Protected Disclosures including Whistleblowing and Infringement Reports
Protected Disclosures (Amendment) Act 2022
The Protected Disclosures (Amendment) Act 2022 commenced on 1 January 2023. Firms are required to comply with the provisions of the Act. The Department of Public Expenditure and Reform has developed a document containing the details of the key changes that firms should be aware of. See further information from the Department of Public Expenditure and Reform regarding the legislation.
What is a Protected Disclosure (including Whistleblowing and Infringement Reports)?
In summary:
Where a worker makes a disclosure under the Protected Disclosures Act, 2014 (the 2014 Act) which they believe is substantially true, or a person in good faith makes a disclosure under the Central Bank (Supervision and Enforcement) Act, 2013 (the 2013 Act), to the Central Bank or to one of its employees or one of its authorised officers; and they have reasonable grounds for believing that the disclosure will show that there has been, is being or is likely to be a breach of, or an offence under, financial services legislation or the concealment or destruction of evidence relating to such an offence or breach; then the disclosure is a “protected disclosure” for the purposes of the legislation.
In broad terms, the protections which accompany a protected disclosure are:
- The confidentiality of the identity of the reporting person making the protected disclosure. This is subject to certain exclusions – for example, where disclosure is necessary for the effective investigation of any matter or is required by law.
- The reporting person making the protected disclosure is protected from civil liability.
- The reporting person making the protected disclosure has a right of action in tort.
- Where the reporting person making the protected disclosure is an employee, their employer may not penalise or threaten penalisation for making the protected disclosure and an employer may be prosecuted for penalising an employee. In addition, employees are protected from dismissal.
- Workers can submit anonymous disclosures to the Central Bank and such disclosures can be treated as a protected disclosure under the 2014 Act. However, where anonymous reports are provided by persons other than “workers”, they fall under the 2013 Act. In those circumstances, an anonymous report is not a “protected disclosure” due to the provisions of the 2013 Act.
- Disclosures made under the 2014 Act do not constitute a criminal offence if, at the time the worker made the disclosure, it was, or they reasonably believed it was, a protected disclosure under the 2014 Act.
Confidentiality
The Central Bank has a legal obligation to protect the identity of the reporting person who makes a protected disclosure and not to disclose any information that might identify the reporting person, subject to the exceptions outlined below.
The Central Bank will not inform a regulated financial services firm that a disclosure has been made.
Exceptions
The Central Bank may disclose the identity of the reporting person where the reporting person provides their consent.
There are also certain limited circumstances provided for in the legislation, when the Central Bank may, or may be required to (where there is a legal basis for doing so), disclose the reporting person’s identity and/or identifying information. This may arise as follows:
Where the disclosure is made by a worker under the 2014 Act and:
- The Central Bank demonstrates that it took all reasonable steps to avoid disclosing the identifying information; or
- The Central Bank reasonably believes that disclosing the identity of the reporting person or any such information is necessary for the prevention of serious risk to the security of the State, public health, public safety or the environment; or
- Where the disclosure is a necessary and proportionate obligation imposed by Union law or the law of the State in the context of investigations or judicial proceedings, including with a view to safeguarding the rights of defence of the person concerned; or
- Where the disclosure is otherwise required by law.
Where the disclosure is made under the 2013 Act and:
- It is necessary to disclose the identity of the reporting person for the effective investigation of the matter to which the protected disclosure relates; or
- It is necessary to disclose the identity of the reporting person for the purposes of one of the following in relation to any matter to which the protected disclosure relates:
- An inquiry under section 33AO or 33AR of the 2013 Act;
- An appeal to IFSAT;
- An assessment under Part 5 of the Market Abuse (Directive 2003/6/EC) Regulations
- 2005 (now Part 5 of the European Union (Market Abuse) Regulations 2016 - S.I. No. 349 of 2016);
- An assessment under Part 15 of the Prospectus Regulations 2005;
- An assessment under Part 10 of the Transparency Regulations 2007;
- An investigation or hearing under Part 3 of the Central Bank Reform Act 2010.
Where the disclosure is made under the European Union (Market Abuse) Regulations 2016 (S.I. No. 349 of 2016) (the 2016 Regulations).
