WHISTLEBLOWING PROCEDURES
1. INTRODUCTION AND PURPOSE
1.1 Regulatory context
TESORA S.p.A. (hereinafter “the Company” or “TESORA”), operating under the trading name YourADN, has implemented this Whistleblowing System in compliance with the following regulatory obligations:
• Regulation (EU) 2023/1114 (MiCAr), in particular:
◦ Art. 68, par. 4 (organizational requirements)
◦ Art. 71 (prudential requirements)
◦ Article 74 (Custody of Crypto-Assets and Client Funds)
◦ Art. 116 (Mechanisms for reporting violations)
• Directive (EU) 2019/1937 on the protection of persons reporting breaches of Union law
• Legislative Decree 24/2023 (Italian implementation of the Whistleblowing Directive)
• Regulation (EU) 2016/679 (GDPR)
• Legislative Decree 231/2001 (administrative liability of entities)
• CONSOB regulations applicable to CASPs
• Article 116 of Regulation (EU) 2023/1114 (MiCAr) – which requires crypto-asset service providers (CASPs) to establish effective mechanisms for reporting infringements of the Regulation;
• Legislative Decree 24/2023 – Italian implementation of Directive (EU) 2019/1937 on the protection of persons reporting breaches of Union law;
• Article 68, paragraph 4 MiCAr – which requires effective compliance policies and procedures.
The Company is in the process of obtaining authorization to provide the following CASP services by June 30, 2026, through transformation from VASP to CASP with submission of the application to CONSOB in December 2025:
1. Placement of crypto-assets;
2. Custody and administration of crypto-assets on behalf of third parties;
3. Operating a crypto-asset exchange platform;
4. Receiving and transmitting orders regarding crypto-assets on behalf of third parties;
5. Execution of orders relating to crypto-assets on behalf of third parties;
6. Exchange crypto-assets for funds;
7. Crypto-asset consulting.
1.2 Objectives of the Whistleblowing System
The TESORA Whistleblowing System pursues the following fundamental objectives:
• Prevention: Promptly identify non-compliant conduct or conduct that is potentially harmful to corporate integrity;
• Protection: Protect whistleblowers from any form of retaliation or discrimination;
• Transparency: Ensure a clear, defined process that is accessible to all legitimate parties;
• Continuous improvement: Use reporting as a tool to strengthen compliance controls;
• Regulatory compliance: Comply with the obligations imposed by the MiCAr Regulation and current legislation.
1.3 Scope of application
This document aims to achieve the following objectives:
a) Define the Company’s regulatory compliance system in relation to the MiCAr Regulation and the regulations applicable to CASPs;
b) Establish organizational responsibilities for regulatory compliance;
c) Regulate staff training and awareness programs on legislative and regulatory requirements;
d) Implement a whistleblowing system compliant with Article 116 of the MiCAr Regulation and Directive (EU) 2019/1937;
e) Ensure the protection of whistleblowers and the proper management of reports of regulatory violations.
1.4 Guiding principles
The TESORA Whistleblowing System is based on the following principles:
• Absolute confidentiality of the whistleblower’s identity;
• Prohibition of retaliation of any kind against the whistleblower;
• Accessibility through multiple and easily usable channels;
• Timeliness in managing and responding to reports;
• Proportionality of the actions taken to the seriousness of the violation;
• Traceability of all reports received and actions taken.
2. MiCar REGULATORY COMPLIANCE POLICY
2.1 General principles
The Company bases its business on the following principles of regulatory compliance:
a) Legality and integrity: All activities must be conducted in compliance with laws, regulations, and the provisions of the supervisory authority.
b) Transparency: The Company guarantees maximum transparency in relations with customers, supervisory authorities and stakeholders.
c) Professionalism: The staff operates with competence, diligence and in accordance with best market practices.
d) Culture of compliance: Compliance is the responsibility of all organizational levels and is a central element of corporate culture.
e) Prevention: The Company adopts a proactive approach in identifying and mitigating compliance risks.
f) Continuous improvement: The compliance system is subject to constant review and updating.
