Reporting channels - whistleblowing system

This section sets out the procedures, for employees and third parties external to REVO Insurance and the companies belonging to the REVO Insurance Group, to report unlawful phenomena and suspicious behavior, irregularities in company management, acts or facts which may constitute a violation of the rules, internal and external, governing the activity of the Company and/or the companies of the REVO Insurance Group.
The internal whistleblowing system adopted aims to safeguard the confidentiality of the identity of the whistleblower and to protect him or her from retaliatory conduct as a result of the whistleblowing, in line with the regulations issued on whistleblowing at national and European level (most recently Legislative Decree no.24 of 15 March 2023, which transposed EU Directive 2019/1937 into Italian law).
To achieve these aims, the Whistleblower Software tool (a platform with features such as end-to-end encryption, metadata removal, voice distortion, and no IP address collection) was identified as the preferred channel for making and handling reports.
The term "Report" refers to the communication made, through the channels identified and described below, by a reporting person in relation to conduct, of which he/she has become aware by reason of his/her duties, concerning violations of internal and external regulations and/or of the Ethics Code. In particular, the following may be the subject of Reporting:
•unlawful conduct relevant pursuant to Legislative Decree No. 231/2001 and violations of the provisions contained in the 231 Organization and Management Model of the Parent Undertaking.
•violations of the principles and rules of conduct contained in the Group&'s Code of Ethics;
• violations of the rules falling within the scope of EU acts;
• criminal, civil, administrative or accounting offences other than those specifically identified as violations of EU law;
•violations of the rules governing the insurance business;
•violations of the rules governing financial activities.

Whistleblowing does not concern complaints, claims or requests related to a personal interest of the whistleblower. Furthermore, the Whistleblowing channel is not intended for reporting complaints or for forwarding requests of a commercial nature.
Roles and responsibilities
• The Head of the Group Internal Audit Function at the time is the Head of the Internal Reporting System. He guarantees adequate competence and independence and is responsible for: i) supervise the process of handling the Reports received; ii) identify from time to time the functions and persons to be involved for the checks to be carried out on the Reports received; iii) ensure the proper handling of the case, ensuring the diligent follow-up of the Reports received iv) guarantee reporting to the Company's top management, directors, control bodies and Supervisory Board.
• The Head of the Group Compliance Function at the time is the Supplementary Manager of the Internal Reporting System (the 'Supplementary Manager'). He has access to the platform and to the Reports received both to assess their relevance pursuant to Legislative Decree no. 231/2001 (also in his capacity as a member of the Parent Undertaking's Supervisory Board), and to ensure the proper management of the Reports with reference to any cases of conflict of interest relating to the figure of the Appointed Manager
How to make a Report
The Whistleblower may make use of the following internal channels
•use of the dedicated Whistleblower Software platform accessible through the link: https://whistleblowersoftware.com/secure/REVO
•paper report, sent in three sealed envelopes (a first one with the identity data of the Reporting Party, a second one, containing the first envelope, with the Report, so as to separate the identity data of the Reporting Party from the Report, and a third sealed envelope, containing the first two), marked 'Confidential Personal', to the attention of:
Head of the Internal Reporting System
To the attention of the Head of the Internal Audit Function
REVO Insurance S.p.A.
Viale dell’Agricoltura 7
37135 Verona (Italy)
With reference to the first modality, it is possible to make the Report either in written or oral form.
Finally, it should be noted that the Report, at the request of the Reporting Party, may also be made through a direct meeting with the Head of the Internal Reporting System (or, in case of conflict of interest, with the Supplementary Manager).
If the Whistleblower considers that there is a risk of conflict of interest concerning the figure of the Head of the Internal Reporting System, he may send the Reports, in the same way, specifying that they should be addressed to the attention of the Assistant Manager. The Company has adopted controls at Group level to ensure proper allocation/management of this case, ensuring - in a logic of "four-eyes principle" - access to internal channels, on a continuous basis, also to the aforementioned Supplementary Manager. For the Whistleblower it is in any case possible to turn to the external channels, referred to below.
