On 15 February 2019, the Italian Institute for Insurance Supervision (IVASS) published the Regulation n. 44 (hereinafter, the “Regulation”), which implements Legislative Decree n. 231 of 21 November 2007, as amended by Legislative Decree 25 May 2017, no. 90 (the “AML Decree”), laying down new provisions on the anti-money laundering and terrorist financing organization, procedures, internal controls and customer due diligence for insurance companies and intermediaries.
Without any claim to being exhaustive, we highlight the main innovations contained in the Regulation.
ii. Scope of application
Consistently with the provisions under AML Decree, the Regulation confirms the extension of the scope of application to EU and EEA insurance undertakings and intermediaries operating in Italy without permanent establishment.
The dimensional and organizational requirements for identifying the entities falling within the Regulation’s scope of application will be defined by IVASS regulation, containing provisions on risk mitigation procedures.
Based on the dimensional and organizational requirements, the entities operating “without permanent establishment” in Italy will be required to adopt the controls and procedures set by the Regulation, assigning the responsibility to assess and manage the AML/CTF risks - to which the undertaking is exposed in relation to insurance products sold in Italy through insurance intermediaries - to the relevant competent function set up in the home country.
iii. Main innovations: internal controls system
General principles. The obligations envisaged in the Regulations for undertakings regarding the objectives of corporate governance and internal controls system, culture of internal control, information flows and communication channels, are now detailed, including the minimum requirements for Italian branches of EEA/non-EEA undertakings.
AML/CTF policies. To ensure consistency with the effective exposure to the AML/CTF risks, undertakings shall define a corporate policy identifying the strategic guidelines, organizational structures, policies and internal controls, data retention, customer due diligence as well as integrity, professional and independence requirements of the head of the AML function and, if different, of the suspicious transactions’ manager.
The approval of such policy lies with the management body (i.e. board of directors or, for companies that have adopted the dualistic model, the management board or, for branches, the general representative); top management (i.e. CEO or general manager, as well as senior management responsible for decision-making and implementation of strategic guidelines), on one hand, takes care of the implementation of the strategic guidelines and of the risk management policy defined by the management body and, on the other, defines in a specific analytical document the concrete decisions adopted.
It is interesting to point out the decisions adopted by the management body of undertakings with registered offices in Italy controlled by a foreign company (or, as appropriate, of Italian branches of EEA/non-EEA undertakings) will prevail over those adopted by the relevant body of the last foreign parent company (or the general management of the undertaking), when they involve the application of more stringent customer due diligence measures, abstention, reporting of suspicious transactions or any communication or transmission of data, documents and information to the Authorities. The same principle of “independence” of the local body is expressed with regards to the control body.
AML organizational safeguards. In order to ensure its independence, the AML function is now expressly guaranteed a direct interlocution with the management body – which retains the responsibility for appointing and revoking the head of the function – as well as the control body.
Another innovation regards the outsourcing of the AML function, since rules have been significantly expanded: while current legislation establishes that a "head" of the outsourced function must be appointed with the task of merely monitoring the performance of the provider, the Regulation now provides that when the AML function is outsourced, it will be necessary to appoint an internal "owner" (instead of a "head"), which will be entrusted with the overall responsibility of the outsourced function.
It is noted that for branches established in Italy the Regulation does not specify whether the general representative can also be the "owner" of the outsourced AML function; however, mutatis mutandis, it seems reasonable to state that if direct responsibility of the function can lie with the general representative, the same can also get the "ownership" of the outsourced function.
Moreover, undertakings shall observe specific outsourcing requirements even if such activity is limited to the acquisition and storage of data, information and documents prescribed by law. In any case, the possibility of relying on outsourcing, even within a group, is subject to the reduced scope and complexity of the intrinsic AML/CTF risks as well as to the failure to fulfil the criteria of economy, efficiency and reliability.
Insurance groups. The parent company - in the exercise of management, coordination and control activities - is asked to guarantee a prompt and homogeneous identification of the AML/CTF risks to which the group is exposed. The obligations to be borne by the parent company are declined in greater detail (e.g. with reference to the obligations on suspicious transactions reporting, the centralized model – with delegation conferred to a group delegate – may be applied by an Italian group only to subsidiaries based in Italy).
Insurance intermediaries. Since the AML Decree included such insurance intermediaries within the definition of "banking and financial intermediaries", this has led to the need to regulate obligations of data protection and record-keeping.
To this end, in compliance with the principle of proportionality, the Regulation: identifies the requirements that insurance intermediaries must comply with in order to outsource – if any – data protection and record-keeping to third parties, including the same reference undertakings; provides for the obligation for Italian undertakings and those established without branch to assume the role of outsourcer, when this is required by the insurance intermediary (taking into account that undertakings bear similar obligations related to the same data, documents and information collected by insurance intermediaries); allows, under certain conditions, insurance intermediaries to avail themselves of EEA undertakings operating in Italy without permanent establishment.
Regarding customer due diligence, it is provided that the activities to be carried out by insurance intermediaries in relation to identification and retention of data, documents and information are carried out by the undertakings, under certain conditions.
iv. Main innovations: customer due diligence
Identification of the beneficial owner. It is established that, at the time of designation, the following identification data must be acquired: name and surname, place and date of birth; in the case of subjects other than a natural person, name, registered office, registration number in the register of companies or in the register of legal entities or, alternatively, tax code number. Therefore, at the time of the liquidation of the provision or of the application of enhanced customer due diligence measures, the remaining beneficial owner identification data must be acquired (i.e. registry office and, if different, domicile; details of the identification document and tax code for natural persons).
Purpose and nature of the relationship / operation. The Regulation mainly specifies the aspects that the obliged subjects should be taken into consideration in order to acquire the information for assessing the purpose and nature of the relationship or transaction.
Remote customer due diligence. In line with provisions adopted by other European countries, the Regulation defines a detailed procedure conducted through digital audio / video recording instruments, when reliable and high-tech solutions are used.
Data-retention obligations. The Regulation details the necessary conditions to outsource the activity of data-retention to third parties, referring, as regards the concrete technical specifications, to subsequent provisions of IVASS on the retention of data and information in computerized systems.
Simplified measures. With reference to the simplified customer due diligence measures, the Regulation has adapted to the AML Decree, which no longer provides for exemptions for the cases ex-lege qualified as of low-risk, but it assigns to the companies the task of identifying specific business relationships and low-risk operations to which simplified measures can be applied, characterized by a lower extension and frequency of requirements.
Enhanced measures. Regarding the enhanced obligations of customer due diligence, the Regulation identifies high risk factors that always require enhanced measures, pursuant to the AML Decree, which states detailed rules in this regard.
Performance by third parties. The most significant innovation consists in the possibility for companies to rely on insurance intermediaries to meet the customer due diligence requirements, apart from ongoing monitoring of the business relationship.
v. Entry into force
The Regulation will become effective as of 1 May 2019 (and will apply also to business relationships existing at that date), except for the new provisions on internal controls which insurance undertakings and intermediaries operating in Italy will have to comply with by 31 December 2019 (the relevant resolutions will need to be adopted by September 2019); such new rules on internal controls will also apply to insurance intermediaries starting from the entry into force of the provisions on risk mitigation procedures (see above).
Furthermore, it is expected that undertakings will have to amend remunerations and outsourcing policies in order to comply with the requirements set by the Regulation; such policies will have to be submitted to the shareholders’ meeting for approval within the deadline for the approval of 2018 financial statement: undertakings may be therefore requested to amend the policies before this May.