2.2 Scope of application
The Regulatory Compliance Policy applies to all of the Company’s activities, with particular reference to:
• Provision of authorized CASP services
• Custody and administration of crypto-assets
• Crypto-asset consulting
• Customer Relationship Management
• Safeguarding crypto-assets and client funds
• Prevention of money laundering and terrorist financing
• Management of conflicts of interest
• Protection of personal data
• Cybersecurity and operational resilience
3. REPORTABLE VIOLATIONS
3.1 Violations of the MiCAr Regulation
Whistleblowing reports include violations or potential violations of Regulation (EU) 2023/1114, including in particular:
• Organizational requirements (art. 68 MiCAr): deficiencies in governance, internal controls, and management of conflicts of interest;
• Prudential requirements (art. 71 MiCAr): insufficient capital, failure to comply with minimum ratios;
• Custody of crypto-assets (Article 74 MiCAr): irregularities in the segregation, storage, or transfer of clients’ crypto-assets;
• Rules of conduct (art. 76-82 MiCAr): improper behavior towards customers, misleading information, unmanaged conflicts of interest;
• Complaints management (art. 85 MiCAr): failure to manage or record customer complaints;
• Reporting obligations (Articles 109-110 of the MiCAr): failure to report or false reporting to the competent authorities.
3.2 Internal procedural violations
Violations of TESORA’s internal operating procedures can also be reported:
• Custody processes not compliant with the Operations Manual;
• Cybersecurity policy violations;
• Behaviors contrary to the company’s Code of Ethics.
3.3 Related regulatory violations
Violations of the regulations related to CASP services also fall within the scope of whistleblowing:
• Anti-money laundering (Legislative Decree 231/2007): failure to identify customers, failure to report suspicious transactions, violations of due diligence obligations;
• Personal Data Protection (GDPR): unlawful data processing, unreported data breaches, violations of data subjects’ rights;
• Digital Operational Resilience (DORA): ICT risk management gaps, unreported incidents;
• Administrative liability of entities (Legislative Decree 231/2001): predicate crimes committed in the interest or to the advantage of the Company;
• Market Abuse: market manipulation, abuse of inside information.
3.4 Exclusions
The following do not fall within the scope of whistleblowing:
• Personal complaints relating to employment relationships (to be handled through internal channels);
• Differences of opinion on management or strategic choices;
• Reports that are unfounded or manifestly specious;
• Information already in the public domain;
• Commercial disputes with suppliers or partners (to be handled through ordinary channels).
4. LEGITIMATE SUBJECTS
The following individuals are authorized to report through the TESORA Whistleblowing System:
4.1 Customers and third parties
• YourADN platform customers;
• Any third parties who have become aware of violations in the context of professional or business relationships with TESORA.
4.2 Definition of "good faith whistleblower"
The protections provided by this Procedure apply exclusively to those who report in good faith, i.e. those who:
• They have reasonable grounds to believe the information reported is true;
• Act in the interests of legality and compliance, without ulterior motives;
• They do not pursue defamatory or slanderous objectives towards other subjects.
Important: Reports that are manifestly false, defamatory, or made in bad faith do not enjoy the protections provided and may result in disciplinary, civil, or criminal liability for the reporter.
5. REPORTING CHANNELS
TESORA guarantees the availability of multiple, secure, and confidential reporting channels, allowing all authorized parties to submit reports easily and securely.
5.1 Dedicated email channel
E-mail address: | compliance@youradn.com |
Management: | Compliance Officer Stefano Cezza (exclusive access) |
Sicurezza: | server systems used by Tesora SpA |
Confirm receipt: | Within 7 working days of receipt |
How to use the email channel
1. Send an email to compliance@youradn.com;
2. Indicate “WHISTLEBLOWING REPORT” in the subject line;
3. Describe the violation in detail (facts, dates, locations, people involved);
4. Attach any supporting documentation (in PDF format);
5. Indicate whether you wish to be contacted and how.
Note: You can also submit reports anonymously (without providing your name). However, providing identifying information facilitates the management of the report and any requests for additional information.
5.2 Confidential letter
Recipient: | Compliance Officer – TESORA S.p.A. |
Address: | Via Riva di Reno 58, 40122 Bologna |
Mode: | Sealed envelope marked “PERSONAL CONFIDENTIAL – WHISTLEBLOWING” |
The Compliance Officer is the only one authorized to open the envelope, ensuring maximum confidentiality.
5.3 Direct interview
You can request a confidential meeting with the Compliance Officer:
• By email: write to compliance@youradn.com indicating the request for an interview (without providing details about the report);
The interview will be conducted in a confidential setting. The whistleblower may be assisted by a lawyer or a trusted union representative.
External channels
The whistleblower may alternatively contact the competent authorities directly:
• CONSOB (Financial Market Supervisory Authority);
• ANAC (National Anti-Corruption Authority);
• Judicial Authority in case of crimes.
6. SIGNAL PROTECTION
TESORA guarantees maximum protection to those who report in good faith, in accordance with Legislative Decree 24/2023 and Article 116 of the MiCAr Regulation.
