Welcome to the FMA’s Whistleblowing Reporting Centre

To provide effective technical protection to the reporting person, we have made a communications platform available for submitting anonymous reports, that is protected using state-of-the-art technology using certified encryption procedures.

We specifically use the highly-secure BKMS^® system (which stands for: Business Keeper Monitoring System). This is system is certified in accordance with European data protection law, and does not permit any access to the data in the system, and is reviewed and confirmed by independent bodies by means of regular audit and certification processes.

Every report made through the whistle-blowing system is encrypted, backed up using dedicated secured network routes and stored in an external databank in a high-security datacentre. It is not possible to technically trace messages back to their source, and personal data is not required to be entered at any point in the reporting process. You are able to remain completely anonymous.

A personal protected postbox can also be set up in the system we used, which allows you to communicate anonymously with our whistle-blowing point of contact, to ensure that your anonymity is also protected by technical means during such communications. When setting up a protected postbox, you always choose the access details (username and password).

As long as you do not enter any details that allow information to be traced back to you, the whistle-blowing system also protects your anonymity on a technical level for communications conducted using the postbox.

If at the time of submitting the report based on the actual circumstances and the information available to you adequate grounds are assumed that substantiate that the reports you have made are true, and where they fall within the scope of the HSchG, then as a reporting person you are afforded legal protection.

However, such protection under the HSchG only extends to a specific personal and material scope (Article 2 and Article 3 HSchG). This means that not all reporting persons are provided protection, and that not all thematic areas about which reports are made are covered by the HSchG, and therefore also do not fall under its scope of protection.

This means that protection under the HSchG is only afforded, if all conditions are meet, i.e. if you are legally worthy of protection and fall under the protected group of persons (see “Who is protected?”, personal scope) and the report relates to a sector that is covered by the HSchG (see “What can be reported”, material scope).

Reports that are patently incorrect may trigger damages claims, and may be pursued by courts or as administrative offences.

Caution over your anonymity: Please note that your personal data, where they have become known, or are able to be found out, may in certain cases set out under law may be disclosed. In particular, the provisions of the Code on Criminal Procedure 1975 (StPO; Strafprozessordnung 1975) shall apply once an initial suspicion exists under criminal law pursuant to Article 1 para. 3 StPO.

Anyone who learns or learned of certain breaches in the course of their ongoing or previous professional activity may be a protected person under the HSchG.

Protected persons do not only include employees, but for example also include:

• applicants
• trainees
• volunteers
• the self-employed
• members of management bodies (e.g. administrative board or the supervisory board)
• temporary contracted workers
• contractors from (sub-)enterprises
• suppliers

Since the personal scope of the HSchG does not extend to cover all natural persons, and especially as its protective rules do not apply for all natural persons, we request when submitting your report that you state whether you learned of the breaches described in your report during the course of your ongoing or past professional activity. We request you to provide this information, so that we are able to assess whether your interests require protecting under the HSchG, so that we are able to make information available to you about the outcomes and follow-up measures.

In particular, you may submit reports to the FMA about the following areas that are in the scope of protection of the HSchG:

• financial services
• financial products and financial markets, as well as
• the prevention of money laundering and terrorist financing
• and related collective consumer protection issues.

The HSchG grants protection against retaliatory measures for a natural person belonging to the personal scope listed in the law that occur in conjunction with a justified report (see “When does a report constitute a justified report”).

Protection against retaliatory measures in particular, but not exclusively relates to unfair dismissal, a temporary employment contract not being extended, being given a proof reference, disciplinary measures or have a licence removed.

The HSchG stipulates that measures that occur in retaliation for a justified report are legally invalid. In the event that you experience such a retaliatory measure as a reaction to your justified report, you are entitled to have such measures repealed, to the restoration of legal compliance, as well as in any case claims for damages for financial losses and any personal impairments sustained. In addition, you also have the right to confidential treatment of your identity. If this is not possible for any reason whatsoever, then you must be informed in advance that this is the case. Should you have further questions in this regard, you may address them to the FMA’s whistle-blowing point of contact.

