Region

Jurisdiction

Regulator

2011-03-10

Provisions on Internal Organization, Procedures, and Controls to Prevent the Use of Intermediaries for Money Laundering and Terrorist Financing

The Bank of Italy issued this decree to implement EU directives and Italian legislation by establishing mandatory internal organization, procedures, and controls for financial intermediaries to prevent money laundering and terrorist financing. The regulation requires intermediaries to appoint a dedicated compliance officer, implement risk-based customer due diligence, maintain records, and report suspicious transactions to the Financial Intelligence Unit. It emphasizes the principle of proportionality, allowing firms to tailor their governance structures to their size and complexity while ensuring robust anti-money laundering safeguards.

Italy

Banca d'Italia

Headquarters Via Nazionale, 91 - P.O. Box 2484 - 00100 Rome - Share Capital Euro 156,000.00 Tel. 06/47921 - telex 630045 BANKIT - VAT No. 00950501007 - www.bancaditalia.it This document conforms to the original contained in the archives of the Bank of Italy

Signed digitally by

DECISION CONTAINING IMPLEMENTING PROVISIONS ON ORGANIZATION, PROCEDURES AND INTERNAL CONTROLS AIMED AT PREVENTING THE USE OF INTERMEDIARIES AND OTHER SUBJECTS CARRYING OUT FINANCIAL ACTIVITIES FOR THE PURPOSES OF MONEY LAUNDERING AND TERRORIST FINANCING, PURSUANT TO ARTICLE 7, PARAGRAPH 2 OF LEGISLATIVE DECREE 21 NOVEMBER 2007, NO. 231

THE BANK OF ITALY Having regard to Directive 2005/60/EC of the European Parliament and of the Council of 26 October 2005 on the prevention of the use of the financial system for the purpose of money laundering and terrorist financing; Having regard to Law No. 29 of 25 January 2006, containing provisions for the fulfillment of obligations arising from Italy's membership in the European Communities – Community Law 2005, and in particular Articles 21 and 22; Having regard to Commission Directive 2006/70/EC of 1 August 2006, laying down implementing measures for Directive 2005/60/EC; Having regard to Legislative Decree No. 231 of 21 November 2007, implementing Directive 2005/60/EC concerning the prevention of the use of the financial system for the purpose of money laundering of proceeds of criminal activity and terrorist financing as well as Directive 2006/70/EC laying down implementing measures; Having regard to Legislative Decree No. 151 of 25 September 2009, Legislative Decree No. 11 of 27 January 2010, Law No. 122 of 30 July 2010 converting, with modifications, Decree-Law No. 78 of 31 May 2010, and Legislative Decree No. 141 of 13 August 2010, containing supplementary and corrective provisions of Legislative Decree No. 231 of 21 November 2007; Having regard, in particular, to Article 7, paragraph 2, of the aforementioned Legislative Decree No. 231 of 21 November 2007; In agreement with CONSOB and ISVAP; ADOPTS the attached: Decision containing implementing provisions on organization, procedures and internal controls aimed at preventing the use of intermediaries and other subjects carrying out financial activities for the purposes of money laundering and terrorist financing, pursuant to Article 7, paragraph 2 of Legislative Decree 21 November 2007, No. 231.

Rome, 10 March 2011 THE GENERAL MANAGER Dr. Fabrizio Saccomanni

Decision containing implementing provisions on organization, procedures and internal controls aimed at preventing the use of intermediaries and other subjects carrying out financial activities for the purposes of money laundering and terrorist financing, pursuant to Article 7, paragraph 2 of Legislative Decree 21 November 2007, No. 231

PREAMBLE Money laundering and terrorist financing represent criminal phenomena that, also due to their possible transnational dimension, constitute a serious threat to the legal economy and can determine destabilizing effects, especially for the banking and financial system. To achieve the full effectiveness of anti-money laundering regulation, a significant process of international harmonization of prevention rules has become necessary, aimed at avoiding that, in an increasingly open and competitive market, those who move funds of illicit origin can take advantage of gaps in the protection networks set up by various countries. However, there remain geographical areas and territories whose regulation is not yet in line with international best practices, and against which stricter anti-money laundering controls, calibrated on higher risk1, must be applied.

