AML requirements for covered institutions and individuals

Enforcement and regulation

Which government entities enforce the AML regime and regulate covered institutions and persons in your jurisdiction? Do the AML rules provide for ongoing and periodic assessments of covered institutions and persons?

The AML rules strictly provide for ongoing and periodic assessments of covered institutions and persons.

The government entity that enforces Italy’s AML regime is, initially, the Ministry for Economy and Finance, which is responsible for the policies to prevent use of the financial system for the purpose of money laundering and terrorism financing, and which is supported in its task by the Financial Security Committee (articles 4 to 6 of Legislative Decree No. 231 of 21 November 2007 (the 2007 Decree)). In general terms, and with some exceptions, the Ministry for Economy and Finance is also responsible for applying the administrative sanctions provided for by the AML regime.

In this sphere, a crucial function for the purposes of enforcing the AML regime is performed by the Financial Intelligence Unit (FIU), which operates autonomously at the Bank of Italy and is responsible for obtaining, analysing and exploiting the information on suspicious transactions reported to it by the relevant subjects (article 6 of the 2007 Decree). The FIU can also suspend, for a maximum period of five working days, transactions suspected of involving money laundering or terrorism financing.

In addition, a significant role for the purposes of enforcing the AML regime is performed by the Financial Police (in particular, the Special Foreign Exchange Unit), which operates in strict coordination with the FIU and carries out investigations (including inspections) relating to the ‘suspicious transactions’.

Finally, in the frame of the AML regime, a relevant role is also played by financial sector supervisory authorities (such as the Bank of Italy or the Institute for the Supervision of Insurance for insurance companies) and professional associations (with respect to accountants, lawyers, notaries public, etc), which have to cooperate with the above-mentioned AML authorities for the purpose of supervising and assessing the compliance of the relevant subjects with the AML obligations.

Where the suspicious transactions are potentially linked to organised crime, the relevant information must also be reported to the Bureau of Anti-Mafia Investigation, which can consequently carry out its ordinary powers.

Covered institutions and persons

Which institutions and persons must have AML measures in place?

The relevant ‘categories of subjects’ on which the AML measures are imposed are listed by article 3 of the 2007 Decree (and substantially correspond to the categories listed by article 2 of the Third EU Money Laundering Directive (Directive 2005/60/EC (the Third EC Directive)) and by article 2 of the Fourth EU Money Laundering Directive (the Fourth EU Directive)). They are, in essence, the following:

  • banking and financial intermediaries and other financial operators (article 3 of the 2007 Decree): this category is extremely broad and includes banks, Poste Italiane SpA, electronic money institutions, Italian investment firms, insurance companies, stockbrokers, etc, including the Italian branches of these entities that have their registered office in a foreign country;
  • professionals, such as accountants, auditors and, under certain conditions, notaries public and lawyers (article 3 of the 2007 Decree);
  • ‘other non-financial operators’ (ie, those carrying on the activities of the trading of antiquities, the managing of art galleries, the custody and transport of cash and titles, the collection of credits, etc) (article 3 of the 2007 Decree); and
  • providers of gambling services: subjects carrying on the activities of managing gambling houses, offering gambling with cash awards through the internet, etc (article 3 of the 2007 Decree).
Compliance

Do the AML laws applicable in your jurisdiction require covered institutions and persons to implement AML compliance programmes? What are the required elements of such programmes?

The 2007 Decree imposes on relevant ‘categories of subjects’ certain AML obligations, the most significant of which are the following:

