GUIDELINES FOR THE FIGHT AGAINST
MONEY LAUNDERING AND TERRORIST
FINANCING AND FOR THE HANDLING OF
EMBARGOES
Legislation concerning sensitive areas pursuant to Italian Legislative Decree no. 231/01
Risk area: Offences against the Public Administration
Protocols: Management of relations with the Supervisory Authorities
Risk area: Crimes with the purpose of terrorism or subversion of the democratic order,
organised crime, transnational crimes and crimes against the person
Risk area: Handling stolen goods, money laundering, handling of illegally gained assets or
cash, and self-money laundering
Protocols: Financial fight against terrorism and money laundering
Risk area: Computer crimes
Protocols: Management and use of the Group’s computer systems and Information Assets
Issuer:
Managing Director
Target:
Intesa Sanpaolo Group
Path:
Foreign Network - Headquarter Governance Documents – Governance Documents – Guidelines
February 2016
This document is the property of Intesa Sanpaolo S.p.A.
Unauthorised reproduction of part or all of this document in any form outside the is prohibited.
This document has been published in two versions, one in Italian and the other in English.
In the event of a discrepancy, the version in Italian shall prevail.
1
1.1
INTRODUCTION....................................................................................................... 3
Law and regulations for preventing and combating money laundering and terrorist
financing.................................................................................................................... 3
1.2
The regulatory framework for the handling of embargoes ......................................... 6
2
OBJECTIVES, DEFINITIONS AND GUIDING PRINCIPLES ................................... 9
2.1
Objectives ................................................................................................................. 9
2.2
Definitions ................................................................................................................. 9
2.2.1 The risk of money laundering and terrorist financing ........................................... 9
2.3
Guiding principles.................................................................................................... 10
3
ROLES AND RESPONSIBILITIES ......................................................................... 11
3.1
Corporate Bodies .................................................................................................... 11
3.1.1 Supervisory Board ............................................................................................. 12
3.1.2 Control Committee and Supervisory Body pursuant to the Italian Legislative
Decree no. 231/2001 .................................................................................................. 13
3.1.3 Management Board ........................................................................................... 14
3.1.4 Managing Director and CEO .............................................................................. 15
3.2
Intesa Sanpaolo Group’s committees ..................................................................... 15
3.2.1 Internal Control Coordination and Operational Risk Committee ........................ 15
3.3
Parent Company Structures .................................................................................... 16
3.3.1 Chief Compliance Officer ................................................................................... 16
3.3.2 Anti-Money Laundering Department .................................................................. 16
3.3.2.1 Head of the Anti-Money Laundering Function ......................................... 20
3.3.2.2 AML Reporting Officer ............................................................................. 20
3.3.3 Compliance Retail and Corporate Banking Department .................................. 21
3.3.4 Compliance Governance and Controls Department .......................................... 22
3.3.5 Coordination of Compliance Initiatives .............................................................. 22
3.3.6 Internal Auditing Department ............................................................................. 22
3.3.7 Human Resources Department ......................................................................... 23
3.3.8 Banca dei Territori Division ................................................................................ 23
3.3.9 Corporate and Investment Banking Division ...................................................... 23
3.3.10
Network Units.............................................................................................. 24
3.4
Intesa Sanpaolo Group Services............................................................................. 25
3.4.1 Legal Affairs Department – Group General Counsel ......................................... 25
3.4.2 Staff and Organization Department ................................................................... 26
3.4.3 Operations Department ..................................................................................... 26
3.4.4 ICT Systems Department .................................................................................. 27
4
MACRO PROCESSES FOR COMBATING OF MONEY LAUNDERING AND
TERRORIST FINANCING ................................................................................................. 28
4.1
Customer due diligence .......................................................................................... 28
4.2
Processes connected with records keeping and retention obligations .................... 29
4.3
Control processes ................................................................................................... 29
4.4
Transaction monitoring............................................................................................ 29
4.5
Reporting, training and information management across the Group ....................... 30
4.6
Cross and supporting processes ............................................................................. 31
5
GROUP GOVERNANCE ........................................................................................ 33
5.1
General principles ................................................................................................... 33
5.2
The centralised management model ....................................................................... 33
5.3
The direction, coordination and control model ........................................................ 35
6
ANNEXES ............................................................................................................... 38
6.1
Legend of acronyms................................................................................................ 38
6.2
List of network units ................................................................................................ 38
2
1 INTRODUCTION
1.1
Law and regulations for preventing and combating money
laundering and terrorist financing
Over recent years there has been a significant move towards international harmonisation of the
framework rules governing the prevention and combating of money laundering and terrorist
financing, a process which proves essential in today’s increasingly open and competitive market.
At Community level, the main legislative framework governing the prevention and combating of
money laundering and terrorist financing consists of:
•
•
Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015, on the
prevention of the use of the financial system for the purposes of money laundering or terrorist
financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the
Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council
and Commission Directive 2006/70/EC. The Directive came into force on 27 June 2015 (Fourth
Anti-Money Laundering Directive);
Regulation (EU) 2015/847 of the European Parliament and of the Council of 20 May 2015 on
information accompanying transfers of funds and repealing Regulation (EC) No 1781/2006 .
At national level the main legislative framework consists of:
•
•
•
Italian Legislative Decree no. 109 of 22 June 2007 and subsequent amendments and
integrations, containing measures to prevent, combat and repress international terrorist
financing, which has allowed greater systemisation of the intermediaries’ obligations to provide
notification of frozen assets and resources and to report suspicious activity;
Italian Legislative Decree no. 231 of 21 November 2007 and subsequent amendments and
integrations, containing implementation of Directive 2005/60/EC, which revised the entire
legislative framework for prevention of money laundering and assigned the Bank of Italy
regulatory and control powers and powers to impose penalties on supervised persons.
Specifically, the Bank of Italy is required to issue instructions on customer due diligence,
registration of related data and organisation, procedures and internal controls directed at
fulfilling anti-money laundering obligations;
Italian Law no. 186 of 15 December 2015, containing provisions on “voluntary disclosure” and
increasing the fight against tax evasion, and provisions on self-money laundering.
In carrying out the powers granted to it, the Bank of Italy has issued:
o provisions containing operating instructions for performing enhanced controls against
financing programmes for the proliferation of weapons of mass destruction1;
o the provisions containing anomaly indicators for intermediaries to facilitate identification of
suspicious activities2;
o the Implementing Rules for organisation, procedures and internal controls concerning antimoney laundering, which came into effect on 1 September 20113;
o the Implementing Rules for customer due diligence, which came into effect on 1 January
20144
1
Bank of Italy Order adopted with resolution no. 357 of 27 May 2009.
Bank of Italy Order adopted with resolution no. 616 of 24 August 2010.
3
Bank of Italy Order of 10 March 2011 containing implementing rules for organisation, procedures and
internal controls directed at preventing the use of intermediaries and other persons/entities performing
financial activity for money laundering and terrorist financing purposes, pursuant to Article 7, paragraph 2, of
Italian Legislative Decree no. 231 of 21 November 2007.
2
3
o the Implementing rules for keeping the Single Electronic Archive (AUI Archivio Unico
Informatico) and for the simplified registration procedures, which is scheduled to come into
effect on January 20145.
The main requirements of this legislative framework concern:
• customer due diligence obligations, with indication of “when” (e.g. establishment of a business
relationship, execution of an occasional transaction for an amount above the thresholds
established by the law, etc.) and of “how” (e.g. procedures for identifying the customer, the
beneficial owner6, the purpose and intended nature of the business relationship, etc.) to fulfil
these obligations;
• risk-based approach, according to which customer due diligence obligations are divided into
different levels of due diligence proportionate to the customer’s risk profile (e.g. simplified
customer due diligence for Financial Institutions and Public Administration and enhanced
customer due diligence for customers who are not physically present when the relationship is
being established, politically exposed persons – foreign PEP7 and high risk national PEP8 –
credit and financial institutions of not equivalent third Countries9, customers with a high money
laundering risk profile, etc.);
• obligation to refrain from establishing a business relationship, executing an occasional
transaction or maintaining an existing business relationship if it is not possible to correctly fulfil
the customer due diligence obligations or if there is a suspicion of money laundering or terrorist
financing10;
• obligation to record the transactions and operations executed by customers in the AUI;
• obligation to report suspicious activities;
• limitations established for the use of cash and bearer instruments (other than bank and postal
checks, banker’s drafts, postal orders and promissory notes, etc.);
4
Bank of Italy Order of 3 April 2013 containing implementing rules for customer due diligence, pursuant to
Article 7, paragraph 2, of Italian Legislative Decree no. 231 of 21 November 2007.
5
Bank of Italy Order of 3 April 2013 containing implementing rules for keeping the Single Electronic Archive
and for the simplified registration procedures referred to in Article 37, paragraphs 7 and 8, of Italian
Legislative Decree no. 231 of 21 November 2007, which repeals the previous Bank of Italy Provisions
adopted by resolution no. 895 of 23 December 2009.
6
For the definition of Beneficial Owner see Article 1, paragraph 2 letter u) of Italian Legislative Decree no.
231/2007 and Article 2 of the Technical Annex to Italian Legislative Decree no. 231/2007, as well as the
Enacting Provision in force at the time on customer due diligence that define, as ”beneficial owner”: (i) the
natural person (s) on whose behalf the customer makes a transaction (“beneficial owner sub 1”); (ii) if the
customer and/or the subject on whose behalf the customer makes a transaction are not natural person(s),
the natural person(s) who, in the final analysis, owns or controls the entity or in other words they are the
beneficiaries according to the criteria set out in the Technical Annex to the AML decree (“beneficial owner
sub 2”).
7
The acronym PEP stands for Politically Exposed Person. For the definition of PEP see Article 1, paragraph
2 letter o) of Italian Legislative Decree no. 231/2007 and Article 1 of the Technical Annex to Italian
Legislative Decree no. 231/2007, as well as the Supervisory Instructions in force at the time on customer due
diligence.
8
Person resident in the Country who are or who have been entrusted with prominent public position
according to the criteria set out in the Technical Annex to Legislative Decree 231/2007.
9
The enhanced measures are prescribed in cases of cross-frontier correspondent banking current,
accounts, of payable-through accounts and similar accounts. For not equivalent third Country we mean a noEU country which is not included in the list of third Countries with an anti-money laundering regulation
equivalent to the EU, as enacted by MEF decree.
10
With reference to the application and operational procedures relating to the abstention obligation, as
prescribed by art. 23 of Italian Legislative Decree no. 231/2007 modified by Italian Legislative Decree no.
169/2012, please refer to the circular issued by the MEF on 30 July 2013 and to the FIU Provisions of 6
August 2013.
4
•
•
•
monitoring of all the transactions executed with countries that threaten international peace and
security (countries included in the Sanction Lists11);
adoption of adequate staff training measures to guarantee correct assimilation and application
of legislative provisions;
extension to the Control Bodies and to the Supervisory Body pursuant to Italian Legislative
Decree no. 231/2001 of the obligation to report any infractions of which they become aware in
performing their duties.
For the purposes of correct fulfilment of the aforesaid obligations and efficient governance of
money laundering and terrorist financing risks, the legislative framework also requires clear
identification of organisational functions, resources and procedures that are consistent and
proportionate to the type of activity performed, the size, organisational complexity and operating
characteristics of the addressees.
In this regard, specific provision is made for the setting up of a special Function in charge of
preventing and combating the execution of money laundering and terrorist financing transactions
(Anti-Money Laundering Function) and for appointment of its Head (Head of the Anti-Money
Laundering Function). It is also necessary to formally assign responsibility for suspicious activity
reporting.
The following measures must be implemented according to the aforementioned principle of
proportionality:
• clear definition, at the various levels, of roles, duties and responsibilities, and drawing up of
procedures to guarantee observance of customer due diligence and suspicious activity
reporting obligations as well as obligations to preserve documentation and records of business
relationships and transactions;
• a control functions structure of which the components are coordinated even also through
suitable reporting flows and which is also consistent with the structure, complexity and size of
the company, the type of services and products offered as well as the level of risk associated
with the customers’ characteristics;
• control activity to monitor compliance by personnel and collaborators with internal processes
and with all the legislative obligations, with specific regard to active collaboration and ongoing
analysis of customers’ operating activity;
• heightening awareness of subordinate personnel and external collaborators.
