paragraph 3, of Legislative Decree 24/2023. Indicatively, but not exhaustively, this category includes:
- internal employees;
- independent workers, collaborators, consultants, and freelancers performing activities on behalf of the Bank;
- supplier personnel;
- shareholders, persons with administrative, control, supervisory or representative functions.
It is clarified that the reporting by employees is free and voluntary, and the Bank ensures compliance with confidentiality obligations set by the relevant external legislation. Furthermore, the Bank adopts measures to encourage and protect individuals who, upon becoming aware of unlawful or illegitimate behavior by others in their work context, decide to report such acts or facts to the designated authorities.
WHAT CAN BE REPORTED?
In accordance with the Whistleblowing Legislation, any act or fact that comes to light within one’s work context can be reported if it constitutes:
I. a breach of regulations governing banking activity;
II. offenses under Legislative Decree 231/2001;
III. violation of the Bank’s Organization, Management, and Control Model under Legislative Decree 231/2001;
IV. offenses under EU or domestic laws specified in the annex to Legislative Decree 24/2023;
V. acts or omissions damaging EU financial interests or the internal market;
VI. acts or violations that nullify the purpose or intent of the provisions listed in points iv) and v).
WHO MANAGES THE INTERNAL REPORTING CHANNELS?
The person responsible for handling whistleblowing reports received through internal channels, tasked with receiving, analyzing, and managing investigations into the reported facts, and performing the necessary verifications, is the Head of Internal Audit (hereinafter also referred to as the ” Head of Whistleblowing“).
It is specified that, in the event of a potential conflict of interest (e.g., if the Head of Whistleblowing is himself the alleged violator or has a potential conflict of interest compromising impartiality), the report may be addressed to the Head of Compliance & AML.
WHAT REPORTING CHANNELS CAN BE USED?
INTERNAL CHANNELS OF BANCA CF+
The Bank has made available the following internal reporting channels:
- “SecureBlowing” IT platform: the platform is provided by the Bank and allows for anonymous reporting, if appropriately substantiated and detailed, ensuring that the facts and situations are related to specific contexts. The platform guarantees confidentiality regarding the identity of the whistleblower, the individual involved or mentioned in the report, and the content of the report and its associated documentation.
- oral report: the IT platform allows for oral reporting via a voice messaging system.
- meeting with the Head of Whistleblowing: the whistleblower may request a meeting, and the recipient is required to fulfill this request within a reasonable time frame.
EXTERNAL CHANNEL OF ANAC
As a priority, whistleblowers are encouraged to use internal channels. However, under certain conditions, they may submit an external report directly to the competent authorities.
In particular, it is possible to make an external report to the National Anti-Corruption Authority (“ANAC”), in accordance with the procedures outlined on the authority’s official website (https://www.anticorruzione.it/), if one of the following conditions applies at the time of the report:
- internal reporting is not mandatory in the workplace, or the internal channel is not active or, even if activated, does not comply with external regulations;
- the whistleblower has already made an internal report that has not been followed up on, where “follow-up” refers to the actions taken by the person entrusted with the management of the reporting channel to assess the reported facts, the outcome of the investigations, and any actions taken;
- the whistleblower has legitimate reasons to believe that internal reporting would not be followed up on effectively or might lead to retaliation;
- the whistleblower has legitimate reasons to believe the violation may constitute an imminent or obvious threat to public interest.
MANAGEMENT OF WHISTLEBLOWING REPORTS
The Head of Whistleblowing:
- ensures the correct and diligent handling of the process outlined in the Whistleblowing Regulation;
- manages the stages of a) receiving the report and the investigation process, b) conducting investigative activities, c) concluding the investigation activities;
- issues an acknowledgment of receipt to the whistleblower within seven days of receiving the report, providing feedback within three months of the acknowledgment or, in the absence of acknowledgment, within three months from the expiration of the seven-day period after the report is submitted;
- maintains communication with the whistleblower and may request additional information, if necessary;
- provides clear information on the channel, procedures, and requirements for correctly making reports (e.g., the elements the report must contain), as well as for making external reports;
- immediately reports to the Bank’s Corporate Bodies and the Supervisory Body as per Legislative Decree 231/2001 any relevant information from reports, in compliance with confidentiality obligations under the applicable legislation;
- may involve other specialized Bank structures, if necessary, for the investigation and research activities;
- prepares an annual report on the proper functioning of internal reporting systems, including aggregated information on the outcome of activities following received whistleblowing reports, which is submitted to the Board of Directors for approval, after consulting the Board of Auditors.
PROTECTION OF THE WHISTLEBLOWER AND THE REPORTED PERSON
The Bank ensures specific protections for whistleblowers in line with the relevant legislations, guaranteeing that the whistleblower, even if it turns out to be unfounded, will not be subject to disciplinary action, except in cases of fraud or gross negligence. Protection is also extended to other individuals (besides the whistleblower) as defined in Article 3 of the aforementioned decree.
Ensuring compliance with confidentiality obligations set by relevant legislation, the Bank:
- guarantees that whistleblowers, even if it turns out to be unfounded, will not face any disciplinary action, except in cases of fraud or gross negligence;
- adopts necessary measures to protect the physical integrity and moral personality of whistleblowers, ensuring they are adequately protected from any form of retaliation, penalty, discrimination, or threats;
- adopts appropriate measures to protect the whistleblower from any retaliation or discriminatory acts, either direct or indirect, related to the report. The whistleblower has the right to report retaliation to ANAC, which will inform the National Labor Inspectorate for further action;
- ensures the confidentiality of the whistleblower’s identity, the individual mentioned or involved in the report, and the content of the report and related documentation.
Under the applicable legislation, a whistleblower acting in bad faith may be subject to criminal charges for defamation or calumny, or civil liability for the same reasons if their report is proven to be malicious.
It is further clarified that, unless the act constitutes a crime, the whistleblower will not incur any responsibility, including civil or administrative, for acquiring information about the violation or accessing it. Additionally, no liability arises for revealing or disseminating information regarding:
- matters covered by secrecy obligations, other than professional confidentiality (e.g., legal and medical);
- information concerning the protection of intellectual property;
- information regarding data protection;
- information harming the reputation of the person involved.
In all cases, criminal or other responsibility (civil or administrative) will not be excluded for acts unrelated to the report or disclosure, nor for any acts not strictly necessary to reveal the violation.
DATA PROTECTION AND RECORD KEEPING
The processing of personal data related to the management of whistleblowing reports is carried out by the Bank, as Data Controller, in compliance with EU and national data protection laws (EU Regulation 2016/679, Legislative Decree 196/2003), adopting appropriate measures to protect the rights and freedoms of the individuals concerned.
Documentation related to reports is confidential. This documentation is stored securely in accordance with the Bank’s internal regulations on the classification and handling of confidential information and in compliance with applicable regulations (specifically, reports and related documentation are kept for the time necessary for processing the report, but in no case beyond five years).
The documentation is stored by the Head of Whistleblowing and is accessible only to authorized employees. The documentation includes at least the name, identification code, and the whistleblower’s department, the details of the person reported, statements, activities carried out, the outcome of the investigation, and the actions taken. It is further clarified that personal data that is manifestly irrelevant to the processing of a specific report will not be collected or, if collected accidentally, will be promptly deleted.