Operation guidelines on reporting regulatory breaches


The regulations require the establishment of an internal channel for reporting possible violations of the rules governing the activities of MBFACTA S.p.A. (hereinafter “MBFACTA” or the “Company”).

MBFACTA has therefore drawn up a Whistleblowing Policy that enables the persons listed in the following paragraph to report violations that they know about or suspect are taking place.

Reports will be dealt with in accordance with the Whistleblowing Policy, as summarised below.

1. Who may report

The internal and external reporting channels are available to anyone who falls into one of the following categories:

  • staff member of the Company (regardless of the type of contract and including member under staff leasing arrangements, interns, collaborators who carry out their activities within MBFACTA’s premises or who are in any way part of the Company’s organizational structure);
  • suppliers of the Company;
  • shareholders of the Company;
  • members of the Company’s corporate bodies.

The channels are also available to persons who do not yet fall into one of the above categories yet (if the violation occurred during the selection process) and to persons who no longer have a relationship with the Company (if the violation occurred during the relationship).

Where practicable and in accordance with the principle of proportionality, MBFACTA will deal with reports made by persons other than those listed above in accordance with the principles set out in this notice.

2. What may be reported

Violations of the external and internal rules may be reported through the whistleblowing channels, in particular with regard to:

  • breaches of regulations on: financial services, products and markets; prevention of money laundering and terrorist financing; consumer protection; protection of privacy and personal data; security of network and information systems; environmental protection; public procurement;
  • fraud against the State or the EU; breaches of competition and corporate tax rules;
  • breaches giving rise to vicarious liability (pursuant to Italian Legislative Decree 231/2001) and breaches of MBFACTA’s organisational and management Model.

As defined by the external regulations, complaints relating to a personal interest linked to the reporting person’s personal employment contract are not covered by the whistleblowing channels. Reports relating to human resources issues (e.g. harassment, bullying, equal opportunities) will be dealt with in accordance with the relevant internal regulations, which is in any case consistent with the whistleblowing measures, in accordance with the principle of proportionality.

3. How to make an internal report

It is possible to make an internal report through one of the following channels:

  • by internal or traditional mail (MBFACTA S.p.A., via Siusi 7, 20132 Milano – for the attention of the Chief Compliance Officer).

It is also possible to request a direct meeting with the Chief Compliance Officer to make the report. In this case, with the consent of the reporting person, a minute of the meeting will be drawn up in order to deal with the report.

The report shall include information regarding the name(s) of the person(s) allegedly responsible for the violations and a description of the alleged violation, including the circumstances of when and where it occurred, as well as any third parties involved (e.g. facilitators, other persons who may have knowledge of the facts or who may have been harmed) and description of their involvement. To facilitate the handling of the report, any available supporting documentation should be attached.

The reporting person who is involved in the reported violation shall specify this, as they may be treated differently from other jointly responsible persons, subject to applicable regulations.

Personal data should not be included in the report, except where strictly necessary for the analysis and follow-up of the report.

It is possible to make an internal report anonymously. However, in this case, the Company’s ability to investigate will be limited as it will not be able to establish a direct relationship with the reporting person. Therefore, such reports should be as clear and detailed as possible, to facilitate further analysis.

If the report concerns the Chief Compliance Officer or a member of the Board of Directors, it shall be addressed to the Head of Group Audit unit, either by filling in the relevant filed on the platform or by internal/traditional mail (Mediobanca, p.tta Cuccia 1, 20121 Milan – for the attention of the Head of the Group Audit Unit).

4. MBFACTA’s whistleblowing portal

The platform allows to create a report through a step-by-step procedure, guaranteeing the confidentiality of the reporting person’s identity or total anonymity (if chosen), the security, integrity and confidentiality of the data entered, also using encryption tools.

The report can be sent in written form (by filling in a special report form) or in oral form (via recording mechanism).

When the report is submitted, the platform generates an identification code, known only by the reporting person which allows them to access their report in order to (i) monitor its progress; (ii) contact the Champion directly and/or (iii) answer any further questions.

It will therefore be up to the reporting person to check their report regularly to see its progress and/or whether there are any messages form the Champion.

Reports received outside the platform can also be processed within the platform. In this case, the Champion will provide the reporting person (if not anonymous) with the identification code generated to allow them to access the report and follow its progress.

5. How the Company handles internal reports

The Company has designated the Chief Compliance Office as the person responsible for the whistle-blowing internal channel (the “Champion”).

Once a report has been made, the reporting person will receive an acknowledgment of receipt within seven days. In the case of report sent through the internal mail or traditional post, the Champion will be able to provide such notification if the report is not anonymous.

The Champion may contact the reporting person during the internal investigation if additional information is required.