In this matter, an essential action of awareness raising and standard setting is carried out by the FATF (Financial Action Task Force), established by the G7 summit in 1989 and composed of representatives of the most important financial markets. The FATF has prepared a set of rules recognized at the international level (the 40+9 Recommendations2) containing an organic set of measures for the prevention and combating of money laundering and terrorist financing aimed at orienting States in the adoption of consequent measures, inter alia, in the sector of money laundering prevention in the financial system and international cooperation.

At the Community level, Directive 2005/60/EC (so-called Third Directive3) aligned European rules with the standards contained in the FATF Recommendations of 2003. The Directive was transposed into the Italian legal system with Legislative Decrees No. 109 of 22 June 2007 and No. 231 of 21 November 2007.

Legislative Decree No. 109 of 22 June 2007 contains measures to prevent and repress terrorist financing; the measure clarified the obligation to report also suspicious transactions of terrorist financing, already implicitly derived from Article 1 of Decree-Law 369/2001, converted into Law 431/2001, and gave greater systematicity to the obligations that intermediaries are required to fulfill in case of contact with subjects suspected of involvement in terrorist activities.

Legislative Decree No. 231 has reorganized the entire money laundering prevention legislation, revisiting the role of the Bank of Italy under multiple profiles:

through the establishment, within its scope, of the Financial Intelligence Unit (UIF), endowed with requirements of autonomy and independence and tasked with the analysis of financial flows and, more specifically, the reporting of suspicious transactions transmitted by all addressees of the anti-money laundering discipline;

1 With Decree of the Minister of Economy and Finance of 18.8.2008, Italy published the list of non-EU countries imposing obligations equivalent to those provided by Directive 2005/60 (so-called White List). With the issuance of this decree, our country gave effect to the agreement reached among Member States at the margin of the meeting of 18 April 2008 of the Committee for the Prevention of Money Laundering and Terrorist Financing provided for by Article 41 of the Directive. 2 In the matter of prevention and combating of money laundering, the FATF issued the 40 Recommendations in 1990, updating them in 1996 and 2003. Following the extension of its mandate to international terrorist financing, the Group issued 9 Special Recommendations on the matter. Recently, the FATF has elaborated guidelines aimed at assisting Member States in the implementation of Resolutions adopted by the United Nations to counter financial flows supporting the development of proliferation of weapons of mass destruction. 3 This directive repeals and replaces the first two directives on the matter (No. 91/308/EEC and No. 2001/97/EC).

through the attribution to Banking and Financial Supervision of regulatory powers and powers of control and sanctioning against supervised subjects. In particular, in the changed legislative framework, Supervision is called upon to issue provisions on adequate customer verification, registration of related data, and organization, procedures and internal controls aimed at fulfilling anti-money laundering obligations.

The new regulation attributes particular relevance to collaboration between authorities, also through the attribution to the Financial Security Committee (CSF) - composed of all authorities involved at the national level in the prevention of money laundering and terrorist financing - of a role of analysis and coordination. The indications of the International Monetary Fund (IMF) have thus found acceptance, which, in 2005, in the context of the evaluation of the Italian system, underlined the need for a control system based on the clear attribution of tasks and responsibilities and on effective mechanisms of collaboration and coordination between Authorities.

The general objective of the new provisions is the protection of the integrity of the banking and financial system and, indirectly, the protection of its stability. According to the traditional approach, the rules are directed to preserve the system from the risk of being, even unknowingly, instrumentalized for the commission of illicit activities, calling addressees to conduct of so-called "active collaboration" namely to report transactions that raise suspicion regarding the illicit origin of transferred funds. Compared to the past, the regulatory approach realizes an anticipation of the threshold of protection: the rules imposed on companies to ensure full and "adequate" knowledge of the customer are detailed and strengthened, up to providing that, in cases where complete disclosure between the parties does not occur, the relationship should not be established or should be interrupted.

