10 March 2026
Office des Signalements ¦ 2024 Annual Report
Office des signalements 2024: what Luxembourg’s new whistleblowing authority reveals for financial crime compliance
The Office des signalements (Office) began full operations in September 2023 after transposition of the EU Whistleblower Directive into Luxembourg law (Law of 16 May 2023). Its 2024 activity report – the second since creation and the first covering a full year of operations – provides a practical snapshot of how Luxembourg’s institutional architecture for whistleblowing is functioning, how signalements (reports) are being routed and handled, and what this means for the detection and mitigation of financial crime risks such as money laundering, fraud, tax abuse and market misconduct.
Structural role and powers – how the Office fits into the enforcement landscape
The Office’s statutory missions combine individual assistance, public awareness, institutional coordination and supervisory or sanctioning capacity in limited circumstances. It informs and assists persons who wish to make internal or external reports, collects information about potential failures to establish internal reporting channels, raises awareness of the law, informs the competent authorities about identified shortcomings, assists in compiling the annual cross‑authority statistics and, where relevant, participates in external reporting procedures. Importantly, under Article 18 the Office may receive case transfers from a set of 23 designated authorities and, for transfers under paragraph 4, can itself impose administrative fines for a range of violations including obstruction of reporting, breaches of confidentiality and failures to set up required internal channels and procedures. Administrative fines range from €1,500 to €250,000.
Practical intake and guidance – who contacts the Office and why
In 2024 the Office recorded 86 substantive solicitations seeking information and assistance. Most contacts sought procedural guidance on internal or external reporting; a small number related to judicial remedies against retaliatory measures and a single case involved advising persons potentially qualifying as facilitators under the law. Contacts arrived primarily by e‑mail and phone; the Office also began offering a secure MyGuichet channel late in 2024.
Notably, in the majority of contacts the Office learned the identity of the potential whistleblower, but a substantial minority preferred anonymity or pseudonyms. The Office handled follow‑up through e‑mail, phone, in‑person meetings and the MyGuichet channel. These practical details matter for financial institutions and regulated entities because timely, confidential engagement with potential reporters is essential to preserve evidence and to enable defensible, early remedial measures in suspected financial crime matters.
Scope, admissibility and sectors – what kinds of allegations reached the system
The Office applied the Directive’s material and personal scope: only information obtained in a professional context can normally trigger statutory protections. Of the 86 contacts, 58 included a professional context; within that group, 35 concerned alleged violations in the private sector, 7 in the state sector, 8 in the para‑state sector and 8 in the communal sector. In 28 cases the Office advised that the allegation likely fell outside the professional scope and therefore outside the Law’s protections. For compliance teams this emphasizes the need to evaluate the source and nature of information before assuming whistleblower protections or the obligation to act under the law.
The authorities’ caseload and financial‑crime relevance
Crucially for financial crime practitioners, the data compiled from the 23 competent authorities show 547 external reports received in 2024, triggering 328 investigations or procedures. Different authorities show widely varying intake and handling practices: some open a formal investigation on every report, others first screen for admissibility and credibility. That heterogeneity affects case flow to financial supervisors and law enforcement.
Areas of alleged wrongdoing with direct relevance to financial crime include:
- Services, products and financial markets: 131 reports, virtually all handled by the Commission de surveillance du secteur financier (CSSF). These reports relate to potential market abuses, prudential issues or other regulated misconduct.
- Prevention of money laundering and terrorist financing: 21 reports, primarily addressed to the CSSF and occasionally to professional bodies.
- Tax matters and corporate taxation: 23 reports handled by the Administration des contributions directes concerning alleged abuses of corporate tax rules and aggressive tax arrangements.
The Inspection du travail et des mines (ITM) received the largest single share of reports (310) – mostly about labour‑related offences – and transmitted many reports to other authorities, illustrating how whistleblowing often intersects multiple regulatory domains. Across the network, authorities transmitted 110 dossiers to other entities and referred 16 matters to prosecutorial or law enforcement bodies (14 to the Public Prosecutor, 1 to financial intelligence, 1 to police). This demonstrates the pipeline from administrative reporting to criminal investigation in a subset of cases.