A report is considered to be justified, if at the time of submitting the report based on the actual circumstances and the information available to you adequate grounds are assumed that substantiate that the report you have made is true, and falls within the scope of the HSchG.

The protection available under the HSchG applies from the time of submitting the report based on the actual circumstances and the information available to you adequate grounds are assumed that substantiate that the report you have made is true.

You are protected by the HSchG if you submit information that is classified as “confidential”, “secret”, or “top secret” as a report as defined in the HSchG, if

• the justified report could not be pursued effectively without disclosing or analysing such information,
• if they are passed on in observance of the regulations for safeguarding classified information, especially Article 7 of the Information Security Regulation (Informationssicherheitsverordnung) published in Federal Law Gazette II No. 548/2003 as amended in Federal Law Gazette II No. 268/2022, and
• you are able to assume that the whistle-blowing point of contact is qualified to observe rules on safeguarding classified information, especially in the case of their being passed on to another internal or external body.

A justified report that has been submitted in relation to internal as well as external reports while observing the provisions of the HSchG, and which discloses facts or information, which the reporting person is obliged to keep confidential based on a legal regulation or on the basis of a contract, does not breach confidentiality requirements,

• where the report is justified,
• the reporting person has an adequate reason to assume that the report is necessary to uncover or prevent a legal breach, and
• no reasons for exclusion exist, for which this federal act does not apply.

This Directive does not apply to the following:

1. the confidentiality requirements of legally regulated health professions;
2. Information covered by the right to confidentiality of attorneys, notaries as well as those practising tax advising and related professions (Article 9 of the Lawyers Code (Rechtsanwaltsordnung), published in Reich Law Gazette No. 96/1868, Article 37 of the Notarial Code (Notariatsordnung), published in Reich Law Gazette No. 75/1871, Article 80 of the Tax Advising and Related Professions Act 2017 (Wirtschaftstreuhandberufsgesetz 2017), published in Federal Law Gazette I No. 137/2017), including contractual agreements for maintaining confidentiality with partners or supervisory bodies of a law company as well as employees or assistants of lawyers, notaries or tax advisors;
3. procurement procedures that are excluded from the following federal acts in relation to procurement:
   1. procurement procedures that are excluded from the Purchase Contract Awards Act (Bundesvergabegesetz 2018), published in Federal Law Gazette I No. 65/2018, pursuant to Article 9 para. 1 nos. 3, 4 and 5 as well as Article 178 para. 1 nos. 3, 4 and 5 thereof,
   2. procurement procedures that are excluded from the Federal Procurement Act for Concessions 2018 (Bundesvergabegesetz Konzessionen 2018), published in Federal Law Gazette I No. 65/2018, pursuant to Article 8 para. 1 nos. 2, 3 and 4 thereof,
   3. procurement procedures that are excluded from the Purchase Contract Awards Act for Defence and Security 2012 (Bundesvergabegesetz Verteidigung und Sicherheit 2012), published in Federal Law Gazette I No. 10/2012, pursuant to Article 9 para. 1 nos. 1 and 5 thereof,
4. the application of the provisions of the Code on Criminal Procedure 1975 (StPO; Strafprozeßordnung 1975), published in Federal Law Gazette no. 631/1975, once an initial suspicion exists (Article 1 para. 3 StPO);
5. information that is provided to clerics of a legally recognised church or religious society or registered religious denomination during a pastoral conversation.

These provisions regarding the disclosure of classified information (e.g. Information classified as “confidential”, “secret” or “top secret”) shall applay subject to the proviso that the report could not be objectively pursued further without passing on or evaluating this information, that it is passed on in the observance of the standards for protection classified information, and where the reporting person was able to assume, that the reporting centre that receives the report, is qualified to observe this standard.

The FMA is required to protect your identity as the reporting person, which also appears for any information from which it is possible to deduce your identity. It is forbidden to disclose the content of the report or the identity of the reporting person to anyone other than the competent members of staff. Forwarding the report to the competent body is excluded from this rule.

