Legal and regulatory framework

Legal role

What legal role does corporate risk and compliance management play in your jurisdiction?

In Italy, corporate risk and compliance management play an increasingly key role. Italy was one of the first countries to enact laws on legal entities’ criminal responsibility for offences committed by their directors, representatives, executives, managers, agents and employees. Legislative Decree 231/2001 has placed such responsibilities on legal entities for more than 15 years, and embraces a large variety of crimes that go far beyond anti-bribery and corruption. At the same time, enforcement of privacy rules has become increasingly effective. Naturally, sensitive legal sectors, such as banks, insurance companies and listed companies, are very specifically regulated and deeply scrutinised (according to the Banking Act 385/1993, the Insurance Act 209/2005 and the Financial Act 58/1998).

Laws and regulations

Which laws and regulations specifically address corporate risk and compliance management?

Article 2381 of the Italian Civil Code vests with the chief executive officer (under the continuing supervision of the board of directors) the task of ensuring the adequacy of the organisational, administrative and accounting set-up of the corporation. The above provision, which is interpreted as a general principle and is therefore applied to limited liability companies too, is intended to establish the duty of the directors to organise the business in a way that reduces the risk of non-compliance.

As far as listed companies are concerned, the Italian legal and regulatory framework provides for certain additional corporate bodies and procedures aimed at addressing corporate risk and compliance management. In particular:

  • pursuant to article 154-bis of the Financial Act 58/1998, listed companies shall appoint a manager in charge of preparing the company’s financial reports and ensuring that appropriate administrative and accounting procedures are put in place in connection therewith;
  • pursuant to article 123-bis of the Financial Act 58/1998, the board of directors of listed companies shall publish, on a yearly basis, a report on corporate governance providing information on, inter alia, the risk management and internal audit systems adopted by the company in relation to the financial reporting process; and
  • article 7 of the Code of Conduct for Listed Companies - which sets forth best practice standards for listed companies’ corporate governance on a ‘comply or explain’ approach - recommends adoption of an internal control and risk management system that shall consist of policies, procedures and organisational structures aimed at identifying, measuring, managing and monitoring the main risks concerning listed companies.

Moreover, pursuant to the above-mentioned provisions, it is recommended that listed companies set up a control and risk committee. The committee shall be charged, among other things, with supporting the evaluations and decisions made by the board of directors in relation to the company’s internal control and risk management system. For further information concerning the laws and regulations on corporate risk and compliance management of listed companies, see questions 6 and 7 below.

With respect to banks, the Bank of Italy’s Regulation 285/2013 establishes a comprehensive regulatory framework in connection with banks’ risk and compliance management. The general aim of the relevant provisions is setting up an integrated and effective internal control system in order to:

  • regularly monitor business operations and ongoing compliance with the applicable laws and regulations, and check the adequacy of the banks’ organisation and accounting arrangements;
  • adequately monitor all business risks; and
  • ensure information flows that allow management to make informed decisions.

Also, with regard to insurance companies and in line with the new Solvency II regulatory framework, Legislative Decree 209/2005 and Institute for the Supervision of Private Insurance and Collective Interest (ISVAP) Regulation 20/2008 provide for the implementation of an appropriate internal controls system, ensuring:

  • the efficiency and effectiveness of corporate processes;
  • adequate control of present and perspective risks;
  • the reliability and integrity of accounting and management information;
  • protection of assets from a medium and long-term perspective; and
  • compliance of the insurance companies’ activities with current legislation.

Large undertakings are also subject to Legislative Decree 39/2010 (on the auditing of their accounts), which, effective from 1 January 2017, now provides, for those exceeding certain dimension thresholds, the obligation to publish a non-financial statement containing information on the undertaking’s activity impact on environmental, social and employee matters, respect for human rights, anti-corruption and bribery matters.

Compliance violations may trigger a broad range of consequences. First of all, pursuant to article 2049 of the Italian Civil Code and article 185 of the Italian Criminal Code, legal entities are responsible for civil damages resulting from violations committed by their representatives and employees in the exercise of their functions or roles.