Lastly where a Group is concerned, legislation requires effective guarantee of the necessary
requirements of coordinated oversight measures for preventing and combating money laundering
and terrorist financing. Bearing this in mind and also considering that the Intesa Sanpaolo Group is
present in non-EU states, these Guidelines shall not only comply with community and national
legislation, but also with the non-EU legislations with which suitable links can be made, without
prejudice to observance of the obligations established by the legal system of the host country.
Hence the procedures in force at International Branches and Subsidiaries must be in line with
Group standards and must ensure that information is shared at consolidated level.
The checks that the Bank of Italy is required to carry out on supervised companies as part of its
“supervisory review and evaluation process” (SREP) include the adequacy of oversight measures
adopted by each entity with regard to anti-money laundering.
11
In order to prevent potential threats from arising, the Governments and International Organisations draw
up specific lists – Sanction Lists – of certain countries, persons and entities whose activities are subject to
control and monitoring by Financial Institutions. These lists are defined and updated by Institutions such as
the United Nations Organisation (UNO), the European Union (EU), the Central Banks and, for the United
States, the Office of Foreign Assets Control (OFAC).
5
1.2
The regulatory framework for the handling of embargoes
The United Nations Charter grants the U.N. Security Council the power to make binding decisions
for all United Nations Member States regarding restrictive measures aimed at keeping or restoring
international peace and security.
Accordingly, the European Community adopts restrictive measures and embargoes within the
framework of joint action taken by virtue of the provisions of Article 11 of the European Union
Treaty on common foreign and security policy (CFSP) with the aim of:
safeguarding the common values, fundamental interests, independence and integrity of the
European Union in conformity with the principles of the United Nations Charter;
• strengthening the security of the European Union in all ways;
• preserving peace and strengthening international security;
• promoting international cooperation;
• developing and consolidating democracy, observance of law, and respect for human rights and
fundamental freedoms.
Article 301 of the Treaty establishing the European Community provides for, among the general
and final provisions, the possibility of a common position or joint action to interrupt or to reduce, in
part or completely, economic relations with one or more third party countries, assigning the
Commission the task of ensuring relations with the competent organs of the United Nations.
•
This structured context has formed the basis for community legislation on embargoes and in
general on the restrictions at issue, which is also directed at overseeing the risk of terrorism
financing.
At community level the main legislative framework consists of:
•
•
•
•
Regulation 2580/2001/EC of the Council of 27 December 2001, which establishes an obligation
to freeze capital and a ban on the provision of financial services to certain natural persons,
legal persons, groups or entities that commit, or attempt to commit, any act of terrorism and
legal persons, groups or entities controlled by the foregoing;
Regulation 881/2002/EC of the Council of 27 May 2002, which imposes specific restrictive
measures on certain persons and entities associated with Osama bin Laden, the Al-Qaida
network and the Taliban, and forbids providing them with military assistance;
Regulation 753/2011/EC of the Council of 1 August 2011, concerning additional restrictive
measures against certain individuals, groups, companies and entities in view of the situation in
Afghanistan, also considering the decisions of the "Sanctions Committee" and "1267
Committee" established by the Security Council of the United Nations12;
Regulation 428/2009/EC of the Council of 5 May 2009, on setting up a Community regime for
the control of exports, transfer, brokering and transit of dual-use items (recast of the original
Council Regulation 1334/2000/EC of 22 June 2000 as amended by Regulation 1382/2014 of
22 October 2014).
There are also other European Community sources deriving from the current international
framework that establish a particular regime prohibiting investments in certain industrial sectors or
exporting to the countries referred to in the company regulation as “Group A Countries”.
12
The Sanction Committee has been set up at the United Nations Security Council (UNSC). It was
established according to paragraph 30 of Resolution 1988 (2011) of the UNSC, while the Committee 1267
was set up at the UNSC, according to Resolution 1267 (1999) and 1333 (2000) of the United Nations
Security Council.
6
In addition to the provisions of directly applicable Regulations, at national level the main legislative
framework consists of:
•
•
•
Italian Law no. 185 of 9 July 1990 (as amended by Italian Legislative Decree no. 105 of 22
June 2012, issued in implementation of Directive 2009/43/EC on “New rules on control of
export, import and transit of arms”), which currently represents the basic legislation in the
sector of transfers of strategic assets classified as arms;
Italian Legislative Decree no. 96 of 9 April 2003 which integrates the rules governing the dualuse technologies, establishing (Article 16), criminal penalties for those who carry out
exportation of dual-use items in breach of prevailing laws;
Italian Legislative Decree no. 64 of 14 May 2009, Rules for penalties for breach of the
provisions of Regulation 423/2007/EC (now replaced by Regulation 267/2012/EC), concerning
restrictive measures against Iran.
This legislative framework establishes restrictive and sanctioning measures against governments
of third party countries, as well as non-state entities and natural persons or legal entities and
specifically:
•
•
•
•
•
arms embargoes13;
other specific or general commercial restrictions (ban on export and import);
financial restrictions (freezing of goods and resources, bans concerning financial transactions,
restrictions on export credits or investments);
admission restrictions (ban on visas or travelling);
criminal penalties for those financing terrorist or subversive associations and for those
exporting dual-use items in breach of administrative regulations governing dual-use.
By introducing obligations and related penalties sanctions for parties (natural persons or legal
entities, government or non-government entities) with which the Bank may directly or indirectly
establish a business relationship, based on lending operations, this legislation requires that, with
regard to oversight of the risk of money laundering and terrorist financing and related risks,
measures must be provided to guarantee:
•
•
operational controls on financial transactions related to imports or exports carried out by
customer companies14;
traceability of controls on transactions carried out from/towards countries, natural persons and
legal entities subject to restrictions.
Considering that the Group is also present in non-EU states, these Guidelines shall not only
comply with community legislation and national legislation, but also with the non-EU legislations
with which suitable links may be made, without prejudice to observance of the obligations
established by the legal system of the host country.
In this regard, where necessary, the Intesa Sanpaolo Group applies financial restrictions
established by the external legislative framework (e.g. freezing of assets and resources, bans on
specific financial transactions, bans on documentary transactions linked to the export of dual-use
and/or hazardous goods) and is also subject to embargo provisions issued by the OFAC, whose
duty it is to administer and enforce economic and commercial sanctions issued by the United
13
In Internal Regulation no. 31/2015 of 3 July 2015, the Bank issued the “Rules on granting credit and
operations in the arms sector”.
14
The internal rules of the Parent Company Intesa Sanpaolo, of the Banks and of all the branches and
subsidiaries of Intesa Sanpaolo establish how to identify and isolate incoming and outgoing payments in
every currency, originating from or addressed to parties (natural persons and legal entities, countries)
included in the Sanction Lists of the Intesa Sanpaolo Group.
7
States of America against foreign countries, terrorists, drug dealers and all those suspected of
being involved in the trade, production and use of weapons of mass destruction.
Specifically, mainly as a result of the presence in US territory of the New York Branch, in signing
the “US PATRIOT Act Certification” (Uniting and Strengthening America by Providing Appropriate
Tools Required to Intercept and Obstruct Terrorism), the Parent Company Intesa Sanpaolo is
obliged, like all banks operating with US counterparties to submit to US legislation all
commercial/financial activities carried out in the United States, inclusive of payment orders in
dollars and transnational activities in the broad sense, for our own account and/or for third parties.
The activities which the Bank undertakes for its own account and/or on behalf of its customers with
regard to parties subject to US legislation (e.g. US banks, international branches of US banks and
US Subjects15 in general) also fall under the scope of the aforesaid legislation.
15
Customers of the bank that qualify as “U.S. subjects” according to the criteria specified below are not only
subject to Italian law, but also fully subject, as the applicable jurisdiction, to U.S. law regarding embargoes
and commercial sanctions. Accordingly, such customers are prohibited from undertaking transactions in any
currency with parties (Countries or natural legal persons) placed under sanctions and embargoes by the U.S.
authorities. The criteria that identify a counterparty as a “U.S. subject” are the following:
• a natural person who is a U.S. citizen or permanent resident of the U.S., regardless of that person’s
location;
• a natural person residing in the U.S.;
• a legal entity incorporated under the laws of the U.S. or any U.S. state, territory, possession or district,
regardless of that entity’s location;
• a legal person or entity, regardless of that person’s or entity’s location, owned or controlled by the
foregoing parties to an extent of 25% or more of capital.
8
2 OBJECTIVES, DEFINITIONS AND GUIDING PRINCIPLES
2.1
Objectives
These Guidelines identify the reference principles and define responsibilities, duties and main
processes for Intesa Sanpaolo S.p.A. and the Companies of the Group (and, specifically those who
must fulfil the legislative obligations in question) for managing the risk of money laundering,
combating terrorist financing and handling of embargoes.
2.2
Definitions
Pursuant to Italian Legislative Decree no. 231/2007 the following actions, if performed intentionally
shall constitute “money laundering”:
•
•
•
•
The conversion or transfer of property, carried out knowing that it constitutes the proceeds of
criminal activity or of participation therein with the aim of hiding or dissimulating the illicit origin
of the property or of helping any individual involved in such activity to avoid the legal
consequences of his or her actions. The use or concealing of criminal proceeds by persons
who committed the crime which generated said proceeds (known as “self-money laundering”)
also constitutes money laundering pursuant to Italian Legislative Decree no. 231/2007;
hiding or dissimulating the real nature, origin, location, arrangement, transfer or ownership of
property or rights thereto, carried out knowing that they it constitutes the proceeds of criminal
activity or of participation therein;
the acquisition, detention or use of property, knowing at the time of receiving it that it
constitutes the proceeds of criminal activity or of participation therein;
participation in one of the actions referred to in the preceding subparagraphs, association with
others to perform such actions, attempts to perform them, the act of helping, instigating or
advising someone to perform them or the fact of facilitating their performance.
Pursuant to Italian Legislative Decree no. 109/2007 "terrorist financing" means any activity
directed, by any means, at collecting, providing, intermediating, depositing, keeping safe or
disbursing funds or economic resources, generated in any way, destined to be fully or partially
used to carry out one or more offences for the purpose of terrorism or in any case directed at
facilitating the carrying out of one or more offences for the purpose of terrorism prescribed by the
Italian Criminal Code, regardless of whether the funds and economic resources are actually used
for committing the aforesaid offences.
“Embargo” is generally defined as the ban on commerce and trade with countries subject to
sanctions, in order to isolate and put their governments in a difficult position with regard to their
domestic policy and economy. In these Guidelines “embargo management” means the activities for
implementing the controls and measures illustrated in the paragraph describing the governing
legislation.
2.2.1 The risk of money laundering and terrorist financing
Efficient and adequate corporate oversight measures and procedures allow the Intesa Sanpaolo
Group to mitigate exposure to the risk of money laundering and terrorist financing, defined as
the risk that an activity or a transaction may actually be associated with cases of money laundering
or terrorism financing.
It is also important to contain the risk of money laundering and terrorist financing in order to ensure
compliance with prudential regulations requiring intermediaries to deal with all the risks to which
9
they are exposed by means of a suitable organisation structure and adequate capital. In risk
classification, the risk of money laundering and terrorist financing is generally considered as giving
rise to legal and reputational risk, even though losses on loans or on financial instruments due to
unwitting financing of criminal activities cannot be excluded. Legal risk is included under
operational risks and as such contributes to determination of the capital requirements provided by
the so-called first pillar. Reputational risk is instead considered within the scope of the so-called
second pillar and contributes to estimation of the degree of adequacy of the intermediary’s total
capital.
2.3
Guiding principles
The Intesa Sanpaolo Group governance model for the fight against money laundering and terrorist
financing is based on the value of integrity – pursuing its objectives with honesty, fairness and
responsibility, in full and substantial compliance with rules, with the Group’s Code of Ethics and
with the spirit of applicable legislation – as well as on a number of guiding principles directed at
defining a systematic and functional reference framework.
These Guidelines aim to ensure active collaboration by the Intesa Sanpaolo Group in preventing
the phenomena in question. For the purposes of their implementation, the Group adopts suitable
and appropriate processes and procedures with regard to obligations relating to customer due
diligence, suspicious activity reporting, record keeping and retention, internal controls, risk
assessment and risk management, guaranteeing observance and disclosure of applicable
regulations, to prevent and obstruct operations related to money laundering and terrorist financing.
