Frequent questions

What is Whistler and how does it work?

Whistler is an application for reporting violations which allows whistleblowers to submit signed or anonymous reports in good faith, and also enables them to re-access the application (their account), using their username and password. Users/whistleblowers select their username and password the first time they log in.

The whistleblower’s security and anonymity are guaranteed. If despite the security a whistleblower prefers not to disclose their identity, the application includes an option that conceals their identity even from the investigator with whom the whistleblower will otherwise have unrestricted communication.

Communication between the whistleblower and investigator is essential to the success of the investigation. The investigator needs to obtain the largest amount of the most accurate and most credible information possible. Experience has shown that reports based on anonymous unilateral letters can be unsuccessful, since the whistleblower may inadvertently fail to provide information (e.g. what, when, and where something happened and who the participants were) that could allow the launching of a focused investigation, due to which the investigation could end up following false leads.

Whistler is located on our public website,, which allows reports to be submitted from outside the bank, e.g. from libraries, cafés, etc.

The application allows the whistleblower to monitor the status of their individual reports and to keep in constant contact with the investigator. In this way a completely secure communication channel is established between the whistleblower and the investigator. The whistleblower’s security and anonymity are both guaranteed, and at the same time the investigator is able to obtain potentially critical additional information in connection with the individual report. The application allows the whistleblower to receive information about the progress of the investigation and about its conclusion and results.

On their initial login, the whistleblower selects a username and password, regardless of whether they wish to disclose their identity or remain anonymous. Using these two authenticating elements they enter the application, through which they communicate with the investigator and monitor the reporting procedure. They can update their report at any time, add documents or talk with the investigator in a chat window.

It is extremely important that users remember their username and password. The password is not saved and forgotten passwords cannot be reset. A new login is required in order to re-establish contact, and therefore access to the content associated with the previous (forgotten) username and password will not be possible.

However, in the event that you forget your login details you can always register under a new username and password, and in the new (additional) report notify the investigator about the content of the previous report, which will still be visible to the investigator.

Who should use the system for reporting violations?

The system is designed for individuals who are employed by the bank and for other stakeholders who believe that an act has been committed which is damaging to the bank or its employees, and which could have serious consequences with respect to regulatory sanctions, criminal liability or the bank’s reputation.

The system for reporting violations is not intended to deal with general questions about bank operations, customer questions and complaints or the reporting of workplace bullying.

Who will process the report (who are the investigators)?

The whistleblower’s report is received by the head of fraud prevention Department, an experienced bank officer with many years of practice in the area of supervision and investigation. The head of Department carries out his duties together with his deputies. The detection and prevention of fraud and abuse in group includes experienced employees with professional competencies in law, banking and regulatory compliance, economics and investigation.

Why is it necessary to report violations and what information is important to the investigators at the Security Division in Komercijalna banka?

In accordance with good management practice, at the bank we would like the identification of deviations, irregularities and even violations to be resolved first and foremost inside the organisational units in which they occur. Therefore, the resolving of such issues is first charged to the direct supervisor in the organisational unit. However, in real life situations can occur in which for various reasons certain matters cannot be resolved within an individual unit (possible involvement of managers or other similar reasons). In such cases there are several channels available for reporting observed violations to the Bank's Security Division, one of which is the Whistler application.

In accordance with the Regulation regarding fraud investigations, case handling and protection of whistleblowers, each employee is obliged to report to his/her direct supervisor or to the Security Division, observed harmful conduct that could lead to serious consequences for the bank (damage, criminal offences, regulatory sanctions, harm to reputation). Only in this way we can react to serious violations quickly and appropriately, and thereby protect the interests and reputation of the bank and those of its employees and stakeholders. It is also important to identify any systemic weaknesses and adopt systemic measures in order to prevent similar cases in the future.

Upon submitting a report and sending information to the Bank's Security Division, the whistleblower ensures that the harmful conduct is appropriately documented, and then checked or investigated, and that the bank can respond appropriately and quickly. Whistleblowers’ reports are therefore important from the perspective of preventing the occurrence and recurrence of damage, identifying urgently needed corrections/amendments to business processes, and the discharge of individual responsibilities.

It is also very important for investigators that the whistleblower attempts to answer as many as possible of the following questions in the report:

  • What happened?
  • Where did it happen?
  • When did it happen?
  • Who committed a violation?
  • How did they do this?
  • What did they do this with?
  • Why did they do this?

Protection of whistleblowers

When receiving, processing, investigating and archiving individual reports, the Bank's Security Division ensures that the information in the report and thus the personal data of the whistleblower are strictly protected. The whistleblower is therefore completely protected both throughout and after the proceedings.

Protection of internal whistleblowers

The Bank uses various measures to assure the complete protection of whistleblowers who are Komercijalna bank employees against any retributive measures to which they might be subjected to owing to their whistleblowing activities. We at the Bank's Security Division are aware that an individual’s decision to submit a report of a violation is usually exceptionally difficult. Therefore we pay a great deal of attention to whistleblowers who act in good faith.

