Italy recently implemented the IV AML Directive[1] via legislative decree 25 May 2017 n. 90 (“the Decree”).

The Decree has entered into force on 4 July 2017 and materially amended the current AML framework.[2]

In a nutshell, the main points of this Decree relate to the:

  1. Players and transactions falling within the Decree;
  2. Rules on know-your-customer duties, simplified know-your-customer duties, and enhanced know-your-customer duties;
  3. Register on beneficial ownership;
  4. Data and information retention;
  5. Reporting of suspicious transactions and whistleblowing; and
  6. Sanction regime.

These main points are summarized herein.

I. The New Decree Scope

The Decree extends the rules on know-your-customer duties to alternative investment fund managers, banks, financial institutions, and insurance companies active in the life sector operating in Italy on a freedom to provide services basis. This measure is of relevance since the know-your-customer duties previously applied only to alternative investment fund managers, banks, financial institutions and insurance companies active in the life sector operating in Italy via a branch establishment, thereby excluding players operating on a freedom to provide services basis.

SICAFs (so-called “società di investimento a capital fisso”) are alternative investment funds of a corporate nature. Funds of a corporate nature have been recently introduced into Italy following the implementation of the Alternative Investment Fund Managers Directive.[3] The rules on know-your-customer duties apply to SICAFs based on the new AML framework as revised by the Decree.

The Decree materially broadens the notion of politically exposed persons. The following kind of individuals fall within the revised extended notion according to the new AML framework: Regional Chairman (so-called “presidente di Regione”); Regional Officer (so-called “assesore regionale”); Province Major (so-called “sindaco di capoluogo di provincia”); and Managing Directors at national health care entities. This notion is of relevance in connection with the enhanced know-your-customer duties set forth under paragraph two.

Finally, the Decree provides for a dedicated discipline on gambling service providers and strongly enhances the AML discipline on payment service providers.

II. Know–Your-Customer Duties

A. General Rules

As a general rule, obliged entities—such as alternative investment fund managers, banks, financial institutions, and insurance companies active in the life sector[4]—must fulfil the know-your-customer duties pursuant to a risk-based approach:[5]

    1. Prior to entering into an on-going professional relationship with a client;
    2. Upon executing an occasional transaction for an amount higher than €15,000 or lower than €15,000 when case payment services or e-money services are provided.

By departure from the general rule, an obliged entity may delay the fulfilment of any know-your-customer duties up to 30 days from the date upon which a professional relationship is executed, provided there is a low AML risk based on the new Decree measures.

Lawyers defending or representing clients are granted safe harbour from know-your-customer due diligence duties in relation to their clients.

B. Simplified Know-Your-Customer Duties

The Decree introduces a number of amendments to the general rules on simplified know-your-customer duties.

Under the past AML regime, the rules on simplified know-your-customer duties automatically applied to any transactions carried out vis-à-vis certain regulated institutions/listed companies irrespective of any risk-based approach. According to the new AML regime, obliged entities may opt for simplified know-your-customer duties provided only they resolved in advance to go for a simplified know-your-customer duty scenario under a risk-based approach. The resolution must be adopted in case an obliged entity is entering into a relationship with a regulated institution/listed company. This is the main difference between the past and new AML regimes.

Further, according to the Decree the so-called “equivalence regime” set forth under the past AML regime and relating to financial and banking institutions based in a non-EU country adopting AML duties equivalent to those set forth under the IV AML Directive is repealed. Therefore, obliged entities may adopt simplified know-your-customer duties vis-à-vis financial and banking institutions based in a non-EU country, provided they believe this is feasible under a risk-based approach.

C. Enhanced Know–Your-Customer Duties

Enhanced know-your-customer duties shall always be applied in connection with transactions involving players established in third countries carrying out a high risk of money laundering or in case of cross-border transactions with credit institutions based in such third countries; moreover, enhanced customer due diligence duties shall apply in case of transactions and relationships with politically exposed persons.

Obliged entities may entrust third party players to fulfil their know-your-customer duties, provided they remain ultimately responsible for the duties. Obliged entities may not entrust third party players based in countries enjoying a high level of AML risks.

III. Key Principles on Beneficial Ownership

As per the past, AML regime players other than individuals must disclose to obliged entities information on their beneficial ownership so that any obliged entity may fulfil its know-your-customer duties. Any information on beneficial ownership provided to obliged entities must be stored by players for a period of five years.

The Decree enhances the measures on beneficial ownership obliging, inter alia, commercial entrepreneurs (e.g., limited liability companies), foundations and trusts[6] to disclose to the register of enterprises (so-called “registro delle imprese”) information on their beneficial ownership.

The information will be stored in a special section of the register established at the companies register.

The following authorities and entities may access the information on beneficial ownership: the Minister of Economics and Finance; the anti-mafia authority; the anti-terrorism authority; the judicial authority; and the obliged entities (e.g., alternative investment fund managers, banks, financial institutions and insurance companies active in the life sector), taking into account that access to information by any obliged entity does not qualify as a safe harbour exemption from its know-your-customer duties.

IV. Data and Information Retention

The Single Archive Database (so-called “Archivio unico informatico”) previously containing information on customer due diligence has been repealed by the Decree. Nevertheless, obliged entities shall retain information on executed customer due diligence for ten years from the termination date of the professional relationship by employing appropriate means and procedures.

V. Reporting of Suspicious Transactions and Rules on Whistleblowing

Obliged entities must timely report to the national Financial Intelligence Unit[7] regarding any suspicious transactions when they believe, based on reasonable grounds, there is an attempt to carry out money laundering or terrorism financing transactions. A report must be filed prior to executing a transaction and the transaction shall not be performed before the reporting duties are fulfilled.

The new AML regime materially enhances the measures on whistleblowing with the aim to protect whistleblowers. Obliged entities must adopt measures to protect the internal individual whistleblower’s identity. Competent entities’ officers are in charge of retaining the confidential information and data filed by the whistleblower. Furthermore, the whistleblower’s identity shall remain confidential in case of judicial trials.

VI. The Sanctions Regime

The Decree introduces a specific dedicated procedure on the AML sanctioning regime rather than making reference to the rules set forth under other law measures as per the past AML regime.[8]

The Decree provides for a revised sanctioning regime taking into account that the sanctions will be determined by the competent authorities based on a number of criteria defined in advance, such as seniority of the individual carrying out a breach, breach duration and profit achieved via the breach. The criteria are contained directly in the Decree rather than making reference to the rules set forth under other law measures as per the past AML regime.[9]

Depending on the type of AML breach, sanctions are of a pecuniary nature or may provide for imprisonment per the terms and conditions set forth under the Decree. Sanctions will be considerably higher in the event of serious, repeated, systematic, or multiple breaches of the duties provided under the Decree.

This paper summarizes only a number of selected issues arising from the Decree in a non-complete and non-exhaustive manner and may not qualify as a complete and exhaustive discourse on the Decree and on the entire set of AML duties arising from the IV AML Directive.

A number of obliged entities might need to test if their existing policies and procedures still comply with the AML duties arising from the Decree. If their policies and procedures are not proper, obliged entities shall carry out a review and update of their policies in compliance with the rules set forth under the Decree.