
- in force from 14 September 2018

Resolution no. 20570

Adoption of the Regulation containing provisions for the implementation of Legislative Decree no. 231 of November 21, 2007 and subsequent amendments and additions for statutory auditors and auditing firms with assignments to audit public-interest bodies or entities subject to intermediate regime

THE NATIONAL COMMISSION FOR COMPANIES AND THE STOCK EXCHANGE

HAVING REGARD TO Law no. 216 of June 7, 1974 and subsequent amendments;

HAVING REGARD TO Legislative Decree no. 58 of February 24, 1998 and subsequent amendments;

HAVING REGARD TO Legislative Decree no. 39 of January 27, 2010 providing for the implementation of Directive 2006/43/EC on the statutory audits of annual and consolidated accounts, amending Directives 78/660/EEC and 83/349/EEC, repealing Directive 84/253/EEC, and subsequent amendments and integrations;

HAVING REGARD TO EU Directive 2015/849 of the European Parliament and Council of 20 May 2015 on the prevention of the use of the financial system for the purpose of money laundering or terrorist financing, amending Regulation (EU) no. 648/2012 of the European Parliament and Council and repealing Directive 2005/60/EC of the European Parliament and Council and Commission Directive 2006/70/EC;

HAVING REGARD TO Legislative Decree no. 231 of November 21, 2007 and subsequent amendments implementing Directive 2005/60/EC on the prevention of the use of the financial system for the purpose of laundering the proceeds of crimes and terrorist financing, as well as Directive 2006/70/EC containing the measures for its implementation;

HAVING REGARD TO Legislative Decree no. 90 of May 25, 2017 implementing the EU Directive 2015/849 on the prevention of use of the financial system for the purpose of money laundering and terrorist financing, containing the amendment of Directives 2005/60/EC, 2006/70/EC and implementation of Regulation (EU) no. 2015/847 concerning the information that accompanies the transfer of funds, repealing Regulation (EC) no. 1781/2006;

HAVING REGARD TO resolution no. 20465 of May 31, 2018, with which Consob adopted the Regulation containing provisions for the implementation of Legislative Decree No. 231 of November 21, 2007 and subsequent amendments and integrations on the organisation, procedures and internal audits of statutory auditors and auditing firms with assignments to audit public-interest bodies or entities subject to intermediate regime for the purposes of preventing and combating the use of the economic and financial system for the purposes of money laundering and terrorist financing;

HAVING REGARD TO the combined provisions of Article 1, para. 2, letter c) and of Articles 7, para. 1, letter a), 23, para. 3, 24, para. 4 and 34, para. 3 of Legislative Decree no. 231 of November 21, 2007 and subsequent amendments, whereby CONSOB adopts interim arrangements implementing the aforementioned decree concerning due diligence and storage of documents, data and information with regard to statutory auditors and auditing firms with assignments to audit public-interest bodies or entities subject to intermediate regime;

HAVING ASSESSED the observations made in response to the reference document, published on May 25, 2018, on the Regulation containing implementing provisions on customer due diligence and storage of documents, data, and information by statutory auditors and auditing firms with assignments to audit public-interest bodies or bodies subject to intermediate regime;

HAVING CONSIDERED the possibility of issuing a single Regulation that governs in an organic manner the provisions applicable to statutory auditors and auditing firms with assignments to audit public-interest bodies or entities subject to intermediate regime on the matter of organisation, procedures and internal audits, as well as due diligence and storage of documents, data and information, for the purposes of preventing and combating money laundering and terrorist financing;

HEREBY RESOLVES:

Article 1
(Adoption of the Regulation containing provisions for the implementation of Legislative Decree no. 231 of November 21, 2007)

1. The annex "Regulation containing the implementing provisions of Legislative Decree no. 231 of November 21, 2007 and subsequent amendments and integrations for statutory auditors and auditing firms with assignments to audit public-interest entities or bodies subject to intermediate regime" is hereby adopted.

2. This resolution is published, together with the annexed Regulation, in the Official Journal of the Italian Republic[1].

Article 2
(Repeals)

1. The "Regulation containing the implementing provisions of Legislative Decree no. 231 of November 21, 2007 and subsequent amendments and integrations for statutory auditors and auditing firms with assignments to audit public-interest entities or entities subject to intermediate regime for the purposes of preventing and combating the use of the economic and financial system for money laundering and terrorist financing", adopted by CONSOB with Resolution no. 20465 of May 31, 2018, is repealed.

2. The "Measure containing the implementing provisions on customer due diligence by statutory auditors and auditing firms with assignments to audit public interest bodies, pursuant to Article 7, para. 2 of Legislative Decree no. 231 of November 21, 2007", adopted by CONSOB with Resolution no. 18802 of February 18, 2014, is repealed.

Article 3
(Transitional and final provisions)

1. The provisions under Titles I and II of the annexed Regulation shall enter into force from the date of publication of this resolution in the Official Journal of the Italian Republic.

2. For the purposes of Article 6, para. 4 of the Regulation, the first self-assessment of risks shall be sent to CONSOB:

- by January 15, 2019, for auditing firms that have closed or will close the most recent financial year between January 1, 2018 and June 30, 2018;

- within 6 months of the closing date of the financial year, for auditing firms that will close the financial year between June 30, 2018 and December 31, 2018.

3. The provisions under Title III of the Regulation shall enter into force from January 1, 2019. They shall also apply to the engagements existing as at that date, even if they were established before the entry into force of Legislative Decree no. 231 of November 21, 2007 and subsequent amendments.

4. Until December 31, 2018, the Auditors shall apply the obligations of due diligence and storage provided for by Title II, Chapters I and II of Legislative Decree no. 231 of November 21, 2007 and subsequent amendments, and may continue to use the computerised archives already established in compliance with the Provision of the Bank of Italy of April 3, 2013.

September 4, 2018

THE PRESIDENT
Mario Nava

Note:

[1] The Resolution and the annexed Regulation are published in the Official Journal no. 214 of September 14, 2018, and in CONSOB's fortnightly Bollettino no. 1.9 of September 2018. It enters into force on September 14, 2018.


