Entities
Access the database
Since the entry into force of Regulation (EU) No 468/2014 of 16 April 2014 (SSM Framework Regulation), the CSSF has set up an independent communication channel allowing any person acting in good faith and working or having worked in or with entities of the Luxembourg financial sector to report to the CSSF in a confidential and secure manner any dysfunctions in or irregularities committed by or at entities subject to the supervision of the CSSF.
This page will be updated according to the situations encountered by the CSSF as well as the different interpretations and guidelines given by the Whistleblowing Office (l’Office des signalements). Moreover, the competent jurisdictions will ultimately be in charge of the interpretation of the law. The CSSF declines any liability as to the use and interpretation made of the information stated below.
This channel must not be used for complaints against entities supervised by the CSSF, or for simply establishing contact with the CSSF or for general enquiries.
In Luxembourg, the Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law aiming at creating a uniform European legal framework to protect whistleblowers in certain policy areas of the European Union was transposed by the Law of 16 May 2023 transposing Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law (hereinafter the “Law of 16 May 2023”).
The scope of application of the Law of 16 May 2023 extended the protection of whistleblowers to breaches of national law as a whole. Thus, whistleblowers meeting the conditions of the Law of 16 May 2023 who report breaches of the rules of law, be they administrative or criminal, are therefore protected against any form of retaliation.
The rules applicable to the reporting of potential or actual breaches in the financial sector are currently laid down in the Law of 16 May 2023, which is supplemented by provisions in the following sectoral laws:
The CSSF is only competent for handling reports in relation to breaches of the regulations relating to the financial sector, subject to the competences conferred on it by the Law of 23 December 1998 establishing a financial sector supervisory commission (“Commission de surveillance du secteur financier”) (“Law of 23 December 1998”) and by the different “sector-specific” laws applicable to the financial sector. Further information concerning the mission and competences of the CSSF is available on the dedicated page.
You may also contact the Whistleblowing Office for general information on the competent authority according to the type of report.
The Law of 16 May 2023 protects whistleblowers working in the private or public sector who acquired information on breaches in a work-related context (current, past or future work-based relationship), including:
It also protects:
The following are not subject to protection:
It must be noted that the CSSF will handle with the same degree of confidentiality the reports of any person acting in good faith who wishes to report any dysfunctions in or irregularities committed by or at entities subject to the supervision of the CSSF, including of persons not subject to the protections provided for by the Law of 16 May 2023.
The whistleblower may report any breach of national and/or Union law, i.e. acts or omissions that:
The whistleblower may communicate any information, including reasonable suspicions, about:
which occurred or are very likely to occur:
The whistleblower may not disclose information acquired or to which he or she obtained access by committing a criminal offence.
In order to be protected against any form of retaliation within the meaning of the Law of 16 May 2023, the whistleblower must:
The CSSF is committed to protecting the whistleblower’s identity within the limits of the applicable laws. In other words, neither the identity of the reporting employee, nor that of any third persons involved will be disclosed without the explicit consent of the whistleblower.
The CSSF will not disclose:
Where applicable, the CSSF does not use or disclose trade secrets for purposes going beyond what is necessary for proper follow-up.
The confidentiality with respect to the identity of the whistleblower may only be waived where that is a necessary and proportionate obligation under the Law of 8 June 2004 on the freedom of expression in the media or under European Union law in the context of investigations by national authorities or judicial proceedings, including with a view to safeguarding the rights of defence of the person concerned.
In such a case, the CSSF informs the whistleblower in writing with a rationale before his or her identity is disclosed, unless such information would jeopardise the related investigations or judicial proceedings.
Where such a report does not fall within the CSSF’s remit, this report is transmitted in a confidential and secure manner to the competent authority referred to in Article 18 of the Law of 16 May 2023. The collected data may be transmitted to other national competent authorities or to bodies, offices or agencies of the European Union that are competent in the framework of the cooperation provided for in Article 19 of the Law of 16 May 2023.
Where a report on allegations addressed to the CSSF must be investigated, the persons with the appropriate access authorisation, transmit that report, according to its object, to the competent departments within the CSSF. Where anonymisation is not possible without compromising the CSSF’s investigatory and supervisory activities, only the personal data necessary for the investigation will be transmitted.
For the purposes of fulfilling the missions conferred on it by the Law of 16 May 2023, and more precisely concerning the handling of reports, the CSSF may need to process personal data.
Any processing of personal data carried out pursuant to the Law of 16 May 2023, including the exchange or transmission of personal data by the competent authorities, is carried out in accordance with Regulation (EU) 2016/679, hereinafter “General Data Protection Regulation” or “GDPR”.
As a public authority processing personal data, the CSSF is required to fulfil its obligations in its capacity as controller.
After examination, where necessary and subject to the confidentiality obligations referred to above, personal data thus obtained may be processed in the framework of the exercise of tasks or investigations falling within the CSSF’s remit. In this context, the processing of your data is necessary for the performance of a task carried out in the public interest of which the CSSF is in charge (Article 6(1)(e) of the GDPR).
Personal data which are manifestly not relevant for the handling of a specific report are not collected or, if accidentally collected, deleted without undue delay.
Personal data obtained through a report that is deemed unjustified by the authorised agents, as it falls outside the CSSF’s remit, are deleted without delay.
The personal data obtained by means of a report are stored for three months following the closure of the investigation conducted by the CSSF in the discharge of its relevant tasks or proceedings with respect to the allegations made in the report until the end of the appeal period.
In accordance with the Law of 17 August 2018 on archiving, the files with heritage value must be stored for archiving purposes in the public interest beyond these durations of administrative usefulness.