The Intesa Sanpaolo Group intends to fulfil the obligations established by applicable laws having
regard to the information held or acquired when carrying out its institutional and professional
activity.
The Intesa Sanpaolo Group shall endeavour to ensure that:
•
•
•
the processes and procedures adopted comply with provisions and guarantees established by
legislation governing confidentiality of reporting and information concerning suspicious activity,
protection of personal data (privacy) and banking secrecy;
the measures taken are proportional to the characteristics and complexity of the activity
performed and to the legal form, size and organisational structure of the various Group entities;
in compliance with the principle of the risk-based approach, the measures taken are objectively
proportional to the risk of money laundering or terrorist financing related to the type of
customer, business relationship and the geographical area concerned.
10
3 ROLES AND RESPONSIBILITIES
With regard to the Parent Company only, oversight of the processes for the fight against money
laundering and terrorist financing and the handling of embargoes involve the following bodies and
structures which liaise together with different roles and responsibilities.
•
Corporate Bodies
• Supervisory Board
• Control Committee and Surveillance Body pursuant to the Italian Legislative Decree no.
231/2001
• Management Board
• Managing Director and CEO
•
Intesa Sanpaolo Group’s Committees
• Internal Control Coordination and Operational Risk Committee
•
Parent Company Structures
• Chief Compliance Officer
• Anti-Money Laundering Head Office Department
• Head of the Anti-Money Laundering Function
• AML Reporting Officer
• Internal Auditing Head Office Department
• Human Resources Head Office Department
• Banca dei Territori Division
• Corporate and Investment Banking Division
• Network Units16
•
Intesa Sanpaolo Group Services
• Legal Affairs Head Office Department – Group General Counsel
• Human Resources and Organization Head Office Department
• Operations Head Office Department
• ICT Head Office Department
A detailed description of the responsibilities assigned to the above corporate bodies is provided
below.
3.1
Corporate Bodies
The duties and responsibilities regarding mitigation of the risk of involvement of the Bank and the
Group in money laundering or terrorist financing are entrusted to the Corporate Bodies in
accordance with the provisions of Bank of Italy Order of 10 March 2011 containing appropriate
implementing rules concerning organisation, procedures and internal controls.
Specifically, the Corporate Bodies of Intesa Sanpaolo are obliged, each within their own area of
expertise and responsibility, to:
• define corporate policies that are consistent with anti-money laundering rules and principles;
• adopt policy lines that can ensure corporate integrity is maintained;
16
The “Network Units” include the business units that carry out transactions, those where customer accounts
are held and those responsible for managing customer relations (for their descriptions see Paragraph 6.2 –
Operating Structures List).
11
•
•
implement organisational and operating measures directed at avoiding the risk of involvement
in episodes of money laundering and terrorist financing;
carry out controls on compliance with legislation on adequate risk oversight.
In order to implement a money laundering and terrorist financing risk management policy, the
strategic decisions at Group level concerning risk management are entrusted to the Parent
Company’s Corporate Bodies. Hence in carrying out their functions they not only consider the
actual corporate situation of the Parent Company, but also assess the Group’s overall operating
activity and the risks to which it is exposed.
3.1.1 Supervisory Board
The powers of this Body are set out in the Articles of Association. In its capacity as Strategic
Supervision Body and with the support of the Control Committee, the Supervisory Board performs
the following functions:
• upon proposal by the Management Board, approves the strategic guidelines and risk
management policies associated with money laundering and terrorist financing. It specifically
approves the Guidelines for the fight against money laundering and terrorist financing and the
handling of embargoes, and reviews them regularly to ensure they continue to be effective;
• upon proposal by the Management Board, approves an organic and coordinated internal
control system, functional to prompt detection and management of the risk of money laundering
and terrorist financing and reviews it regularly to ensure it continues to be effective;
• continually ensures that anti-money laundering and terrorist financing responsibilities are
allocated in a clear and appropriate manner, guaranteeing separation of operating and control
functions and that these functions are provided with adequate resources in terms of both
quality and quantity. It also ensures the setting up of an adequate, complete and timely system
of information flows to and within the Corporate Bodies and that shortcomings and anomalies
found after controls on various levels are promptly brought to its attention, without prejudice to
the need to guarantee protection of the confidentiality of persons involved in suspicious activity
reporting;
• examines, every six months, the report of the Head of the Anti-Money Laundering Function on
inspection activities performed, actions taken, malfunctions found and corrective measures to
be taken as well as on personnel training activity;
• examines, every three months, the report of the Internal Auditing Department on the activity
performed;
• examines issues regarding anti-money laundering, combating terrorist financing and handling
of embargoes considered to be particularly relevant and submitted to its attention without delay
by the Anti-Money Laundering Function on the basis of the level of risk associated.
In its capacity as Control Body and with the support of the Control Committee, the Supervisory
Board:
• monitors observance of legislation and completeness, functionality and adequacy of the antimoney laundering controls, assisted by the internal structures in performing the necessary
inspections and investigations and using the information flows from the other Corporate
Bodies, the Head of the Anti-Money Laundering Function and the other internal control
functions;
In this regard it:
• closely assesses the suitability of existing procedures for customer due diligence, records
keeping and retention and suspicious activity reporting;
• urges in-depth investigation of the reasons behind the shortcomings, anomalies or
irregularities found and furthers adoption of appropriate corrective measures;
• expresses its opinion on the appointment, revocation and remuneration of the Head of the AntiMoney Laundering Function;
• is consulted with regard to definition of the elements forming the overall structure of the money
laundering and terrorist financing risk management and control system;
12
•
•
forwards the reports referred to in Article 52, paragraph 2, letters a), c) and d) of Italian
Legislative Decree no. 231/2007, with regard to all the facts or actions of which it acquires
knowledge independently in performance of its duties, or on the basis of information flows
received from the other Corporate Bodies, from the Head of the Anti-Money Laundering
Function and from the other internal control functions.
The aforesaid reports are signed by the Chairman of the Supervisory Board or by another
member specially delegated by the Board and forwarded to the competent authorities.
If possible, these reports are made jointly with the Supervisory Body pursuant to Italian
Legislative Decree 231/2001. If they are not made jointly, the Supervisory Board shall be
briefed by the Supervisory Body in the next meeting and shall take note of the reports
forwarded directly by said Body to the competent authorities;
forwards to the AML Reporting Officer, and for its information, to the Head of the Anti-Money
Laundering Function the reports referred to in Article 52, paragraph 2, letter b) of Italian
Legislative Decree no. 231/2007 for the infractions in suspicious activity reporting referred to in
Article 41 of Italian Legislative Decree no. 231/2007, detected independently in performance of
its duties.
3.1.2 Control Committee – Supervisory Body pursuant to Italian Legislative
Decree no. 231/2001
The functions of the Control Committee are set forth in the Articles of Association and in the
Regulations governing its functioning. With specific regard to oversight of the money laundering
and terrorist financing risk, it is the Control Committee’s duty to submit proposals, provide advice
and carry out investigations, within the scope of the Supervisory Board’s competences, with the
aim of facilitating exercise of its functions. Hence all the matters indicated in paragraph 3.1.1
submitted to the examination and/or approval of the Supervisory Board, with the exception of
opinions on remuneration, are first submitted to examination by the Control Committee.
Furthermore, the Control Committee, assisted by the appropriate corporate structures, may
proceed at any time to carry out inspections and controls.
The Organisational, Management and Control Model adopted by the Bank pursuant to Italian
Legislative Decree no. 231 dated 8 June 2001, assigns the functions of the Supervisory Body to
the Control Committee.
With regard to combating of money laundering and terrorist financing, the Supervisory Body
performs the functions indicated in the aforesaid Organisational, Management and Control Model.
Specifically, the Supervisory Body:
• contributes to the groundwork for defining the Organisational, Management and Control Model
pursuant to Italian Legislative Decree no. 231/2001 and ensures ongoing monitoring of
observance of the processes set forth therein. If a possible offence is committed, it analyses
the causes in order to identify the most suitable corrective measures. To perform this activity,
the Supervisory Body receives information flows from the various corporate functions and has
unlimited access to all the information that is relevant to fulfilment of its duties;
• pursuant to Article 52, paragraph 1, of Italian Legislative Decree no. 231/2007, the Supervisory
Body monitors the observance of the rules contained in said decree, within the scope of its
authorities and competences;
• provides for forwarding, if possible jointly with the Supervisory Board, the reports referred to in
Article 52, paragraph 2, letters a), c) and d) of Italian Legislative Decree no. 231/2007, of
infractions found with regard to all the facts or actions of which it acquires knowledge
independently in performance of its duties, or on the basis of information flows received from
the other Corporate Bodies, from the Head of the Anti-Money Laundering Function and from
the other internal control functions. If it makes these reports independently, the Supervisory
Body is obliged to inform the Supervisory Board at the next meeting;
• takes note, through the briefing provided in the next meeting, of the reports forwarded directly
by Supervisory Board, pursuant to Article 52, of Italian Legislative Decree no. 231/2007, to the
Supervisory Authority or to the Ministry of Economics and Finance (MEF);
13
•
forwards to the AML Reporting Officer and, for its information, to the Head of the Anti-Money
Laundering Function the reports referred to in Article 52, paragraph 2, letter b) of Italian
Legislative Decree no. 231/2007 for the infractions detected independently in performance of
its duties.
3.1.3 Management Board
The functions of this Body are set forth in the Articles of Association and in the Regulations
governing its functioning. Assisted by the corporate units, the Management Board performs the
following functions:
• on the basis of proposals of the Anti-Money Laundering Function, defines the Guidelines for
anti-money laundering, combating terrorist financing and the handling of embargoes, and
appropriate updates, which it submits to approval of the Supervisory Board;
• assesses the organisational structure and the adequacy of the internal control system with
regard to pertinent obligations, submitting them to review if necessary;
• is responsible for setting up and updating the internal procedures and responsibilities of the
corporate units in order to avoid unwitting involvement in episodes of money laundering and
terrorist financing, taking into account the indications and guidelines issued by the competent
authorities and the various international bodies as well as changes in the legislative framework;
• ensures that the internal processes and procedures allow for:
• correct identification of the customer’s personal details, acquisition and constant update of
all the information required for due diligence;
• fulfilment of the obligations of preserving documents and recording information in the AUI;
• clear references, homogeneous conduct, generalised application to the entire structure of
the processes and procedures established for suspicious activity reporting and maintaining
of maximum confidentiality as to the identity of the persons involved in reporting;
• adoption of tools, including computer tools, for detecting anomalous transactions;
• punctual fulfilment of the reporting obligations to the authorities;
• constant inspection of the activity carried out by employees and collaborators for the
purpose of detecting any anomalies;
• oversight of operating activity carried out through phone or electronic channels with the
adoption of specific computer procedures for compliance with anti-money laundering
regulations, with specific regard to automatic identification of anomalous transactions;
• appoints and revokes the Head of the Anti-Money Laundering Function, taking into account the
opinion expressed by the Supervisory Board;
• defines the information flows aimed at ensuring the Corporate Bodies and control functions
have full awareness and governability of obligations on the matter and related risk factors;
• examines the half-yearly report drawn up by the Anti-Money Laundering Function on inspection
activities performed, infractions found and related corrective measures to be taken, personnel
training activity, and reports forwarded pursuant to Article 52 of Italian Legislative Decree no.
231/2007, by the Supervisory Board and/or by the Supervisory Body. If said reports refer to
breaches considered relevant, information is also provided in the next meeting by the Head of
the Anti-Money Laundering Function;
• examines, every three months, the report of the Internal Auditing Department on the activity
performed;
• approves the training and development programmes for subordinate employees and
collaborators on the obligations arising from rules governing anti-money laundering and
international terrorist financing, with a view to guaranteeing instructive activity that is
continuous and systematic and that takes into account developments in legislation and in
procedures adopted to oversee the risk of money laundering and terrorist financing;
• examines issues regarding anti-money laundering, combating terrorist financing and handling
of embargoes considered to be particularly relevant and submitted to its attention without delay
by the Anti-Money Laundering Function on the basis of the degree of risk associated;
14
•
deliberates on decisions concerning anti-money laundering, combating terrorist financing and
handling of embargoes that are of strategic relevance and submits them to approval by the
Supervisory Board.
