Whistleblowing in EU Financial Regulation

31 March 2026


Whistleblowing has ceased to be a peripheral compliance consideration. Across the European Union’s most consequential regulatory regimes – anti-money laundering, crypto-asset regulation, digital operational resilience, financial sanctions, and data protection – it has become a legally mandated governance mechanism whose proper implementation carries significant civil, administrative, and criminal consequences.

The foundational instrument is Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law (the “Whistleblower Protection Directive” or “WPD”), transposed into Bulgarian law by the Act on Protection of Persons Reporting or Publicly Disclosing Information on Breaches, which entered into force on 4 May 2023. This establishes a minimum harmonised framework:

  • a three-tier reporting model comprising internal channels, external reporting to competent national authorities, and public disclosure as a last resort;
  • prohibition on all forms of retaliation;
  • reversal of the burden of proof in retaliation proceedings;
  • protection for reporting persons who act in good faith on reasonable grounds, irrespective of whether the reported breach is ultimately established.

What the WPD does not do is operate in isolation. For regulated entities in the financial services, crypto-asset, and critical infrastructure sectors, it is one layer of a dense multi-regulatory architecture. This article examines how the WPD intersects with the AML/CTF framework, MiCA, DORA, EU sanctions law, and the GDPR, and what that intersection means in practice for businesses, individuals, and the professionals who advise them.

AML/CTF: Dual-Track Obligations and the Tipping-Off Risk

The Anti-Money Laundering Regulation (EU) 2024/1624 (AMLR), directly applicable from 2027, and the Sixth Anti-Money Laundering Directive (AMLD6, Directive (EU) 2024/1640) together create a dual-track whistleblowing obligation for AML-obliged entities — credit institutions, financial institutions, CASPs, lawyers engaged in designated financial activities, accountants, auditors, notaries, estate agents, and gambling operators, among others. These entities must maintain WPD-compliant internal reporting channels whilst simultaneously satisfying sector-specific AML requirements for confidential staff reporting of AML/CTF breaches.

A legally significant and frequently misunderstood interaction arises between the Suspicious Transaction Report (STR) obligation under Article 69 AMLR and the whistleblowing framework. Where an employee reports through an internal whistleblowing channel that a colleague or superior has suppressed STRs, structured transactions to avoid reporting thresholds, or otherwise compromised the entity’s AML controls, that report may simultaneously trigger the entity’s own mandatory STR filing obligation with the relevant FIU. The obliged entity must navigate this carefully: information received through a whistleblowing channel must not be used to alert the subject of the report to an impending STR or investigation. To do so constitutes the tipping-off offence under Article 73 AMLR, carrying severe regulatory and criminal consequences. Internal procedures must rigorously separate the whistleblowing management function from the MLRO’s STR process.

AMLD6 raises the stakes further by introducing enhanced personal liability for senior managers of obligated entities. A whistleblowing report implicating a director or MLRO in deliberate AML non-compliance may trigger enforcement action resulting in individual sanctions, disqualification, or criminal prosecution. For reporting persons, this underscores the importance of obtaining independent legal advice before filing, particularly where the report implicates individuals with retaliatory capacity. For organisations, it reinforces the necessity of whistleblowing oversight that is genuinely independent of management.

MiCA: Crypto-Asset Services and Market Integrity Reporting

Regulation (EU) 2023/1114 on Markets in Crypto-Assets (MiCA), applicable to CASPs from 30 December 2024, creates whistleblowing obligations that sit alongside, and interact with, both the WPD and the AML framework. Article 116 MiCA requires CASPs to establish anonymous internal reporting procedures for potential or actual breaches of MiCA, independent and autonomous from other reporting channels. The Financial Supervision Commission (FSC) is designated as the competent NCA for external MiCA reporting in Bulgaria. MiCA expressly incorporates WPD protections, meaning CASP employees enjoy the full suite of statutory protections when reporting MiCA breaches.