Regulation containing provisions for the implementation of Legislative Decree no. 231 of November 21, 2007 and subsequent amendments and additions for statutory auditors and auditing firms with assignments to audit public-interest bodies or entities subject to intermediate regime

INDEX

TITLE I – REGULATORY SOURCES AND RECIPIENTS OF THE PROVISIONS

Article 1 Regulatory sources

Article 2 Recipients of the provisions

Article 3 Definitions

TITLE II – PROVISIONS ON ORGANISATION, PROCEDURES AND INTERNAL AUDITS

Chapter I – General provisions
Article 4 Scope
Article 5 Purposes and principles
Article 6 Analysis and assessment of risks

Chapter II – Provisions on auditing firms

Article 7 Body with administrative functions
Article 8 Body with control functions
Article 9 Supervisory board as under Legislative Decree no. 231 of June 8, 2001
Article 10 Organisation and responsibilities of the anti-money laundering function
Article 11 Anti-money laundering function
Article 12 Provisions on outsourcing the anti-money laundering function
Article 13 Quality control function
Article 14 Specific provisions on reporting suspicious transactions
Article 15 Engagement partner
Article 16 Personnel training
Article 17 Belonging to a “Network”

Chapter III – Provisions on statutory auditors

Article 18 Statutory auditors

TITLE III – PROVISIONS ON DUE DILIGENCE AND CONSERVATION

Article 19 General principles
Article 20 Elements for assessing the risk of money laundering and terrorist financing
Article 21 Customer profiling
Article 22 Customer due diligence obligations
Article 23 Fulfilment of due diligence obligations
Article 24 Customer identification
Article 25 Beneficial owner identification
Article 26 Verification of data concerning the customer and the beneficial owner
Article 27 Acquisition of information on the purpose and nature of professional services
Article 28 Continuous monitoring during the engagement
Article 29 Impossibility of performing due diligence - Obligation of abstention
Article 30 Simplified measures of due diligence
Article 31 Reinforced measures of due diligence
Article 32 Fulfilment of due diligence obligations by third parties
Article 33 Storage obligations

ANNEXES

ANNEX 1 - Low risk factors

ANNEX 2 - High risk factors

ANNEX 3 - Fulfilment of due diligence obligations by third parties

TITLE I
REGULATORY SOURCES AND RECIPIENTS OF THE PROVISIONS

Article 1
(Regulatory sources)

1. These provisions shall be adopted by CONSOB pursuant to Article 7, para. 1, letter a) and to Articles 23, para. 3, 24, para. 4 and 34, para. 3 of Legislative Decree no. 231 of November 21, 2007 and subsequent amendments and integrations.

Article 2
(Recipients of the provisions)

1. These provisions are intended for statutory auditors and auditing firms with assignments to audit public-interest bodies or entities subject to intermediate regime.

Article 3
(Definitions)

1. Without prejudice to the definitions referred to in Article 1 of Legislative Decree no. 231 of November 21, 2007, this Regulation shall adopt the following definitions:

a) "professional activity": statutory audit as defined by the legislation in force or any other professional service rendered by the Auditors;

b) "Anti-Money Laundering Decree": Legislative Decree no. 231 of November 21, 2007, as amended by Legislative Decree no. 90 of May 25, 2017;

c) "bodies of public interest": the companies identified pursuant to Article 16 of Legislative Decree no. 39 of January 27, 2010;

d) "entities subject to intermediate regime": the companies pursuant to Article 19-bis of Legislative Decree no. 39 of January 27, 2010;

e) "terrorist financing": the conduct provided for by Article 1, para. 1, letter d) of Legislative Decree no. 109 of June 22, 2007;

f) "MoneyVal": Committee established within the Council of Europe, acting as regional body of the FATF for the Euro-Asian area;

g) “body with administrative functions”:

1. the Board of Directors (for joint-stock companies that have adopted the traditional or one-tier model of corporate governance and, where relevant, for limited liability companies);

2. the Management Board (for joint-stock companies that have adopted the dual model of corporate governance);

3. the director shareholders with management mandates (for ordinary limited partnerships, unlimited partnerships and limited liability companies where there are multiple directors with separate powers, within the limits of any mandates conferred to them with reference to the tasks listed in Article 7 of the Regulation);

4. general partners (for limited partnership companies and unlimited companies);

5. other corporate bodies with administrative functions, such as executive committees and/or managing directors, within the limits of any mandates conferred to them, with reference to the tasks listed in Article 7 of the Regulation;

h) “bodies with control functions”:

1. the Board of Statutory Auditors (for joint-stock companies that have adopted the traditional model of corporate governance and possibly for limited liability companies);

2. the Supervisory Board (for joint-stock companies that have adopted the dual model of corporate governance);

3. the management control committee (for joint-stock companies that have adopted the one-tier corporate governance model);

4. director shareholders, provided that they do not have managerial powers likely to affect their independence in the performance of the control function (for simple partnerships, unlimited partnerships and limited liability companies without a Board of Statutory Auditors);

5. limited partners (for limited partnerships and unlimited companies);

i) "EU countries": countries belonging to the European Economic Area;

l) "Third countries": countries not belonging to the European Economic Area;

m) "fourth anti-money laundering directive": Directive (EU) 2015/849 of the European Parliament and Council of May 20, 2015 concerning the prevention of the use of the financial system for the purposes of laundering the proceeds from criminal activities and terrorist financing;

n) "Network": the structure referred to in Article 1, para. 1, letter l) of Legislative Decree no. 39 of January 27, 2010;

o) "Auditors": "statutory auditors" and "auditing firms" as defined in this article;

p) "statutory auditors": the natural persons authorised to perform statutory audits in Italy pursuant to Legislative Decree no. 39 of January 27, 2010, with assignments to perform the statutory audit of public-interest bodies or entities subject to intermediate regime;

q) "money laundering": the conduct envisaged by Article 2, para. 4 of the Anti-Money Laundering Decree;

r) "whistleblowing systems": the procedures for the internal reporting, pursuant to Article 48 of the Anti-Money Laundering Decree, of potential or actual infringements of the provisions laid down regarding the prevention of money laundering and terrorist financing;

s) "auditing firm": the companies, authorised to perform statutory audits in Italy pursuant to Legislative Decree no. 39 of January 27, 2010, with statutory assignments to perform the statutory audit of public-interest bodies or entities subject to intermediate regime.

2. In addition, for the purposes of the provisions under this Regulation:

a) "customer" is understood to mean the individual for whom the Auditors provide a professional service following the conferral of an assignment. In the case of assignments conferred by the Board of Statutory Auditors pursuant to Article 2403-bis of the Italian Civil Code, the professional service shall be understood to be provided to the individual with regard to whom the inspections and audits referred to in the aforementioned article 2403-bis are performed. If the assignment is conferred by the Network, the professional service is understood to be provided to the entity subject to the assignment, except in cases where the service assumes scope and range such as not to give rise to any relevant and direct relationship between the Auditor and the entity subject of the assignment;

b) the "beneficial owner" is understood to be: a) the natural person or persons on whose behalf the customer establishes a professional relationship (in short, "beneficial owner sub 1"); b) in the event that the customer and/or the individual on behalf of whom the customer establishes a professional relationship are entities other than a natural person, the natural person or persons to whom, ultimately, the direct or indirect ownership of the entity or its control can be attributed or who are its beneficiaries (in short, "beneficial owner sub 2"). In particular, in the case of joint-stock companies or other private legal persons, even if registered abroad, and express trusts, regardless of their place of establishment and the law applicable to them, the beneficial owner sub 2) is identified according to the criteria laid down in Articles 20 and 22, para. 5 of the anti-money laundering decree; the same criteria apply, where applicable, in the case of partnerships and other legal entities, whether public or private, even if without legal personality.

