Is Romania ready for the EU Whistleblower Protection Directive?
As of the date of this insight, no general regulation for the protection of the whistleblowers is in force in Romania. Moreover, no draft law for implementing the Whistleblower Protection Directive has been published yet. However, some sector-specific legislation in force includes certain protection provisions related to reporting procedures and whistleblowers' protection.
Sector-specific regulations
Public Sector
Since 2004, Romania has a special law for the protection of whistleblowers[1] which covers only the personnel from the public sector. The law provides measures for the protection of individuals who expose or report law infringements within public authorities, public institutions and other establishments, perpetrated by persons in leading or operational positions within public authorities and institutions and within the other budgetary institutions provided by the law.
The law infringement or breach of the ethical and professional norms can be reported alternatively or cumulatively to (a) the superior of the person in breach of the legal stipulations; (b) the leader of the public authority, public institution or budgetary establishment employing the persons in breach of legal stipulations or within which illegal deeds are reported, even if the perpetrator cannot be identified exactly; (c) the disciplinary committees or other similar bodies within the public authority, public institution or other establishment stipulated by the law that employs the person breaching the law; (d) legal bodies; (e) the bodies tasked with establishing and investigating conflicts of interests and incompatibilities; (f) parliamentary commissions; (g) the mass media; (h) professional, trade union or employers’ associations; (i) non-governmental organisations.
Financial Sector
The law on credit institutions and capital adequacy[2] includes special provisions concerning the whistleblowing protection, mentioning that the National Bank of Romania establishes efficient and credible mechanisms for encouraging the reporting of violations (including the potential ones) of the provisions of such law, of the related EU legislation, i.e. Regulation (EU) No. 757/2013, and the regulations issued for their application. Such mechanisms must include, among others, (a) specific procedures for receiving the violation reports, including potential ones, and for tracking them; (b) appropriate protection for the employees of the credit institutions which report the breaches within the credit institutions, at least against reprisals, discrimination or any other unfair treatment, applied as a result of the reporting; (c) personal data protection for both the individuals reporting the violation, and the individuals who are allegedly guilty of the respective violation; (d) clear procedures for assuring the confidentiality of the individuals which report the violations within the credit institution (unless the disclosure takes place in the context of further investigations or subsequent judicial procedures). Also, the credit institutions shall have adequate procedures for the employees for internal reporting through an independent specific channel.
The Romanian Financial Supervisory Authority (the "FSA") published on its website instructions for the individuals which are aware of violations in respect to certain laws (including EU Regulations) and are employed in (a) investment management companies / managers of alternative investment funds; (b) investment companies; (c) depositaries; (d) financial investment services companies; (e) market operators; (f) data reporting service providers; (g) credit institutions in connection with investment services or activities and ancillary services; (h) branches of companies in third countries; and (i) the central depository and the participants in the central depository system.
Also, the Law on issuers of financial instruments and market operations[4] includes provisions concerning the mechanisms for reporting violations in accordance with the provisions of Regulation (EU) no. 596/2014 on market abuse, and Regulation (EU) 2017/1129 on the prospectus to be published when securities are offered to the public or admitted to trading on a regulated market[5]. It is provided, among others, that FSA is establishing independent and autonomous communication channels, which are secure and ensure confidentiality, for receiving the reports of violations and for the activities carried out, including the measures which were adopted following these violations. The communication channels should allow the reporting of effective or potential breaches, at least in all of the following ways: (a) written reporting of violations, in hard or soft copy; (b) oral reporting of breaches through phone lines, regardless if is recorded or not; (c) meeting with specialized employees of the FSA. The anonymity of the whistleblower is assured by the FSA.
Also, it is provided that the employers which are engaged in regulated activities for the purpose of financial services shall establish appropriate procedures by which their employees will report internally, actual or potential breaches of Regulation (EU) 2017/1129, through a specific, independent and autonomous channel.
The law on financial instruments[6] provides that the reporting to the FSA of the possible (or certain) violations of the provisions of the law, of the Regulation (EU) no. 600/2014 and Regulation (EU) No. 909/2014 shall be carried out in accordance with the regulations issued by the FSA, and that FSA establishes effective mechanisms consisting of independent and autonomous communication channels that are secured and confidential for receiving the violation reports. The law provides the criteria for considering the communication channels as independent and autonomous. Moreover, it is provided that the reporting by employees of a regulated and supervised entity shall not be considered as a breach of any restriction on the disclosure of information imposed by contract or by any statutory or administrative act and shall not entail liability of the notifier in relation to that reporting.