Compliance implications – what firms and advisers should note
- Internal reporting channels and procedures are a regulatory baseline. Several cases transferred to the Office involved alleged failures to establish compliant internal channels; after Office intervention many entities remedied deficiencies without administrative sanctions. Firms operating in Luxembourg must ensure their internal channels meet the Law’s requirements: confidentiality safeguards, impartial follow‑up, recordkeeping and designation of a follow‑up officer or service.
- Confidentiality is not optional and breaches can attract significant fines. The Office and the competent authorities treat unauthorized disclosures of a reporter’s identity seriously. For institutions handling suspicious internal reports that touch AML, tax or market matters, strict compartmentalization and secure systems are therefore necessary to protect reporters and investigative integrity.
- Third‑party service providers and technology vendors used to operate reporting systems must be integrated in compliance governance with clear contractual provisions on data access, hosting location, confidentiality and security, and with data protection obligations aligned to the CNPD’s expectations. The Office engaged with providers on these issues in 2024, signalling scrutiny of technical and contractual arrangements.
- Cross‑authority referrals are common. Entities should expect that internal complaints potentially touching financial crime may be shared with supervisors, tax authorities or law enforcement. That increases the importance of early legal triage, controlled disclosure practices and proactive remediation where appropriate.
Institutional coordination and capacity building – strengthening the detection chain
The Office’s work in 2024 demonstrates active coordination: it launched a Réseau des autorités compétentes en matière de protection des lanceurs d’alerte (“Réseau ACPLA”) to share best practices and established an extranet for authorities to exchange material. It also participated in European networks, including NEIWA, and contributed to multidisciplinary dialogues (anti‑corruption committee COPRECO, justice ministry projects, and EU technical assistance efforts). For the fight against financial crime, this institutional networking enhances the chances that evidence from administrative whistleblowing will be identified, routed and escalated appropriately to supervisors and prosecutors.
Enforcement posture – sanctions and incentives to comply
Under Article 18 the Office can impose administrative fines for obstruction, false information, breaches of confidentiality, refusal to remediate, and failure to establish internal channels. In 2024 the Office received 10 transferred dossiers that could fall under its sanctioning remit; three were closed without sanctions and the rest remained under instruction at year end. The pattern suggests the Office uses its sanctioning power partly as a lever to secure compliance rather than as an automatic punitive instrument. Nevertheless, the potential for fines up to €250,000 is material and should be incorporated into risk assessments and control priorities.
Public awareness and accessibility – building reporting culture
The Office invested in public information materials (brochures, posters, video), delivered numerous presentations to professional associations and public bodies, and prepared a dedicated website to go live in 2026. That outreach aims to reduce stigma associated with reporting and increase voluntary disclosure of wrongdoing – a vital behavioural component in detecting complex financial schemes early.
Key takeaways for financial crime practitioners
The Office’s inaugural full year provides concrete lessons:
- Ensure internal reporting channels are fully compliant, well documented and tested; failure to implement channels has already triggered formal attention.
- Protect reporter identity and secure reporting infrastructure end‑to‑end; leaks risk fines and loss of investigative value.
- Treat internal reports as potential sources of evidence for AML, tax and market abuse investigations and coordinate early with legal counsel and, where necessary, competent authorities.
- Include contractual and technical due diligence on third‑party reporting platforms in vendor management, and document data protection safeguards.
- Expect increased institutional cooperation and cross‑referrals; create internal escalation pathways that map to the competent authorities listed by the Law.
- Use the Office’s engagement and training offerings proactively: they are a resource for correct implementation and a way to demonstrate good faith if issues arise.
Conclusion – towards a more integrated detection ecosystem
Luxembourg’s Office des signalements is still operationally young, but its 2024 report shows meaningful activity: hundreds of reports handled across many authorities, dozens of investigations with direct bearing on financial crime risks, cross‑authority referrals and active development of networks and guidance. For regulated entities, the message is clear: investing in robust internal reporting systems, strict confidentiality and rapid, compliant follow‑up is now not only best practice but also a regulatory necessity with potential administrative penalties. For investigators and compliance teams, whistleblowing channels are becoming an increasingly structured and cooperative gateway into financial crime detection and prosecution – and the Office will be a central node in that ecosystem going forward.