The action of prevention and combating of money laundering is carried out through the introduction of safeguards aimed at guaranteeing full knowledge of the customer, traceability of financial transactions and identification of suspicious transactions.

In particular, the legislation rests on a system of obligations, addressed to a wide range of addressees (financial intermediaries, non-financial enterprises and professionals), inspired by the following three fundamental institutions:

adequate customer verification with which relationships are established or transactions are carried out (customer due diligence);
registration of relationships and transactions and conservation of related supporting documents;
reporting of suspicious transactions.

The adequate customer verification imposes on the addressees of the discipline to calibrate the rigor of customer identification obligations to the money laundering risk deducible from the nature of the counterparty, the type of service requested, the geographical area of reference (so-called risk-based approach). The risk element must therefore be taken into account not only for the identification and reporting of suspicious transactions, but also for the application of differentiated, simplified or enhanced measures of adequate customer verification in relation to hypotheses of lower or higher risk respectively. This is a more extended duty of customer due diligence, to be carried out through information on the customer, beneficial owner of the relationship, nature and purpose of the business relationship, involving continuous monitoring of the course of the relationship.

The possibility of assessing the level of risk, in making the conduct and organizational solutions required on a case-by-case basis more flexible, entails greater autonomy and responsibility for the addressees, who are called to equip themselves with appropriate procedures, tools and controls, whose validity and effectiveness are subject to verification by the supervisory Authorities.

The obligations of registration and the methods of conservation of data acquired during adequate verification are aimed, by explicit legislative indication, to allow the search and use of such data in case of investigations into cases of money laundering or terrorist financing and for the activities of analysis of the UIF or other Authorities. Data registration must be carried out promptly and, in any case, no later than thirty days from the completion of the transaction or from the opening, variation or closing of the continuous relationship or professional service. In application of the principle of adapting burdens to the concrete operability of addressees and their size, the establishment of a single electronic archive (AUI) for the registration of customer data is not provided for all addressees4. The possibility of prescribing simplified methods of registration is contemplated.

The obligation to report suspicious transactions continues to constitute the core of anti-money laundering legislation. Pursuant to Article 41 of the decree, the subjects addressees of the discipline are required to forward a report to the UIF "when they know, suspect or have reasonable grounds to suspect that money laundering or terrorist financing transactions are being carried out or have been carried out or attempted".

The definition of money laundering adopted – for prevention purposes – by Decree 231/2007 receives that contained in Article 1, paragraph 2, of Directive 2005/60/EC and is broader than the case delineated by the penal code in Articles 648 bis and 648 ter. For the penal system, in fact, the crime of money laundering does not apply to who committed the predicate offense: the use and concealment of criminal proceeds by the persons who committed the crime that generated such proceeds (so-called "self-laundering") are in fact considered as post factum non-punishable. The concept of self-laundering is, however, included in the definition contained in Article 2 of Decree 231/2007, albeit solely for the purposes of identifying the scope of application of the obligations and preventive measures identified by the decree itself.

The development of financial markets, technological and financial innovations and globalization have expanded the field of action and the tools available to subjects who intend to realize acts of money laundering or terrorist financing. Consequently, intermediaries must face increasing legal and reputational risks deriving from possible involvement in illicit transactions5.

For the correct fulfillment of the aforementioned obligations and for effective risk management, it is indispensable the preparation of adequate organizational safeguards, whose articulation must be modulated in light of the specificities of the activity carried out by the addressees of the discipline and their relative organizational dimensions and operational characteristics. In the case of groups, to which this legislation reserves specific provisions, coordination needs as well as integrated knowledge of the customer are identified.

4 Cf., in this regard, the "Decision containing implementing provisions for the keeping of the Single Electronic Archive", adopted by the Bank of Italy on 31.12.2009. 5 Article 63 of Decree 231 inserted money laundering into the list of crimes for which administrative liability of legal persons is provided pursuant to Legislative Decree 8 June 2001, No. 231.