Please contact the CSSF’s Data Protection Officer (DPO) for any question regarding the processing of your personal data by the CSSF at the following email address: dpo@cssf.lu or by post to:
Commission de Surveillance du Secteur Financier
DPO / Pascal Pirih
283, route d’Arlon
L-1150 Luxembourg
In addition, please read the CSSF’s Terms of Service and Privacy Policy.
The persons wishing to report breaches of the law may report them externally to the CSSF either directly, or after having made an internal report provided that it is possible to address the breach efficiently internally and that they consider that there is no risk of retaliation.
Any person wishing to report breaches of the law that fall within the CSSF’s remit, may address the CSSF in French, Luxembourgish, German or English:
The form should be the preferred channel as it is the best way of ensuring the independence and autonomy requirements for the receipt and handling of reports received in accordance with Article 17 of the Law of 16 May 2023.
The CSSF’s external reporting channels ensure the completeness, integrity and confidentiality of the transmitted information. The access to the information thus transmitted is limited to certain authorised CSSF agents who are bound to professional secrecy pursuant to Article 16 of the Law of 23 December 1998, which refers to Article 458 of the Criminal Code.
The CSSF does not record reports made via phone but may draft precise minutes detailing the main elements of the conversation and give the whistleblower the opportunity to verify, rectify and sign them for approval.
In case of reports made via other channels or other CSSF staff members, the latter are also bound to secrecy as regards the identity of the whistleblower or the person concerned and transmit the report without delay to the staff members in charge of handling reports. As a reminder, all the CSSF staff members are subject to professional secrecy within the meaning of Article 458 of the Criminal Code and in accordance with Article 16 of the Law of 23 December 1998.
Every private sector (counting 50 or more workers) and public sector entity (except local authorities counting fewer than 10,000 residents and entities counting fewer than 50 workers) must propose channels and procedures for internal reporting and for follow-up.
Private sector entities with 50 to 249 workers may share resources as regards the receipt of reports and follow-up of internal reports. The reporting channels must be operational by 17 December 2023.
The persons wishing to report breaches of the law are encouraged to make an internal report before making an external report, unless the internal report would be detrimental to them (retaliation by the employer for instance).
The Whistleblowing Office can inform and help any person wishing to make a report.
The CSSF receives and follows up on the reports falling within its remit. Please remember that further information concerning the tasks and competences of the CSSF is available at “About the CSSF”. The CSSF may request in writing that the entity referred to in the report communicate all information it deems necessary, with due regard to the confidentiality of the whistleblower’s identity.
The CSSF notably ensures:
Due to the legal obligation in respect of professional secrecy under Article 458 of the Criminal Code, the CSSF will not inform the whistleblower on the concrete measures taken following his or her report, unless these measures will be the object of a disclosure in accordance with the applicable legal provisions.
Where the CSSF receives a report for which it is not competent, it transmits this report within a reasonable timeframe, in a confidential and secure manner, to the national competent authority referred to in Article 18 of the Law of 16 May 2023. The latter informs the whistleblower thereof.
Whistleblowers are invited to follow the whistleblowing procedure set up by the European Central Bank (ECB) (Whistleblowing (europa.eu)) to report facts concerning significant banks within the meaning of the Single Supervisory Mechanism (SSM). However, if the CSSF receives a report concerning a significant bank, it transmits this report to the ECB and informs the whistleblower thereof.
Where the CSSF receives a report concerning a breach of regulations or decisions of the ECB by a less significant entity within the meaning of the SSM, it transmits this report to the ECB, without communicating the identity of the reporting person, unless the whistleblower gives his or her explicit consent.
In addition to its powers of investigation, the CSSF may impose an administrative fine on natural and legal persons, that:
1) hinder or try to hinder a report;
2) refuse to provide the information requested by the CSSF in the framework of its mission or who provide incomplete or false information;
3) contravene the confidentiality of the whistleblowers;
4) refuse to address the reported breach;
5) do not establish the channels and procedures for internal whistleblowing and their follow-up, in breach of the Law of 16 May 2023.
Such fine can amount between EUR 1,500 and EUR 250,000. The maximum of the fine may be doubled in case of a repeat offence within 5 years as from the last sanction that has become definitive.
An action for judicial review of the decisions taken by the CSSF in accordance with the Law of 16 May 2023 may be lodged before the Tribunal administratif (Administrative Tribunal) within one month from the date of notification of the decision.
A penalty of imprisonment of 8 days to 3 months and a fine of between EUR 1,500 to EUR 50,000 may be imposed on a whistleblower who knowingly reported or publicly disclosed false information.
A person making a false report will be liable under civil law. The entity that suffered harm may claim compensation for the damage suffered before the competent jurisdiction
A whistleblower who publicly discloses a breach is protected by the Law of 16 May 2023 if:
Whistleblowers who fulfil de conditions for protection do not break the law by disclosing information and do not incur liability of any kind:
They have the right to rely on that reporting or public disclosure to seek dismissal of the case.
Any form of retaliation, including threats and attempts of retaliation against whistleblowers resulting from their report, is prohibited.
The following are automatically null and void:
Are also prohibited:
The whistleblower who suffers retaliation measures may, within 15 days following the notification of the measures, request the competent jurisdiction to declare the measures null and to order them to cease.
The person who has not invoked the nullity of the retaliation measures or who has already obtained their nullity may, furthermore, claim damages.
The CSSF recommends, as regards court proceedings, to use the services of a lawyer.
The persons that retaliate or initiate abusive procedures against whistleblowers may be fined between EUR 1,250 to EUR 25,000.
The whistleblower who suffers adverse measures automatically benefits from the presumption that these measures have been taken against him or her as a retaliation for the report.
It is therefore for the person who has taken retaliatory measures to establish the grounds therefor.