On 21 July 2015 the Bank of Italy updated the Banks' Supervisory Regulations (Decision n. 285 of 17 December 2013) and set out the rules relating the new whistleblowing obligations imposed by Section 52-bis of the Italian Consolidated Banking Act (Legislative Decree n. 385 of 1st September 1993), implementing Directive 2013/36/EU (the CRD IV Directive).

According to the new rules, Italian banks and their parent companies shall adopt specific procedures to allow their employees to report any fact which may result in a breach of the applicable banking laws. Such procedures shall:

  1. guarantee the confidentiality of the personal data of both the reported person and the whistleblower, whose identity can be disclosed only with his/her consent or when necessary for the defence of the reported person;
  2. protect the whistleblower against retaliation, discrimination or unfair behaviours as a consequence of reporting a wrongdoing; 
  3. provide for the setting up of a specific, autonomous and independent reporting channel, different from any other reporting channel the bank may already have in place, by ensuring that the person in charge of reviewing the allegations (i) is not a subordinate of the reported person, (i) is not the reported person himself/herself, (iii) does not have a potential personal interest in the relevant report which may jeopardize his/her autonomy of judgment, and (iv) does not participate in the adoption of the decisions on the reported wrongdoing; and
  4. be approved by the banks' bodies which are competent for the strategic supervision.

The activity of collecting, analysing and evaluating the allegations can be outsourced to third-party service providers. In any case, banks shall appoint a person in charge of all their internal reporting systems, who shall promptly notify the competent bodies of any material allegation and annually draft a report on the activity carried out in relation to whistleblowing, which shall be approved by the bank's management and be provided to the employees.

The internal reporting systems shall be set up by clearly defining the individuals (employees or other categories of workers) who are allowed to report a wrongdoing and the facts or documents which can be reported. Moreover, the internal reporting system shall set out the procedures through which the allegations can be submitted and the persons who are in charge of receiving and reviewing them, as well as the procedures for the review of the allegations (e.g. phases of the procedures; timeline; individuals involved; cases in which the individual responsible for the review is bound to notify the competent bodies; etc.).  Also the modalities through which the whistleblower and the reported person will be informed of the development of the procedure shall be specified, together with the obligation for the whistleblower to declare whether he/she has a private interest in relation to the reported wrongdoing. Finally, to the extent permitted by applicable laws, the procedure shall foresee a privileged treatment for a whistleblower reporting a wrongdoing in relation to which he/she is in whole or in part jointly liable with other persons.

For the purpose of encouraging the use of whistleblowing, banks shall inform employees on how to use the reporting systems and of the measures adopted to protect the whistleblowers' personal data, by also providing the relevant information required by the Italian Privacy Code.

Banks shall comply with the new regulations by no later than 31 December 2015.