The Italian Government issued Legislative Decree No. 90 of 25 May 2017 (hereinafter the "Legislative Decree"), published in the Italian Official Gazette on 19 June 2017, implementing EU Directive 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing.

The Legislative Decree rewrites in full Legislative Decree no. 231/2007, on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, with the purpose of making the domestic legislation consistent with the European rules.

Among the most significant of the proposed amendments, it is worth noting the inclusion, among the entities which must comply with the duties provided for by Legislative Decree no. 231/2007, of banking and financial intermediaries and insurance companies having their registered office and central administration in another Member State, established without a branch in the territory of the Italian Republic, as well as new duties in terms of risk self-assessment and new provisions on the reporting of suspicious transactions by obliged entities.

In particular, the Legislative Decree, which will be applicable to intermediaries operating on a “cross-border” basis in Italy, provides for:

  • the extension of the so-called risk-based approach and a new technical criterion (strengthened or simplified measures) for customer due diligence procedures;
  • measures to ensure a higher level of transparency and accessibility of beneficial owner information, especially with regard to companies and trusts;
  • obligations to report transactions and to retain the relevant documentation;
  • a complex sanctions regime.

Please find below a summary of the main new measures introduced by the Italian legislator implementing the European rules.

a) Customer due diligence

The Legislative Decree simplifies and rationalizes the fulfillments required by Legislative Decree no. 231/2007, especially in relation to their content, modalities and timing of execution. In particular, it provides as follows:

  • The obliged entities shall carry out adequate due diligence on customers and beneficial owners (i) in the case of a business relationship or an occasional transaction involving the transfer or the handling of payment of an amount equal to or higher than 15,000 Euro or (ii) in the case of transfers of funds of an amount higher than 1,000 Euro, only if they are executed through payment systems other than SEPA or (iii), in any case, when there are doubts concerning the truthfulness of the data obtained and, furthermore, also when there is a suspicion of money laundering or terrorism financing.
  • The customers – especially legal entities and private legal entities (i.e. associations, foundations and other institutions regulated under DPR 361/2000) – will be subject to a double obligation: information retention and communication duties. As for the former duty, adequate, accurate and updated information on the beneficial owner shall be retained by the customer for a period of at least five years and shall be provided to the obliged entities during customer due diligence; the latter obligation consists in the communication of the data related to the customer's own beneficial owner to the Companies' Registry or to the registry dedicated to private legal entities. Such registries are available both to the Supervisory Authorities and to obliged entities. In this regard, the Minister of Finance and Economy will enact a Ministerial Decree identifying the data and the information to be communicated to the above-mentioned registries.
  • The obliged entities, once the customers and the beneficial owners are identified, are required to carry out ongoing monitoring of the established relationship using a risk-based approach.

Specifically, they shall carry out simplified customer due diligence in respect of customers with a low-risk profile, and strengthened customer due diligence for customers with a high-risk profile. In the latter situation, the obliged entities shall therefore apply measures proportionate to the identified risks, in order to prevent or mitigate the money laundering and terrorism financing risks. In this regard, the Legislative Decree provides a non-exhaustive list of indicators and circumstances identifying customers with a high-risk profile, a category which includes politically exposed persons. In particular, the Legislative Decree provides for certain presumptions, iuris et de iure, of high risk, in the presence of which the obliged entities are always required to apply reinforced customer due diligence measures.

b) Data retention duties

According to the new provisions, the obliged entities shall retain a copy of the documents collected during customer due diligence, indicating the relevant date, so that the following information can be identified:

- the date on which the business relationship is established or the mandate is given to the obliged entity;

- the personal data of the customer, the beneficial owner and the executor, and the information on the scope and nature of the legal relationship or of the transaction in place;

- the means of payment used by the customer.

The data shall be collected promptly, within thirty days from the establishment of the business relationship or the carrying out of the occasional transaction, and retained for a period of ten days starting from the termination of the relevant professional relationship. In order to comply with the data retention duties, the obliged entities can be supported by an outsourcer.

The banking and financial intermediaries transfer to the UIF ("Unità di Informazione Finanziaria per l'Italia") aggregated data concerning their own operations, in order to allow an analysis aimed at highlighting the existence of money laundering cases.

c) Reporting duties

After having identified the objective risk of money laundering or terrorism financing of the transaction carried out by the customer, on the basis of specific anomaly indicators adopted and periodically issued by the UIF for the identification of so-called suspicious transactions, the obliged entities must, if necessary, notify such risk to the UIF. According to the Legislative Decree, the obliged entities shall implement, on the basis of the indications of the Supervisory Authority, objective procedures which are consistent with the above-mentioned criteria and which take into account the risks connected with the type of customers, geographic area, delivery channels and products and services offered. The criteria adopted by the obliged entities shall be chosen on the basis of their operations, and the assessment shall therefore be carried out based on the type of business relationship in place with the different customers and the type of transactions carried out.

Within the limits of its own organizational autonomy, each obliged entity should carry out a preliminary self-assessment exercise in order to choose the appropriate measures to mitigate and manage the money laundering and terrorism financing risks. For this purpose, a double level of risk assessment is provided: (i) the individual in charge of maintaining the relationship with the customer must promptly report to a higher level (legal representative, holder of the specific role or other delegated person) those transactions on which there is a suspicion of money laundering or terrorism financing; (ii) the same individual must report to the delegated person, who further checks the data and decides whether it is necessary to send the information to the UIF without indicating the name of the first reporting person.

Each obliged entity is also required to set up a specific reporting channel, anonymous and independent, proportionate to its own nature and size.

The name of the reporting person shall in any case not be disclosed, unless a court decides otherwise.

In any case, it is forbidden to inform the customer or any third party that the information has been transmitted.

Finally, it should be noted that if the obliged entities are unable to comply with the customer due diligence, they shall neither carry out occasional transactions nor establish business relationships.