Whistleblowers can make use of any of the following channels:

1. The dedicated app, available at this link: https://bancaifis-whistleblowing.integrityline.com/?lang=en;
2. A voice messaging system, at this toll-free number +48 800 011 026;
3. The postal or internal mail service, by sending a written report in a sealed envelope marked “STRICTLY CONFIDENTIAL” to the Head of Internal Audit;
4. A direct report to the Head of Internal Audit, by contacting the following toll-free number  +48 800 011 026;

When they use any of these channels, whistleblowers are guaranteed the following legal protection under the Act on the Protection of Whistleblowers, dated June 14, 2024:

• Confidentiality: the identity of the person making the report, the person he/she is reported on, and any person mentioned in the report is guaranteed at every stage of the process, as well as the content of the report and any relative documentation.
• The processing of personal data: the reports and relative documentation are kept for the time required for processing of the report, and in any event for no more than 3 years after the end of the calendar year in which the follow-up actions were completed, or after the completion of the proceedings initiated by these actions. Any personal data that are clearly not relevant to the processing of a particular report are not gathered or, if gathered accidentally, are immediately deleted. The personal data collected in the reporting process are processed by Ifis Finance sp. z o.o. as data controller in compliance with the principles and obligations set forth in the legislation on personal data protection, in particular in General Data Protection Regulation (EU) 2016/679 GDPR and are protected by adequate security measures. Further information on the processing of personal data can be found in the information notice made available at the following link.
• A prohibition on retaliation: all necessary measures are taken to protect the physical and psychological integrity of the reporting party, ensuring he/she is protected against any form of retaliation, criminalisation, discrimination or threat.

It should be noted that the reporting party will also receive protection before any legal relationship with the Bank has begun (if the report of wrongdoing is made during the selection process or at any stage prior to contract); or during their probationary period, or after the end of their legal relationship (if the report of wrongdoing was made during this relationship). This protection also extends to facilitators; to people working in the same setting as the reporting person; to people with whom they have a stable emotional bond or relatives within the fourth degree of relationship; to colleagues of the reporting person who work in the same setting and who have an on-going relationship with that person; to businesses owned by the reporting person or for whom any of the above persons work, as well as businesses that operate in the same context as the aforementioned persons.

The report may relate to any form of behaviour, action or omission on the part of a person belonging to Ifis Finance sp. z o.o. business organization, which breaches Polish or European Union law and which damages or may damage the public interest or the integrity of the Parent Company and/or its Subsidiaries. The report may concern both violations already committed and those not yet committed that the whistleblower has reasonable grounds for believing may well happen.

By way of example but not limited to, the report may concern conduct, actions or omissions consisting of:

• Violations of Polish law – This category includes, by way of example but not exclusively: criminal (including criminal-fiscal), civil and administrative offences; contraventions of the law with regard to the prevention of money laundering and financing of terrorism; breaches of the rules in relation to financial brokerage and banking procedures.
• Violations of laws and regulations of the Group’s Code of Ethics or other company provisions that can be sanctioned by disciplinary action.
• Violations of European Union law – This category includes, but is not limited to:
  • Offences that fall within the scope of legislation enacted by the European Union or nation states, or domestic legislation that implements acts passed by the European Union in relation to the following: public procurement; financial services, products and markets, and the prevention of money laundering and the financing of terrorism; product safety and compliance; transport safety; environmental protection; protection from radiation and nuclear safety; food and animal feed safety and the health and welfare of animals; public health; consumer protection; protection of privacy, and the protection of personal data and the security of information networks and systems;
  • Actions or omissions that affect the financial interests of the European Union;
  • Actions or omissions that affect the internal market;
  • Actions or conduct which undermine the object or purpose of the provisions of European Union legislation in the areas outlined in the previous three points.

A report by a whistleblower should include the following:

• Confirmation that he/she intends to keep his identity confidential for the purposes of this report, and that he/she wishes to benefit from the protection offered in the event of any retaliation he/she suffers from making a report within the terms of the whistleblowing regulations. This specification rules, where the whistleblowing is mistakenly received by a person who is not competent or through a channel other than those specifically provided for, that the report shall not be treated as an ordinary report and, therefore, without the protections afforded to whistleblowers, but must instead be forwarded by the recipient in a timely manner (no later than seven days) to the Head of Internal Audit;
• The company within the Group to which the report refers;
• The relevant personal data of the whistleblower, indicating the channels where he/she can be contacted for any further discussions (to confirm the receipt of the report and provide feedback). These data are not mandatory as the report can also be anonymous, but if this is the case and if further details are needed, it may be difficult to investigate the report in an effective manner;
• The detailed and verifiable facts (i.e. what happened, when it happened, and where it occurred) and the information and data required for definitely identifying the perpetrators of the illegal action;
• Any conflict of interest between the whistleblower and the content of the report;
• Any way in which the whistleblower bears co-responsibility for the wrongdoings in the report;
• Any items of evidence (including attached documents where available) that can help in assessing the report;
• Any person who works in the same setting, and who helped the whistleblower during the reporting process.

The following annual report on the operation of the internal process is brought to the attention of all our staff. It contains aggregated data on the results of the actions carried out after reports were received: Annual report on the correct functioning of our violation reporting (Whistleblowing) system 2023

We should add that the reporting system also includes the following methods of communication in relation to legal breaches (external and public reporting). In these cases whistleblowers – under certain conditions – enjoy the same guarantees of protection as stated above in relation to confidentiality and data processing.

An external report is the transmission of information about a breach of law to:

• the Ombudsman;
• a public body that accepts external reports regarding violations of the law in areas within the scope of these bodies;
• institutions, bodies or organizational units of the European Union.

External reports may be anonymous or identify the reporter. External reporting may be made orally or in paper or electronic form.

Oral reporting may be made:

• by telephone;
•  via a recorded hotline;
• at the request of the notifier – during a face-to-face meeting held at the headquarters of the authority receiving the report within a specified period of time.

External report in documentary form may be made:

• In paper form – to the mailing address indicated by the Ombudsman or the public body receiving the application;
• in electronic form – to the electronic mail address or electronic delivery box address or electronic delivery address indicated by the Ombudsman or the public body accepting the report, or through a web form intended for this purpose or an application designated by the public body as the appropriate application for filing in electronic form.

The competent public authority shall establish a procedure for receiving external reports and following up on them, which shall determine, in particular, the procedure for handling information on violations of the law reported anonymously.

With regard to external whistleblowing reports which are sent on to the relevant authorities, whistleblowers will receive the protections already described in terms of confidentiality, data processing and retaliation.