3.1.4 Managing Director and CEO
The functions of the Managing Director and CEO are set forth in the Articles of Association.
Assisted by the corporate units, the Managing Director and CEO performs the following functions:
• proposes to the Management Board the decisions of strategic relevance concerning antimoney laundering, combating terrorist financing and handling of embargoes, that will then be
submitted to the Supervisory Board;
• arranges for the necessary measures, to be taken in implementation of the Management
Board’s guidelines, to ensure that:
• a complete and timely system of information flows is set up to ensure that all the corporate
units involved and the Bodies entrusted with control functions pursuant to Article 52 of
Italian Legislative Decree no. 231/2007 are aware of the risk factors;
• measures to oversee organisation, management and control of obligations concerning antimoney laundering, combating terrorist financing and handling of embargoes have been
integrated into the decision-making processes and corporate operating activity;
• a culture of awareness of the matters of anti-money laundering, combating terrorist
financing and handling of embargo is spread within the company and the corporate units
are informed of the objectives pursued and the policies implemented with regard to such
matters, also by setting up efficient communication channels and training tools;
• the organisational anomalies and shortcomings in processes or procedures found by the
control functions are removed.
3.2
Intesa Sanpaolo Group’s committees
3.2.1 Internal Control Coordination and Operational Risk Committee
The functions of this Body are described in the “Intesa Sanpaolo Group Committee Regulations”
and in the “Integrated Internal Control System Regulation”. The head of the Anti-Money Laundering
Head Office Department participates in the Integrated Internal Control System Session and the
Operational Risk Session. With regard to monitoring the risks of money laundering and terrorist
financing, this Committee performs the following activities:
• approval by the Corporate Bodies, provision of opinions on adoption of Group Guidelines,
policies and procedures pertaining to oversight of anti-money laundering and terrorist financing
risks;
• decisions on issues regarding anti-money laundering, combating terrorist financing and
handling of embargoes considered to be particularly relevant (e.g. assessment of business
relationships or transactions for which a specific risk has been found) and reported without
delay by the Anti-Money Laundering Function on the basis of the associated level of risk;
• authorisation concerning acceptance or refusal of new customers and keeping of existing
customers following failed agreement between the Anti-Money Laundering Functions and the
Banca dei Territori Division or the Corporate and Investment Banking Division on assessment
of the anti-money laundering profile17;
17
The Internal Control Coordination and Operational Risk Committee is therefore responsible for granting
authorisations to open continuous business relationships, maintain existing relationships and open
transaction accounts, if there is a difference of opinion between the Anti-Money Laundering Function and the
Business Structures.
15
•
periodic examination of the measures to oversee organisation, management and control of
obligations concerning anti-money laundering, combating terrorist financing and handling of
embargoes with proposal of improvements and adjustments following anomalies found or
changes in applicable legislative requirements. For this purpose it receives from the Head of
the Anti-Money Laundering Function the half-yearly report on inspection activities performed,
actions taken, malfunctions found and corrective measures to be taken as well as on personnel
training activity.
3.3
Parent Company Structures
3.3.1 Chief Compliance Officer
The Chief Compliance Officer reports directly to the Managing Director and CEO and ensures
protection against the risk of non-compliance with Group-wide standards, both in terms of
operational risk and reputational risk, including the risk of sanctions, loss or damage resulting from
improper behaviour towards customers or that jeopardise the integrity and orderly functioning of
markets (“conduct risk”). The duties of the Chief Compliance Officer are described in the relevant
Organizational Code, in the "Intesa Sanpaolo Group Compliance Guidelines" and the "Integrated
Internal Control System Regulation".
The Chief Compliance Officer monitors risk related to the phenomena of money laundering and
terrorist financing through the Anti-Money Laundering Head Office Department, which acts as the
Anti-Money Laundering Function. The Compliance Retail and Corporate Banking Head Office
Department, the Compliance Governance and Controls Head Office Department and the
Coordination of Compliance Initiatives, which support the Anti-Money Laundering Head Office
Department in control, governance and reporting activities in the terms indicated in the relevant
functional charts all also report to the Chief Compliance Officer.
3.3.2 Anti-Money Laundering Head Office Department
The Anti-Money Laundering Function, which represents the structure that is specifically entrusted
with preventing and combating the implementation of money laundering and terrorism financing
transactions, is performed by the Anti-Money Laundering Head Office Department, which reports
directly to the Chief Compliance Officer.
Within the Anti-Money Laundering Function, the following roles are allocated:
• the role of Head of the Anti-Money Laundering Function to the Head of the Anti-Money
Laundering Head Office Department;
• the role of the AML Reporting Officer to the Head of the AML, Suspicious Reporting and
Authorizations Sub-Department of the Anti-Money Laundering Head Office Department.
Specifically, the Anti-Money Laundering Function:
• is a specialised second level control function;
• is independent from the network units, as it reports to the Chief Compliance Officer, and is
provided with resources that are adequate to its duties in terms of both quality and quantity,
including its economic resources, which may even be activated independently;
• must be provided with staff that is adequate in terms of numbers, technical and professional
skills and that is kept updated, including through inclusion in ongoing training programmes;
• reports directly to Top Management;
• has access to all corporate activities as well as to any information relevant to performance of its
duties.
16
When defining and assessing the measures for overseeing control and mitigation of the anti-money
laundering and terrorist financing risk, the Anti-Money Laundering Function also performs the
following activities:
• monitoring, with the assistance of the Legal Affairs Head Office Department – Group General
Counsel, developments in the national and international legislative framework, identification of
applicable rules and assessment of their impact on internal processes and procedures, with
consequent formulation of proposals for review of internal regulations and methods used,
including risk profiling algorithms. In this context, the Anti-Money Laundering Function draws
up and updates the Guidelines on anti-money laundering, combating terrorist financing and
handling of embargoes, and detailed operating rules, submitting them to the competent Bodies
and/or units and guarantees their availability and easy access by all staff;
• ongoing verification of the effectiveness of corporate processes and procedures, based on the
information flows received from the other control structures, and proposal, in collaboration with
the competent corporate functions, of organisational and procedural amendments proving
necessary or advisable in order to ensure adequate oversight of the money laundering and
terrorist financing risk;
• identification, in agreement with the competent corporate structures, of first and second level
controls directed at preventing and combating the risk of money laundering and terrorist
financing, and of the control objectives to be assigned respectively to the competent
organizational units of the Banca dei Territori Division and to the competent structures of the
Corporate and Investment Banking Division. On the basis of developments in the reference
context and in consideration of the outcome of control activities, the Anti-Money Laundering
Function also defines and arranges with the structures involved, any corrective measures on
the first and second control system and on its control objectives, coordinating, in the issue
phases, the various corporate structures involved;
• collection and analysis of the results of first level controls performed by the competent units of
the Banca dei Territori Division and the Corporate and Investment Banking Division as well as
the second level controls conducted by the Chief Compliance Officer’s control units; analysis of
inefficiencies found and of possible corrective measures suggested by the Internal Auditing
Head Office Department following the inspection activities performed;
• overall analysis of the outcome of controls performed and definition of appropriate corrective
measures to be implemented to mitigate the risk of money laundering and terrorist financing;
• management of relations with the FIU (Financial Intelligence Unit), the MEF and the
Supervisory Authorities, with the exception of reports pursuant to Article 52 of Italian Legislative
Decree no. 231/2007 which are made by the Supervisory Board and by the Supervisory Body;
• advice and assistance to the Corporate Bodies and to Top Management;
• assistance and support to the central operating units and to the Bank’s network units with
regard to application of legislation governing anti-money laundering, combating terrorist
financing and handling of embargoes;
• definition, in collaboration with the competent corporate units, of the requisites for development
and implementation of new procedures required for managing pertinent obligations;
• ex ante assessment, for its area of competence, of compliance of new processes / procedures
/ products / services;
• assessment of the money-laundering and terrorist financing residual risk for the Bank18.
With specific regard to the prescribed customer due diligence, the Anti-Money Laundering Function
performs the following activities:
• enhanced due diligence and authorisation pursuant to Article 28 of Italian Legislative Decree
no. 231/2007, with regard to the opening of a new business relationship, execution of an
18
For this purpose an AML Risk Assessment Model has been introduced for orienting the strategies of risk
mitigation, that are designed to overcome the regulatory/ organizational / procedural gaps, which can
determine the total exposure to money laundering risk.
17
•
•
•
•
occasional transaction or maintaining of an existing business relationship for customers
assigned as high risk19 and for medium risk customers20 when specific request is submitted by
the network units, in concert with the Banca dei Territori Division and the Corporate and
Investment Banking Division and without prejudice to the prerogatives of the Group Control
Coordination and Operational Risk Committee;
evaluation and authorization for opening new relationships, for executing occasional
transactions or for maintaining relationships already in place with customer at medium risk if
that staff in charge of the evaluation activities or authorization is in conflict of interest (also
potential);
Group-level definition of requirements of the support tools for the due diligence processes and
for customer risk profiling at Group level;
preparation and certification of the standard questionnaire relating to the internal processes
and the procedures adopted by the Bank with regard to anti-money laundering and terrorism
financing generally requested by other Financial Institutions21 for the opening of cross-frontier
correspondent banking relationships;
assessment of customers positively matched against Sanction Lists during the identification
process or the updating of their anagraphical data, confirmed after investigations have been
carried out by the competent corporate units.
With specific regard to the records keeping, the Anti-Money Laundering Function performs the
following activities:
• definition of requirements for data input and management of the AUI and verification of
reliability of the IT system used for data entry, based also on controls carried out by other
corporate units. Specifically the Anti-Money Laundering Function provides assistance in the
phase involving analysis of IT activities on the AUI and coordinates activities to remove any
anomalies found in its management;
• sample control on the quality of statistical data sent to the FIU. In this regard, following this
control or following request from the network units, the Anti-Money Laundering Function
coordinates corrections to the information recorded in the AUI;
• monthly transmission to the FIU of aggregate data concerning recordings made in the AUI.
With specific regard to transaction monitoring, in addition to the activities for which the AML
Reporting Officer is responsible, the Anti-Money Laundering Function performs the following
activities:
• examination and preservation of copy of the reports of violations of regulations concerning
restrictions on the use of cash and bearer instruments, forwarded by the network units to the
MEF;
• check of payments and documents representing goods found positive during initial assessment
by the Operations Head Office Department, also performed on the basis of evidence of
anomalies generated automatically by the filtering system. Following this check, it confirms any
blocking of the transactions;
19
High risk customers are those characterised by a combination of factors (e.g. country of residence, volume
and frequency of transactions, etc.) which denote the possible presence of money laundering or terrorism
financing phenomena, as well as the categories for which enhanced due diligence obligations are prescribed
by regulations (foreign PEPs; national PEPs who also have other risk factors, credit and financial institutions
established in not equivalent third Countries, with reference to correspondence banking current accounts,
payable-through accounts and similar accounts, even if they are hold by the bank through subsidiaries
entities located in non-EU States).
20
Medium risk customers are those characterised by a number of money laundering risk factors and who do
not fall within the categories for which enhanced due diligence obligations are prescribed by regulations.
21
The Anti-Money Laundering Function also replies to specific requests for further investigation made by
other Financial Intermediaries in relation to anti-money laundering and terrorism financing procedures and
measures adopted by the Bank or by the Group.
18
•
•
preventive authorisation to issue or extend guarantees towards Group A countries22;
definition of requirements of the support tools for ensuring transaction monitoring.
The Anti-Money Laundering Function also guarantees periodic reporting and direct information
flows to the Corporate Bodies and Top Management.
Specifically:
• every six months, prepares and submits to the Supervisory Board, the Management Board, the
Control Committee and the Supervisory Body a report on inspection activity performed, actions
taken, malfunctions found and corrective measures to be taken as well as on personnel training
activity;
• every six months, prepares and submits to the Management Board a specific report on training
and development activity on anti-money laundering legislation;
• analyses evidence of possible violations pursuant to Article 52, paragraph 2, letters a), c) and
d) of Italian Legislative Decree no. 231/2007, received by the Internal Auditing Department
and/or by other corporate functions, or found directly and provides pertinent report to the
Supervisory Board and to the Supervisory Body every quarter, or in the case of particularly
serious violations, in the next meeting, to allow subsequent report to the Supervisory Authority
or to the MEF.