TITLE II
PROVISIONS ON ORGANISATION, PROCEDURES AND INTERNAL AUDITS

Chapter I
General provisions

Article 4
(Scope)

1. The general provisions of Chapter I shall apply to auditing firms and, where compatible, to statutory auditors.

2. In particular, the provisions of Chapter I shall apply to statutory auditors in accordance with their nature as individual professionals and in proportion to any organisational unit on which they rely, as provided for in Chapter III.

Article 5
(Purposes and principles)

1. Statutory auditors and auditing firms shall adopt adequate organisational and procedural controls and internal audits to prevent, mitigate and manage the risks of money laundering and terrorist financing.

2. In introducing specific controls to mitigate and manage the risks of money laundering and terrorist financing, statutory auditors and auditing firms shall adopt clearly identified and adequately specialised resources, procedures and organisational functions. These controls shall include at least:

a) the clear definition, at the different levels of the organisational unit, of the roles, tasks and responsibilities relating to the prevention and management of the risks of money laundering and terrorist financing;

b) the establishment of a special function appointed to supervise the commitment to preventing and managing the risks of money laundering and terrorist financing (hereinafter "anti-money laundering function");

c) the definition of procedures for analysing and assessing the risks of money laundering and terrorist financing suitable to ensure compliance with Article 6 of this Regulation;

d) the empowerment of personnel with regard to the prevention of the risks of money laundering and terrorist financing;

e) the provision of internal procedures intended to ensure compliance with the obligations of customer due diligence, storage of documents and data pursuant to Title II, Chapter II of the Anti-Money Laundering Decree, reporting of suspicious transactions, disclosure pursuant to Title II, Chapter VI of the Anti-Money Laundering Decree;

f) the definition of internal control systems that are consistent with the structure, complexity and size of the activity performed, with the type of the services offered and the extent of the risk associated with the characteristics of the customer, and that are able to identify promptly any shortcomings in the procedures applied and in the behaviours that are likely to lead to infringements by personnel of the obligations of prevention and management of the risks of money laundering and terrorist financing and of related internal procedures.

3. The adopted controls must be appropriate to the legal form, size and organisational structure of the statutory auditors and auditing firms and must be proportionate to the risks of money laundering and terrorist financing to which the same are exposed in relation to the type of customer on whose behalf the professional activity is performed and to the characteristics and complexity of this customer.

4. The application of the principle of proportionality cannot provide an exemption from establishing the anti-money laundering function. Statutory auditors and auditing firms with customers at low risk of money laundering and terrorist financing may, in application of the principle of proportionality, outline lean organisational and control units, without prejudice to the requirement to adopt comprehensive internal procedures appropriate to the operational environment and to ensure the proper training of personnel.

5. The internal procedures must indicate clearly and in detail the operating rules and the concrete modes of conduct with which the statutory auditors and the auditing firms must comply to fulfil the regulatory obligations of prevention and management of the risks of money laundering and terrorist financing and cannot consist of a mere list of the aforementioned obligations.

Article 6
(Analysis and assessment of risks)

1. Statutory auditors and auditing firms shall adopt objective procedures for the analysis and assessment of the risks of money laundering and terrorist financing to which they are exposed.

2. These procedures shall be consistent with the criteria and methods prescribed by CONSOB according to Article 15, para. 1 of the Anti-Money Laundering Decree.

3. Statutory auditors and auditing firms shall perform the analysis and assessment of the risks of money laundering and terrorist financing to which they are exposed (so-called "risk self-assessment") at least annually.

4. Risk self-assessment by the auditing companies is performed on the basis of the data in financial statements and must be documented and submitted for approval by the body with administrative functions of the company, having consulted the body with control functions. The relative documents shall be submitted to CONSOB by the end of the fifth month following the closing date of the financial year.

5. Risk self-assessment by statutory auditors must be documented and the relative documents shall be made available to CONSOB promptly upon request.

6. All information, analysis and data that form the basis of the self-assessment process shall be stored by the auditing firms and statutory auditors for five years and shall be submitted promptly to the supervisory authorities that request it.

Chapter II
Provisions on auditing firms

Article 7
(Body with administrative functions)

1. In performing its tasks of strategic supervision, the body with administrative functions shall:

a) draft and update periodically strategic guidelines and policies of government of the risks of money laundering and terrorist financing consistent with a risk-based approach and taking into account the risk analysis and assessment approved under the aforementioned article 6;

b) ensure continuously that the tasks and responsibilities for the prevention and management of the risks of money laundering and terrorist financing are assigned in a clear and appropriate manner, guaranteeing that control functions are not performed by persons vested with managerial powers capable of affecting their independence in the performance of the function and that in any case the operational and control functions are provided with qualitatively and quantitatively adequate resources;

c) ensure the definition of a system of adequate, comprehensive and timely information flows towards and within the corporate bodies, in compliance with the obligations of confidentiality as under Articles 38 and 39 of the Anti-Money Laundering Decree;

d) define an organic and coordinated system of internal controls that ensures the timely detection and management of the risks of money laundering and terrorist financing, and shall guarantee that this system of controls remains effective over time;

e) examine, at least once a year, the reports concerning the activity of the head of the anti-money laundering function and the controls carried out by the quality control function;

f) ensure that any shortcomings and irregularities found as a result of controls of various levels are brought to its knowledge immediately and monitor their timely resolution.