  • customer due diligence obligations: such obligations, which are provided for by articles 17 to 30 of the 2007 Decree, are substantially the same as those laid down by articles 6 to 19 of the Third EC Directive and articles 10 to 31 of the Fourth EU Directive. They mainly consist of the following activities:
    • identifying the customer and verifying the customer’s identity on the basis of documents, data or information obtained from a reliable and independent source;
    • identifying the beneficial owner and verifying his or her identity;
    • obtaining information on the purpose and the intended nature of the business relationship or professional service; and
    • conducting of ongoing monitoring in the course of the business relationship or professional service;
  • with respect to the beneficial ownership of legal entities and trusts, the provisions of the Fourth EU Directive and of the 2007 Decree (respectively, articles 30 to 31 and articles 20 to 21) impose a specific duty to provide, and to hold in a special central register, relevant information;
  • record-keeping obligations: such obligations, which are provided for by articles 31 to 34 of the 2007 Decree, are substantially the same as (and to a certain extent even stricter than) those laid down by article 30 of the Third EC Directive and articles 40 to 44 of the Fourth EU Directive. They mainly refer to the retention of relevant documents and the recording of relevant information, and to the periodic sending to the FIU of the aggregate data on their business activity; and
  • reporting obligations: according to articles 35 to 42 of the 2007 Decree, the relevant subjects mentioned above must disclose to the Financial Intelligence Unit ‘suspicious transactions’ relating to money laundering and terrorism financing. Failure to report a ‘suspicious transaction’ does not amount to a criminal offence but is penalised by the imposition of fines and other administrative sanctions (articles 58 to 61 of the 2007 Decree).
Breach of AML requirements

What constitutes breach of AML duties imposed by the law?

The 2007 Decree provides that breach of the relevant AML duties is punishable with criminal and administrative sanctions.

Criminal offencesViolation of the ban on communication (article 55, paragraph 4 of the 2007 Decree)

The 2007 Decree provides that the persons subject to reporting obligations must not inform the interested party or third parties that a report of a suspicious transaction has been made or that an investigation is being or may be conducted into money laundering or terrorism financing.

Anyone who violates this ban on communication is punished with imprisonment for between six months and one year and a fine of between €5,000 and €30,000 (unless the act constitutes a more serious crime). The mens rea required is negligence.

Forgery in customer due diligence (article 55, paragraph 1 of the 2007 Decree)

Anyone who, being subject to the provisions on customer due diligence, falsifies the data and information concerning the client, the beneficial owner, the executor and the scope and nature of the continuous relationship, professional service or transaction is punished with imprisonment for between six months and three years and with a fine of between €10,000 and €30,000. The mens rea required is intent.

Forgery in record-keeping obligations (article 55, paragraph 2, of the 2007 Decree)

Anyone who, being subject to the record-keeping obligations, acquires false data or untrue information concerning the client, the beneficial owner, the executor and the scope and nature of the continuous relationship, professional service or transaction, or who uses fraudulent means for the purpose of jeopardising the correct keeping of such data and information, is punished with imprisonment for between six months and three years and with a fine of between €10,000 and €30,000. The mens rea required is intent.

Further, the 2007 Decree provides as an additional criminal offence the conduct of a client or executor of a transaction who provides false data or untrue information for the purposes of customer due diligence. Punishments are imprisonment for between three months and one year and a fine of between €1,500 and €10,000 (article 55, paragraph 3 of the 2007 Decree).

Administrative violationsFailure to carry out customer due diligence and to comply with the duty to abstain (article 56 of the 2007 Decree)

Subjects who, in violation of the provisions on customer due diligence, fail to acquire and verify the identification data and information on the client, the beneficial owner, the executor and the scope and nature of the continuous relationship, professional service or transaction, or who in situations where a high risk of money laundering or of terrorism financing exists fail to proceed to enhanced customer due diligence, are punished with an administrative fine of between €3,000 and €80,000. The mens rea required is negligence.

The same punishments apply to subjects who, even where it is objectively impossible to carry out the customer due diligence activity, do not comply with the duty to abstain and carry out the relevant transaction or professional services. The mens rea required is negligence.

Such punishments are tripled, both for the minimum and maximum amounts, in cases of serious, repeated, systematic or multiple violations.

Failure to carry out record-keeping obligations (article 57 of the 2007 Decree)

The subjects who, in violation of the record-keeping obligations, fail, totally or partially, to keep the data, documents and information required, or carry out such obligations in an untimely manner, are punished with an administrative fine of between €3,000 and €80,000. The mens rea required is negligence.

Such punishments are tripled, both for the minimum and maximum amounts, in cases of serious, repeated, systematic or multiple violations.

Failure to report ‘suspicious transactions’ (article 58, paragraph 1 of the 2007 Decree)

Failure to report suspicious transactions, or to report them in a timely manner, is punished with an administrative fine of between €30,000 and €300,000. The mens rea required is negligence.

Such punishments are tripled, both for the minimum and maximum amounts, in cases of serious, repeated, systematic or multiple violations.