In the preliminary investigation phase the Internal Auditing Head Office Department will be
involved in cases that prove important for reasons of their value or repetitiveness and where
there is evidence that employees’ conduct is not in line with guidelines. In all other cases, the
Anti-Money Laundering Function will apply directly to the competent structures to obtain the
missing documentation.
Violations pursuant to Article 52, paragraph 2, letter b) of Italian Legislative Decree no.
231/2007 concerning suspicious activity reporting: if found directly by the Supervisory Board
and the Supervisory Body, are reported to the AML Reporting Officer and, for its information, to
the Head of the Anti-Money Laundering Function; if found directly by the Internal Auditing
Department and/or by the other corporate units, are reported to the network units concerned
and, for its information, to the Head of the Anti-Money Laundering Function and the AML
Reporting Officer;
• takes note of the reports forwarded pursuant to Article 52 of Italian Legislative Decree no.
231/2007 to the Supervisory Authority, the MEF or to the AML Reporting Officer by the
Supervisory Board and/or the Supervisory Body and reports to the aforesaid Bodies on the
corrective measures taken.
At the same time, in order to allow full oversight of the money laundering and terrorist financing
risk, provision is made for specific information flows addressed to the Anti-Money Laundering
Function from the control structures and the other structures entrusted with duties prescribed for
fulfilment of anti-money laundering obligations.
With specific regard to staff training, the Anti-Money Laundering Function performs the following
activities:
• identification of training objectives and preparation of an adequate training programme,
directed at achieving ongoing update of subordinate employees, in collaboration with the
Human Resources and Organization Head Office Department;
• providing assistance to the Human Resources and Organization Head Office Department in
defining the contents of the training programmes and procedures by which they will be
provided.
22
Countries subject to specific embargo by the European Community, the USA (OFAC) and the UNO with
regard to development of nuclear programmes and technologies for military purposes or for internal
repression of the civilian population.
19
Lastly the Anti-Money Laundering Function collaborates with the other corporate units to develop
risk management procedures that are consistent with corporate strategies and operating activity,
providing assistance in the drafting of processes that comply with legislation and performing an
advisory role.
3.3.2.1
Head of the Anti-Money Laundering Function
The role of Head of the Anti-Money Laundering Function is entrusted to the Head of the AntiMoney Laundering Head Office Department by resolution of the Management Board, subject to the
favourable opinion of the Supervisory Board.
The Head of the Anti-Money Laundering Function:
• must hold adequate requirements of independence, authority and professionalism and must
not have direct responsibilities over operating areas and must not be obliged to report to the
persons in charge of said areas;
• is considered, for all intents and purposes, as one of the heads of the corporate control
functions and executes its functions independently;
• also fulfils the role of Head of Group Anti-Money Laundering for the Group Companies for
which application of the centralised governance model is prescribed;
• receives from the AML Reporting Officer of the Parent Company and of the Group Subsidiaries
a periodic information flow relating to reports forwarded and filed and may request to examine
reports forwarded and filed23;
• performs a supervisory role over all corporate units entrusted with duties prescribed for antimoney laundering purposes, even if the aforesaid structures are different from the Anti-Money
Laundering Function. In performing this role, it also arranges with the competent structures of
the Banca dei Territori Division and of the CIB Division the control activities to be performed
and the procedures for their implementation, with regard to aspects within its competence;
• it avails of the results of the second-level control activities performed by the Chief Compliance
Officer control structures and the findings of the verification activities carried out by the Internal
Auditing Department, in its capacity as independent third-level control structure;
• also monitors adequacy of the internal processes and procedures for detection, assessment
and reporting of suspicious activities, as part of its duty to monitor the effectiveness of the
whole management and internal control system overseeing the risk of money laundering and
terrorist financing.
The Head of the Anti-Money Laundering Function is issued, by Managing Director, in its capacity
as General Director, with delegation to authorise/ maintain the opening of continuous relationships
with foreign PEPs or high risk national PEPs and correspondence banking current accounts,
payable-through accounts and similar accounts with credit and financial institutions established in
not equivalent third Countries, pursuant to Article 28 of Italian Legislative Decree no. 231/2007.
3.3.2.2
AML Reporting Officer
The role of AML Reporting Officer is entrusted to the Head of the AML Suspicious Reporting and
Authorizations Sub-Department of the Anti-Money Laundering Head Office Department, to whom is
assigned delegation pursuant to Article 42 of Italian Legislative Decree no. 231/2007, by the
Chairman of the Management Board, in its capacity as the Bank’s legal representative.
The AML Reporting Officer:
23
With reference to foreign Group subsidiaries, the sharing of detailed information about the suspicious
transaction reports sent to local FIUs takes place subject to any constraints according to the local rules of the
host country where the subsidiary is located.
20
•
•
•
•
•
•
•
must hold adequate requirements of independence, authority and professionalism and must
not have direct responsibilities over operating areas and must not be obliged to report to the
persons in charge of said areas;
exercises its functions independently;
also fulfils the role of Group Delegate, with assignment of the delegation to forward to the FIU
reports of suspicious activity also on behalf of Group Companies for which application of the
centralised governance model is prescribed;
has free access to the information flows addressed to the Corporate Bodies and to the other
structures involved in managing and combating money laundering and terrorist financing;
may acquire from the Head of the Anti-Money Laundering Function information useful to
assessment of suspicious activity;
may allow, taking the necessary confidentiality precautions, and without mentioning the
reporting party’s name, the Heads of the corporate units to know the names of the reported
customers, including through use of suitable data bases, and given the particular significance
that this information may have for the purpose of accepting new customers or assessing
existing customers’ operating activity;
is responsible for:
- providing the network units with advice on obligations regarding preparation of suspicious
activity reports and possible abstention from performing transactions;
- assessing the suspicious activity reports received from the operating structures and the
reports forwarded to it pursuant to Article 52, paragraph 2, letter b) of Italian Legislative
Decree no. 231/2007 by the Supervisory Board and/or the Supervisory Body, and arranging
the related investigation;
- transmitting to the FIU the reports deemed to be founded;
- filing the reports deemed not to be founded providing written motivation;
- communicating the outcome of its assessment to the Head of the network units from which
the report originated, notifying the Head of the Anti-Money Laundering Function through the
prescribed periodic information flow or in response to its request;
- when notice is received that the report has been dismissed by the FIU, notifying the Head
of the network units from which the report originated, also providing notice to the AntiMoney Laundering Function;
- liaising with the FIU and managing requests for further investigation submitted by the
competent authorities24;
- contributing to identification of the necessary measures to guarantee the confidentiality and
preservation of data, information and documentation relating to reports, to be submitted to
approval by the Management Board.
In performing its functions, the AML Reporting Officer is assisted by the personnel of the AML
Suspicious Reporting Office. It may enable the employees of said Office to work, under its
responsibility, in the suspicious activity reporting system, in accordance with the instructions issued
by the FIU.
3.3.3 Compliance Retail and Corporate Banking Head Office Department
The functions of the Compliance Retail and Corporate Banking Department are set forth in the
“Organizational Code” and the “Intesa Sanpaolo Group Compliance Guidelines”. With particular
reference to anti-money laundering issues, the Compliance Retail and Corporate Banking Head
Office Department supports the Anti-Money Laundering Function by:
24
The term authority refers to a series of institutional bodies such as magistrates, the tax police and its
special currency unit which may be involved in the inquiry and further investigation stages following
suspicious reports from the financial system.
21
•
•
monitoring compliance risk of the International Branches of the Parent Company, whose
Compliance Officers report hierarchically to the Department;
guiding, coordinating and monitoring the International Branches that do not report hierarchically
to the Department.
3.3.4 Compliance Governance and Controls Head Office Department
The functions of the Compliance Governance and Controls Department are set forth in the
“Organizational Code” and the “Intesa Sanpaolo Group Compliance Guidelines”. With particular
reference to anti-money laundering issues, the Compliance Governance and Controls Head Office
Department supports the Anti-Money Laundering Function by:
• performing second level controls procedures for the Parent Company and the Subsidiaries
subject to the centralised management model;
• guiding, coordinating and monitoring the subsidiaries that are not subject to the centralised
governance model;
• reporting to Corporate Bodies.
3.3.5 Coordination of Compliance Initiatives
The functions of the Coordination of Compliance Initiatives are set forth in the “Organizational
Code” and the “Intesa Sanpaolo Group Compliance Guidelines”. With particular reference to antimoney laundering issues, the Coordination of Compliance Initiatives supports the Anti-Money
Laundering Function by preparing the AML Risk Assessment and arranging outsourcing contracts
relative to anti-money laundering, combating terrorist financing and embargoes managed centrally
by the Parent Company.
3.3.6 Internal Auditing Head Office Department
The functions of the Internal Auditing Head Office Department are set forth in the “Organizational
Code”. It is the Internal Auditing Head Office Department’s duty to carry out third level independent
controls of all areas, including those relating to combating money laundering and terrorist financing
and handling of embargoes. In this regard the Internal Auditing Head Office Department ensures
ongoing monitoring of the degree of adequacy of the corporate organisational structure and its
compliance with reference laws and oversees the functionality of the entire internal control system.
Specifically, it regularly inspects the adequacy and efficiency of the Anti-Money Laundering
Function and informs the competent Corporate Bodies of the outcome of its assessments.
Through systematic controls and inspections, the Internal Auditing Head Office Department
verifies:
• constant compliance with the customer due diligence obligation, when setting up the business
relationship and throughout its development;
• effective acquisition and ordered preservation of the data and documents prescribed by
legislation;
• correct functioning of the AUI;
• effective degree of involvement of subordinate employees and collaborators as well as of the
heads of central and peripheral structures, in implementing the “active collaboration” obligation.
Furthermore:
• on the basis of the findings of the Audit Risk Assessment and of the outcome of controls
performed by the first and second level control structures, it draws up the control plan for all the
peripheral and central operating structures involved, so as to guarantee enhanced oversight of
structures with greater exposure to the risk of money laundering and terrorist financing;
• periodically checks that the various sector accounting procedures are aligned with those for
AUI data entry and management;
• informs the Anti-Money Laundering Function and the other Corporate Bodies of inefficiencies
found and suggests corrective measures to be taken;
22
•
performs follow-up activities in order to ensure that the necessary actions have been taken and
that they are able to avoid similar problem situations in the future.
Following the controls and assessments performed, the Internal Auditing Head Office Department
independently checks possible breaches:
• pursuant to Article 52, paragraph 2, letters a), c) and d) of Italian Legislative Decree no.
231/2007 and reports them to the Anti-Money Laundering Function, for further analysis on its
part, before forwarding to the Supervisory Board and/or the Supervisory Body;
• pursuant to Article 52, paragraph 2, letter b) of Italian Legislative Decree no. 231/2007 and
informs the network unit concerned, notifying the Head of the Anti-Money Laundering Function
and the AML Reporting Officer.
3.3.7 Human Resources Head Office Department
The functions of the Human Resources Head Office Department are set forth in the “Organizational
Code”. With regard to combating anti-money laundering and terrorist financing, the Human
Resources Head Office Department plays an active role in managing disciplinary procedures
involving resources reported as non-performing, carrying out the following activities:
• ensure an adequate quantitative and qualitative coverage in terms of staff required to fulfil the
obligations prescribed by legislation, on the basis of the defined sizing;
• assess and further disciplinary actions against employees reported as non-performing with
regard to obligations prescribed by legislation;
• evaluate the applicability of the protections provided by collective agreements for the
employees that are under criminal, civil and administrative proceedings for eventual violation of
the law regarding anti-money laundering, fighting of terrorist financing and management of
sanctions, including the formulation of reservations to be dissolved at the time of the judgment.
3.3.8 Banca dei Territori Division
The Banca dei Territori Division is involved in the processes of combating money laundering,
terrorist financing and handling of embargoes, performing both a control role over compliance with
regulatory obligations and a decision-making role in the process of assessing new and existing
customers.
Within the Banca dei Territori Division, the Control Units of the Regional Departments carry out
controls on correct management of obligations entrusted to the network units as agreed with the
Internal Auditing Head Office Department and the Anti-Money Laundering Function. The outcome
of the inspections performed and any shortcomings found are communicated to the specialist
control structures of the Chief Compliance Officer and the Anti-Money Laundering Function and
forwarded to the Internal Auditing Head Office Department for appropriate assessment.
