CySEC strengthens whistleblower reporting framework
The Cyprus Securities and Exchange Commission (CySEC) on Tuesday announced the publication of a new practical guide for whistleblowers, aimed at improving the reporting of breaches of European Union and national law in the financial services sector.
The guide has been published to support the implementation of Circular C608, which governs procedures for external reporting under Cyprus’ whistleblower protection framework.
According to CySEC, the document provides practical examples and detailed guidance on how individuals can submit reports concerning violations of EU law that fall within the regulator’s supervisory responsibilities.
The guide is based on the applicable legislative and regulatory framework, as well as relevant directives, guidelines and circulars issued by competent authorities, particularly CySEC itself.
CySEC said the publication seeks to provide clear and specific instructions for reporting breaches in the fields of financial services, products and markets.
The document also outlines the regulator’s responsibilities as the competent authority for receiving and following up on external reports submitted by whistleblowers.
In addition, it sets out the procedures, timelines and actions to be taken at each stage of the reporting process to ensure reports are handled lawfully, efficiently and within the required deadlines.
The legal framework underpinning the guide includes the Protection of Persons who Report Breaches of Union and National Law Law of 2022, as amended in 2024, which transposed the EU Whistleblowing Directive into Cypriot law.
It also incorporates provisions from the Reporting of Actual or Potential Infringements of Regulation (EU) No. 596/2014 to the Cyprus Securities and Exchange Commission Law of 2026, the CySEC Law of 2009 and Circular E608 issued in December 2023.
The guide defines a reporting person as an individual who reports or publicly discloses information about breaches obtained through work-related activities.
Reports may be submitted either in writing or orally and can be made anonymously or under the individual’s name.
The guide also clarifies that whistleblowers are protected from retaliation, which is defined as any direct or indirect act or omission arising from a report or public disclosure that causes, or could cause, unjustified harm to the reporting person.
One of the guide’s most significant features is its broad definition of who may submit a report.
The right to report extends not only to current employees in the public and private sectors, but also to self-employed individuals, shareholders, members of administrative, management or supervisory bodies, volunteers, trainees and workers employed through contractors, subcontractors or suppliers.
Former employees are also covered, regardless of how their employment ended, the commission explained.
The protection framework further extends to prospective employees who become aware of possible wrongdoing during recruitment processes.
To illustrate how the system works, CySEC includes a series of examples drawn from situations that could arise in the financial sector.
One example concerns an employee at a Cyprus investment firm who discovers that a senior executive is repeatedly disclosing confidential inside information regarding forthcoming corporate announcements or merger agreements to a relative.
According to the guide, if that relative then conducts stock market transactions and profits from the information, the conduct could constitute insider dealing in breach of EU market abuse rules and may be reported to CySEC.
Another example involves a board member at an authorised investment firm who becomes aware that senior management is systematically submitting inaccurate or incomplete capital adequacy reports while concealing important information from the regulator.
The guide states that such conduct may represent a serious breach of European capital requirements legislation and can also be reported.
The commission also highlighted scenarios involving trainees and volunteers.
In one example, a trainee law graduate working at a law firm involved in obtaining investment firm licences discovers that an application file contains forged or falsified documents intended to mislead CySEC regarding an applicant’s suitability.
The guide explains that such conduct may amount to fraud and obstruction of regulatory supervision and should be reported.
Another scenario concerns a volunteer participating in investor education programmes who discovers that investment firms are providing misleading information about high-risk financial products while concealing information essential for investors’ decision-making.
The guide further noted that reports can also be made where products appear to be marketed without the necessary regulatory approvals or notifications.
What is more, former employees are specifically recognised as potential whistleblowers under the framework.
One example describes a former accounting employee who discovers evidence that an investment firm failed to accurately report capital and liquidity requirements to CySEC, thereby concealing information about its financial position.
A second example involves a retired senior risk management executive who learns that questionable practices previously under internal investigation are continuing.
The guide cites situations where a financial institution may systematically downgrade investment portfolio risk ratings or deviate from conflict-of-interest rules under MiFID II, potentially exposing clients to unsuitable risks.
The guide also stated that a job applicant who discovers evidence during a recruitment process suggesting that an asset management company lacks adequate safeguards against conflicts of interest may submit a report to CySEC if there are indications that investment decisions are being made to serve private interests at the expense of clients.
CySEC said additional information on whistleblower procedures and reporting mechanisms is available through its website.
Click here to change your cookie preferences