The significance of MiCA whistleblowing is amplified by the regulation’s market integrity provisions. Insider trading, unlawful disclosure of inside information, and market manipulation in crypto-assets (Articles 89–92 MiCA) are subject to administrative fines for legal persons of up to EUR 5 million or 3% of total annual turnover and potential criminal referral. Whistleblowing reports in this area carry consequences directly comparable to those in traditional securities regulation.

CASPs present structural compliance vulnerabilities that traditional financial institutions do not. Lean organisational structures, internationally distributed workforces, and governance models that blur the line between senior management and operational staff make it genuinely difficult to satisfy the independence requirement for designated responsible persons under the WPD. CASPs should conduct a specific legal assessment of whether their current governance structure meets this requirement before a report is received, not after.

DORA: ICT Incident Suppression and the Reporting Person’s Dilemma

The Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, imposes strict timelines for the reporting of major ICT-related incidents: initial notification to the competent authority within 4 hours of classification, followed by a detailed intermediate report within 72 hours. DORA applies to a broad range of financial entities, including CASPs under MiCA.

DORA does not establish its own whistleblowing channels, but it creates a specific and practically significant scenario: an employee responsible for ICT risk management or operational resilience who becomes aware that a major ICT incident is being deliberately misclassified, to avoid triggering DORA’s reporting obligations, holds information about a potential breach of EU law that falls squarely within the WPD’s material scope. Depending on the nature of the incident, the same facts may also engage the GDPR’s data breach notification obligation under Article 33 of Regulation (EU) 2016/679.

The employee’s decision whether to report internally, externally to the NCA, or through both channels requires careful analysis of the materiality of the suppression, the seniority of those responsible, their own contractual and regulatory position, and the specific protections available under each route. This is not a decision to be taken without independent legal advice. The intersection of employment law, DORA, GDPR, and WPD protections in such cases creates a risk matrix that is both complex and highly fact-specific.

Sanctions: Evasion, Circumvention and the Elevated Risk Profile

The EU sanctions framework, encompassing Regulation (EU) 833/2014 (Russia), Regulation (EU) 269/2014 (Crimea/Donetsk/Luhansk), and Regulation (EC) 765/2006 (Belarus), among others, has been significantly reinforced by Directive (EU) 2024/1226 (the “Sanctions Criminalisation Directive”). The Directive harmonises criminal offences for sanctions violations across the EU and expressly criminalises circumvention of restrictive measures under Article 3(1)(f), a category covering nominee arrangements, layered corporate structures, and financial instruments designed to obscure beneficial ownership and defeat asset freeze obligations.

This creates a direct whistleblowing interface. Employees and intermediaries who become aware of sanctions evasion schemes are potential reporting persons under the WPD framework and the specific external channels of SANS and the Ministry of Finance in Bulgaria. Given that modern sanctions evasion frequently involves cryptocurrency channels, trade-based money laundering, and cross-border corporate layering, internal reporting by operationally informed employees is often the most effective detection mechanism available.

Whistleblowers in the sanctions context face an elevated risk profile. Designated persons, particularly those within the scope of Russia and Belarus measures, may exercise influence through lawfare, reputational attacks, and intermediary pressure. The confidentiality and anonymity protections of the WPD framework are therefore especially critical here. An additional legal risk specific to this area arises where a report touches upon classified intelligence assessments: the reporting person may inadvertently engage with information governed by national security law, which operates independently of and without the protections of the WPD. External disclosure in such circumstances requires specific prior legal advice.

GDPR: Whistleblowing Channels as Personal Data Processing Activities

The GDPR applies in full to the operation of whistleblowing channels. The personal data processed encompasses the identity of the reporting person (unless anonymity is preserved), the identity of implicated persons, the substantive content of the report, which will frequently include criminal offence data under Article 10 GDPR or special category data under Article 9, and records generated during any subsequent investigation.