The Control Units also liaise with the network units, reporting the shortcomings found and
requesting that they take action to resolve them.
3.3.9 Corporate and Investment Banking Division
The Corporate and Investment Banking Division is involved in the processes of combating the
phenomena of money laundering, terrorism financing and embargo management performing both a
control role over compliance with regulatory obligations and a decision-making role in the process
of assessing new and existing customers, with the exception of customers of the International
Branches and Group Companies falling within its scope, regulated by the provisions set forth in
paragraph 5 below “Group Governance".
Within the Corporate and Investment Banking Division, the CIB Controls Office of the Quality,
Controls and Operational Coordination Department carries out controls on correct management of
23
obligations entrusted to the operating structures as agreed with the Internal Auditing Head Office
Department and the Anti-Money Laundering Function. The outcome of the inspections performed
and any shortcomings found are communicated to the specialist control structures of the Chief
Compliance Officer and the Anti-Money Laundering Function and forwarded to the Internal Auditing
Head Office Department for appropriate assessment.
3.3.10
Network Units
The network units25 of the Banca dei Territori Division, the Corporate and Investment Banking
Division and Intesa Sanpaolo Group Services perform an active role in executing obligations
regarding anti-money laundering, combating terrorist financing and handling of embargoes.
Specifically, for customer due diligence, the network units perform the following activities:
• identifying the customers and the beneficial owners and gathering the necessary information
and documentation for the customer due diligence phase. The network units also gather
additional information required for risk profiling the credit and financial institutions and ensure it
is periodically updated. The information acquired is checked to certify that it is complete and
truthful;
• preserving the acquired documentation26, assigning the risk profile to be attributed to the
customer on the basis of the evidence produced by the profiling tool and informing the AntiMoney Laundering Function of customers classified as high risk27 for the related authorisation
request. For medium risk customers the network unit makes the decision to refuse the
relationship or execution of the occasional transaction autonomously, involving the Anti-Money
Laundering Function, whenever it sees fit. The network unit also ensure periodic review of the
risk profiling of existing customers or event-based review centred on information arising from
customer and transaction monitoring;
• notifying customers of decision not to open a business relationship or execute a transaction, or
of closure of an existing business relationship (relationships and transactions with credit and
financial institutions are also included);
• gathering requests submitted by credit and financial institutions on documentation certifying the
existence and effectiveness of processes and procedures for combating money laundering and
terrorist financing implemented by the Bank and the Group and their forwarding to the AntiMoney Laundering Function which shall provide a centralised reply;
• line control by the network units’ Head/Manager of the Relationship on customer due diligence.
For the purposes of records keeping, the network units ensure entry into the IT systems of the data
required for correct and complete record of information concerning transactions and business
relationships. Furthermore, when requested by the Anti-Money Laundering Function and by other
control functions, they provide missing information and/or correct/rectify wrong registrations in the
AUI.
For transaction knowledge purposes, the operating structures perform the following activities:
25
See Paragraph 6.2. – Operating Structures List.
With regard to non-EU correspondent Institutions the documentation acquired is sent to the Operations
Head Office Department, for preservation and for data verification.
27
With regard to high risk customers, authorisation is the responsibility of the Anti-Money Laundering
Function, in concert with the Banca dei Territori Division or, within the Corporate and Investment Banking
Division, with the Global Transaction Banking Department, with the Corporate and Public Finance
Department, with the International Network and Global Industries Department or with the Financial
Institutions Department, according to the nature of the customer considered. In the event of difference of
opinion, the Internal Control Coordination and Operational Risk Committee shall be called to make the final
decision.
26
24
•
•
•
•
•
monitoring transactions executed by customers, also considering their assigned risk profile, in
order to identify anomalous transactions28. These transactions, in addition to those reported by
the Control Units of the Regional Departments, the CIB Controls Office of the Quality, Controls
and Operational Coordination Department, the Internal Auditing Head Office Department or any
other of the Bank’s non-operating structures, are subject to assessment by said operating
structures in order to find out if they qualify as suspicious activity to be reported to the AML
Reporting Officer;
identifying breaches in regulations concerning limitation of use of cash and bearer securities,
timely communication to the MEF and dispatching copy of the communications made to the
Anti-Money Laundering Function;
ex-ante control on payments and documents representing goods for countercheck with the
operating provisions established by the Anti-Money Laundering Function for operating activity
with countries at risk;
ex-ante control on the payments in order to verify that there aren’t verified transactions with
subjects included in the Group lists ("Bad Guys") that are considered high risk according to the
criteria of AML customer risk profiling adopted by the Group
line control by the Head of the operating structure on the activity of transaction monitoring and
assessment of breaches to regulations concerning limitation of use of cash and bearer
securities.
3.4
Intesa Sanpaolo Group Services
3.4.1 Legal Affairs Head Office Department – Group General Counsel
The functions of the Legal Affairs Head Office Department of Intesa Sanpaolo Group Services are
set forth in the “Organizational Code”. Through the Finance, Contracts and Special Regulations
Advisory Sub-Department, the Legal Affairs Head Office Department – Group General Counsel
plays a part in managing the anti-money laundering and terrorism financing risk by overseeing the
legal risk, performing the following activities:
• assisting and advising the Anti-Money Laundering Function in ongoing identification of
applicable regulations, monitoring developments, including those in decisions of the court, and
ensuring their interpretation;
• advising the Bank’s central structures on interpretation of Italian legislation concerning antimoney laundering and combating terrorist financing;
• sharing the legal aspects of the Guidelines, internal regulatory provisions and the content of
training courses prepared by the Anti-Money Laundering Function and by the other assigned
structures, formulating proposed amendments and/or integrations;
• advising and assisting the Anti-Money Laundering Function with regard to controversial legal
aspects concerning examination of the conformity of internal processes and procedures,
contracts and forms or the significant cases of malfunctioning found;
• sharing with the Anti-Money Laundering Function standard drafts of communications to be sent
to customers with regard to refusal to open a relationship, suspension of a relationship and
refusal to execute an occasional transaction.
The Criminal, Bankruptcy and Specialized Litigation Sub-Department manages administrative and
judicial litigation concerning breaches of provisions disputed with regard to or by the Bank,
providing the Anti-Money Laundering Function with periodic disclosure on the state of progress of
pending lawsuits and/or the opening of new disputes. It also advises the Anti-Money Laundering
28
For transaction monitoring activity, the managers of the relationship with Financial Intermediaries use the
automatic system exclusively for Financial Intermediaries who do not benefit from simplified due diligence,
whose transactions are inputted to the AUI.
25
Function and the Bank’s other central structures with regard to interpretation of regulations on the
matter of embargoes and shares with the aforesaid Function applicable internal provisions as well
as standard drafts of communications to be sent to customers in the event of non execution of
transactions subject to embargoes or restrictions.
3.4.2 Human Resources and Organization Head Office Department
The functions of the Human Resources and Organisation Head Office Department of Intesa
Sanpaolo Group Services are set forth in the “Organizational Code”. The Human Resources and
Organisation Head Office Department is responsible for implementing organisational rules and
solutions that are consistent with the objectives and guidelines of corporate policies including those
established for anti-money laundering, combating terrorist financing and handling of embargoes
and it has an active role in employees training. Within this context, the Human Resources and
Organisation Head Office Department performs the following activities:
• working with the Anti-Money Laundering Function to provide assistance in analysing and
adopting processes of organisational change and development, also ensuing from new
legislative obligations concerning anti-money laundering, combating terrorist financing and
handling of embargoes;
• defining the correct quantities of resources required to fulfil obligations regarding anti-money
laundering, combating terrorist financing and handling of embargoes;
• working with the process owners to plan corporate processes and overseeing update and
publication of the Bank’s internal regulations and corporate governance documents concerning
anti-money laundering, combating terrorist financing and handling of embargoes;
• identifying with the Anti-Money Laundering and with those competent structure of Intesa
Sanpaolo Group Services, the requirements for the development of information technology
solutions suitable to simplifying and enhancing the efficiency of the processes of competence;
• defining rules and measures for protecting data, information and infrastructures, involved in
anti-money laundering, combating terrorist financing and handling of embargoes, from internal
and external threats in order to guarantee operating continuity and regular performance of
corporate activities and in order to maintain security conditions in line with prevailing
regulations;
• support to the Anti-Money Laundering Function in identifying the training objectives and in
preparing an appropriate training plan, to be approved by the Management Board, aimed at
achieving an update on an ongoing basis to employees with specific training programs for the
staff of the Anti-Money Laundering Function and for those who work in the sales network;
• definition, in collaboration with the Anti-Money Laundering Function, of training courses, in
terms of content, timing, recipients and methodologies, and their subsequent preparation and
delivery;
• support to the Anti-Money Laundering Function in the preparation of the report relating to the
training activities on the anti-money laundering legislation, to be submitted to the Management
Board.
3.4.3 Operations Head Office Department
The functions of the Operations Head Office Department of Intesa Sanpaolo Group Services are
set forth in the “Organizational Code”. With regard to combating money laundering and terrorist
financing, the Operations Head Office Department performs the following activities:
• provides assistance in coordination of requests addressed to the ICT Head Office Department
concerning actions to be taken on the information systems to support the network operating
26
•
•
•
processes, in accordance with the requirements expressed by the Anti-Money Laundering
Function29;
first level controls on the quality of data entered into the AUI, addressing any requests for
corrective measures to be taken to the ICT Head Office Department and guaranteeing a
periodic information flow to the Anti-Money Laundering Function with details of the anomalies
found and the state of progress of the corrective measures implemented. These activities may
be carried out insofar as compatible with the tools provided by the Operations Head Office
Department;
carrying out checks on payments and customers’ personal details, if they are found to be
included in the Sanction Lists and/ or internal lists (“Bad Guys”) by the automatic filtering
system, and applying the rules defined by the Anti-Money Laundering Function, with its
subsequent involvement if the suspicion is confirmed;
carries out checks on payments, documents representing goods and customers’ personal
details, if they are found to be included in the Sanction Lists by the automatic filtering system,
and applies the rules defined by the Anti-Money Laundering Function, with its subsequent
involvement if the suspicion is confirmed.
3.4.4 ICT Head Office Department
The functions of the ICT Head Office Department of Intesa Sanpaolo Group Services are set forth
in the “Organizational Code”. With regard to combating money laundering, terrorist financing and
handling of embargoes, the ICT Head Office Department is involved in the update, development
and oversight of the application components, performing the following activities:
• implementing and maintaining the information systems used for obligations regarding antimoney laundering, terrorist financing and handling of embargoes, in accordance with
requirements set forth by the Anti-Money Laundering Function;30
• controlling integrity and completeness of the flows providing input to the various application
solutions used, with specific regard to the AUI. In the event of anomaly, the ICT Head Office
Department activates the necessary corrective measures, providing appropriate report to the
Anti-Money Laundering Function;
• ensuring periodic maintenance of the Sanction Lists, following report by the Anti-Money
Laundering Function;
• carrying out the corrective measures notified by the Anti-Money Laundering Function and the
Internal Auditing Head Office Department.
29
The relationship with the ICT Systems Department is instead managed by the Anti-Money Laundering
Function in the case of actions on systems directly associated with anti-money laundering, terrorist financing
and handling of embargoes (e.g. systems for AUI management, identifying anomaly indicators, customer due
diligence, risk profiling, transaction filtering, etc.).
30
In this regard specific support is to be provided by the Operations Head Office Department for actions
affecting the tools directly supporting the network operating processes.
27
4 MACRO PROCESSES FOR COMBATING
LAUNDERING AND TERRORIST FINANCING
OF
MONEY
The macro processes for managing obligations concerning anti-money laundering, combating
terrorist financing and handling of embargoes can be divided into four main areas:
• customer due diligence;
• records keeping and retention;
• transaction monitoring;
• reporting, training and information management across the Group.
In addition to these areas there are also some cross processes to support implementation and
execution of activities to prevent, monitor and mitigate the risk of money laundering and terrorist
financing.
