On 19 June 2017, Legislative Decree no. 90 of 25 May 2017 (hereinafter the “Legislative Decree 90/2017”) which will enter into force on 4 July 2017, was published in the Official Gazette, implementing the Fourth EU Directive 2015/849 on the prevention of the use of financial systems for the purpose of money laundering or terrorist financing.

The new law introduces significant changes to the criminal sanctions system provided for by article 55 of Legislative Decree no. 231 of 21 November 2007 (hereinafter the “Legislative Decree 231/2007”), outlining, serious violations of these conducts: 

  • customer due diligence duties;
  • data retention duties;
  • duty of provision of data for verification;

are to be considered as crimes, if carried out with fraud or falsification. In particular, in case of violation the following subjects are punished with imprisonment from six months to three years and with a fine ranging from Euro 10,000 to Euro 30,000:

  • the subject who is responsible for customer due diligence and falsifies the data and information or uses false data and information about the customer, the actual owner, the performer, the purpose and nature of the ongoing relationship or the professional service and the transaction;
  • the subject who, according to data retention obligations, acquires or maintains false or untruthful information about the customer, the effective owner, or the executor, concerning the purpose and nature of the ongoing relationship or the professional service and on the transactions, or the person that makes use of fraudulent means to endanger the above-mentioned data and information retention;
  • the person who, being obliged to provide the data and information necessary for the due diligence of the customer, provides false data or untruthful information.

The Legislator has partially amended the sanctions for the offense of violating the prohibition to communicate regarding the reporting of suspicious transactions, providing for a maximum fine of 30,000 Euro, less severe than the previous maximum fine of Euro 50,000.

With regard to the offense of misuse or falsification of credit cards or payment cards referred to in article 55, par. 5 of Legislative Decree 231/2007, the Legislator has provided for the confiscation of the things that served or were used to commit the offense, as well as the profit or the result of the crime, or when this is not possible, the equivalent confiscation if it is possible.

In addition, the failure to verify identification data and information about the customer, the real owner, the executor, the purpose and the nature of the relationship or the performance have been decriminalized; such conduct, which previously constituted a crime punishable by a fine ranging from Euro 2,600 to Euro 13,000, is now subject to an administrative penalty from 3,000 to 50,000 Euros (which may be increased threefold in case serious, repeated, systematic or multiple violations occur, or reduced from one third to half in cases which are deemed less serious).

Finally, previously the lack of or a delay in data retention, the documents and information as foreseen by law constituted a crime punishable by a fine from 2,600 to 13,000 Euro, while the Legislator decriminalized it and now it is punished with an administrative sanction from 3,000 to 50,000 Euro.