The legal basis for processing is ordinarily compliance with a legal obligation under Article 6(1)(c) GDPR, read with the WPD transposing legislation. For Article 9 and Article 10 data, the substantial public interest ground under Article 9(2)(g) will typically apply. All whistleblowing channels must be subject to a Data Protection Impact Assessment (DPIA) under Article 35 GDPR, a requirement the CPDP has confirmed it will scrutinise. Organisations that have not completed a DPIA for their whistleblowing system are already in breach.

A persistent area of legal difficulty concerns the GDPR rights of implicated persons. Such individuals are data subjects and in principle hold the right of access under Article 15. However, Article 14(5)(b) GDPR permits restriction of transparency obligations where disclosure would seriously impair the purposes of the processing, directly applicable where notification would enable concealment of evidence or intimidation of the reporting person. The WPD transposing law in Bulgaria further restricts access rights where they would compromise reporter confidentiality. The precise calibration of these restrictions requires case-by-case legal analysis and must be supported by documented internal procedures.

On data retention, the Bulgarian transposing law sets a maximum five-year retention period from the date of receipt of a report, subject to ongoing proceedings. Organisations using third-party whistleblowing platforms must ensure Article 28 GDPR data processing agreements are in place and, where the provider is based outside the EEA, that Chapter V transfer mechanisms (Standard Contractual Clauses, an adequacy decision, or Binding Corporate Rules) have been properly implemented.

Risk Analysis: A Consolidated View

For individuals: Reporting persons face retaliation risk that, despite the statutory reversal of the burden of proof, remains real and often subtle. In the AML and sanctions contexts, a reporting person who has participated in the conduct being reported may face personal criminal exposure that the WPD does not immunise. The tipping-off offence under Article 73 AMLR is an ever-present risk for those who disclose the existence of an STR or investigation to the subject, even inadvertently. Reporting persons who include excessive personal data or make unfounded allegations may themselves face GDPR-based complaints from implicated persons.

For businesses: Failure to maintain WPD-compliant channels, acts of retaliation, and confidentiality breaches all carry administrative sanctions under Bulgarian law and, in AML and MiCA contexts, independent regulatory penalties from the BNB, FSC, or the FIU. Under AMLD6, the absence of effective internal controls, including whistleblowing channels, is itself a regulatory breach capable of giving rise to supervisory action and personal senior management liability. Implicated individuals cleared of wrongdoing following an investigation may bring civil claims. The organisation’s exposure is materially reduced where the investigation was conducted fairly and in accordance with documented procedures.

How NBLO Can Assist

New Balkans Law Office is a Sofia-based law firm with focused expertise in AML/CTF regulation, international financial sanctions, and crypto-asset law. We advise regulated entities, CASPs, obliged entities, and individuals across the full lifecycle of whistleblowing compliance, from the design and gap analysis of WPD-, AMLR-, MiCA-, and DORA-compliant internal channels and GDPR preparation, through to the representation of reporting persons, oversight of internal investigations, and defence in regulatory enforcement proceedings before the BNB, FSC, and SANS.

Conclusions

Whistleblowing compliance is not reducible to a policy document or a reporting hotline. For regulated entities, it requires a structured legal framework calibrated to the WPD’s mandatory requirements, the sector-specific overlays of the AMLR, MiCA, and DORA, the GDPR’s data processing obligations, and the interaction between whistleblowing reports and mandatory STR and incident reporting obligations. For individuals, the WPD’s protections, whilst substantive, are not self-executing, and the risk landscape in AML, sanctions, and crypto-asset matters is genuinely elevated. Expert legal advice at each stage of the process is not a precaution; it is a necessity.

© New Balkans Law Office 2026

The Bulgarian and dual-qualified lawyers of New Balkans Law Office are regulated by the respective Bar of their registration. New Balkans Law Office is a brand name of Legal Services EOOD, a company registered under Bulgarian law. Reg’d No. 202331677.