2. In the performance of its managerial tasks, the body with administrative functions shall:

a) establish the responsibilities of the company's units and functions;

b) prepare the procedures for the analysis and assessment of the risks of money laundering and terrorist financing and the operational procedures and organise their implementation and updating, taking into account the guidelines and instructions issued by the competent authorities and by the various international bodies, as well as any changes in the regulatory framework, including auditing standards;

c) govern the controls of the risks of money laundering and terrorist financing to be adopted with reference to the customers for whom the person responsible for the anti-money laundering function performs professional activities;

d) ensure the adoption of customer due diligence measures that are proportional to the magnitude of the risks of money laundering and terrorist financing, taking into account the general criteria set out in Title II, Chapter I of the Anti-Money Laundering Decree and the related implementing provisions;

e) define the procedures for fulfilling the obligation of storage in compliance with the regulations set out in Title II, Chapter II of the Anti-Money Laundering Decree and its implementing provisions;

f) define the procedures for fulfilling the obligations of reporting suspicious transactions in order to ensure certainty of reference, homogeneity of conduct and generalised application to the whole structure, in accordance with the regulations laid down in Title II, Chapter III of the Anti-Money Laundering Decree, as well as in Article 14 of this Regulation;

g) define the procedures to ensure the timely fulfilment of the obligations of disclosure referred to in Title II, Chapter VI of the Anti-Money Laundering Decree;

h) define the procedures for whistleblowing systems;

i) define the information flows aimed at ensuring awareness of the risk factors within all the company units involved and within the bodies responsible for control functions;

j) approve training and education programmes for employees and collaborators on the obligations arising from the regulations on anti-money laundering and combating terrorist financing;

k) adopt suitable instruments to enable the continuous monitoring of personnel activity.

Article 8
(Control bodies)

1. The body with control functions shall:

a) check the adequacy of the procedures for analysing and assessing the risks of money laundering and terrorist financing, and shall be consulted on the periodic self-assessment carried out pursuant to Article 6, para. 4 of this Regulation;

b) be consulted on the appointment of the head of the anti-money laundering function and the definition of the overall configuration of the systems of internal auditing and management of the risks of money laundering and terrorist financing;

c) supervise the compliance with regulations and the comprehensiveness, functionality and adequacy of anti-money laundering and counter-terrorist controls, with the aid of:

- internal units to carry out the necessary checks and investigations;

- information flows from other corporate bodies, from the head of the anti-money laundering function and from other internal control functions, in particular from the quality control function;

d) assess the suitability of the procedures relating to customer due diligence, the storage of documents and data pursuant to Title II, Chapter II of the Anti-Money Laundering Decree, the reporting of suspicious transactions, the obligations of disclosure pursuant to Title II, Chapter VI of the Anti-Money Laundering Decree and to whistleblowing systems;

e) promote insights into the causes of any shortcomings, anomalies and irregularities identified and the adoption of the relative corrective measures;

f) promptly fulfil the obligations of disclosure referred to in Articles 46 and 51 of the Anti-Money Laundering Decree.

Article 9
(Supervisory board as under Legislative Decree no. 231 of June 8, 2001)

1. Any organisational and management models adopted by the auditing companies, pursuant to and in accordance with Legislative Decree no. 231 of June 8, 2001, shall include specific provisions for the prevention of money laundering and terrorist financing.

2. The Supervisory Board, appointed pursuant to article 6 of Legislative Decree no. 231 of June 8, 2001, shall monitor the operation and compliance of the organisational and management models and, in coordination with the corporate bodies and control functions, shall verify the effectiveness of the controls and compliance with the procedures for the mitigation and management of the risks of money laundering and terrorist financing, promoting the adoption of the most appropriate corrective measures to overcome any shortcomings.

3. The Supervisory Board is vested with independent powers of initiative and control and, in executing its functions, has unlimited access to all relevant corporate information and exchanges regular information flows with corporate bodies and functions.

4. The activities carried out by the board are documented and the relevant documents, where requested, are submitted promptly to the supervisory authorities of competence and to the FIU (Financial Intelligence Unit).

Article 10
(Organisation and responsibilities of the anti-money laundering function)

1. Auditing firms shall be assisted by a function to prevent and manage the risks of money laundering and terrorist financing.

2. The function is independent and provided with resources qualitatively and quantitatively suitable to the tasks to be performed, consistently with the principle of proportionality.

3. The function reports directly to top management and has access to all corporate information relevant to the performance of its tasks.

4. Without prejudice to the need to appoint a head of anti-money laundering responsible for coordination and supervision, auditing firms – according to their dimensions and degree of organisational and operational complexity – can entrust the different tasks of the function to other organisational units already found within the company; for example, to the units that carry out the function of risk management. However, the duties of the anti-money laundering function cannot be assigned to the function assigned to quality control, which is responsible for verifying periodically the adequacy and effectiveness of the activities of the anti-money laundering function.

5. The head of the anti-money laundering function is appointed and dismissed by the body with administrative functions, after consulting the body with control functions; these decisions shall be promptly communicated to CONSOB.

6. The head of the anti-money laundering function must possess the appropriate requirements of independence, authority and professionalism. The internal regulations shall define the controls to safeguard the stability and independence of the head of the function.

7. The head of the anti-money laundering function must not be directly responsible for operational areas, nor must he/she be, in the performance of the function, hierarchically dependent on the parties responsible for these areas. The responsibility of the function may be attributed to a shareholder or a director, as long as they do not have managerial powers.

8. If the head of the anti-money laundering function performs professional activities for the customer, the company must implement further controls with reference to the customers served.

9. The personnel called to collaborate in the function, even if assigned to operational areas, report directly to the head of the anti-money laundering function for issues relating to these tasks.

10. The anti-money laundering function shall collaborate with the other corporate functions and, in particular, with the functions of quality control, human resources and information systems, with the legal department, the organisation and risk management.

Article 11
(Anti-money laundering function)

1. The anti-money laundering function continuously verifies that corporate procedures are consistent with the objective of preventing and combating the infringement of the laws and regulations on money laundering and terrorist financing. To this end, the function shall:

a) identify the applicable rules and assess their impact on processes and internal procedures;

b) organise the periodic self-assessment of the risks of money laundering and terrorist financing pursuant to Article 6, para. 4 of this Regulation;

c) cooperate in identifying the system of internal controls and procedures for the prevention and management of the risks of money laundering and terrorist financing;

d) verify the suitability of the internal control system and the procedures adopted and propose due organisational and procedural amendments to ensure adequate control of these risks;

e) provide advice and assistance to corporate bodies and top management;

f) verify the adequacy of corporate systems and internal procedures regarding:

1. analysis and assessment of the risks of money laundering and terrorist financing;

2. customer due diligence;

3. storage of documents and data pursuant to Title II, Chapter II of the Anti-Money Laundering Decree;

4. detection, assessment and reporting of suspicious transactions;

5. fulfilment of the obligations of disclosure referred to in Title II, Chapter VI of the Anti-Money Laundering Decree;

6. whistleblowing systems;

g) manage, together with the other corporate functions competent in the field of training, the preparation of an appropriate training plan for the continuous updating of employees and personnel;

h) organise information flows towards corporate bodies and top management.

2. The anti-money laundering function can be called upon to carry out the activities of enhanced customer due diligence in cases where the risk of money laundering is particularly high. Where this task is attributed to the operational units cooperating within the function, the head of anti-money laundering shall help to determine the enhanced measures to be applied and shall control the adequacy of the enhanced due diligence performed by the line units and the relative results.

