Frequent questions

What is Whistler and how does it work?

Whistler is an application for reporting violations or suspicions on them, which allows whistleblowers to submit signed or anonymous reports in good faith, and also enables them to re-access the application (their account), using their username and password.  Users/whistleblowers select their username and password the first time they log in.

The whistleblower’s security and anonymity are guaranteed. If despite the security a whistleblower prefers not to disclose their identity, the application includes an option that conceals their identity even from the investigator with whom the whistleblower will otherwise have unrestricted communication.

Communication between the whistleblower and investigator is essential to the success of the investigation. The investigator needs to obtain the largest amount of the most accurate and most credible information possible. Experience has shown that reports based on anonymous unilateral letters can be unsuccessful, since the whistleblower may inadvertently fail to provide information (e.g. what, when, and where something happened and who the participants were) that could allow the launching of a focused investigation, due to which the investigation could end up following false leads.

Whistler is located on our public website, www.nlb.si, which allows reports to be submitted from outside the bank, e.g. from libraries, cafés, etc.

The application allows the whistleblower to monitor the status of their individual reports and to keep in constant contact with the investigator. In this way, a completely secure communication channel is established between the whistleblower and the investigator. The whistleblower’s security and anonymity are both guaranteed, and at the same time the investigator is able to obtain potentially critical additional information in connection with the individual report. The application allows the whistleblower to receive information about the progress of the investigation and about its conclusion and results.

On their initial login, the whistleblower selects a username and password, regardless of whether they wish to disclose their identity or remain anonymous. Using these two authenticating elements they enter the application, through which they communicate with the investigator and monitor the reporting procedure. They can update their report at any time, add documents or talk with the investigator in a chat window.

It is extremely important that users remember their username and password. The password is not saved and forgotten passwords cannot be reset. A new login is required in order to re-establish contact, and therefore access to the content associated with the previous (forgotten) username and password will not be possible.

However, in the event that you forget your login details you can always register under a new username and password, and in the new (additional) report notify the investigator about the content of the previous report, which will still be visible to the investigator. 


Who should use the system for reporting violations?

The system is designed for bank customers, individuals who are employed by the bank and for other stakeholders who believe that an act has been committed which is damaging to the bank or its employees, and which could have serious consequences with respect to regulatory sanctions, criminal liability or the bank’s reputation.

The system for reporting violations is not intended to deal with general questions about bank operations, customer questions and complaints or the reporting of workplace mobbing.


Who will process the report (who are the investigators)?
The whistleblower’s report is received by the head of investigations, an experienced bank officer with many years of practice in the area of supervision and investigation. The head of investigations carries out his/her duties together with his/her deputies. The detection and prevention of fraud and abuse group includes experienced employees with professional competencies in law, banking and regulatory compliance, economics and investigation.

Why is it necessary to report violations and what information is important to the investigators at the NLB Compliance and Integrity?

In accordance with good management practice, at the bank we would like the identification of deviations, irregularities and even violations to be resolved first and foremost inside the organisational units in which they occur. Therefore, the resolving of such issues is first under the responsibility of the direct supervisor in the organisational unit. However, in real life situations can occur in which for various reasons certain matters cannot be resolved within an individual unit (possible involvement of managers or other similar reasons). In such cases, there are several channels available for reporting observed violations to the NLB Compliance and Integrity, one of which is the Whistler application.

According to the Rules on the procedures for investigating harmful conduct, follow-up and whistleblower protection, each employee is already obliged to report (to their direct superior or directly to the Compliance and Integrity) observed harmful conduct that could lead to serious consequences for the bank (damage, criminal offences, regulatory sanctions, harm to reputation). Only in this way, we can react to serious violations quickly and appropriately, and thereby protect the interests and reputation of the bank and those of its employees and stakeholders. It is also important to identify any systemic weaknesses and adopt systemic measures in order to prevent similar cases in the future.  

Upon submitting a report and sending information to the NLB Compliance and Integrity, the whistleblower ensures that the harmful conduct is appropriately documented, and then checked or investigated, and that the bank can respond appropriately and quickly. Whistleblowers’ reports are therefore important from the perspective of preventing the occurrence and recurrence of damage, identifying urgently needed corrections/amendments to business processes, and the discharge of individual responsibilities.

It is also very important for investigators that the whistleblower attempts to answer as many as possible of the following questions in the report:

  • What happened?
  • Where did it happen?
  • When did it happen?
  • Who committed a violation?
  • How did they do this?
  • What did they do this with?
  • Why did they do this?

Protection of whistleblowers

When receiving, processing, investigating and archiving individual reports, the Compliance and Integrity ensures that the information in the report and thus the personal data of the whistleblower are strictly protected. The whistleblower is therefore completely protected both throughout and after the proceedings.

Protection of internal whistleblowers

The Bank uses various measures to assure the complete protection of whistleblowers who are NLB employees against any retributive measures to which they might be subjected to owing to their whistleblowing activities. To this end, on 10 March 2015 the Management Board of NLB d.d. signed and published the Declaration on the prohibition of retributive measures against whistleblowers. We at the Compliance and Integrity are aware that an individual’s decision to submit a report of a violation is usually exceptionally difficult. Therefore we pay a great deal of attention to whistleblowers who act in good faith.