The Whistleblower must provide any useful element to enable the corporate offices to proceed with the verifications for the parts falling within their competence and with the checks to ascertain whether the Report is well-founded. To this end, the Report must meet at least the following minimum requirements:
•clear and complete description of the facts reported, including, the circumstances of time and place in which they were committed
•generalities or other elements that make it possible to identify the person who committed what has been reported;
•particulars of any other persons informed of the facts who can report on them;
•indication of any documents proving the validity of such facts;
•any other useful information that helps to confirm the existence of the facts reported.
Reports must be made in good faith. The platform (equipped with features such as end-to-end encryption, metadata removal, voice distortion, no IP address collection) and the related Reporting procedure are structured to ensure the confidentiality of the identity of the Reporting Party, of the persons involved (to whom the violation is attributed or otherwise implicated in the reported violation) and of the persons mentioned in the Report, as well as the content of the Report and related documentation.
Reports may also be made anonymously, provided they contain specific and circumstantiated information. In such cases, protection is ensured even if the Whistleblower is subsequently identified or his identity is only revealed at a later stage.
While emphasising the importance of using the internal channels indicated above, it is possible to make a Report to the National Anti-Corruption Authority (ANAC), in the manner provided for on the institutional site of the Entity, if, at the time of its submission, one of the following conditions is met:
•there is no mandatory activation of the internal reporting channel within the work context, or the channel is not active or, even if activated, does not comply with the external rules;
•the Whistleblower has already made an internal Report, pursuant to the relevant external legislation, and the same has not been followed up;
•the Whistleblower has well-founded reasons to believe that, if he/she were to make an internal Report, it would not be effectively followed up, or that the same Report could give rise to the risk of retaliation;
•the Whistleblower has reasonable grounds to believe that the breach may constitute an imminent or obvious danger to the public interest.
Timeframe for handling a report
The Reporting Party will receive an acknowledgement of receipt within 7 days of the date of receipt of the Report.
Feedback on the outcome of the Report is provided to the Reporting Party within 3 months of receipt. With reference to the feedback to be provided within the above-mentioned time limit, it should be noted that it may consist in the communication of:
i. archiving, if the Report has elements of non-admissibility (e.g. manifest groundlessness due to the absence of factual elements capable of justifying investigation, ascertained generic content of the Report of wrongdoing such as not to allow comprehension of the facts; Report of wrongdoing accompanied by inappropriate documentation, etc.);
ii. initiation of an internal investigation, the status of which at the time of the communication is:
• concluded. In such a case, evidence will be provided of the relevant findings, any steps taken to address the issue raised and/or referral to a competent authority for further investigation;
• ongoing. In this case, evidence will be given of the activities to be undertaken and the status of the investigation. At the end of the investigation, the final results should in any case be communicated to the reporting person.
Protection of whistleblowers
The processes adopted at Group level guarantee the protection of the identity of the Whistleblower in any context subsequent to the Whistleblowing, except in the cases provided for by the law in force. Therefore, subject to these exceptions, the identity of the Whistleblower may only be revealed with his/her express consent, and this information must be kept confidential by all those who come into possession of it.
Breach of the duty of confidentiality entails disciplinary liability, without prejudice to any further liability provided for by law.
The Whistleblower may in no way suffer retaliation or discriminatory measures, whether direct or indirect. Those who believe they have suffered retaliation for having made a Report of wrongdoing may report the incident to the ANAC.
It should be noted that any person who discloses or disseminates information on Breaches covered by the obligation of confidentiality or relating to the protection of copyrights or personal data, or who discloses or disseminates information on Breaches that offend the reputation of the person involved or reported, shall not be punishable if, at the time of the disclosure or dissemination, there were reasonable grounds for believing that the disclosure or dissemination of the same information was necessary to disclose the Breach and the Reporting or public disclosure was made in the required manner. In the event of the above-mentioned cases, any further liability, including civil or administrative liability, is also excluded.
Please note that Reports sent for the purpose of harming or prejudicing the reported person, as well as any other form of misuse of the Report, are a source of liability for the reporting person, in disciplinary and/or other competent fora.
Finally, the protection measures provided for the Whistleblower also apply to the so-called Facilitators and to the other persons under Article 3(5) of Legislative Decree 24/2023.