Moreover, pursuant to article 197 of the Italian Criminal Code and article 6 of Law 689/1981, legal entities are jointly liable for the fines levied against their representatives and employees for offences committed in the exercise of their functions or roles.

Since 2001, pursuant to Legislative Decree 231, a legal entity is also criminally liable for certain offences committed by its directors, representatives, executives, managers, agents and employees when the crime has been committed in the interests or to the benefit of the legal entity. Legal entities may exculpate themselves from such criminal responsibility only if very strict conditions are satisfied. The long list of crimes that trigger the criminal responsibility includes bribery; corporate crimes; forgery; money-laundering; health and safety and environmental crimes; cybercrimes; conjuring; insider trading and market abuse; copyright crimes; and many others. Legislative Decree 231 applies to legal entities incorporated in Italy, Italian branches of foreign legal entities, partnerships and associations with or without legal personality.

Specific additional rules apply to state-owned companies (Law 190/2012) that must adopt specific anti-corruption measures.

From 25 May 2018, the General Data Protection Regulation 679/2016 has direct application in Italy.

Standards and guidelines

Give details of the main standards and guidelines regarding risk and compliance management processes.

Listed companies can voluntary adopt the Code of Conduct for Listed Companies issued by the committee for corporate governance. The Code of Conduct describes, inter alia, the main features of an effective internal control system and risk management; in particular, it requires companies to:

  • adopt a control system consisting of rules, procedures and an organisational structure aimed at identifying, monitoring and managing compliance risks; and
  • promote cooperation and communication between the executives and control bodies (ie, the statutory auditors, internal audit, control and risk committee, etc).

It is important to note that if a listed company decides not to adopt the Code of Conduct (wholly or partially), it is bound to the ‘comply or explain’ principle and the directors will be required to explain the reason for non-application.

The association of entrepreneurs has issued guidelines that provide a methodological approach in order to identify and address compliance risks and draft compliance shields to benefit of the exemption from criminal responsibility pursuant to Legislative Decree 231/2001. Indeed, legal entities can be exempt from criminal responsibility for offences committed by their directors, managers, agents or employees in the interest or to the advantage of the legal entity only if they adopt and effectively implement internal policies, rules and procedures and appoint a special supervisory body (a 231 compliance shield). The association of entrepreneurs’ guidelines require, inter alia:

  • assessing risks of crime, mapping the company’s risk areas and identifying potential gaps;
  • adopting and implementing a code of ethics and a disciplinary code;
  • establishing a whistle-blowing procedure;
  • training employees and executives;
  • carrying out monitoring and inspections; and
  • regularly updating and upgrading the compliance rules and the functioning of the system.

In that respect, it is worth remembering that Italian law 179/2017 has recently implemented a general regulation for whistle-blowing on top of specific provisions already contained in the Financial Act, the Banking Act and the Anti-Money Laundering Act.

As mentioned, banks and insurance companies are required to implement risk management and compliance functions aimed at carrying out risk and compliance management pursuant to mandatory law and regulatory provisions. In relation to banks, on 26 September 2017, the European Banking Authority published its guidelines on internal governance (including internal control systems) under Directive 2013/36/UE (EBA/GL/2017/11). In particular, these guidelines provide that a bank’s risk management function should be established and should:

  • be actively involved in elaborating an institution’s risk strategy and in ensuring that the bank has effective risk management process in place;
  • be involved in the evaluation of the impact of such changes on the bank’s overall risk, before decisions on material changes or exceptional transactions are taken; and
  • ensure that all risks are identified, assessed, measured, monitored, managed and reported on by the relevant units in the institution.

In addition, these guidelines recommend that institutions establish a permanent and effective compliance function to manage compliance risk.

Compliance function should:

  • advise the management body on measures to be taken to ensure compliance with applicable laws, rules, regulations and standards;
  • verify that new products and new procedures comply with the current legal framework; and
  • ensure that the compliance policy is observed.

Are undertakings domiciled or operating in your jurisdiction subject to risk and compliance governance obligations?