Also, a 2019 FSA regulation[7] provides specific reporting obligations for compliance officers to inform the management body and the internal auditors of the Financial Investment Service Companies ("S.S.I.F.") when they become aware during the course of their business of any breaches of the legal regime applicable to the capital market, including the internal procedures of the company. Moreover, in the event of violations of the applicable legislation that may fall within the category of offenses or criminal deeds provided by the legislation in force, the management body and internal auditors of S.S.I.F. must notify to, among others, the FSA, the situation ascertained by the person performing the compliance function, and the measures adopted by the management body.
Auditing activities
The Law on the statutory audit of annual financial statements and annual consolidated financial statements[8] provides that the Authority for the Public Supervision of the Statutory Audit Activity (the "APSSAA") issues regulations[9] for establishing effective mechanisms to encourage the reporting to APSSAA of violations of the law on the statutory audit, of Regulation (EU) no. 537/2014, or any other regulations applicable in the field of statutory audit. Such mechanisms must include, among others, (a) specific procedures for receiving notifications regarding the violations; and (b) personal data protection (for both the person who reported the violation, and the person which is suspected or incriminated).
Money laundering
The Romanian AML law[10] provides that the reporting entities shall be obliged to ensure the legal protection of employees and their representatives who report, either internally or to the Office, suspicions of money laundering or terrorism financing, from exposure to threats, retaliation or hostile actions, especially unfavourable or discriminatory actions at work, including ensuring confidentiality as to their identity. Also, the reporting entities shall have the obligation to establish appropriate procedures for employees or persons in a similar position regarding the reporting of violations, internally, through a specific, independent and anonymous channel.
Witness protection
In addition to the above, additional protection might be insured in accordance with the Romanian Criminal Procedure Code; if there is a reasonable suspicion that the life, physical integrity, freedom, assets or professional activity of a witness or of a member of their family could be jeopardized as a result of the data provided by them to judicial bodies or of their statements, the judicial bodies of competent jurisdiction shall grant them the status of threatened witness and shall order one or more of the protection measures provided by the law. Thus, in case of a whistleblower qualified as a threatened witness, relevant protection measures could be applied during the criminal investigation and/or trial. Moreover, if certain criteria are met, the witness could be included in the witness protection program, as detailed in the Law no. 682/2002 on the witness protection.
Conclusion
Although some Romanian regulations include detailed provisions concerning whistleblower protections, Romania needs to prepare for full compliance with the EU Whistleblower Directive. Most importantly, there are currently no regulations obliging companies with over 50 employees to introduce internal whistleblowing channels and no official authority responsible for external reporting for all business sectors.
1. Law No. 571 of 14 December 2004 on the protection of personnel within public authorities and institutions disclosing violations of the law.
2. Art. 2342 of the Emergency Ordinance no. 99/2006 on credit institutions and capital adequacy.
4. Law no. 24/2017 on issuers of financial instruments and market operations.
5. According to the amendments provided by the Law no. 158/2020 on amending, supplementing and repealing certain legislation, as well as for establishing certain measures for the implementation of Regulation (EU) 2017/2402 of the European Parliament and of the Council of 12 December 2017 laying down a general framework for securitisation and creating a specific framework for simple, transparent and standardised securitisation, and amending Directives 2009/65/EC, 2009/138/EC and 2011/61/EU and Regulations (EC) No 1060/2009 and (EU) No 648/2012.
6. Law no. 126/2018 regarding financial instruments.
7. The FSA Regulation no. 5/2019 regarding the regulation of certain requirements regarding the provision of investment services and activities according to Law no. 126/2018 on financial instrument markets.
8. Law no 162/2017 on the statutory audit of annual financial statements and annual consolidated financial statements.
9. Order no. 266/2018 for the approval of the Norms regarding the reporting to the Authority for the Public Supervision of the Statutory Audit Activity of the violations of the regulations in the field of statutory audit.
10. Law no. 129/2019 to prevent and combat money laundering and terrorism financing, as well as to amend and supplement some legislative act.