On 30 January 2018, the Bank of Italy published a note dated 23 January 2018 containing several “good practice” recommendations in order to adequately and efficiently implement policies in the field of anti-money laundering (“AML”) legislation and politically exposed persons (“PEP”).
Such recommendations aim to help credit and financial institutions—as well as all others obliged entities according to the AML framework—to comply with AML legislation and avoid (or, at least, reduce) risks related to business relationships and transactions performed with PEPs.
I. PEPs Under the AML Directive and Italian AML Decree
Pursuant to the Directive (EU) 2015/849 of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (the so called “AML Directive”), a PEP is defined as a natural person who is or who has been entrusted with prominent public functions.
With respect to transactions or business relationships with PEPs, Article 20 of the AML Directive (under Section 3, related to “enhanced customer due diligence”) provides that Member States shall, in addition to the customer due diligence measures laid down in the directive, require obliged entities to:
a. have in place appropriate risk management systems, including risk-based procedures, to determine whether the customer or the beneficial owner of the customer is a PEP;
b. obtain senior management approval for establishing or continuing business relationships with PEPs;
c. take adequate measures to establish the source of wealth and source of funds that are involved in business relationships or transactions with PEPs; and
d. conduct enhanced, ongoing monitoring of those business relationships with PEPs.
Moreover, obliged entities shall take reasonable measures to determine whether the beneficiaries of a life or other investment-related insurance policy and/or, where required, the beneficial owner of the beneficiary are PEPs.
Lastly, the AML Directive provides that where a PEP is no longer entrusted with a prominent public function, obliged entities shall, for at least 12 months, be required to take into account the continuing risk posed by that person and to apply appropriate and risk-sensitive measures until such time as that person is deemed to pose no further risk specific to politically exposed persons (Article 22 of the AML Directive).
Italy transposed the AML Directive into its legal system by means of Legislative Decree no. 90 of 25 May 2017, amending Legislative Decree no. 231 of 21 November 2007 (the “Italian AML Decree”).
According to Article 1 of the Italian AML Decree, a PEP is a natural person who is or who has been entrusted (within a year) with prominent public functions (e.g., Prime Minister, Ministers, Vice-Ministers, etc.) and includes, inter alia, members of a political party’s central body (e.g., the national president of a political party), members of board of directors of companies directly or indirectly controlled by a State, by a Region, or by certain municipalities (e.g., cities with not less than 15,000 inhabitants, provincial capitals, etc.), majors of cities with not less than 15,000 inhabitants, directors of ASLs (i.e., entities in charge of healthcare) and hospitals.
Under Italian AML Decree, and similarly to the provisions of the AML Directive, obliged entities shall conduct an enhanced customer due diligence in case of business relationships, transactions and professional services where clients and/or beneficial owners are PEPs (Article 24, par. 5). Moreover, in case of high risk of money laundering and financial terrorism, enhanced customer due diligence applies even to clients that, originally identified as PEPs, have not been qualified in such a way for more than a year (Article 24, par. 6). The same provision applies in connection with insurance policies, in case the beneficial owner of the beneficiary was a PEP.
Furthermore, as per the AML Directive, Article 25 of the Italian AML Decree provides that obliged entities implement adequate and risk-based procedures to determine whether the customer or the beneficial owner of the customer is a PEP and, in case of business relationships, professional services or transactions with PEPs, adopt the following measures: obtain senior management (or their delegated) approval for establishing or continuing business relationships with PEPs; take adequate measures to establish the source of wealth and source of funds involved in the business relationships or transactions with PEPs; conduct enhanced, ongoing monitoring of those business relationships or professional services with PEPs.
