Whistleblowing Mechanisms and Whistleblower Protection

The rules for reporting violations and protecting whistleblowers are outlined in two documents: the Procedure for Counteracting Mobbing, Discrimination, Harassment, or Other Undesirable Behaviour at Bank Polska Kasa Opieki Spółka Akcyjna (hereinafter: the “Anti-Mobbing Procedure”) and the Whistleblowing Procedure at Bank Pekao S.A. (hereinafter: the “Whistleblowing Procedure”). The updated version of the Whistleblowing Procedure, aligned with the Whistleblower Protection Act, came into effect on 25 September 2024, replacing the previous regulation. These documents are published on dedicated intranet pages, providing employees with information on how to report observed irregularities. Additionally, all employees are required to confirm their awareness of these procedures by submitting a formal declaration. This ensures that all staff members are familiar with the available reporting mechanisms and dedicated whistleblowing channels.

The Anti-Mobbing Procedure obligates us to prevent and report any unethical behaviour, including mobbing, discrimination, or harassment.

In the event of misconduct, the employee submits a written complaint, either personally signed via traditional mail or electronically to a dedicated email inbox. To review the complaint, the employer appoints a commission, responsible for determining whether a violation occurred. If misconduct is confirmed, the employer decides on the appropriate disciplinary measures against the perpetrator, in compliance with labour law regulations.

If a sanctioned employee does not accept the penalty, the Bank may initiate legal proceedings against them. However, the Bank aims to resolve disputes amicably by seeking out-of-court settlements with employees whenever possible. In cases where a dispute escalates to legal proceedings, the Bank strives for mediation and conciliation before a mediator.

The Whistleblowing Procedure establishes the rules and procedures for reporting legal violations, breaches of internal Bank procedures, and ethical misconduct. The availability of a whistleblowing mechanism is a key component of risk management, helping to maintain the Bank’s integrity and reputation while mitigating legal, financial, and reputational risks. This procedure applies to individuals who have obtained knowledge of a violation in a work-related context, meaning a whistleblower may include:

• By email to a dedicated mailbox: ZglosNaruszenie@pekao.com.pl
• By post to the Bank’s headquarters at ul. Żubra 1, 01-066 Warsaw, addressed to the “Management Board Member designated to receive whistleblowing reports”, with the notation “Whistleblowing Report – Bank Pekao S.A. – Confidential”,
• By post (for reports concerning Management Board Members) to the Chairman of the Supervisory Board, at ul. Żubra 1, 01-066 Warsaw, with the notation “Whistleblowing Report – Bank Pekao S.A. – Confidential”,
• By telephone via a recorded line: (22) 524 52 98,
• In person, through a direct meeting with a designated Compliance Department employee.

A face-to-face meeting with a Compliance Department representative is scheduled within 14 days of the request, using one of the channels mentioned above. Meetings take place at the Bank’s headquarters, except in exceptional cases where an alternative location is agreed upon with the whistleblower. With the whistleblower’s consent, a written protocol of the meeting is prepared. The whistleblower has the right to review, amend, and sign the protocol, with any written submission attached as an annex.

For telephone reports, the whistleblower is informed that continuing the call constitutes consent to recording. The Compliance Department then prepares a full transcript of the conversation.

The verification process concludes with a final report, which is approved by the designated Management Board Member responsible for the whistleblowing procedure. This report includes recommendations for corrective or disciplinary actions against the individual involved, as well as preventive measures to mitigate future violations. The investigator collaborates with relevant departments to implement and oversee the corrective action plan.

We provide whistleblowers with full protection against retaliation, attempted retaliation, or threats of retaliation, even if the report is ultimately found to be unsubstantiated, provided it was made in good faith. Protection extends not only to the whistleblower but also to those assisting in the reporting process and individuals connected to the whistleblower. We guarantee whistleblowers:

• Consideration of every report, including anonymous submission,
• Confidentiality of their personal data, ensuring that their identity cannot be directly or indirectly revealed,
• A fair, impartial, and comprehensive verification process, conducted promptly and objectively,
• Acknowledgment of receipt of the report and feedback on the outcome of the investigation.

To further encourage whistleblowing, the Whistleblowing Procedure includes incentives for whistleblowers, offering:

• Psychological support to help manage the stress associated with reporting;
• Temporary reassignment to another position;
• Full remote work arrangements for a mutually agreed period;
• Paid leave, exempting the whistleblower from work obligations for the duration of the investigation;
• Reassignment to a different organisational unit of the Bank (in cases where the report is substantiated).

As part of the Bank’s Training Policy, we conduct regular introductory and ongoing training for Banks` employees on whistleblowing procedures and receive confirmation of familiarization with the contents of the Procedure. This means that every new employee of the Bank, within three months of starting work, is trained on the Whistleblowing Procedure. All employees receive information about the Procedure through internal communications (twice in 2024). In connection with the entry of the revised content of the Procedure, we have engaged an external company to develop a new online training format, which is currently being prepared. As for the group of employees who are to handle the process of reporting violations – they can use publicly available training courses and webinars; there is no dedicated internal training for this group of employees. Other entities in the Group have their own internal procedures and regulations.

Non-employees in own workforce are informed about the Procedure in force at the Bank, which is available on the website, along with the following appendices: no. 1 – Scope of data to be included in the breach notification and no. 4 – Information on processing of the whistleblower’s personal data.”

The implementation of the Whistleblowing Procedure is not designed to achieve quantifiable sustainability targets for tracking progress. Instead, its primary objective is to ensure a transparent, ethical, and legally compliant work environment.

The objectives of the regulations, including policies that operate in the area of corporate governance and business conduct, were defined before the reporting obligation and do not directly address the requirements of the CSRD Directive. In terms of the minimum disclosure requirements – Policies (MDR-P), we do not disclose standards or initiatives that are respected through implementation of policies. Instead, we present: a description of the key content of individual policies (procedures, rules), their scope, how the interests of key stakeholders affected by the documents are addressed, how they are made available, he organizational units responsible for implementation.

In the case of targets (MDR-T), we take the current reporting period to which the target applies as the base year and disclose a description of the scope of the targets; we do not have information with regard to measurability, methodology and scientific evidence on which the targets were defined, stakeholder involvement in target setting, milestones or any changes and performance against disclosed target.