The internal investigation and the handling of reports may involve other persons who are authorised to process the personal data of the reporting person and other persons involved in the report. In any case, no one involved in the report will be involved in these activities.

In all cases, the Champion will update the reporting person within three months of the notification of receipt of the report (or, if no notification could be made, within three months of the seventh day after the report was made). This update will concern the outcome of the investigation and any action taken. If the investigation is not completed within three months, the Champion will provide further feedback to the reporting person at the conclusion of it.

6. How the Company protects the confidentiality of the reporting person

MBFACTA guarantees the confidentiality of the identity of the reporting person and of the other persons involved in the report, of the contents of the report and of the relevant documents until the end of the proceedings initiated on the basis of the report. However, in case of reports made to Authorities, the confidentiality of the identity of the persons involved or mentioned in the report may not be guaranteed in the manner and under the conditions provided for by the applicable legislation.

The identity of the reporting person and any information from which it may be inferred may not be disclosed to persons other than those designated to receive and handle reports and authorized to process such data, except with the express consent of the reporting person, or when it is mandatory or legitimate under applicable law or disclosure of the identity is indispensable (e.g. in the context of an investigation by the authorities or legal proceedings). In this case, the reporting person will still be informed by the Company of the reasons justifying the disclosure.

For further information on the personal data processed by the Company when receiving and handling reports, please refer to information notice on the processing of personal data pursuant to articles 13 and 14 of EU Regulation 2016/679 (“GDPR”) below and applicable national data protection regulations. The information notice applies to the processing of personal data of any persons that may be acquired by the Company as a result of a report (reporting person, person concerned, persons involved, other person mentioned in the report).

In any case – in the reception and handling of reports – the Company carries out the personal data processed in accordance with the provisions of the GDPR and the applicable national data protection legislation.

7. How the Company protects the reporting person against retaliation

MBFACTA undertakes to protect the reporting person and the persons involved in the report against retaliation in connection with the whistleblowing.

In addition, the persons involved in the report are protected against any negative consequences other than disciplinary measures taken as a result of the investigation of a substantiated report.

Facilitators, family and friends of the reporting persons, as well as companies associated with the reporting person, will also be protected from retaliation.

Anyone who acts in a retaliatory, discriminatory and unfair manner against the reporting person and others involved in the report may be subject to disciplinary action, where possible.

8. How to make an external report

An external report may be made through the channels established by the competent authorities if at least one of the following conditions is met:

  • an internal report has not been followed up;
  • there are reasonable grounds to believe that an internal report would not be effectively followed up or it could lead to a risk of retaliation against the reporting person;
  • there are reasonable grounds to believe that the violation may constitute an imminent or manifest danger to the public interest.

The following are the current reporting channels currently set up by the competent authorities for the activities of MBFACTA, in force at the time of publication of this notice. 

It is advisable to consult the websites of the authorities directly in order to check for any additional external reporting requirements and updates on the reporting channels.





ECB –Europe Central Bank


Bank of Italy


As far as possible, MBFACTA undertakes to protect the confidentiality of the reporting person and to protect them against retaliation, even in the case of an external report.

8.    Data protection information notice

Information notice pursuant to Articles 13 and 14 of EU Regulation 2016/679 and current national legislation on personal data protection - Reports of violations of national and European regulations (so-called whistleblowing)

Please be informed that, in accordance with Regulation (EU) 2016/679 (hereinafter referred to as the "GDPR") and the current national legislation on personal data protection (hereinafter, together with the GDPR, the "Privacy Regulations"), MBFACTA S.p.A., with registered office in Milan, Via Siusi 7 (hereinafter, the "Company" or the "Controller"), as the Data Controller, is required to provide information regarding the use of your personal data.

The Controller may process your personal data within the channels established in compliance with applicable regulations to allow for the reporting of violations of national and European regulations that harm the public interest or the integrity of the Company (so-called whistleblowing), as well as for the management of such reports.

This information notice should be read in conjunction with the "Whistleblowing Notice" and, for employees, the "Politca su Whistleblowing", which contain information on the violations that can be reported, the conditions for making a report, and the protections provided by the applicable regulations for individuals involved in the reporting.

This information notice applies to individuals reporting the aforementioned violations, individuals reported as alleged offenders, individuals involved in the violations, and individuals aware of the facts or mentioned in the report.

Purpose and methods of processing: The Controller may process personal data for the receipt and management of reports, including the investigation and examination thereof, the application of corrective measures, monitoring their implementation, and updating the reporter on the results of the proceedings.

The processing of data is carried out through manual, computerized, and telematic tools strictly related to the stated purposes, ensuring the security and confidentiality of the data, in compliance with the provisions of the current legislation.