6.1 Confidentiality guarantees
Identity of the whistleblower
• Known exclusively by the Compliance Officer (or by the Board of Statutory Auditors in the case of an alternative report);
• Not disclosed to third parties without the whistleblower’s explicit consent;
• Omitted from all reports and communications to the Board of Directors or other bodies.
Exceptions to the prohibition on disclosure
The whistleblower’s identity may be disclosed only in the following cases:
a) Legal obligation: when requested by the judicial authorities in the context of criminal investigations;
b) Defense necessity: when essential to guarantee the rights of defense of the alleged perpetrator, subject to the authorization of the judicial authorities;
c) Explicit consent: when the whistleblower expressly authorizes the disclosure of his or her identity.
6.2 Prohibition of retaliation
TESORA expressly prohibits any form of retaliation, discrimination, or prejudicial behavior towards the whistleblower.
Prohibited retaliation includes, but is not limited to:
• Dismissal or early termination of employment;
• Suspension or sizing;
• Failure to renew a fixed-term or consultancy contract;
• Forced transfer of office or duties;
• Reduction in pay or company benefits;
• Changes in job descriptions for the worse;
• Negative ratings not justified by objective performance parameters;
• Missing deserved promotions or pay raises;
• Mobbing or isolation in the workplace;
• Pressure, intimidation or threats of any kind.
6.3 Extended protection
The protections provided by this Procedure also extend to:
• Facilitators: people who assist the whistleblower in the reporting process (e.g. union representative, lawyer);
• Colleagues: People who work in the same workplace as the whistleblower and who may suffer retaliation in connection with the report;
• Entities controlled by the reporting party: companies or entities where the reporting party works or in which he or she holds shares.
6.4 Reports in bad faith
Reports that are manifestly false, slanderous, or defamatory do not enjoy the protections provided.
A reporter acting in bad faith may face:
• Disciplinary responsibility (sanctions up to dismissal);
• Civil liability for damages to unjustly accused persons;
• Criminal liability for slander (Article 368 of the Criminal Code) or defamation (Article 595 of the Criminal Code).
7. REPORT MANAGEMENT
TESORA adopts a structured process for managing whistleblowing reports, divided into 6 phases with defined timeframes.
7.1 Complete operational flow
PHASE | DAYS | ACTIVITY | RESPONSIBLE |
1. Reception | Day 0 | Recording, logging, and segregation of confidential data | Compliance Officer |
2. Recognition | Within 7 | Confirmation of receipt to the reporting party, practice code, timeframes | Compliance Officer |
3. Assessment | Within 30 | Analysis of admissibility, severity, and urgency. Request for additional information. | Compliance Officer |
4.Investigation | Within 90 | Document collection, hearings, technical checks, regulatory analysis | Compliance Officer + any consultants |
5. Resolution | Within 90 | Board of Directors report, resolves corrective/disciplinary actions | CdA |
6. Feedback | Within 90 | Communication of outcome to the whistleblower, implementation of actions | Compliance Officer |
Important: All activities are conducted with the utmost confidentiality, without disclosing the identity of the whistleblower. Confidentiality is extended to all parties involved.
7.2 Roles and responsibilities
Compliance Officer
Sole person responsible for the operational management of reports:
• Receives and records all reports;
• Manages reporting channels (emails, letters, interviews);
• Conducts the investigations;
• It guarantees the confidentiality of the whistleblower’s identity;
• Prepares reports for the Board of Directors;
• Keeps the Report Register up to date;
• Communicate the outcome to the reporter.
Requirements:
• Operational independence;
• Direct access to the Board of Directors;
• Specific training on whistleblowing;
• Strengthened confidentiality obligation.
Board of Directors
• Receives quarterly reports on all complaints;
• Decide on significant corrective actions;
• Monitor the effectiveness of the whistleblowing system;
• Ensures protection of whistleblowers;
• Approves changes to this Procedure.
Board of Auditors
• Receives alternative reports in case of conflict of interest of the Compliance Officer;
• It manages such reports with the same guarantees of confidentiality;
• Supervises the proper functioning of the whistleblowing system.
7.3 Management of conflicts of interest
Case 1: Report concerning the Compliance Officer
• The report is handled directly by the Chairman of the Board of Directors;
• The same confidentiality guarantees apply;
• The Compliance Officer is excluded from any investigative activity.
Case 2: Report concerning the Board of Directors or its members
• Option of reporting directly to the Authority;
• Possible involvement of an independent external consultant appointed by the Board of Statutory Auditors.