Failure to comply with the suspension measure (article 58, paragraph 3 of the 2007 Decree)

The FIU has the power to suspend transactions suspected of involving money laundering or terrorism financing for a maximum period of five working days. Failure to comply with this suspension measure is punished with an administrative fine of between €30,000 and €300,000. The mens rea required is negligence.

Such punishments are tripled, both for the minimum and maximum amounts, in cases of serious, repeated, systematic or multiple violations.

Customer and business partner due diligence

Describe due diligence requirements in your jurisdiction’s AML regime.

The most significant customer due diligence obligations are the following:

  1. identifying the customer and verifying the customer’s identity on the basis of documents, data or information obtained from a reliable and independent source;
  2. identifying the beneficial owner and verifying his or her identity;
  3. obtaining information on the purpose and the intended nature of the business relationship or professional service; and
  4. conducting ongoing monitoring in the course of the business relationship or professional service.

 

In particular, the due diligence required to initiate a new client relationship comprises (1) and (2). This activity can also be carried out by employees and collaborators of the person concerned (article 19 of the 2007 Decree).

The verification procedure is based on a valid identity document and other documents, data or information obtained from an independent and reliable source. It must be carried out before the continuous relationship begins or before obtaining the mandate for the provision of services or the execution of an occasional transaction (article 18 of the 2007 Decree). If the customer is an entity, identification and verification of its representatives that have the power to sign for the transaction must be carried out.

With respect to the beneficial ownership of legal entities and trusts, provisions of the Fourth EU Directive and the 2007 Decree (respectively, articles 30 to 31 and articles 20 to 21) impose a specific duty to provide, and to hold in a special central register, relevant information that should then be accessed by the relevant ‘categories of subjects’ at the time of customer due diligence.

As far as the concept of beneficial owner is concerned in relation to legal entities, Italian law provides that the beneficial owner is the individual who has direct or indirect ownership of the legal entity or its control. Direct ownership comprises the ownership by an individual holding more than 25 per cent of the capital of the legal entity; ownership is considered indirect where the same sharing of more than 25 per cent is owned through controlled companies, fiduciaries or intermediaries. If the mentioned criteria do not suffice, then additional criteria should be taken into account, such as: control of the majority of the votes in the shareholders’ meeting of the legal entity; control of sufficient votes to exercise a dominant influence in the shareholders’ meeting of the legal entity; or the existence of particular contractual relations that allow the exercise of a dominant influence on the legal entity. If these criteria also do not suffice, the beneficial owner is considered to be the individual who has the power to manage or direct the legal entity (article 20 of the 2007 Decree).

For existing clients, the ongoing due diligence required consists of analysing each transaction performed in the course of the relationship. In that case, the verification procedure comprises ascertaining the consistency of each transaction with information in possession of the person, subject to the obligations of the 2007 Decree (in terms of the business activity and the risk profile of the client, etc), and keeping such information up to date.

Further, customer due diligence must be carried out by the relevant ‘categories of subjects’ as well as for:

  • occasional transactions involving means of a payment of €15,000 or more, even when they are simply go-between entities to transfers among different people;
  • the presence of a suspicion of money laundering or terrorism financing; and
  • the presence of doubts about the veracity or adequacy of the information given by the customer (article 17 of the 2007 Decree).

 

In the case of a low risk of money laundering or terrorism financing, the verification procedure explained above can be postponed to after the start of the continuous relationship or after obtaining the mandate for the provision of services, where this is necessary for the ordinary management of the relevant activity. In that case, however, the verification procedure must be completed as soon as possible, and in any case within 20 days of the start of the relationship or obtaining the mandate. Where there is an objective impossibility to complete the verification procedure within 20 days, the relevant subjects must abstain from carrying out the relevant transaction or professional services, and they must evaluate whether, in the presence of the necessary requirements, to report the existence of a suspicious transaction (article 18, paragraph 3 of the 2007 Decree).

The same procedure explained above for low risks of money laundering or terrorism financing applies to professionals for cases in which they examine the customers’ legal position or perform an activity of defence or representation of the customers in the frame of a legal proceeding before a judicial authority, including advice given on the convenience of starting or avoiding a legal proceeding (article 18, paragraph 4 of the 2007 Decree).