4.1
Customer due diligence
The following processes have been established to guarantee customer due diligence:
• Customer and beneficial owners identification and collection of identification documents,
documents certifying due diligence issued by other Financial Institutions and additional
information required for establishing the risk profile to be assigned to the customer; registration
of customers and beneficial owners in the Bank’s Master File and preservation of the
documentation acquired for identification and due diligence, in accordance with confidentiality
provisions and measures set forth by internal regulations. These phases are entrusted to the
network units which manage customer business relations, as is the issue of certificates of due
diligence to other Financial Institutions, with updated information concerning customers having
ongoing business relationships with the Bank, without indicating the risk profile assigned. If it is
not possible to comply with the obligations on customer due diligence, or the customer due
diligence points out a negative rating or an unacceptable risk, there is the obligation to refrain
from establishing a business relationship or performing the transaction. If this situation
happened with reference to a relationship already in place or to an in progress transaction, the
Bank should stop to carry on the relationship or to execute the transaction31
• customer risk-assessment based on the risk of money laundering and terrorist financing,
carried out by the network units, using (i) information acquired during the customer due
diligence process and (ii) sharing at Group level;
• constant monitoring of ongoing business relationships, carried out by the network units, in
order to update customer due diligence, and of the declared purpose of the business
relationship, in the presence of transactions that are unexpected, anomalous or inconsistent
with the customer’s previously known economic and financial profile or of news of significant
events;
• periodic re-assessment of the risk profile and update of data (identification documents,
chamber of commerce certificates, public registers and lists, information, etc.) carried out by
the network units, with the frequency required by the risk profile previously assigned to the
customer;
• authorisation to open a new business relationship, to execute an occasional transaction or to
maintain an existing business relationship on the basis of the risk profile assigned to the
customer. For customers classified as high risk, authorisation must be provided by the AntiMoney Laundering Function. Failure to provide authorisation requires a binding opinion to be
issued by the Banca dei Territori Division or by the Corporate Investment Banking Division for
31
For further information on “abstention obligation” please see footnote no. 10.
28
•
their own customers. If an agreement is not reached on the decision, the Internal Control
Coordination and Operational Risk Committee shall be called to make the final decision. For
medium risk customers authorisation is provided directly by the network units which may
involve the Anti-Money Laundering Function, whenever they see fit;
authorisation to operate, issued by the Anti-Money Laundering Function, for customers who
during the identification process or its updating and after further investigation by the competent
corporate units, are found to be included in the Sanction Lists.
4.2
Processes connected
obligations
with
records
keeping
and
retention
In order to record customer identification data and the main data on transactions carried out,
information is stored into the AUI, which is managed by the Anti-Money Laundering Function and
by the ICT Head Office Department, each within their area of responsibility and competence, for
the purpose of guaranteeing that information is clear and complete, is suitably preserved and may
be easily consulted. The AUI allows calculation of aggregate data on the Bank’s operating activity,
which is transmitted each month by the Anti-Money Laundering Function to the FIU, which
analyses it in order to identify possible phenomena of money laundering or terrorism financing.
4.3
•
•
•
Control processes
AML Function responsibilities:
o identification of control objectives when designing or reviewing business processes,
functional to the declination of the first-level controls;
o definition of second level controls, by agreement with the Compliance Governance and
Controls Head Office Department;
o analysis of the outcome of controls activities and assessment of the effectiveness of
safeguards;
o define the action plan and provide recommendation to operating structures;
Responsibility of operating structures to perform first level controls;
Execution by Chief Compliance Officer control structures of second-level control activities.
4.4
Transaction monitoring
Three main processes have been established to guarantee control of transactions carried out by
customers:
• ex ante monitoring by the network units carrying out the transactions, of transactions executed
by customers, on the basis of current implementing rules issued by the Supervisory Authorities,
in order to identify, block and report transactions in which money laundering and/or terrorist
financing is suspected. In order to fulfil the obligation of abstention and of assessing the need
for immediate application to the FIU to request a suspension order in cases of evident risk, for
example those involving an outflow of funds and payment means, the network units may seek
advice from the AML Reporting Officer;
• ex ante monitoring of payments and documents representing goods through the scan against
the Sanction Lists and/or Group internal List (“Bad Guy”) and checking the results of control
procedures. These checks firstly involve the Operations Head Office Department and the
network units performing the transactions, which if necessary ask the Anti-Money Laundering
Function to authorise the execution of the transactions;
29
•
ex post monitoring of transactions by the network units in order to identify anomalous
transactions, also with the assistance of the automatic system for managing anomaly
indicators32. After an anomalous transaction has been identified, the network units carry out a
first level investigation and, if it proves necessary, proceed to report the suspicious transaction
to the AML Reporting Officer. It then carries out a second level analysis and assesses whether
to proceed with a suspicious activity report to the FIU.
Furthermore, in order to reduce the risk of money laundering and terrorist financing and the related
reputational, legal and operational risks, taking into account specific regulations on the matter, the
Intesa Sanpaolo Group (i) shall not make cover payments33 in US currency and (ii) shall operate
with payable-through accounts34 only if customer due diligence is guaranteed by the
counterparty bank using said payable through accounts.35
4.5
Reporting, training and information management across the Group
The communication processes prescribed with regard to obligations concerning anti-money
laundering, combating terrorist financing and handling of embargoes are the responsibility of the
Anti-Money Laundering Function and are differentiated on the basis of the addressee and the
purpose of the communication:
• external reporting addressed to the Supervisory Authorities in accordance with requirements
defined by anti-money laundering and embargo regulations36, with:
• monthly transmission to the FIU of aggregate data concerning AUI registrations;
• transmission to the FIU of suspicious activity reports by the AML Reporting Officer;
• information on violations pursuant to Article 52, paragraph 2, letter a), c) and d) of Italian
Legislative Decree no. 231/2007, addressed each month, or in the event of particularly serious
violations, in the first available meeting, to the Supervisory Board and the Supervisory Body, to
allow subsequent communication to the Supervisory Authority or to the MEF;
• report on inspection activities performed, action taken, malfunctions found and appropriate
corrective measures to be taken, as well as staff training activity, addressed every six months
to the Supervisory Board, the Management Board, the Control Committee and the Supervisory
Body;
• specific report on training and development activity on anti-money laundering regulations,
addressed every six months to the Management Board.
32
For transaction monitoring activity, the managers of the relationship with Financial Intermediaries use the
automatic system exclusively for Financial Intermediaries who do not benefit from simplified due diligence,
whose transactions are inputted to the AUI.
33
Cover payment means the transfer of funds used when there is no direct relationship between the orderer
and beneficiary’s payment service providers and it is therefore necessary to use a chain of correspondence
relationships between the payment service providers. A cover payment involves three or more payment
service providers. This payment aims to provide financial coverage of a message sent by the orderer’s
provider to the beneficiary’s provider in which it directly communicates transfer of the funds.
34
Payable-through accounts are cross-border correspondent banking relationships between financial
institutions, used to carry out transactions in their own name and on the customers’ behalf (Article 1,
paragraph 2 letter f) Italian Legislative Decree no. 231/2007).
35
Specifically, Article 28 paragraph 4 letter e) of Italian Legislative Decree no. 231/2007 provides that in the
case of cross-border correspondent banking relationships with a non-EU credit institution the Bank must
ensure that it has verified the identity of the customers who have direct access to the payable-through
accounts, has constantly fulfilled the customer due diligence obligations and, when requested, can provide
the data acquired in fulfilling said obligations.
36
This does not include reports for violations of limitations to the use of cash and bearer instruments
pursuant to Article 49 of Italian Legislative Decree no. 231/2007, transmitted to the MEF directly by the
network units.
30
In order to allow full oversight of the money laundering and terrorist financing risk, specific
information flows are addressed to the Anti-Money Laundering Function by the first and second
level control structures and by other structures entrusted with anti-money laundering related duties.
On the basis of data collected and taking into account information and suggestions provided by the
Internal Auditing Head Office Department after the inspection activities performed, the Anti-Money
Laundering Function defines appropriate corrective measures to be implemented to mitigate the
risk of money laundering and terrorist financing and oversees periodic update of the first and
second level internal controls prescribed and the related control objectives.
Regulations governing anti-money laundering and combating terrorist financing also impose the
duty to adopt adequate staff training measures to guarantee correct application of the prescribed
obligations. For this purpose the Anti-Money Laundering Function, working with the Training,
Management Development and School of Leaders shall draw up a suitable training programme,
directed at achieving ongoing update of subordinate employees, to be submitted to approval by the
Management Board.
With a view to guaranteeing homogeneous management at Group level, the Parent Company’s
Anti-Money Laundering Function also provides centralised management of negative information on
customers, in compliance with local regulations on personal data protection. For this purpose the
other corporate units and the Group Companies communicate said information to the Parent
Company’s Anti-Money Laundering Function using the appropriate computer tools.
4.6
Cross and supporting processes
Although cross and supporting processes are not directed at overseeing specific requirements
imposed by legislation, they are instrumental to correct implementation and performance of the
processes described above. For this purpose the following activities are prescribed:
•
•
advice and assistance to Corporate Bodies and Top Management provided by the Anti-Money
Laundering Function;
advice and consultation to the network units provided on two separate levels:
• first level, requiring the involvement of the Operations Head Office Department (Help Desk
Office), for assistance on duties to be fulfilled when performing operating processes;
• second level, requiring the involvement of the Anti-Money Laundering Function for
assistance and support to the Operations Head Office Department (Help Desk Office) with
regard to application of regulations for anti-money laundering, combating terrorist
financing and handling of embargoes;
• ex ante assessment of compliance of new processes / procedures / products / services,
carried out by the Anti-Money Laundering Function, for its area of competence;
• definition of reference methods and actions to be taken on support tools, by the AntiMoney Laundering Function, assisted by the Operations Head Office Department, the
Human Resources and Organisation Head Office Department and the ICT Head Office
Department37, taking the specific characteristics of the various operating structures into
account;
37
With regard to tools and processes directly associated with combating of money laundering, terrorist
financing and handling of embargoes (e.g. AUI management, functioning of the anomaly indicator
identification system, functioning of tools for customer due diligence, risk profiling and transaction filtering)
the actions are directly defined by the Anti-Money Laundering Function which also follows up their
implementation by the ICT Head Office Department of Intesa Sanpaolo Group Services.
31
•
development of company internal regulations through the issue of policies, rules and
operating processes in accordance with the standards set by the Group, the Anti-Money
Laundering Function and other competent corporate functions.
32
5 GROUP GOVERNANCE
This chapter defines the governance model drawn up to fulfil obligations concerning anti-money
laundering, combating terrorist financing and handling of embargoes at Group level and the
exchange of information flows between Group Companies, the Foreign Branches of Intesa
Sanpaolo S.p.A. and the Parent Company, in compliance with regulations in force.
5.1
General principles
Considering its broad territorial base, the Group intends to systematically adopt a global approach
to anti-money laundering, combating terrorist financing and handling of embargoes, with AML
policies, processes and procedures developed at global level and implemented in a consistent
manner in Italy and abroad.
Hence, without prejudice to compliance with specific obligations established by the legal system of
the host country, the procedures in place at Group Companies and Foreign Branches must be in
line with Group standards and ensure that information is shared at consolidated level.
For this purpose, Group Companies and Foreign Branches are obliged to adopt the provisions
established for the Parent Company by this Guidelines, adjusting them – in concert with the Parent
Company – to their organisational context in order to assign roles and responsibilities and, in the
case of Companies, submitting them to the normal approval process for the purpose of issue of
specific internal regulations.
Strategic decisions to be taken at Group level concerning management of the money laundering
and terrorist financing risk are entrusted to the Parent Company’s Corporate Bodies. The
Corporate Bodies of Group Companies must be aware of the decision made by the Parent
Company’s Corporate Bodies and are responsible, each for their own area of competence, for
implementation within their own corporate context of the strategies and policies for managing the
money laundering and terrorist financing risk. For this purpose the Parent Company involves and
informs, through the Group Head of Anti-Money Laundering, the Corporate Bodies of Group
Companies of decisions made with regard to policies, processes and procedures for managing the
money laundering and terrorist financing risk.
The Companies and the Foreign Branches must also liaise with the competent structures of the
Parent Company in order to assimilate the working methods and standards, adopting the
regulations issued by the Parent Company.
5.2
The centralised management model
For the Italian banks and companies subject to the centralised management model, the Parent
Company’s Anti-Money Laundering Function is responsible for the main obligations relating to
combating money laundering, terrorism financing, and managing embargoes.
The centralised management model requires the appointment of a local AML Representative who,
working in close functional coordination with the Parent Company, oversees the processes linked
to anti-money laundering regulations within each individual Company. The appointment and
revocation of the local AML Representative are submitted to binding opinion of the Group Head of
Anti-Money Laundering.