How is the protection of the whistleblower’s personal data ensured and who will have access to the whistleblower’s personal data?

Protection of personal data

If the whistleblower discloses their identity when registering, the bank in accordance with the provisions of the General Data Protection Regulation (GDPR) and the Personal Data Protection Act (ZVOP-1) must provide appropriate protection of the personal data of persons submitting reports of harmful conduct. All data on the whistleblower is considered confidential.

The bank does not disclose whistleblowers’ personal data to third parties without their explicit consent.

Upon receipt of a report, in the event that the whistleblower wishes protection, all of the whistleblower’s personal data and other data from which the identity of the whistleblower could be determined is removed from the report and kept separately from the investigation file, and protected from unauthorised access.

An audit trail is created for every instance of accessing the whistleblower’s personal data.

If the report is signed, only the investigator processing the individual report and the head of investigations have access to the whistleblower’s personal data. 

The whistleblower’s personal data and the information on the violation are kept for 10 years after the conclusion of the case.

If a supervisory procedure is initiated on the basis of an individual investigation, the data will be kept for a further 5 years after the conclusion of those proceedings or judicial proceedings.

More detailed information about how the Bank handles personal data and rights of individuals are available at https://www.nlb.si/general-information-on-personal-data-protection.pdf and/or in the document General Information on Personal Data Processing.


Does the whistleblower have to state his/her personal data in the report?

Whistleblowers are not obliged to disclose their personal data and may submit anonymous reports. The application is designed first and foremost so that whistleblowers can submit anonymous reports in such a way that an investigation can proceed without obstruction (feedback).

When filling out the form for reporting violations and when filling out the enclosures, whistleblowers who wish to remain anonymous should make sure that they do not provide data that could directly or indirectly disclose their identity. Whistleblowers may disclose their identity at any time during their anonymous communication with the investigator, should they so choose. We are aware that this requires a considerable amount of mutual trust.


What types of personal data does NLB collect?

In order to identify and investigate suspicions of violations, NLB collects and processes data on whistleblowers (if they provide it) and data on other participants in the harmful conduct in accordance with GDPR and ZVOP-1.


Can I review my personal data that is collected by NLB?

In connection with the personal data collected and processed by NLB, every individual has the right to access to and review their personal data in accordance with the provisions of the GDPR and ZVOP-1, as well as the right to rectification and the right to erasure.


How will the procedure of reviewing the violation report proceed at NLB?
  1. Receipt and anonymisation of report

    Every report of a violation submitted via Whistler is received directly by the head of investigations at the Compliance and Integrity. After review by the head of investigations and the carrying out of the initial activities, the report is assigned to one of the investigators. If the whistleblower wishes to protect their identity, the investigator to whom the report is assigned will remove all of the whistleblower’s personal data from the report when preparing the investigation file. 

    The investigation will be carried out in several prescribed steps, which have their own action plans and prescribed deadlines. The whistleblower is notified about the conclusion of the investigation via the Whistler application. 

    The Compliance and Integrity investigates reports of violations using its own employees or external contractors.
     
  2. Conducting the investigation and communication with the whistleblower

    The Investigation Group has all of the required measures, mechanisms and means at its disposal at the bank for the effective conducting of the investigation and determination of the facts. During the investigation, the investigators are authorised to access all documents and areas in the bank, and to hold discussions with various persons within the legally permissible framework. In order to ensure that the investigation is effective and successful, additional communication with the whistleblower is also frequently required, since particularly at the beginning of an investigation there are usually a lot of uncertainties. Whistleblowers, who know where and how a violation was committed, make it possible for investigators to conduct focused, rational investigations with effective conclusions. Only the investigator to whom the individual report was assigned and the head of investigations can communicate with the whistleblower via Whistler.
     
  3. Conclusion of investigation and follow-up

    Every investigation is structured and documented according to a prescribed procedure. After the conclusion of each investigation, the investigator drafts a separate report setting out the relevant circumstances and facts. On the basis of proposals made at the appropriate levels the bank adopts appropriate measures which correspond to the established violations (labour law proceedings, criminal complaints, civil lawsuits, other appropriate measures, etc.).

What other avenues/channels for submitting reports does the bank provide?
  1. Email

    A permanent email account is provided. Access to that email account is exclusively restricted to persons authorised to receive reports.

    prijava.nepravilnosti@nlb.si
     
  2. PO Box

    The Compliance and Integrity maintains a PO box intended exclusively for receiving reports on violations. Access to the PO box is exclusively restricted to persons authorised to receive reports.

    NLB d.d., p.p. 1726, 1001 Ljubljana or

    NLB d.d. Ljubljana, Trg republike 2, 1520 Ljubljana, for Compliance and Integrity – do not open!

     
  3. Personal contact

    We are aware that personal contact is particularly important in order to establish mutual trust. Employees always have the option of reporting violations in person by talking to persons authorised to receive reports. The person authorised to receive reports drafts a record of the received report, which serves as the basis for the initiation of the investigation. In the event of specific circumstances, we also always provide conversations with authorised persons outside of bank premises in a place where the whistleblower feels most safe and secure.

    The contact information of the investigators/persons authorised to receive reports are posted on the bank’s intranet.