Legal basis: the processing activities are carried out based on a legal obligation to which the Controller is subject (Article 6(1)(c) of the GDPR), as provided by the applicable regulations regarding whistleblowing. If special categories of data are provided within a report, the Controller will process them based on the following exceptions provided for in Article 9 of the GDPR: (i) the necessity of fulfilling obligations and exercising specific rights of the Data Controller or the data subject in the field of employment law, social security, and social protection (Article 9(2)(b) of the GDPR); and (ii) the necessity of establishing, exercising, or defending legal claims or whenever the judiciary exercises its judicial functions (Article 9(2)(f) of the GDPR) concerning the processing of personal data necessary for litigation or pre-litigation purposes to assert or defend a right, including the rights of the Controller or a third party, in judicial, administrative, or arbitration and conciliation proceedings.

Categories of personal data and sources of data: based on the Controller's experience, the following personal data of the data subjects may be processed:

  • identifying data;
  • contact information;
  • data relating to alleged reported conduct attributed to the reported party in which the data subject may be involved or of which they may be aware;
  • images and other documentation attached to the reports;
  • special categories of personal data, if contained in the reports;
  • content of communications exchanged between the reporter and the parties handling the reports.

Personal data of individuals other than the reporter are usually provided by the reporter through the report or by other individuals involved (if they are interviewed during the investigation or examination of the reports).

Communication and dissemination of data: only authorized individuals of the Company, who may be involved in the analysis, investigation, or processing of the report, will have access to the data. However, the identity of the reporter and any other information from which their identity can be inferred may be disclosed to individuals other than the Company's employees or authorized external parties responsible for handling the report or conducting the investigation, only with the reporter's authorization or when required or legitimate under applicable regulations. In exceptional cases, if disclosing the identity is necessary for the defense of the reported party (in the context of disciplinary proceedings) or the involved individual (in internal procedures), the reporter will be informed in writing by the Company regarding the reasons for such communication. The confidentiality of information is also guaranteed to other parties involved, until the conclusion of proceedings initiated as a result of the report, and in compliance with the same guarantees provided to the reporter. However, if the reports are reported to the competent authorities, the obligation to keep the identity of the individuals involved or mentioned in the report confidential may be waived according to the methods and conditions provided by applicable regulations.

Furthermore, the data may be shared with the following external parties, depending on the case, acting either as independent data controllers or data processors:

  • lawyers and consultants providing advisory or investigative services;
  • judicial, supervisory, regulatory, or police authorities, in cases provided by law.

To the extent strictly necessary and subject to appropriate safeguards, the data may also be processed by companies providing information systems to the Controller and/or companies involved in their maintenance and security.

Personal data will not be disclosed, transferred outside the European Economic Area, or subject to fully automated decision-making processes.

Data retention: in accordance with the principles of proportionality and necessity, personal data will be kept in a form that allows the identification of the data subjects for the time necessary to process the report, but no longer than five years from the date of communication of the final outcome of the reporting procedure to the reporter. Specific legal obligations or the subsequent need for the Controller to act or defend itself in legal proceedings may require the processing and retention of data for additional periods.

Mandatory provision of data: it is possible to submit a report anonymously or non-anonymously. In the case of an anonymous report, the Controller may not be able to effectively investigate the report and adequately protect the confidentiality of the identity. Therefore, if applicable, we invite you to report any violation by providing all the requested information (including your identity), allowing the Controller to request further information. In any case, the Controller will ensure that all personal data processed in the context of the report remains strictly confidential.

Data subject rights: You have the right to obtain confirmation of the existence or non-existence of your data at any time and to know their content and origin, verify their accuracy, or request their integration, updating, or rectification (Articles 15 and 16 of the GDPR). Furthermore, you have the right to request erasure, restriction of processing, withdrawal of consent, data portability, lodge a complaint with the supervisory authority, and object to their processing in any case, for legitimate reasons (Articles 17 et seq. of the GDPR).

These rights can be exercised by written communication to be sent to: privacy@mbfacta.it.

The Controller, also through the designated structures, will take charge of your request and provide you with information concerning the actions taken regarding your request, without undue delay. However, please note that the exercise of your rights may be limited or excluded, as provided by Privacy Regulations, if the exercise of such rights could result in an actual and concrete prejudice to the confidentiality of the reporter's identity.

Data Controller and Data Protection Officer: the data controller is MBFACTA S.p.A. with its registered office in Milan, Via Siusi 7.

MBFACTA has appointed a Data Protection Officer. The Data Protection Officer can be contacted at the following addresses: dpo.mediobanca@mediobanca.com; dpomediobanca@pec.mediobanca.com.


Last update March 2024