3. In assessing the adequacy of corporate systems and internal procedures, the function shall carry out checks in situ, including on a sample basis, to verify the effectiveness and the functionality of these systems and procedures and to identify any criticalities.

4. The activities performed by the function are documented and the related documents, where requested, shall be submitted promptly to sector supervisory authorities and to the FIU.

5. At least once a year, the head of the function shall submit a report to the corporate bodies on the initiatives undertaken, the shortcomings detected and the relative corrective measures to be adopted, as well as on personnel training activities.

6. As a specialised anti-money laundering company, the function shall collaborate with the supervisory authorities of the sector and with the FIU.

Article 12
(Provisions on outsourcing the anti-money laundering function)

1. The tasks of the anti-money laundering function can be entrusted to external parties that possess the due requirements of professionalism, authoritativeness and independence. Responsibility for the correct management of the risks in question shall remain, in any case, that of the auditing firm, which adopts the precautions necessary to ensure the corporate bodies maintain the powers of direction and control over the outsourced function.

2. In the event of outsourcing, the auditing firm shall appoint an internal head of the anti-money laundering function, with the task of monitoring the outsourcer’s performance of the service.

3. Outsourcing must be formalised by written agreement defining at least:

a) full indication of the activities to be carried out and the objectives to be pursued;

b) the minimum frequency of information flows towards the internal head of the anti-money laundering function and of the bodies with administrative and control functions, without prejudice to the obligation of drafting a report at least once a year, to be submitted to the corporate bodies, on the activity carried out, any shortcomings identified and on the corrective measures to be adopted;

c) the methods used by the outsourcer to provide feedback to requests for information, clarifications and advice from the units of the auditing firm;

d) the obligations of confidentiality with regard to the information acquired in the performance of the function;

e) the possibility of reviewing the terms of the service on the occurrence of regulatory or operational changes and changes in the organisation of the auditing firm.

4. The activities carried out by the outsourcer are documented and the related documents, where requested, shall be submitted promptly to the sector supervisory authorities and to the FIU.

Article 13
(Quality control function)

1. The quality control function, as part of its monitoring programmes, verifies compliance with the regulatory provisions and internal procedures for the prevention and management of the risks of money laundering and terrorist financing.

2. In this context, the function shall verify, among other things:

a) continuous compliance with the obligation of due diligence, both in the establishment of the relationship and in the gradual development of the professional service;

b) the effective acquisition and orderly storage of data, information and documents provided for by primary and secondary legislation;

c) the actual performance by personnel of the pre-arranged activities to detect, within the scope of the execution of the professional service, any irregularities potentially relevant to fulfilling the obligation of reporting suspicious transactions;

d) the adequacy and effectiveness of the activities performed by the anti-money laundering function and the functionality of the overall internal control system.

3. The interventions are subject to planning in order to allow the professional services to be subjected to controls within a reasonable period of time and ensure that the initiatives adopted are more frequent for assignments characterised by greater exposure to risks of money laundering and terrorist financing.

4. The quality control function also carries out follow-up interventions to ensure that measures to correct the shortcomings and irregularities identified have been adopted and that they are suitable to prevent similar situations from occurring in the future.

5. The controls performed by the function are documented and the related documents, where requested, shall be submitted promptly to sector supervisory authorities and to the FIU.

6. The function shall also draft an annual report to be submitted to the corporate bodies providing complete information on the activity carried out and the related outcomes.

Article 14
(Specific provisions on reporting suspicious transactions)

1. Within the context of the performance of professional services, the body with administrative functions shall adopt procedural provisions to govern the procedures for identifying and analysing irregularities of potential relevance for the purposes of the obligation to report suspicious transactions.

2. The manager of the audit assignment, who is involved in completing the service and who is responsible for customer relations, is required to forward without delay any report of suspicious transactions to the legal representative or his delegate.

3. The legal representative or his delegate shall examine the reports received and, if they are considered well-founded in the light of the overall elements available and of the evidence drawn from the data and information stored, shall forward them to the FIU, without indicating the name of the reporting agent.

4. The internal procedural provisions describe all phases of the process of analysis, representation and assessment of suspicious transactions, requiring that the contribution of the various parties involved be adequately documented even in the event of non-submission of the report to the FIU.

5. The person appointed delegate by resolution of the body with administrative functions, after consulting the body with control functions, must possess the appropriate requirements of independence, authoritativeness and professionalism. The delegate must not be directly responsible for operational areas, nor should he be hierarchically dependent on individuals of these areas.

6. The mandate to assess and transmit the reports received may be attributed to the head of the anti-money laundering function. The same mandate cannot be conferred to the manager of the quality control function or to persons outside the company.

7. The role and responsibilities of the legal representative or his delegate must be duly formalised and publicised within the unit. The name of the legal representative or his delegate must be communicated to the FIU. The internal regulations shall define the controls to be adopted to protect the independence of the legal representative and his delegate, with reference to the customer for whom these parties perform professional activities.

8. The legal representative or his delegate:

a) must have free access to all documents and data relevant to the performance of their tasks, as well as to information flows towards the company bodies and units involved in the prevention and management of the risks of money laundering and terrorist financing, and may acquire useful information from the head of the anti-money laundering function;

b) shall communicate, using duly appropriate organisational methods, the outcome of its assessment to the person responsible for the assignment who made the report;

c) shall, where necessary, dialogue with the FIU and fulfil promptly any requests for further information made by the FIU.

9. The body with administrative functions shall take all appropriate measures to ensure the confidentiality of the identity of reporting agents. The legal representative or his delegate shall be responsible for safeguarding the documents containing the personal information of the reporting agent.

Article 15
(Engagement partner)

1. The internal procedures approved by the body with administrative functions shall describe the tasks, including those of coordination and supervision, assigned to the engagement partner with regard to the prevention and management of the risks of money laundering and terrorist financing.

2. The engagement partner must assess the risk of money laundering and terrorist financing in the stage prior to accepting the customer and the assignment and on the occasion of the periodic evaluation of the assignment, in order to formulate and keep up to date a reasoned and consistent judgment concerning both the general audit risk of the customer and the degree of specific risk of money laundering and terrorist financing that can be associated with the customer under assessment.

3. In the case of assigning a high risk of money laundering or terrorist financing, the engagement partner must communicate this situation to the head of the anti-money laundering function and, where existing, to the risk management function, in order both to establish, with the latter, the level of general audit risk to be assigned to the customer and to decide whether to accept/continue providing services to this customer. In the event of the decision to accept/continue the provision of services, the engagement partner shall establish, with the assistance of the head of the anti-money laundering function, the measures of enhanced due diligence to be applied and organise the storage of written evidence of these measures.