This decision contains rules on organization, procedures, articulations and competences of corporate control functions, which take into account the specificities of the anti-money laundering matter. It is adopted, in agreement with CONSOB and ISVAP, pursuant to Article 7, paragraph 2, of d.lgs. 231/07.

Legal Sources The matter is regulated: • by Directive 2005/60/EC of the European Parliament and of the Council of 26 October 2005 on the prevention of the use of the financial system for the purpose of money laundering of proceeds of criminal activity and terrorist financing; • by Commission Directive 2006/70/EC of 1 August 2006, laying down implementing measures for Directive 2005/60/EC; • by Legislative Decree No. 109 of 22 June 2007 containing measures to prevent, combat and repress terrorist financing and the activity of countries threatening peace and international security, in implementation of Directive 2005/60/EC; • by Legislative Decree No. 231 of 21 November 2007 (implementing Directive 2005/60/EC as well as Directive 2006/70/EC) and in particular by Article 7, paragraph 2 of the aforementioned decree according to which the supervisory authorities, in agreement with each other, issue provisions regarding the methods of fulfillment of obligations concerning the organization, procedures and internal controls aimed at preventing the use of intermediaries and other subjects carrying out financial activities referred to in Article 11 and those provided by Article 13, paragraph 1, letter a), of the same decree for purposes of money laundering or terrorist financing.

Addressees of the provisions These provisions are addressed to the following subjects: a) banks; b) electronic money institutions; c) payment institutions; d) securities intermediation companies (SIM); e) savings management companies (SGR); f) variable capital investment companies (SICAV); g) branches established in Italy of the subjects indicated in the preceding letters having legal headquarters in a foreign State6; h) financial intermediaries registered in the list provided for by Article 106 of the TUB; i) fiduciary companies referred to in Article 199 of the TUF; j) Poste Italiane S.p.A.; k) Cassa Depositi e Prestiti S.p.A; l) currency exchange agents;

6 The provisions of Chapter 1 apply with reference to the representatives of the branches referred to in letter g).

m) subjects governed by Articles 111 and 112 of the TUB; n) credit mediators registered in the list provided for by Article 128-sexies of the TUB; o) financial activity agents registered in the list provided for by Article 128-quater, paragraph 2, of the TUB and the agents indicated in Article 128-quater, paragraph 7, of the same TUB.

The addressees have been indicated based on the modifications made to d.lgs. 231/07 by Article 27 of d.lgs. 13 August 2010, No. 141. With regard to the transitional regime of the reform, these provisions apply to subjects registered in the lists referred to in Article 10, paragraphs 1 and 2, and Article 26, paragraph 1, of d.lgs. 141/10, until registration in the register or lists provided for by Titles III and IV of the same Decree 141/10 (cf. Article 27, paragraph 1 bis of d.lgs. 141).

Article 56 of Legislative Decree No. 231/2007 attributes to the Bank of Italy the power to impose administrative fines on the addressees of the decision in cases of non-compliance with the provisions governing administrative organization and internal control procedures. The procedure governed by Article 145 TUB applies, insofar as compatible. The person responsible for the administrative sanctioning procedure is the Head of the External Relations and General Affairs Service.

PRINCIPLE OF PROPORTIONALITY These provisions apply to a wide range of subjects; for some of them, governance, organization and control structures are regulated by sectoral regulations, which require the adoption of articulated structures; for others, such structures are left exclusively to the choices of the subjects themselves, within the framework of the general rules of the legal system. The provisions have been prepared taking into account the structural setups that present greater complexity, due to the adjustment to the prescriptions of sectoral legislation or the choices made by the subjects. They should not be interpreted as imposing the adoption of structures more complex than those in place, but rather aiming to ensure the presence of suitable safeguards against money laundering and terrorist financing. Therefore, the addressee subjects apply these provisions according to the principle of proportionality, in coherence with the legal form, size, organizational articulation, characteristics and complexity of the activity carried out. The tasks and functions provided for must be carried out effectively to pursue the purposes for which they are intended, despite the diversity of the structural configurations of the company and the concrete identification of the tasks entrusted to the bodies and organisms that make up the governance, organization and controls7.