- In addition to the above exceptions under the 2014 and 2013 Acts, where the disclosure relates to market abuse under the 2016 Regulations, namely insider dealing, unlawful disclosure of inside information and/or market manipulation, the following specific exceptions to the disclosure of a reporting person’s identity or identifying information may also apply in the following circumstances:
- Where it is a necessary and proportionate obligation required by law subject to the appropriate safeguards in the context of investigations or subsequent judicial proceedings or in circumstances where it is necessary to protect the freedom/rights of others, and in particular, the right to a fair trial; or
- Where there is an exchange of information between national competent authorities within the European Union, in relation to allegations of market abuse, in particular where such information is necessary for legal proceedings; or
- Where information is transmitted to competent authorities in non-EU countries, which will only be done on a case by case basis, provided that the requirements of the Data Protection Acts have been adhered to. Further, it will be on condition that no further transmission of that information will occur without the express written authorisation of the Central Bank and where there has been compliance with the conditions imposed by the Central Bank in relation to the further transmission of the information; or
- In certain circumstances, where information is transmitted to a non-EU country, where a co-operation agreement exists between Ireland and that country.
Procedures
- The Central Bank will acknowledge receipt of the Report to the postal or electronic address indicated by the reporting person.
- The Central Bank may contact the reporting person to clarify the information reported or to request additional information that may be available to the reporting person. This contact will be to the postal or electronic address of the reporting person or by telephone or to the preferred communication channel, if indicated by the reporting person.
- The Central Bank is limited in the feedback it can provide to the reporting person and will only provide feedback where possible.
- Calls to the Protected Disclosures Desk may be recorded.
Protection for Employees
Both the Protected Disclosures Act, 2014 and Part 5 of the Central Bank (Supervision and Enforcement) Act, 2013, provide protections to employees who make protected disclosures. The legislation provides protections and remedies for reporting persons from penalisation and unfair dismissal in relation to their making a protected disclosure.
The Workplace Relations Commission and/or the courts will determine whether or not a disclosure is a protected disclosure under the legislation, not the Central Bank. However, it should be noted that the 2014 Act provides that, in such proceedings, all disclosures are presumed to be protected disclosures unless otherwise proven.
The Central Bank cannot intervene in employment disputes and cannot provide legal advice in relation to employee protections under the legislation. If you are considering making a protected disclosure but are unsure of your legal rights, you should contact a lawyer.
Protected Disclosures Act 2014 (Central Bank of Ireland is a prescribed person)
Where a worker wishes to make a report to the Central Bank under the 2014 Act relating to breaches of financial services legislation by their employer they may make the disclosure through the following channels.
- E-mail: [email protected]
- Phone: 1800 130 014 : Calls are answered Monday to Friday 9.30am - 5.00pm
- Post: Protected Disclosures Desk, Central Bank of Ireland, PO Box 559, Dublin 1.
Should you call the telephone line out of hours and leave a message, including your contact details, we will call you back within one working day to acknowledge receipt of your disclosure. Should you raise your disclosure via e-mail, you will receive an automatic acknowledgement of receipt and we will make further contact with you thereafter, if the need arises. Should you submit your disclosure by post, you will receive a written acknowledgement within three working days of receipt (if you include your return postal address).
Pre-Approval Controlled Function (PCF) Disclosures
Persons holding PCF roles in regulated firms who need to make a disclosure of an alleged offence, breach of financial services legislation or concealment or destruction of evidence of such in their firm are requested to make the disclosure by completing the form below and submitting it either by e-mail or post to the addresses provided.
Should you call the protected disclosures telephone line out of hours and leave a message including your contact details, we will call you back within one working day to acknowledge receipt of your disclosure.
Should you raise your disclosure via e-mail, you will receive an automatic acknowledgement of receipt and we will make further contact with you thereafter, if the need arises. Should you submit your disclosure by post, you will receive a written acknowledgement within three working days of receipt (if you include your return postal address).
- E-mail: [email protected]
- Phone: 1800 130 014; Calls are answered Monday to Friday 9.30am - 5.00pm
- Post: Protected Disclosures Desk, Central Bank of Ireland, PO Box 559, Dublin 1.