4. The engagement partner is also responsible for identifying and assessing, as part of the execution of professional services, any irregularities potentially relevant for the purposes of reporting suspicious transactions, reporting without delay, where required, to the legal representative or his delegate for the subsequent analysis and assessment of respective competence.

Article 16
(Personnel training)

1. The body with administrative functions shall ensure the performance of continuous training programmes to ensure the updated knowledge and correct application of internal rules and procedures for the mitigation and management of the risk of money laundering and terrorist financing.

2. The training programmes shall take account of the specific organisational and operational features of the auditing firm and shall consider the various fulfilments related to customer due diligence, the obligations of storage, the identification and assessment of irregularities relevant for the purposes of reporting suspicious transactions, as well as of reporting violations pursuant to Article 48 of the Anti-Money Laundering Decree.

3. The training programmes shall also provide personnel and collaborators of the auditing firm with updated knowledge of the evolution of the risks of money laundering and terrorist financing, of the typical methods of criminal financial transactions and take into account the best applicable prevention practices.

4. The head of the anti-money laundering function or, alternatively, the company's legal representative, must organise the preparation of the training programmes, in coordination with the personnel training manager. In any case, the programmes shall be approved by the body with administrative functions.

5. Specific training programmes must be planned for personnel belonging to the anti-money laundering function.

6. A report on the training and education undertaken on anti-money laundering and counter-terrorism legislation must be submitted annually to the body with administrative functions.

7. Support for personnel training and dissemination of the overall regulations may be provided by trade associations or other external bodies through initiatives for the detailed study of the legislation, methods of application and for disseminating the information in a clear and effective manner.

Article 17
(Belonging to a 'Network')

1. The auditing firms that belong to a 'Network', in adopting organisational and procedural controls for the prevention and management of the risks of money laundering and terrorist financing defined inside the 'Network', shall make the additions and/or amendments necessary to ensure full compliance with the applicable national legislation.

Chapter III - Provisions on statutory auditors

Article 18
(Statutory Auditors)

1. Where they rely on the collaboration of third parties for providing their professional services to clients, statutory auditors are responsible for the fulfilment of the obligations set forth by this Regulation. Even in the aforesaid case, statutory auditors shall:

a) appoint a head of anti-money laundering, when they do not take on the related responsibilities themselves;

b) define in a clear, comprehensive and documented way, within the framework of the collaboration agreements, the tasks and responsibilities assigned to collaborators, whatever the type of their collaboration;

c) provide collaborators with the operational tools and procedures, including IT, they need for their activities and related obligations for the prevention of money laundering and terrorist financing;

d) set up an adequate, comprehensive and timely information flow system;

e) exert continuous management, supervision and control such as to ensure that collaborators fulfil anti-money laundering and anti-terrorism obligations correctly and promptly;

f) ensure that collaborators are suitably trained in the prevention of money laundering and terrorist financing.

Title III
PROVISIONS ON DUE DILIGENCE AND STORAGE

Article 19
(General Principles)

1. Auditors shall take due diligence measures commensurate with the risks of money laundering and terrorist financing associated with their customers, on the basis of the customer characteristics and the specific professional services provided ('risk-based approach'). To this end, Auditors shall equip themselves with internal procedures that define in an articulated manner the operating rules and the mode of conduct that each individual party involved must follow, so as to ensure consistency of behaviour and traceability of inspections and assessments. The aforesaid procedures indicate in particular the specific simplified and enhanced due diligence measures to be adopted for the different types of customers and professional activities.

2. Auditors shall apply customer due diligence measures according to the methodologies and processes specific to their profession, taking account of the laws and regulations on statutory auditing, as well as applicable auditing principles.

3. The risk-based approach may not lead to failure to fulfil the obligations imposed on Auditors by current laws and regulations.

Article 20
(Elements for assessing the risk of money laundering and terrorist financing)

1. Auditors shall fulfil the obligations of customer due diligence on the basis of the data and information acquired through diligent professional practice.

2. In order to assess the risk of money laundering and terrorist financing, Auditors shall consider the general criteria established by Article 17, para. 3, of the anti-money laundering decree, as well as the risk factors described in Annexes 1 and 2.

3. Auditors shall also consider any additional element they may find while practising their profession, which is relevant for the purpose of identifying the risks of money laundering and terrorist financing. In particular, Auditors shall take account of the following:

A) any incompleteness, irregularities or manipulations of accounting documentation, or refusal or reluctance to grant access to accounting records;

B) abnormal transactions attributable to the cases that the FIU has identified as anomaly indicators within the meaning of Article 6, para. 4, letter e), of the Anti-Money Laundering Decree and the cases that are the subject of communications on prevention of terrorism financing published by the FIU.

Article 21
(Customer profiling)

1. Before accepting an engagement, Auditors shall identify the money laundering and terrorist financing risk profile of the individual customer; this on the basis of overall assessment elements and risk factors described in Annexes 1 and 2, weighted according to their relative importance. As a result of profiling, each customer shall be attributed a pre-set risk class according to which the measures and activities relating to the fulfilment of due diligence and suspect transaction assessment obligations must be scaled.

2. In order to identify the customers’ risk profiles, Auditors shall adopt classification systems that make use as far as possible of IT procedures and pre-set algorithms enabling the automatic identification of the risk class. However, should they consider it more appropriate and prudent, Auditors may assign customers a risk class higher than that resulting from the automatic procedures. If in exceptional cases a customer is assigned a risk class lower than that resulting from the automatic procedures, this decision must be explained and justified in writing.

3. Auditors shall retain evidence of the assessments carried out on the various parties involved in the identification of the customer risk profile.

4. If the computerised procedure is provided by external parties, Auditors must be duly aware of and familiar with the operation of the procedure and the criteria it uses to identify risk classes.

5. Auditors shall set an ordinary frequency for updating customer profiles, on the basis of the risk level assigned to customers. Should Auditors, in the performance of their professional activities, detect activities or events that may affect the risk profile of the customer, they shall promptly change the risk class previously assigned to that customer and adapt accordingly the measures and activities relating to the fulfilment of due diligence and suspect transaction assessment obligations.

Article 22
(Customer due diligence obligations)

1. Customer due diligence consists of the following activities:

a) identification of the customer;

b) identification of any beneficial owner;

c) verification of the identity of the customer and of any beneficial owner on the basis of documents, data or information obtained from a reliable and independent source;

d) acquisition of information on the purpose and nature of the professional service requested, if not already apparent in the light of the laws and regulations on statutory auditing;

e) continuous control for the entire duration of the professional services diligently provided to the customer.