The local AML Representative:
33
•
•
monitors the procedures for fulfilling obligations concerning the combating of money
laundering, terrorist financing and handling of embargoes and oversees the service levels
provided by the Parent Company’s functions that are responsible for the centralised activities,
drawing the attention of the Corporate Bodies, the Group Head of Anti-Money Laundering and
the competent structures to any anomalies in the services provided and improvements made;
informing in a complete and timely manner the Group Head of Anti-Money Laundering, with
regard to aspects of specific interest, on the outcome of control activities carried out at the
Group Companies, as well as on any significant event.
With regard to the functional coordination with the Parent Company, the Local AML Officer is the
local safeguard for the Anti-Money Laundering Group Function. This safeguard is provided
through:
- timely information to the AML Group structures about any significant events which have
occurred in the bank of reference;
- the continuous collaboration with the local control structures;
- the execution of specific analysis or controls required by the Anti-Money Laundering Group
Function for cases detected centrally which require timely and targeted on-site interventions.
The centralised management model not only defines the guiding principles or minimum standards
of conduct that the Companies must adopt in managing the main obligations concerning the
combating of money laundering, terrorist financing and handling of embargoes, but also provides
that the Parent Company’s Anti-Money Laundering Function is responsible for direct performance
of the following activities:
• identification and update of the first and second level control system directed at preventing and
combating the risk of money laundering and terrorist financing: liaising with the competent
corporate units of the Group Company and of the Parent Company, the Parent Company’s
Anti-Money Laundering Function identifies the first and second level control system directed at
preventing and combating the risk of money laundering and terrorist financing and the related
control objectives. According to developments in the reference context and considering the
outcome of control activities, the Parent Company’s Anti-Money Laundering Function also
defines and arranges with the competent corporate units of the Group Company and the
Parent Company any corrective measures to be made to the first and second level control
system and related control objectives, coordinating in the release phases, the various functions
involved;
• opening of business relationships with customers and authorisation procedure: the network
units of the Group Companies ensure timely reporting of high risk customers to the Group
Head of Anti-Money Laundering, which is assigned delegation to authorise the opening and
maintaining of existing business relationships with high38 risk customers even for those
Companies. The Parent Company’s Anti-Money Laundering Function also performs on behalf
of said Companies assessment of customers which during register or update of their personal
data have been found to be included in the Sanction Lists, following investigation by the
competent corporate units of the Group Companies and the Parent Company;
• suspicious activity: the Group Companies’ operating structures carry out first level reporting of
suspicious activity in good time to the Group Delegate, to whom the legal representative of
each Company has assigned delegation for suspicious activity reporting to the FIU. The
Companies’ Control Bodies inform the Group Delegate of the violations referred to in Article 52,
paragraph 2, letter b) of Italian Legislative Decree no. 231/2007, found in performance of their
duties;
The Group Delegate acquires, directly or through the Group Companies’ structures, all the
useful information in their possession, including information contained in the AUI;
38
This authorisation is also required for persons belonging to the foreign PEPs and high risk national PEPs
and to the opening of correspondent banking current accounts, payable-through accounts and similar
accounts with credit and financial institutions of not equivalent third Countries.
34
•
•
•
•
•
•
violations established by Article 52, paragraph 2, letter a), c) and d): the control structures of
the Group Companies detect and report in good time said violations to the Parent Company’s
Anti-Money Laundering Function which through its Head, on the basis of appropriate evidence
and of the second level control activity carried out, informs the Companies’ Control Bodies, to
allow them to then inform the Supervisory Authorities or the MEF. The aforesaid Bodies can
still report violations found autonomously in performance of their duties;
supervision of the Single Electronic Archive (AUI): the Parent Company’s Anti-Money
Laundering Function and the ICT Systems Department, each within their area of responsibility
and competence, manage the AUI of the Group Companies. For this purpose a single service
centre is set up at the Parent Company pursuant to Article 37, paragraph 5 of Italian Legislative
Decree no. 231/2007;
definition of requirements of the support tools for the due diligence processes and customer
risk profiling at Group level;
reporting of payments, documents representing goods and personal data of customers found to
be included in the Sanction Lists: following investigations carried out by the competent
corporate units of the Group Company and the Parent Company, the Parent Company’s AntiMoney Laundering Function performs assessment of the transactions or customers
blocked/reported by the system and may report to the FIU any blocking of operating activity or
of funds;
preparation and certification of the questionnaire relating to the level of compliance of Group
Companies with regard to anti-money laundering and terrorist financing obligations for Foreign
Correspondents Banks, with the collaboration of the AML Representative;
preparation of periodic summary reports or specific reports in the event of particularly serious
events, for the Corporate Bodies and Top Management.
5.3
The direction, coordination and control model
The Companies of the Group and the Foreign Branches subject to the direction, coordination and
control model are required to set up their own Anti-Money Laundering Function and appoint a
Head who, in Italian Companies normally also fulfils the role of AML reporting Officer by virtue of
delegation assigned, pursuant to Article 42 of Italian Legislative Decree no. 231/2007, by the
Company’s legal representative. Appointment, revocation and performance-related pay of the
Head of the Anti-Money Laundering Function at the Group Companies and Foreign Branches are
submitted to a prior binding opinion of the Group Head of Anti-Money Laundering, having been
agreed in advance, to the extent of their expertise, with the governance structures of the Chief
Compliance Officer.
The Head of the Anti-Money Laundering Function at Group Companies and Foreign Branches:
• reports functionally to the Group Head of Anti-Money Laundering for implementation of
decisions made by the Parent Company with regard to policies, processes and procedures for
management of the money laundering and terrorist financing risk, by the Group Head of AntiMoney Laundering; functional reporting is performed by agreement with the governance
structures of the Chief Compliance Officer;
• informs the governance structures of the Chief Compliance Officer, in a complete and timely
manner, on the outcomes of control activities carried out in accordance with macro control
objectives provided by the Group Head of Anti-Money Laundering, as well as on any significant
event. In this regard it also provides half-yearly reports on issues governed by the guidelines
set forth by the Parent Company;39
39
These issues may concern the number and type of transactions reported, the number and type of high risk
customers accepted, scheduled training programmes, developments in the local regulatory context,
violations of provisions found, objections received from the competent authorities, etc.
35
•
in Companies and Branches operating abroad:
• liaises with the local Supervisory Authorities in order to gain knowledge of the legislative
framework and to operate in compliance with regulations in force in the host country,
coordinating with the Governance Structures of the Chief Compliance Officer to guarantee
compatibility with these Guidelines and to facilitate dialogue with the Italian Supervisory
Authorities. The Chief Compliance Officer’s structures assist Group Companies and
International Branches in establishing relations with the local Supervisory Authorities,
without prejudice to the responsibility of each Company/Branch to meet the specific
regulatory requirements of the country of residence;
• promptly informs – via the governance structures of the Chief Compliance Officer – the
Group Head of Anti-Money Laundering if local mandatory legislation does not permit
application of measures for anti-money laundering, combating terrorism financing and
embargo management that are equivalent to those of the European Community, so that the
Group Head of Anti-Money Laundering can in turn provide specific communication to the
Bank of Italy, pursuant to Article 11 of Italian Legislative Decree no. 231/2007.
The AML Reporting Officer of Group Companies and Foreign Branches for which the direction ,
coordination and control model is applied, transmits to the Group Delegate copy of reports sent to
the FIU or to the competent external unit40, and those dismissed, complete with motivation of said
decision, without prejudice to local rules governing banking and/or professional secrecy as was as
other local regulations (on AML) that do not hinder the transmission to the Group Delegate of the
associated reports pertaining to the Group’s relevant international subsidiaries. Transmission is
made using procedures designed to guarantee maximum confidentiality of the identity of the first
level Head making the report. In order to investigate anomalous transactions and relationships at
Group level, the Group Delegate may avail of every structure of the Group Companies, including
those for which the direction, coordination and control model is applied.
The Head of the Anti-Money Laundering Function of Group Companies and Foreign Branches is
entrusted with responsibility for authorising the execution of an occasional transaction or the
opening and maintaining of existing business relationships with high risk customers and for
assessing customers which during registration or update of their personal data are found to be
included in the Sanction Lists.
The Anti-Money Laundering Function of the Parent company defines the requirements of the
support tools utilized for the due diligence processes and customer risk profiling at the Group level.
Each company assumes, for the same customer, the higher risk profile between the profiles
assigned by all the Group companies.
The International Subsidiary Banks Division and the Corporate and Investment Banking Division,
for their areas of competence, play a supporting role to International Companies and Branches, for
the purpose of guaranteeing alignment between objectives and business objectives and the solving
of any problem areas, as well as facilitating and promoting proactive management of pertinent
obligations.
The Parent Company’s Internal Auditing Head Office Department directs and coordinates the
activity of the Auditing structures within the Group Companies and International Branches, in order
to guarantee homogeneous controls and adequate attention to the various types of risk, including
those attributable to failed observance of legislative provisions for preventing and combating
money laundering, terrorist financing and handling of embargoes.
40
Article 22 of Directive 2005/60/EC provides that reports are to be transmitted to the FIU of the Member
State in the territory of which the entity or person transmitting the information is located.
36
Governance structures of the Chief Compliance Officer define Group guidelines and monitor their
correct application by the international subsidiaries and branches covered by the direction,
coordination and control model, according to the model set out in the Group Compliance
Guidelines. Specifically, the governance structures of the Chief Compliance Officer disseminate
the general principles,41 or minimum standards of conduct that they must adopt with regard to:
• macro-objectives to be set with regard to the control system for preventing and contrasting the
money laundering and terrorist financing risk;
• customer due diligence obligations: information set and methods for carrying out customer due
diligence (identification procedures based on the type of customer, stating the data to be
acquired, profiling procedures and review of customer risk, criteria for customer acceptance
and abstention obligations);
• records keeping and retention obligations: procedures for registration, preservation and
management of information and documentation acquired from customers;
• reporting obligations: procedures for assessing suspicious activity (definition of suspicious
activity, procedures for assessing first level reports, timeliness of reports, traceability of the
assessment procedure, clear identification of responsibilities);
• enhanced obligations for transaction due diligence: processes and procedures to be adopted
when monitoring transactions performed by customers (control of customer’s operating activity,
check against the Sanction Lists);
• limitations to use of cash and bearer instruments: processes and procedures for obligations
relating to limitations to use of cash and bearer instruments;
• transaction filtering: processes and procedures relating to control of international operating
activity in compliance with regulations on embargoes (filtering of transactions, checking
counterparties and other elements included in the Sanction Lists);
• staff training: minimum contents for guaranteeing an adequate training level (type of courses
and users to whom they are addressed);
• control system: types of controls to be performed to check compliance with established
obligations and procedures for carrying them out;
• requirements for secondary application solutions.
In order to perform their tasks, the governance structures of the Chief Compliance Officer have
access to all activities of the Group companies and international branches in question, and to all
relevant information in terms of regulatory compliance, including through direct interviews with
staff.
41
International Subsidiary Banks and Foreign Branches are obliged to assess, on the basis of their own
specific characteristics, any divergences from the established organisational model. These divergences must
be assessed with the assistance of the Chief Compliance Officer’s structures and communicated to the AntiMoney Laundering Function, which shall assess and approve them.
37
6 ANNEXES
6.1 Legend of acronyms
A.M.L.
Anti Money Laundering
A.U.I.
Archivio Unico Informatico (Single Electronic Archive)
U.N.
United Nations
O.F.A.C
Office for Foreign Assets Control
U.I.F
Unità di Informazione Finanziaria (Financial Information Unit) c/o
Bank of Italy
M.E.F.
Ministry of Economy and Finance
P.E.P.
Politically Exposed Person
6.2 List of network units
The list of network units includes:
• Retail Branches;
• Corporate Branches;
• Treasury Centers
• Monte Pegni
• Corporate and Public Finance Markets – Corporate and Public Finance Department
• Teams of the International Network & Global Industries Department
• Foreign Branches of the International Network & Global Industries Department
• Corporate Affairs and Shareholdings Head Office Department
• The TEF Reporting & Correspondent Banking, Foreign & Italian Banks and Asset Management
& Insurance functions of the Global Banking & Transaction Department
38