Pre-approval Controlled Function S.38(2) Disclosure Form | doc 30 KB
Central Bank (Supervision & Enforcement) Act, 2013
Where a person wishes to disclose to the Central Bank an alleged offence, breach of financial services legislation or concealment or destruction of evidence of such, under the Central Bank (Supervision & Enforcement) Act 2013 they may make the disclosure through the following channels.
- E-mail: [email protected]
- Phone: 1800 130 014: Calls are answered Monday to Friday 9.30am - 5.00pm
- Post : Protected Disclosures Desk, Central Bank of Ireland, PO Box 559, Dublin 1.
Should you call the telephone line out of hours and leave a message, including your contact details, we will call you back within one working day to acknowledge receipt of your disclosure. Should you raise your disclosure via e-mail, you will receive an automatic acknowledgement of receipt and we will make further contact with you thereafter, if the need arises. Should you submit your disclosure by post, you will receive a written acknowledgement within three working days of receipt (if you include your return postal address).
European Union (Market Abuse) Regulations 2016
Where a person wishes to report an actual or potential infringement under the 2016 Regulations they may make the Report through the following channels.
- E-mail: [email protected] (please refer to MAR alleged infringement in email)
- Phone: 1800 130 014: Calls are answered Monday to Friday 9.30am - 5.00pm
- Post: Protected Disclosures Desk, Central Bank of Ireland, PO Box 559, Dublin 1.
Should you call the telephone line out of hours and leave a message, including your contact details, we will call you back within one working day to acknowledge receipt of your disclosure. Should you raise your disclosure via e-mail, you will receive an automatic acknowledgement of receipt and we will make further contact with you thereafter, if the need arises. Should you submit your disclosure by post, you will receive a written acknowledgement within three working days of receipt (if you include your return postal address).
European Union (Payment Services) Regulations 2018
Where a person wishes to report an actual or potential infringement under the 2018 Regulations they may make the Report through the following channels.
- E-mail: [email protected] (please refer to PSD2 alleged infringement in email)
- Phone: 1800 130 014: Calls are answered Monday to Friday 9.30am - 5.00pm
- Post: Protected Disclosures Desk, Central Bank of Ireland, PO Box 559, Dublin 1.
Should you call the telephone line out of hours and leave a message, including your contact details, we will call you back within one working day to acknowledge receipt of your disclosure. Should you raise your disclosure via e-mail, you will receive an automatic acknowledgement of receipt and we will make further contact with you thereafter, if the need arises. Should you submit your disclosure by post, you will receive a written acknowledgement within three working days of receipt (if you include your return postal address).
The following details should be included, where possible, when sending a report to the Central Bank:
- Your identity and contact details;
- Confirmation on whether you are a natural or a legal persons
- Confirmation on whether or not you are a payment service user;
- The identity of the payment service provider(s) that has/have given rise to the complaint of an alleged infringement of the Payment Services Directive (Directive (EU) 2015/2366);
- A description of the situation that gave rise to the complaint of an alleged infringement of the Payment Services Directive (Directive (EU) 2015/2366);
- The Payment Services Directive (Directive (EU) 2015/2366) Article or Regulation upon which the complaint is made against.
A person making a Report to the Central Bank can also seek to have a meeting with dedicated staff members of the Central Bank.
Markets in Crypto-Assets Regulations (MiCAR) 2024
- E-mail: [email protected] (please refer to MiCAR alleged infringement in email).
- Phone: 1800 130 014: Calls are answered Monday to Friday 9.30am - 5.00pm.
- Post: Protected Disclosures Desk, Central Bank of Ireland, PO Box 559, Dublin 1.
Should you call the telephone line out of hours and leave a message, including your contact details, we will call you back within one working day to acknowledge receipt of your disclosure. Should you raise your disclosure via e-mail, you will receive an acknowledgement of receipt and we will make further contact with you thereafter, as necessary. Should you submit your disclosure by post, you will receive a written acknowledgement within three working days of receipt (if you include your return postal address).