Article 23
(Fulfilment of due diligence obligations)

1. Auditors shall fulfil the customer due diligence obligations referred to in the preceding Article, letters a) to d):

a) before being appointed to provide their professional services;

b) when they suspect money laundering or terrorist financing, regardless of any derogation or exemption. To this end, Auditors shall make use of the anomaly indicators and anomalous behaviour patterns issued by the FIU pursuant to Article 6, para. 4, letter e), of the Anti-Money Laundering Decree and the Communications on terrorist financing prevention published by the FIU;

c) when there are doubts about the truthfulness, reliability or completeness of previously acquired information or documentation.

2. Auditors shall fulfil due diligence obligations in respect of both new and well-established customers for which due diligence is required due to regulatory changes or changes in their money laundering and terrorist financing risk levels.

3. The obligations relating to the identification of the customer and the beneficial owner as well as the verification of their data may be considered fulfilled if the said identification and verification have already been carried out on the occasion of previous professional services, provided that the information is updated and adapted with respect to the customer risk profile and the characteristics of the new professional engagement.

4. Customer due diligence obligations are not applicable to:

a) educational or scientific activities (e.g., teachers or editorial collaborators);

b) professional engagements conferred in the context of legal proceedings.

Article 24
(Customer identification)

1. If the customer is a natural person, the Auditors shall identify the customer by acquiring identification data from the identity document or equivalent document shown by the customer, pursuant to current legislation; the Auditors shall acquire a hard or electronic non-editable copy of the said document.

2. If the customer is not a natural person, the Auditors shall identify it by acquiring its identification data and information on the type, legal form, corporate purposes, aims pursued and the essential data of its registration (if any) into the companies register and the registers managed by Supervisory Authorities of the sector. Auditors shall also verify that the person appointing them on behalf of the customer actually has the power to represent the customer for this purpose. In the case of non-profit organisations, information shall also be acquired about the class of the beneficiaries of the activities to be performed; in the case of a trust, a copy of the trust deed shall be acquired, in order to collect information about the aims pursued, the identity of the trust beneficiaries and of the trustee, the mode of execution and any other characteristic of the trust.

3. Identification shall be carried out in the presence of the customer - or, if the customer is not a natural person, in the presence of its legal representative or other person delegated by it for this purpose - before the Auditors are appointed for the professional service. In the following cases, identification obligations are considered fulfilled even without the customer being physically present:

a) the customer’s identification data are found in public documents, notarised private agreements or qualified certificates used for the generation of a digital signature associated with computerised documents pursuant to Article 24 of the Legislative Decree no. 82 of March 7, 2005;

b) the customer is equipped with a digital identity of the maximum security level in the context of the System referred to in Article 64 of the aforesaid Legislative Decree no. 82 of 2005 and subsequent amendments and related implementing provisions, as well as with a digital identity of the maximum security level or a certificate for the generation of a digital signature, issued within the context of an electronic identification system included in the list published by the European Commission pursuant to Article 9 of Regulation (EU) no. 910/2014;

c) the customer’s identification data are found in a declaration issued by Italian diplomatic or consular authorities pursuant to Article 6 of Legislative Decree no. 153 of May 26, 1997;

d) the Auditor relies on a customer due diligence performed by third parties pursuant to Article 26 et seq of the Anti-Money Laundering Decree.

Article 25
(Beneficial owner identification)

1. Auditors shall carry out identification of the beneficial owner - with no need for the latter to be physically present - at the same time as they carry out identification of the customer and based on the identification data provided by the customer or beneficial owner.

2. Upon identification, the customer other than a natural person will be required by Auditors to provide, under its own responsibility, all information necessary for beneficial owner (sub 2) identification.

3. In the context of constant control, Auditors shall assess any element that may suggest that the customer is operating on behalf of persons other than those indicated.

4. If there is more than one beneficial owner, the fulfilments indicated above must be carried out for each of them.

Article 26
(Verification of data related to the customer and the beneficial owner)

1. Verification of data related to the customer and the beneficial owner requires the identification data found in the documents and information acquired at the moment of identification to be checked against documents, data or information obtained from a reliable and independent source.

2. With reference to the natural person customer, Auditors shall perform all checks required to verify the authenticity and validity of the identity document or equivalent document acquired; this as a part of their professional diligence.

3. As regards non-EU persons, Auditors shall perform all checks required to verify the authenticity and validity of passports, residence permits, alien’s travel documents issued by the Italian Police or other document to be considered equivalent under Italian legislation. By way of example, for stateless persons who are not in possession of the said documents, the identification data may be verified through the stateless person's travel document issued pursuant to the Convention related to the Status of Stateless Persons signed in New York on September 28, 1954. For persons with the status of ‘refugee’ or of ‘subsidiary protection’, pursuant to Legislative Decree no. 251 of November 19, 2007, the identification data can also be verified through the travel documents referred to in Article 24 of the above-mentioned Decree. If the original documents are in a foreign language, Auditors shall adopt professional diligence measures aimed at checking the contents of these documents (including a sworn translation of the original when deemed necessary).

4. For minors, in the absence of an identity document or equivalent, identification data must be checked through the birth certificate or measures (if any) issued by a tutelary judge. Identification data may also be verified through a notarised photograph; in this case, the essential information from the birth certificate must be recorded.

5. When doubts, uncertainties or inconsistencies emerge from the verifications carried out pursuant to paragraphs 2 to 4 of this Article, Auditors shall carry out any other check deemed necessary to verify the acquired identification data and information. By way of example, they may consult the public system for identity theft prevention referred to in Legislative Decree no. 64 of April 11, 2011.

6. If the customer is an entity other than a natural person, Auditors shall:

a) check customer identification data with reference to information taken from reliable and independent sources among those indicated in paragraph 7 of this Article, copies of which must be acquired - autonomously or by means of the customer - and stored in paper or electronic format; Auditors shall also ensure the existence and extent of the power of representation of the person that appoints them on behalf of the customer;

b) adopt measures proportionate to the risk profile of the customer and that of the professional service provided, aimed to reconstruct the ownership and control structures of the customer in a reasonably reliable way. To this end, Auditors shall consult any source of information which may help identify the beneficial owner sub 2) and verify related data in a reasonably reliable way. By way of example, Auditors can consult the specific section of the companies’ register provided for in Article 21 of the Anti-Money Laundering Decree. Copies of the pieces of evidence used for these verifications must be acquired and stored in paper or electronic format.