By way derogation from this rule, your identity as well as the information from which your identity may be deducted, may only be disclosed, where an administrative authority, court, or the Public Prosecutor’s Office (Staatsanwaltschaft) deems this to be essential within the scope of administrative proceedings or a proceedings in front of a court of law, or in the case of an investigation under the Code on Criminal Procedure (StPO; Strafprozessordnung). At the same time the danger you are placed in as the reporting person must be considered, and deemed to be proportionate with regard to the veracity and severity of the allegations raised.

Where doing so does not jeopardise the respective procedure, and where there is a possibility to contact you (such as through a personal mailbox), we are required to inform you prior to disclosure, and to presents the reasons for the disclosure in writing.

Business secrets that are disclosed on the basis of a report, are only allowed to be processed or disclosed for the purposes of that law and for the extent that is necessary.

Protection is also given to persons affected by a report, since the provisions on disclosure, consideration of the threat caused and weighing up its proportionality are also equally valid for any person that is affected by a report.

The processing of personal data contained in reports is permissible for the purposes of the HSchG. This covers personal data of

• whistle-blowers,
• persons concerned as a result of a report,
• natural persons supporting the reporting persons in making the report,
• natural persons closely association to the reporting persons, who without assisting the report, could be affected by detrimental consequences of the report such as retaliatory measures, as well as
• persons affected by or involved in follow-up measures.

Processing must

• be in the public interest for preventing or pursuing legal breaches and for making reports for this purpose and to check their veracity, and
• be limited to information that is required for determining the occurrence of and pursung a legal breach.

The following shall be authorised to process information:

• reporting persons regarding the information that is required for their report,
• internal and external bodies regarding the information that is submitted to them by a reporting person,
• authorities for processing information that was submitted to them as a consequence of a report, to the extent that the information is required for further investigations or for the initiation of a procedure.

The named natural persons, the internal and external borders or authorities are also considered as controllers pursuant to Article 4 no. 7 of the General Data Protection Regulation (GDPR) or Article 36 para. 1 no. 8 of the Data Protection Act (DSG; Datenschutzgesetz).

As long as and to the extent necessary for protecting the identity of a reporting person, a person pursuant to Article 2 para. 3 no. 1 or no. 2 or pursuant to Article 2 para. 1 no. 4 HSchG and for achieving the purposes stated in Article 1 and para. 2 no. 1 HSchG, the rights listed in nos. 1 to 7 of a natural person affected by a report and the rights of a legal person affected by a legal person affected by a report contained in nos. 1 to 5 and 7 in the DSG shall not apply.

The purposes in particular include, for example, thwarting attempts to prevent, impede, frustrate or slow down reports or follow-up measures related to reports. Such protection is especially necessary for the duration of a procedure being conducted by an administrative authority or a court, or an investigative procedure under the Code on Criminal Procedure (StPO; Strafprozessordnung).

In this context the following rights shall not apply to a concerned legal person affected by a report:

1. The right to information (Article 43 DSG, Articles 13 and 14 GDPR),
2. The right to access (Article 1 para. 3 no. 1 and Article 44 DSG, Article 15 GDPR),
3. The right to access (Article 1 para. 3 no. 1 and Article 45 DSG, Article 16 GDPR),
4. The right to erasure (Article 1 para. 3 no. 2 and Article 45 DSG, Article 17 GDPR),
5. The right to restriction of processing (Article 45 DSG, Article 18 GDPR),
6. The right to object (Article 21 GDPR) as well as
7. The right to the communication of a personal data breach (Article 56 DSG and Article 34 GDPR).

Report pursuant to Article 37 DSG

Personal data

1. must be processed in a lawful and fair manner,
2. must be collected for specific, clear and lawful purposes and not be processed in a way that is incompatible with such purposes,
3. must correspond to the purpose of processing and be relevant and not be permitted to be excessive in relation to the purposes for which they are processed,
4. must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate regarding the purposes for which they are processed, are erased or rectified without delay,
5. must not be kept in a form for longer than is necessary for the purposes for which it is processed that permits identification of data subjects,
6. must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

If you would like to submit a report (either stating your name or anonymously), click on the button marked “Whistleblower-System” in the top right of the FMA’s website’s landing page.