High-risk categories of customers, business partners and transactions

Do the AML rules applicable in your jurisdiction require that covered institutions and persons conduct risk-based analyses? Which high-risk categories are specified? What level of due diligence is expected in relation to customers assessed to be high risk?

Yes, the Italian AML rules provide that detailed risk-based analyses must be conducted by the relevant subjects. In particular, the customer due diligence obligations (and the related identification procedures) must be calibrated to the risk associated with the type of customer, continuous relationship, professional service, operation, product or transaction in question (articles 15, 16 and 17 of the 2007 Decree). The mentioned relevant subjects must be able to demonstrate that the extent of the measures adopted is appropriate in view of the risk of money laundering or terrorism financing. The risk must be assessed on the basis of the following criteria:

  • with reference to the customer:
    • the legal form;
    • the principal activity;
    • behaviour at the time the transaction was carried out, the continuous relationship was established or the professional service was performed; and
    • the geographical area in which the residence or business office of the customer or counterparty is located; and
  • with reference to the transaction, continuous relationship or professional service:
    • the type of transaction, continuous relationship or professional service;
    • the manner of performing the transaction, continuous relationship or professional service;
    • the amount;
    • the frequency of the transactions and the duration of the existing relationship or professional service;
    • the reasonableness of the transaction, existing relationship or professional service in relation to the customer’s activity and his or her economic resources; and
    • the geographical area of the destination of the product, the object of the transaction, the continuous relationship or the professional service (article 17, paragraph 3 of the 2007 Decree).

 

Further, where there is a greater risk of money laundering and terrorism financing, and always in the specific cases indicated below, the relevant subjects must apply enhanced due diligence measures (article 24 of the 2007 Decree):

  • when the customer is resident in high-risk third countries as identified by the EU Commission;
  • in the case of correspondent accounts with non-EU respondent financial institutions; and
  • in respect of transactions, continuous relationships or professional services with politically exposed persons (PEPs). For the purposes of Italian law, PEPs are individuals who are or have been entrusted with prominent public functions and the immediate family members and persons known to be close associates of those persons.

 

Finally, with respect to shell banks and anonymity, Italian law provides that financial intermediaries cannot open or maintain, even indirectly, correspondent accounts with a shell bank (article 25, paragraph 3 of the 2007 Decree) and that the relevant subjects must pay special attention to products or transactions that might favour anonymity and take measures, if needed, to prevent their use for money laundering or terrorism financing purposes (article 24, paragraph 2 of the 2007 Decree).

Record-keeping and reporting requirements

Describe the record-keeping and reporting requirements for covered institutions and persons.

Record-keeping obligations mainly refer to:

  • the retention of relevant documents and the recording of relevant information (for a period of 10 years after the relationship or professional service has ended, or following the carrying out of the transaction or the end of the relationship or professional service (articles 31 to 32 of the 2007 Decree); and
  • the periodic sending by relevant subjects to the FIU of the aggregate data on their business activity (article 33 of the 2007 Decree).

 

With regard to reporting obligations, the 2007 Decree imposes, in essence, on the relevant subjects, and first of all on the banking and financial intermediaries, the duty to report to the FIU ‘suspicious transactions’ relating to money laundering or terrorism financing (articles 35 to 41 of the 2007 Decree).

In particular, the relevant subjects must send a report of any ‘suspicious transactions’ to the FIU whenever they know, suspect or have reason to suspect that money laundering or terrorism financing is being or has been carried out or attempted. The suspicion may arise from the characteristics, size or nature of the transaction or from any other circumstance ascertained as a result of the function carried out, also taking into account the economic capacity and the activity engaged in by the person in question, on the basis of the information available to reporters, that has been acquired in the course of their work or following the acceptance of assignment (article 35 of the 2007 Decree).

There is an element of suspicion in the frequent or unjustified carrying out of cash transactions, even if these do not exceed the relevant threshold of €2,000, and, in particular, in cash withdrawals or cash deposits through financial intermediaries for amounts that are not coherent with the risk profile of the customer.

For the purpose of facilitating the identification of suspicious transactions, ‘anomaly indicators’ are issued and periodically updated by the FIU.

Reports must be made without delay – where possible, before the transaction is effected – as soon as the person required to make a report has grounds for suspicion.