Protection of personal data

How is the protection of the whistleblower’s personal data ensured and who will have access to the whistleblower’s personal data?

If the whistleblower discloses their identity when registering, the bank in accordance with the provisions of the General Data Protection Regulation (GDPR) must provide appropriate protection of the personal data of persons submitting reports of harmful conduct. All data on the whistleblower is considered confidential.

The bank does not disclose whistleblowers’ personal data to third parties without their explicit consent.

Upon receipt of a report, in the event that the whistleblower wishes protection, all of the whistleblower’s personal data and other data from which the identity of the whistleblower could be determined is removed from the report and kept separately from the investigation file, and protected from unauthorised access.

An audit trail is created for every instance of accessing the whistleblower’s personal data.

If the report is signed, only the investigator processing the individual report and the head of investigations have access to the whistleblower’s personal data.

The whistleblower’s personal data and the information on the violation are kept for 10 years after the conclusion of the case.

If a supervisory procedure is initiated on the basis of an individual investigation, the data will be kept for a further 5 years after the conclusion of those proceedings or judicial proceedings.

Does the whistleblower have to state his/her personal data in the report?

Whistleblowers are not obliged to disclose their personal data and may submit anonymous reports. The application is designed first and foremost so that whistleblowers can submit anonymous reports in such a way that an investigation can proceed without obstruction (feedback).

When filling out the form for reporting violations and when filling out the enclosures, whistleblowers who wish to remain anonymous should make sure that they do not provide data that could directly or indirectly disclose their identity. Whistleblowers may disclose their identity at any time during their anonymous communication with the investigator, should they so choose. We are aware that this requires a considerable amount of mutual trust.

What types of personal data does Komercijalna banka collect?

In order to identify and investigate suspicions of violations, Komercijalna banka collects data on whistleblowers (if they provide it) and data on other participants in the harmful conduct.

Can I review my personal data that is collected by Komercijalna banka?

In connection with the personal data collected by Komercijalna banka, every individual has the right to be apprised of their personal data in accordance with the provisions of the GDPR.

How will the procedure of reviewing the violation report proceed at Komercijalna banka?
  1. Receipt and anonymisation of report

    Every report of a violation submitted via Whistler is received directly by the head of fraud prevention Department at the Bank's Security Division. After review by the head of fraud prevention Department and the carrying out of the initial activities, the report is assigned to one of the investigators. If the whistleblower wishes to protect their identity, the investigator to whom the report is assigned will remove all of the whistleblower’s personal data from the report when preparing the investigation file.

    The investigation will be carried out in several prescribed steps, which each have their own action plans and prescribed deadlines. The whistleblower is notified about the conclusion of the investigation via the Whistler application.

    The Security Division investigates reports of violations using its own employees or external contractors.
  2. Conducting the investigation and communication with the whistleblower

    The Investigation Group has all of the required measures, mechanisms and means at its disposal at the bank for the effective conducting of the investigation and determination of the facts. During the investigation, the investigators are authorised to access all documents and areas in the bank, and to hold discussions with various persons within the legally permissible framework. In order to ensure that the investigation is effective and successful, additional communication with the whistleblower is also frequently required, since particularly at the beginning of an investigation there are usually a lot of uncertainties. Whistleblowers who know where and how a violation was committed make it possible for investigators to conduct focused, rational investigations with effective conclusions. Only the investigator to whom the individual report was assigned and the head of fraud prevention Department can communicate with the whistleblower via Whistler.
  3. Conclusion of investigation and follow-up

    Every investigation is structured and documented according to a prescribed procedure. After the conclusion of each investigation, the investigator drafts a separate report setting out the relevant circumstances and facts. On the basis of proposals made at the appropriate levels with regard to investigation the Bank adopts appropriate measures which correspond to the established violations (labour law proceedings, criminal complaints, civil lawsuits, other appropriate measures, etc.).

What other avenues/channels for submitting reports does the bank provide?
  1. Email

    A permanent email account is provided. Access to that email account is exclusively restricted to persons authorised to receive reports.
  2. Mail

    A letter containing an information regarding irregularity (with an stated note the »NR Director of the Department«, or DO NOT OPEN) may be sent to the Bank Security Division / Fraud Prevention Department. Access to the letter will be restricted exclusively to persons authorized to receive applications.

    Location for sending letters: Komercijalna banka, Belgrade, Svetog Save 14, III floor-annex
  3. Personal contact

    We are aware that personal contact is particularly important in order to establish mutual trust. Employees always have the option of reporting violations in person by talking to persons authorised to receive reports. The person authorised to receive reports drafts a record of the received report, which serves as the basis for the initiation of the investigation. In the event of specific circumstances, we also always provide conversations with authorised persons outside of bank premises in a place where the whistleblower feels most safe and secure.

    Contact information on persons authorized to receive applications is published on the bank's intranet.