Home - BKMS System

Cookies are disabled in your browser.
Please enable cookies to use BKMS^® System.
For more information about cookies, please click here.

Information about Cookies

During the use of BKMS^® System, a text file (called a “session cookie”) is saved on your computer containing only the number of your session. This is necessary for technical reasons in order to establish the connection to a security-certified server. The “session cookie” does no damage to your computer, it does not access your data and has no relation to the contents of your report. If you close all browser windows after submitting your report, the “session cookie” will expire and be automatically deleted.

Česky
English
Polski
Slovenčina

If you would like to send your first report, please click here:

If you have already set up a postbox, you may login here:

Dear Sirs,

mBank S.A. is a public trust institution observing all business rules and norms. It is of great importance to us that our activity be perceived by all stakeholders as transparent and honest.

We are aware of the fact that sometimes we do not manage to do this. Errors, irregularities and even frauds may occur in our business. We want to know about them because only then we may prevent them effectively.

Therefore we make the whistleblowing system available to you. You can use this simple application to inform us about potential frauds which could be committed by the employees of mBank.

The application must not be used to file complaints!

We guarantee that the information provided by you will be kept secret except for the cases where disclosing the information and data of the persons providing it is required under the applicable law.

Whistleblowing Policy

Whistleblowing Policy

mBank S.A. with its registered office in Warsaw, ul. Senatorska 18, 00-950 Warszawa, entered in the register of enterprises of the National Court Register maintained by the District Court for the Capital City of Warsaw, 12th Commercial Division of the National Court Register under KRS number 25237 (hereinafter referred to as the “Bank” or “Controller”) is the controller of personal data submitted by the Whistleblower.

It needs to be stressed that disclosure of personal data and identity by the person reporting a violation ( “Whistleblower”) is voluntary and not necessary to report the violation.

Principles of Data Processing

Personal data are processed pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) ( “GDPR”).

Data Processing: Scope, Basis and Purpose

Personal data may contain information provided by the Whistleblower on activities undertaken by a given person, including his/her relationships at work as well as business and social behaviours.

Voluntary disclosure of personal data by the Whistleblower means that the Whistleblower consents to processing of the data by the Bank for the purposes described below.

Processing of the personal data indicated in the report is necessary for the Bank to fulfil its legal obligation as the personal data controller, which arises from the Regulation of the Minister of Development and Finance of 6 March 2017 on the Risk Management System, Internal Control System, Remuneration Policy as well as Detailed Method for Banks' Internal Capital Assessment.

Personal data are processed for the following purposes:

reporting of potential violations,
verification whether reported violations are substantiated,
communication with the Whistleblower.

Whistleblower's Rights

The Whistleblower has the right to request from the Controller access to and rectification or erasure of personal data or restriction of processing as well as the right to lodge a complaint with a supervisory authority.

If the Whistleblower has consented to processing of his/her personal data provided in the report, he/she has the right to withdraw this consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

Data Storage Period

Personal data of the Whistleblower are stored for the period necessary to carry out the relevant investigation. Personal data are not stored for longer than required by the purpose of processing.

If, upon admitting the reported violation as substantiated, proceedings before public authorities are instigated or disciplinary measures are applied, personal data are stored until the end of the proceedings before public authorities / application of disciplinary measures and the time limit for appeal.

Should the reported violation be dismissed as unsubstantiated, the Bank immediately erases personal data provided in the violation report from its systems, whereas information contained in the report other than personal data and information about the follow-up measures are stored in the systems for the period of 5 years from the first day of the year following the year in which the report was filed.

If personal data provided by the Whistleblower are not connected with the report allegations (e.g. the Whistleblower discloses information on the health situation of his/her colleague), such data are not further processed and are immediately erased or anonymized.

Information on Data Recipients

Third Parties

The Bank concludes agreements with other companies providing services to anonymize whistleblowing. In certain cases, such partners may be granted access to personal data, but they are contractually obliged to keep the data confidential and use them only for the purpose of providing services to the Bank.

Should such a service provider be registered outside the EEA, the Bank guarantees that transfer of personal data is secured with appropriate safeguards and compliant with data protection requirements.

Public Authorities

Personal data of a natural person may be transferred, in justified cases defined in other legal regulations, to the following recipients: public prosecutors' offices, law enforcement authorities (e.g. the police, Internal Security Agency (ABW), etc.).

Other mBank Group Subsidiaries

Data received via the whistleblowing system may be transferred within mBank Group if such communication is necessary for carrying out an investigation.

Amendments

This Policy may occasionally be amended. The Controller issues relevant information about such amendments and effective date thereof. Any amendment to this Policy will be published on the website.

Contact

In matters connected with personal data processing within the whistleblowing system, you are welcome to contact the Personal Data Protection Inspector appointed by the Bank by e-mail at: inspektorochronydanych@mbank.pl.

Why should I send such a report?

Why should I send such a report?

Under corporate culture one should act in line with the guidelines arising from law and regulations of a banking supervision authority. You may have access to information about frauds committed by the Bank's employees that may pose a threat to our organisation and in the worst case may threaten the existence of the company. By sending a report, you may contribute to the disclosure of illegal practice and thus prevent potential financial losses and damage to the reputation of our Bank.

What reports can be sent in the system?

What reports can be sent in the system?

The system is used for sending reports on frauds committed by the Bank's employees, such as deceit, theft, embezzlement, bribery, money laundering and terrorism financing, market manipulations or using confidential information.

Infringements of the applicable law, internal regulations or procedures adopted by banks may be reported in a traditional way (e.g. through the agency of immediate supervisor or directly to the Internal Audit Department, the Security Department or the Compliance Department).

In the case of complaints and claims, relevant structures of mBank will offer their assistance.

How can I send a report and set up a secured postbox?

How can I send a report and set up a secured postbox?

You will be asked to become familiar with the information about protection of anonymity (if you want to remain anonymous) and enter the displayed characters in the relevant field.

On the next sites there will be questions concerning the scope of your report and other details. On the site devoted to a report, you will be asked to write a report in your own words and give answers to questions concerning the reported issue. A report may have maximum 4096 characters, which corresponds to the A4 page format. In order to supplement a report, you may attach additional data (maximum 5MB). You should bear in mind that the attached documents may contain information identifying the author.

After sending your report you will receive a reference number being a proof of sending the report. Then you may set up your own secured postbox. The secured postbox will enable you to receive feedback, send answers to the questions of the person processing your report and obtain information on the status of your report.

If you already have the secured postbox in the BKMS^® system, please go directly to the secured postbox by pressing the “Login” button. Before registration in the system, you will be asked to enter the displayed characters in the relevant field.

How can I receive feedback and remain anonymous?

How can I receive feedback and remain anonymous?

Information about the status of processing your report is sent by mBank via an secured postbox. Any correspondence relating to your report will be addressed to this postbox. In accordance with your wishes, during the exchange of information you may remain anonymous.

The highest priority of the BKMS^® System is to protect the person sending a report. While setting up the secured postbox you may enter your pseudonym and password. Your report will be anonymous as a result of using encryption and other special technologies ensuring security. At every stage of the process you will not be asked to provide your personal data.

Select country/region

Cancel