Persons required to make a report must not execute the transaction until a report has been made, unless it is impossible not to execute it owing to the existence of duties provided for by law or given the nature of the transaction, or if not executing it could obstruct the investigation (article 35 of the 2007 Decree).

As far as reporting obligations for professionals are concerned (notaries public, lawyers, etc), professionals do not have to report ‘suspicious transactions’ if the relevant information is obtained in the frame of the examination of the customers’ legal position or in the performance of an activity of defence or representation of the customers in the frame of a legal proceeding before a judicial authority, including advice given on the convenience of starting or avoiding a legal proceeding, where such information is obtained before, during or after the mentioned legal proceeding (article 35, paragraph 5 of the 2007 Decree).

With respect to the modalities of reporting for professionals, the 2007 Decree, together with its implementing regulations, provide that they must report directly to the FIU or to the professional association to which they belong (eg, the bar for lawyers), which in turn must report to the FIU, keeping the source confidential (and keeping a record of the data of the reporter, in view of potential additional requests by the FIU or the financial police, or both) (article 37 of the 2007 Decree).

Privacy laws

Describe any privacy laws that affect record-keeping requirements, due diligence efforts and information sharing.

First, the 2007 Decree expressly provides that reports of suspicious transactions carried out in good faith for the purposes of the AML regulations do not constitute a violation of secrecy requirements, professional secrecy or any limits to the communication of information imposed by contract or by laws, regulations or administrative provisions. Additionally, such reports do not generate liability of any kind, even where the person making the report is unaware of the underlining criminal activity and regardless of the performance of a criminal activity (article 35, paragraph 4 of the 2007 Decree).

Second, with respect to the relevant AML authorities, the 2007 Decree provides that all the information in possession of the FIU, financial sector supervisory authorities, interested administrative bodies, professional associations, etc, must be covered by professional secrecy, including in relation to the public administration. However, professional secrecy cannot be invoked with respect to the judicial authorities when the information requested is needed for investigations into criminal matters (article 12, paragraph 7 of the 2007 Decree).

In any case, by way of express derogation to secrecy, the law provides that the financial sector supervisory authorities must cooperate with each other and with the FIU, including by exchanging information, to facilitate the performance of their respective functions.

Further, and always by way of express derogation to secrecy, the law provides that the FIU may exchange information and cooperate with analogous authorities of other states that pursue the same purposes, subject to reciprocity, and may conclude specific protocols to this end. In particular, the FIU may exchange data and information concerning suspicious transactions with analogous authorities of other states (article 13 of the 2007 Decree).

Information received from foreign authorities may be transmitted by the FIU to the competent Italian authorities, except where permission to do so is explicitly denied by the foreign authority (article 13, paragraph 1 of the 2007 Decree).

Finally, with regard to the protection of privacy of the individuals who make reports, the 2007 Decree provides that persons with reporting obligations, the FIU, the financial police, etc, must adopt adequate measures to ensure the maximum protection of the identity of the individuals who make reports (article 38 of the 2007 Decree).

Resolutions and sanctions

What is the range of outcomes in AML controversies? What are the possible sanctions for breach of AML laws?

The 2007 Decree provides that breach of the relevant AML duties is punishable with criminal and administrative sanctions.

As far as the criminal sanctions are concerned, owing to their peculiar nature, plea bargaining is admitted only to a very limited extent.

With regard to the administrative violations, they are not applied by public prosecutors but by the Ministry for Economy and Finance in the course of administrative proceedings governed by administrative law (in particular, Law No. 689/1981 regulating administrative sanctions).

Limitation periods for AML enforcement

What are the limitation periods governing AML matters?

As far as violation of the ban on communication is concerned, the ordinary statute of limitations is four years from the moment of the offence, extended to five years if a qualified activity of investigation is carried out within those four years. On the other hand, with respect to all the other criminal offences provided for in the 2007 Decree, the statute of limitations is six years from the moment of the commission of the offence, extended to seven years and six months if a qualified activity of investigation is carried out within those six years.

Extraterritoriality

Do your jurisdiction’s AML laws have extraterritorial reach?

No, they only apply to the relevant subjects that carry out activity within the Italian territory, including Italian subsidiaries and Italian branches of foreign institutions.