II. Bank of Italy Recommendations
Given the wide definition of PEP provided for under Italian law and aiming at fighting corruption, the Bank of Italy recently issued a note related to enhanced customer due diligence procedures, recommending certain “good practice” to credit and financial institutions in order to comply with AML legislation and avoid risks related to PEPs’ business relationships and transactions. In detail, the Bank of Italy suggested the following “good practice”:
a. implementation of a policy for the management of money laundering and terrorism financing risks approved by the obliged entities’ body with strategic supervision functions and in line with the Risk Appetite Framework. Such policy shall include (i) a highlight of PEP’s matter as one of the cases of high risk for obliged entities, (ii) general principles for the management of risks related to PEPs and (iii) timing and systems for reporting the exposure of obliged entities to risks connected with PEPs;
b. assessing whether a client is a PEP should not be limited to a business database used by obliged entities and should be enriched with further research (in particular, monitoring activities should be carried out through, inter alia, public sources); in that regard, an automatic interface between obliged entities data and the business database used by obliged entities should be adopted. Moreover, the Bank of Italy underlines that a key point of the relevant assessment is in-person information collected at the beginning of the business relationship with the client;
c. adoption of an automatic ranking of risks exposure, in order to place PEPs and persons known to be close associates to PEPs at the top of such ranking; in that regard, a direct link between obliged entities client information lists and the applications developed to assess risks would be useful in order to avoid a manipulation of rankings. Moreover, obliged entities should also include persons linked with PEPs (i.e., those not included under the definition of persons known to be close associates to PEPs; e.g., joint holders of a bank account) at the top of the mentioned ranking;
d. implementation of procedures for each phase of the enhanced customer due diligence, with specification of functions in charge of each phase and the relevant duties (e.g., senior management, AML function, etc.); such procedures should provide examples (e.g., documents to be checked), conduct schemes, and should be clearly differentiated from procedures concerning the ordinary customer due diligence;
e. providing lists of client information to be collected at the beginning of the relationships with PEPs, focused on the following aspects: the origin of funds used in the business relationships; PEPs financial situation; PEPs family members’ financial situation and work activities; other business relationships relevant under AML legislation (e.g., shareholder relationships). Such lists should allow persons in charge of the enhanced customer due diligence to add an evaluation of clients and should be completed with the relevant documents (provided by clients or by public sources). During the evaluation process, the client should not be entitled to operate (i.e., no business relationship should be carried out);
f. in connection with ongoing monitoring, implementation of procedures that allow an in-depth analysis of data available through obliged entities (e.g., information collected at the beginning of the business relationship) and data collected from open sources (e.g., the web); the evaluations following the data analysis should be motivated and formalized in a document;
g. implementation of a complete control of the enhanced customer due diligence, including, inter alia, first level controls (e.g., automatic stop of PEPs evaluation process until a previous phase of the customer due diligence is not completed; persons in charge of the control process provided with adequate roles, powers, and resources; coordination of the control system; automatic monitoring system for the timing of the execution of each phase of the process);
h. a regular assessment by the AML function on the efficiency of the customer due diligence related to PEPs; such evaluations should not be limited to the formal implementation and application of procedures; the AML function should proactively promote an AML culture in connection with PEPs; and
i. internal auditors should expressly take into account the PEPs’ matter and verify the adequacy of the implemented policies and procedures.
The wide definition of PEPs recently adopted by the Italian Legislator has increased the number of business relationships and transactions relevant under the AML legislation. The Bank of Italy’s recommendations are a good way to draw obliged entities’ attention to such matter.
Obliged entities operating in Italy should promptly take into account the Bank of Italy’s recommendations and review their AML policies, procedures, and systems in order to assess whether they are compliant with the mentioned “good practice.”
 See Article 3, no. 9, of the AML Directive. Such definition includes: heads of State, heads of government, ministers, and deputy or assistant ministers; members of parliament or of similar legislative bodies; members of the governing bodies of political parties; members of supreme courts, of constitutional courts, or of other high-level judicial bodies, the decisions of which are not subject to further appeal, except in exceptional circumstances; members of courts of auditors or of the boards of central banks; ambassadors, chargés d'affaires, and high-ranking officers in the armed forces; members of the administrative, management, or supervisory bodies of State-owned enterprises; directors, deputy directors, and members of the board or equivalent function of an international organization.
 See Article 21 of the AML Directive. Those measures shall be taken no later than at the time of the payout or at the time of the assignment, in whole or in part, of the policy. Where there are higher risks identified, in addition to applying the customer due diligence measures laid down in Article 13, Member States shall require obliged entities to: inform senior management before payout of policy proceeds; and conduct enhanced scrutiny of the entire business relationship with the policyholder.
 Pursuant to Article 3, no. 10, of the AML Directive, “family members” include the following: the spouse, or a person considered to be equivalent to a spouse, of a politically exposed person; the children and their spouses, or persons considered to be equivalent to a spouse, of a politically exposed person; the parents of a politically exposed person.
 Pursuant to Article 3, no. 11, of the AML Directive, “persons known to be close associates” means: natural persons who are known to have joint beneficial ownership of legal entities or legal arrangements, or any other close business relations, with a politically exposed person; natural persons who have sole beneficial ownership of a legal entity or legal arrangement which is known to have been set up for the de facto benefit of a politically exposed person.
 Italian AML Decree defines family members of PEPs and persons known to be close associates of PEPs as in the AML Directive.
 Rules similar to those provided for under the AML Directive apply to insurance policy beneficiaries.
 The Risk Appetite Framework is a document that establishes, in connection with the maximum risks of the company, the company business model, and the strategic plan, the risk appetite and relevant limits, the tolerance threshold, risk management policies, and the process in order to define and implement them.