The reporting process consists of 4 steps:

1. Firstly, you will be asked to read a brief information text. Please click on the respective links for further information. On the first information page you will find a dark blue button “Submit report” in the top left, or if you have already set up a postbox and wish to open it, there is a grey button “Login”.
2. After clicking on the button “Submit report”, you will see security advice about protecting your identity. On this page, there is also a security query, which protects automated access to our system. Here, you will be asked to enter a string of characters appearing in a grey field.
3. On the next page you will then be asked about the thematic focus of your report. Please read the information about the categories and then select the one that applies.
4. On the page for making the reporting you should formulate your report in your own words and should answer a series of questions about the case in hand via a series of dropdowns. The free text response may be up to 5,000 characters long, which is the equivalent of a full A4 page. You may also attach a file of up to 5 megabytes in size to support your report. Remember that documents may contain information about the author of the document. Once you have submitted your report you will receive a reference number. Please note this reference number, as it is the proof that you have sent the report and that we have received it in an orderly manner. You may then also print your report.

We would recommend you to set up a protected postbox, so that we are able to respond to you, and if you wish to also conduct a further protected dialogue.

You can also set up a separate protected postbox in our system. When setting up your protected postbox, you always choose your access details (username and password) yourself.

This protected postbox is your own way to contact the FMA, and you continue to remain anonymous as long as you do not enter any personal details, that permit conclusions to be drawn about your identity. Our whistle-blowing system also technically protects your anonymity when you communicate through your postbox.

We can ask you further questions about the facts through your protected postbox, as well as providing your with responses about your report.

In the event that you already have a protected postbox, you can access this postbox directly using the “login” button. You will need to confirm the security query in this case. Provided that you do not enter data that allows information to be traced back to you, the BKMS^® system protects your anonymity in a technical way.

If you lose your access details, then it is no longer possible to access the postbox, and you are no longer able to see previous communications. If you set up a new postbox about a previously made report, then we would ask you to state the reference number, and where possible also keywords about your report, as we may not otherwise be able to assign the new postbox correctly.

The FMA’s whistle-blowing point of contact is the central point for receiving external reports as well as for communicating anonymously with whistle-blowers through the IT-based whistle-blowing system. The point of contact is staffed by persons with the necessary personal and professional qualifications, who have been specially trained for handling reports.

You may submit reports either in written form, e.g. via the FMA’s IT-based whistle-blowing system, or orally, by phone or in person (see the section on “Channels of communication for whistle-blowing”). If you wish to make your report in person at the FMA’s premises, then you have a right to be given an appointment within 14 days to discuss the report.

All reports are handled in a diligent, comprehensive, impartial, honest and confidential manner, and will be checked regarding their veracity.

We are not obliged to pursue a report further if we arrive at the result, where necessary also having obtained further information, that the report

• does not in the HSchG’s material scope, or
• does not contain any indications that prove its veracity, or
• where it only clearly constitutes a very minor legal breach, or
• where the same information has already been submitted.

You may submit additional information or correct reports made at any time. Where it is possible to communicate with you, patently incorrect reports are rejected. Where a report does not fall in the FMA’s competence, then the information must be passed on to another reporting centre, where possible to do so. Where an option for communication exists, we are required to inform you about it.

Reports that fall within the FMA’s competence are passed on by the whistle-blowing point of contact to the competent specialist divisions for further processing. In the event that the specialist division arrives at the conclusion that measures are required to be taken under supervisory law, then it shall initiate such measures.

Within three months at the latest, or in certain justified instances within six months, where a possibility exists to communicate with you, we are required to inform you:

• about the findings we arrived at
• what follow-ups were taken or are intended to be taken
• or the reasons for not pursuing a report further.

Follow-ups are the measures we have taken following and as a result of the report, such as reviewing the report’s veracity, carrying out subsequent research and investigations, as well as instigating, initiation, conducting or ending a procedure or other measures for pursuing the breach further, for prosecution, or for restoring legal compliance.