Italian subsidiaries or branches of foreign legal entities are fully subject to Legislative Decree 231/2001 on criminal responsibilities of legal entities for offences committed by their directors, managers, agents or employees. To exculpate from those criminal responsibilities, Italian subsidiaries and branches of foreign entities must comply with the same requirements as all other undertakings incorporated or operating in Italy. Those requirements include the adoption and implementation of an effective set of internal rules and procedures and the appointment of an independent supervisory body, adequately budgeted and with direct reporting to the board of directors.

Italian branches of EU banks and of Canadian, Japanese, Swiss and US banks shall not apply Italian regulatory provisions to internal control systems (including the risk and compliance process). However, the legal representative of such branches shall attest compliance by the relevant branch with the applicable Italian laws and regulations.

EU banks operating on a cross-border basis are not required to comply with said provisions owing to the circumstance that they shall already comply with their EU home member state regulations (equivalent to Italian provisions).

Italian branches of non-EU banks (different from those referred to above) shall comply with the same regulatory provisions on internal control systems (including the risk and compliance process) applicable to Italian banks. Non-EU banks operating on a cross-border basis are not required to comply with said provisions (however they shall obtain authorisation from the Bank of Italy assessing the equivalence of provisions applicable to non-EU banks, pursuant to their local law).

EU insurances companies operating in Italy through a branch or on a cross-border basis shall comply with Solvency II provisions on risk and compliance management (equivalent to Italian regulations).

Italian branches of non-EU insurance companies shall comply with Italian regulatory provisions on internal control systems (including risk management and compliance). Non-EU insurance companies cannot carry out insurance activities in Italy on a cross-border basis.

The GDPR 679/2016 applies to any processing of data within the context of the activities of the EU establishment of a data controller or data processor, even if the processing is carried out outside of the EU. In many important instances the GDPR also applies to data controllers or processors not established in the EU.

What are the key risk and compliance management obligations of undertakings?

Violation of compliance rules may expose undertakings to actions for civil damages, administrative fines and, in more than one case, to criminal responsibilities. With respect to Legislative Decree 231/2001, in addition to monetary sanctions, courts may order the publication of the judgment on the press, disqualify the undertaking from contracting with public administrations, inhibit the business of the undertaking (or specific lines of business) and even appoint trustees or commissioners that replace the managing bodies of the undertakings. Conditions to go exempt from criminal responsibilities are explained in question 7.

Banks should adopt adequate measures and procedures in order to ensure the proper and sound management of their business. In particular, banks should establish:

  • a second-level control function:
  • a comprehensive risk management function, which would have sufficient authority, stature, and resources taking into account the proportionality criteria, to implement risk policies and the risk management framework within the relevant bank. The risk management function, inter alia, should be actively involved at an early stage in elaborating the bank’s risk strategy and in ensuring that the same bank has effective risk management processes in place; and
  • a permanent and effective compliance function to manage its compliance risk, which should be able to report directly, where appropriate, to the management body in its supervisory function. The compliance function should be independent of the business lines and internal units it controls and have sufficiently authority, stature and resources to carry out its tasks;
  • a third-level control function:
  • an independent and effective internal audit function, in charge of reviewing control activities carried out by the relevant business line and by risk management and compliance functions. Internal audit function should be independent and ensure that the monitoring tools and risk analysis methods are in adequacy with the bank’s size, locations and the nature, scale and complexity of the risks associated with the bank’s model and business activities and risk culture and risk appetite.

It is worth mentioning that the internal governance arrangements and processes mentioned above should apply, mutatis mutandis, to insurance companies. In this regard, insurance companies should establish, in addition to the above, the actuarial function, which shall, inter alia:

  • coordinate the calculation of technical provisions;
  • ensure the appropriateness of the methodologies and underlying models used as well as the assumptions underlying the calculation of technical provisions; and
  • assess the sufficiency and quality of the data used in the calculation of technical provisions.

The GDPR 679/2016 dictates a number of assessments, actions and controls aimed at the protection of personal data. Violations can generate very high fines and may also trigger inhibitions.