Minimum requirements must nevertheless be observed: • the anti-money laundering function must be provided for and the responsible person appointed; externalization and attribution of the responsibility of the function to an administrator is allowed, who, except in the case of the sole administrator, must be devoid of operational delegations; • where the internal audit unit is not established, the related tasks may be assigned to an administrator, who, except in the case of the sole administrator, must be devoid of operational delegations; • the attribution of responsibility for the reporting of suspicious transactions must be formalized.

7 The organizational safeguards provided for by these provisions do not apply to subjects who exercise their activity in an individual capacity, without prejudice to the need for them to respect the obligations in the matter of prevention and combating of money laundering and terrorist financing.

ORGANIZATIONAL SETUPS TO SAFEGUARD AGAINST RISKS OF MONEY LAUNDERING AND TERRORIST FINANCING This discipline follows the growing attention to organizational and internal control issues that characterizes supervision regulation, on the assumption that effective organizational and governance setups constitute an essential condition to prevent and mitigate corporate risk factors. In line with provisions aimed at strengthening the management of compliance risk8, this legislation aims to introduce specific safeguards for the control of money laundering and terrorist financing risk, requiring intermediaries to provide resources, procedures, organizational functions clearly identified and adequately specialized. More specifically, the following are necessary:

the accountability of employees and external collaborators;
the clear definition, at different levels, of roles, tasks and responsibilities as well as the preparation of procedures intended to guarantee the observance of obligations of adequate customer verification and reporting of suspicious transactions and, furthermore, the conservation of documentation and evidence of relationships and transactions;
the establishment of a specific function tasked with overseeing the commitment to prevention and management of the aforementioned risks;
an architecture of control functions that is coordinated in its components, also through adequate information flows, and that is at the same time coherent with the articulation of the structure, the complexity, the corporate size, the type of services and products offered as well as with the entity of the risk associated with the characteristics of the customer base;
a control activity that has as its object the respect by personnel and collaborators of internal procedures and all regulatory obligations, with particular regard to "active collaboration" and the continuous analysis of customer operations.

The containment of money laundering risk also assumes relevance under the profile of respect for prudential regulation9 that imposes on intermediaries to face, with a suitable organizational setup and adequate capital endowment, all risks to which they are exposed. In the classification of risks, money laundering risk is mainly attributed to those of a legal and reputational nature, although losses on credits or financial instruments due to unintentional financing of criminal activities cannot be excluded. Legal risk is included within the scope of

8 In line with provisions aimed at strengthening the management of compliance risk, this legislation aims to introduce specific safeguards for the control of money laundering and terrorist financing risk, requiring intermediaries to provide resources, procedures, organizational functions clearly identified and adequately specialized. 9 The containment of money laundering risk also assumes relevance under the profile of respect for prudential regulation that imposes on intermediaries to face, with a suitable organizational setup and adequate capital endowment, all risks to which they are exposed. In the classification of risks, money laundering risk is mainly attributed to those of a legal and reputational nature, although losses on credits or financial instruments due to unintentional financing of criminal activities cannot be excluded. Legal risk is included within the scope of

legal risk, which is part of the broader category of operational risk, while reputational risk is considered a separate category. The Bank of Italy, in its supervisory activities, will verify that intermediaries have implemented adequate organizational setups capable of identifying, measuring, monitoring and controlling money laundering and terrorist financing risks, in line with the principle of proportionality.

The organizational setups must ensure that:

the anti-money laundering function is independent and has sufficient authority, resources and expertise;
the functions of first line of defense (business units) are clearly responsible for identifying and managing risks in their respective areas;
the functions of second line of defense (compliance and risk management) provide oversight and challenge to the first line;
the functions of third line of defense (internal audit) provide independent assurance to the board of directors and senior management on the effectiveness of the governance, risk management and control processes.