The following details should be included, where possible, when sending a report to the Central Bank:
- Your identity and contact details (you can find information regarding anonymous protected disclosures in the sections above this one);
- Confirmation on whether you are a natural or a legal persons;
- Confirmation on whether or not you are a client or another interested party of a offeror, a person seeking admission to trading, an issuer of an asset-referenced token or e-money token, or a crypto-asset service provider;
- The identity of the offeror, person seeking admission to trading, issuer of asset-referenced token or e-money token, or the crypto-asset service provider that has/have given rise to the complaint of an alleged infringement of the Markets in Crypto Assets Regulation (Regulation (EU) No. 2023/1114);
- A description of the situation that gave rise to the complaint of an alleged infringement of the Markets in Crypto Assets Regulation (Regulation (EU) No. 2023/1114);
- The Markets in Crypto Assets Regulation (Regulation (EU) No. 2023/1114) Article upon which the complaint is made against.
A worker making a Report to the Central Bank can also seek to have a meeting with dedicated staff members of the Central Bank.
Overview of the Legislation
Please note that the Central Bank cannot give you legal advice if you are thinking about making a disclosure. You should contact a lawyer if you are unsure of your position.
Part 5 of the Central Bank (Supervision and Enforcement) Act 2013
The Act came into force on 1 August 2013. This introduced new protections for persons making protected disclosures to the Central Bank as well as new obligations on certain categories of persons in firms to disclose breaches of financial services legislation to the Central Bank.
Obligation on PCFs to report breaches of financial services legislation (S. 38 (2) Disclosures)
A person appointed to perform a pre-approval controlled function (“PCF”) is required under Section 38 of the 2013 Act, to disclose to the Central Bank information relating to a breach of, or offence under, financial services legislation or the concealment or destruction of evidence relating to such an offence or breach, which he or she believes will be of material assistance to the Central Bank.
Protected Disclosures Acts 2014
A worker can make a report to the Central Bank under the 2014 Act relating to breaches of financial services legislation which they learned about in connection with their employment, as the Central Bank is a prescribed person by virtue of S.I. No. 339/2014 Protected Disclosures Act 2014 (Section 7(2)) Order 2014.
ECB/Single Supervisory Mechanism Regulation
The EU SSM Regulation establishing the Single Supervisory Mechanism (SSM), which formally commenced on 4 November 2014, includes a provision in respect of reporting of breaches, i.e. whistleblower reports: Article 23. Under the Regulation, persons with information on potential breaches of relevant EU law by banks and/or by competent authorities, including the Central Bank, can report such breaches to the ECB.
Reports received by the Central Bank in respect of the significant supervised entities, i.e., major Banks in Ireland, and in respect of prudential issues, must be submitted to the ECB by the Central Bank for processing, in accordance with the SSM Regulation. Reports in respect of less significant supervised entities, where the report is in respect of an alleged breach of an ECB decision or regulation or where the report is in respect of the Central Bank, will also need to be submitted to the ECB. Where such reports are in respect of breaches of the Central Bank's code of conduct or anti-money laundering these are not sent to the ECB but are assessed by the Central Bank.
Market Abuse - European Union (Market Abuse) Regulations 2016 (S.I. No.349 of 2016)
The 2016 Regulations impose obligations on the Central Bank to have appropriate structures and processes in place to receive reports of actual or potential infringements of market abuse law. The SI does not create a separate type of protected disclosure in respect of infringements of market abuse law, but sits with existing protections for persons making protected disclosures under the 2013 and 2014 Acts.
Where a reporting person makes information available to the Central Bank in accordance with the 2016 Regulations, they are not considered to be: -
- infringing any restriction on disclosure of information imposed by contract or by any legislative, regulatory or administrative provision; or
- involved in liability of any kind related to such disclosure.
Payment Services – European Union (Payment Services) Regulations 2018
The 2018 Regulations prescribes that the Central Bank is the competent authority for receipt of reports of infringement with regard to alleged infringements of the 2018 Regulations by payment services providers.
The Central Bank has a range of supervisory and enforcement measures to monitor and ensure effective compliance with the Regulations.
Markets in Crypto-Assets Regulation (MiCAR) 2024
MiCAR impose obligations on the Central Bank to set up procedures to receive complaints with regard to alleged infringements of MiCAR by offerors, persons seeking admission to trading, issuers of asset-referenced tokens or e-money tokens, or crypto-asset service providers. Complaints shall be accepted in writing, including electronically and by telephone.
Please note that where there is any divergence between this information and the legislation then the language of the legislation prevails.