The board of directors and senior management must be actively involved in the anti-money laundering framework, ensuring that the organization has a culture of compliance and that resources are allocated appropriately. The board of directors must approve the anti-money laundering policy and ensure that it is updated regularly to reflect changes in the regulatory environment and the risk profile of the institution.

Senior management must ensure that the anti-money laundering policy is implemented effectively and that employees are trained on their obligations. Senior management must also ensure that the anti-money laundering function has the necessary authority and resources to perform its duties.

The anti-money laundering function must have sufficient authority, resources and expertise to perform its duties. The function must be independent and have direct access to the board of directors and senior management. The function must be responsible for:

developing and implementing the anti-money laundering policy and procedures;
providing training to employees;
monitoring compliance with the anti-money laundering policy and procedures;
reporting suspicious transactions to the Financial Intelligence Unit;
cooperating with supervisory authorities and law enforcement agencies.

The business units must be responsible for identifying and managing money laundering and terrorist financing risks in their respective areas. They must implement the anti-money laundering policy and procedures and report suspicious transactions to the anti-money laundering function.

The compliance and risk management functions must provide oversight and challenge to the business units. They must monitor compliance with the anti-money laundering policy and procedures and report any deficiencies to senior management and the board of directors.

The internal audit function must provide independent assurance to the board of directors and senior management on the effectiveness of the governance, risk management and control processes. The internal audit function must review the anti-money laundering framework and report any deficiencies to senior management and the board of directors.

The organizational setups must be documented and communicated to all employees. The documentation must include the anti-money laundering policy, procedures, roles and responsibilities, and training materials.

The organizational setups must be reviewed regularly to ensure that they remain effective and appropriate. The review must be conducted by the internal audit function or an independent third party.

The organizational setups must be adapted to the specific risks of the institution. The institution must conduct a risk assessment to identify its money laundering and terrorist financing risks. The risk assessment must take into account the nature, size, complexity, and risk profile of the institution.

The organizational setups must be proportionate to the risks of the institution. The institution must ensure that the organizational setups are appropriate to the level of risk. The institution must not adopt organizational setups that are more complex than necessary.

The organizational setups must be effective. The institution must ensure that the organizational setups are implemented effectively and that they achieve their intended objectives. The institution must monitor the effectiveness of the organizational setups and take corrective action if necessary.

The organizational setups must be coherent. The institution must ensure that the organizational setups are coherent with the overall governance structure and risk management framework of the institution. The institution must ensure that the organizational setups are coherent with the regulatory requirements.

The organizational setups must be transparent. The institution must ensure that the organizational setups are transparent and that all employees understand their roles and responsibilities. The institution must communicate the organizational setups to all employees and provide training on their obligations.

The organizational setups must be flexible. The institution must ensure that the organizational setups are flexible and can be adapted to changes in the regulatory environment and the risk profile of the institution. The institution must review the organizational setups regularly and update them as necessary.

The organizational setups must be sustainable. The institution must ensure that the organizational setups are sustainable and that the institution has the resources to maintain them. The institution must allocate sufficient resources to the anti-money laundering function and ensure that it has the necessary authority and expertise.

The organizational setups must be integrated. The institution must ensure that the organizational setups are integrated with the overall business strategy and risk management framework of the institution. The institution must ensure that the anti-money laundering function is integrated with the other risk management functions.

The organizational setups must be documented. The institution must document the organizational setups and communicate them to all employees. The documentation must include the anti-money laundering policy, procedures, roles and responsibilities, and training materials.

The organizational setups must be reviewed. The institution must review the organizational setups regularly to ensure that they remain effective and appropriate. The review must be conducted by the internal audit function or an independent third party.

The organizational setups must be adapted. The institution must adapt the organizational setups to the specific risks of the institution. The institution must conduct a risk assessment to identify its money laundering and terrorist financing risks. The risk assessment must take into account the nature, size, complexity, and risk profile of the institution.

The organizational setups must be proportionate. The institution must ensure that the organizational setups are proportionate to the risks of the institution. The institution must ensure that the organizational setups are appropriate to the level of risk. The institution must not adopt organizational setups that are more complex than necessary.