7. Independent and reliable sources for verifying the identification data of the customer other than a natural person and of the beneficial owner include the following:

a) the Italian companies register;

b) registers and lists of authorised entities, incorporation deed, bylaws, financial statements or equivalent documents, communications made to the public pursuant to the rules and regulations governing the sector (such as prospectuses, notifications of acquisition of major holdings or inside information);

c) the registers of beneficial owners established in other EU countries in implementation of Articles 30 and 31 of the Fourth Anti-Money Laundering Directive;

d) information from public bodies and authorities, including public administration, also of other EU countries; such information may also be acquired through websites.

8. Auditors shall assess the extension and the depth of the checks to be made according to a risk-based approach.

9. If the risk of money laundering or terrorist financing is low, the provisions referred to in Article 18, para. 3, of the Anti-Money Laundering Decree apply.

Article 27
(Acquisition of information on the purpose and nature of professional services)

1. Without prejudice to the provisions on statutory auditing set forth by current legislation and auditing principles, Auditors shall acquire information on the purpose and nature of each professional service for which they are appointed, using methods and to an extent proportionate to the money laundering and terrorist financing risk profile established.

Article 28
(Continuous monitoring during the engagement)

1. During the engagement, Auditors shall perform continuous controls of the data and of the information acquired, in order to:

A) update the customer’s risk profile when needed;

B) identify any anomalies or inconsistencies requiring implementation of suitable actions (adoption of reinforced due diligence measures, reporting suspect transactions) and assess if the conditions are met not to continue the engagement.

2. Constant control must be exerted in a way that is proportionate with the customer’s risk level, by examining the data and information acquired during the engagement, by gathering information to ascertain the customer’s and beneficial owner’s identity or updating related news and information or verifying the nature and purpose of the engagement.

3. Auditors shall establish, based on the risk profile, the timing and frequency of updating of the data and information acquired, even using automated alert notification systems for being reminded of expiry of documents, certificates, powers of representation, contractual relationships, as well as automated procedures for the acquisition of specific statuses (e.g., PEP), i.e., for the inclusion in lists or registers (e.g., provided for by EU regulations or ministerial decrees adopted pursuant to Legislative Decree no. 109 of June 22, 2007, to combat international financing). Data and information must be updated upon renewal of the engagement and when the Auditor finds that previously acquired due diligence information is no longer reliable and needs updating.

4. On the basis of findings from constant control, Auditors shall, where appropriate, adopt suitable measures such as updates of data, information and risk profiles, performance of more extensive and in-depth checks (or application of reinforced due diligence), detection of anomalies and inconsistencies that can lead to suspect transaction reporting and resignation from the engagement.

Article 29
(Impossibility of performing due diligence. Obligation of abstention)

1. Auditors, in case they are not able to meet customer due diligence obligations, shall not accept the engagement or shall terminate the current contractual relationship and resign from the engagement. In the case of a statutory audit, the resignation letter shall be submitted in accordance with the procedures laid down by the Minister of Economy and Finance with the regulation adopted in implementation of Article 13, paragraph 4 of Legislative Decree no. 39 of January 27, 2010.

2. Auditors are also subject to the obligation of abstention set by Article 42, para. 2, of the Anti-Money Laundering Decree and, if requirements are met, must send a suspect transaction report pursuant to Title III, Chapter III, of the Anti-Money Laundering Decree.

Article 30
(Simplified measures of due diligence)

1. In the presence of a low risk of money laundering and terrorist financing, Auditors can apply simplified due diligence measures.

2. The low risk factors of money laundering and terrorist financing provided by Article 23 of the Anti-Money Laundering Decree that are relevant for Auditors’ services are summarised in Annex 1 and accompanied by explanatory examples where needed.

3. Simplified due diligence measures reduce the extent and/or frequency of due diligence obligations in the following ways:

a) by modulating the timing for the performance of customer’s or beneficial owner’s identification activities, e.g., immediate collection of identification data and postponement of the acquisition of the copy of the document up to a maximum of thirty days;

b) by reducing the quantity of information to be collected, e.g., providing for the following: (i) the identification and verification of the beneficial owner sub 2) must be made by acquiring a declaration confirming the data, duly signed by the customer under its own responsibility; (ii) use of presumptions in the identification of the purpose and nature of the relationship, when the professional services consist in statutory auditing;

c) by reducing the update frequency of the data collected for due diligence, and requiring updates to be made upon occurrence of specific circumstances (such as, e.g., new engagements). The data must in any case be updated every five years as a minimum.

4. Auditors shall define and formalise specific simplified due diligence measures for the different circumstances and shall duly justify the choice to take into account additional factors that may be indicative of a low risk of money laundering and terrorist financing.

5. Auditors shall verify the persistence of the conditions for applying the simplified customer due diligence measures; the timing and methods for this verification must be established in accordance with the risk-based approach. Auditors shall store and keep the information collected and the results of the checks made to establish whether the simplified customer due diligence procedure is applicable to a customer for the entire duration of their engagement.

6. Provided that they do not intend to refrain from accepting an engagement or continuing it, and with no prejudice to their obligation of reporting suspect transactions, Auditors shall refrain from applying simplified due diligence measures and shall comply with ordinary or reinforced due diligence obligations in the following cases:

a) there are doubts, uncertainties or inconsistencies on the identification data and information acquired in the process of identification and verification of the customer or the beneficial owner;

b) the conditions required for assigning a low level to money laundering and terrorist financing risks are no longer met, as determined by Auditors based on the assessment elements they acquired during their professional activity, or due to the non-applicability of the risk indexes summarised in Annex 1;

c) there is a suspicion of money laundering or terrorist financing, regardless of any derogation or exemption applicable pursuant to Article 17, paragraph 2, letter a), of the Anti-Money Laundering Decree.

Article 31
(Reinforced measures of due diligence)

1. Auditors apply reinforced customer due diligence measures when according to specific rules - in particular, Article 24, para. 5, of the Anti-Money Laundering Decree - or the Auditor’s independent assessment, the money laundering or terrorist financing risks are at a high level.

2. The money laundering and terrorist financing high risk factors referred to in Article 24 of the Anti-Money Laundering Decree and which are relevant for the Auditors’ services are summarised in Annex 2, accompanied by explanatory examples when needed. Pursuant to Article 24, para. 4, of the aforesaid Decree, Annex 2 also describes additional risk factors that are relevant for the application of reinforced due diligence measures.

3. Auditors shall define and formalise the specific reinforced due diligence measures to be adopted towards customers that are high risk, including because of the type of their professional activity, and shall retain written evidence of the application of these measures.

4. The reinforced due diligence measures may consist of:

a) acquisition of additional information about the customer and the beneficial owner. Particular importance must be given to information on the reputation and any detrimental action of the customer and/or the beneficial owner (even with reference to their past activities), as well as their relatives and the persons or entities with which they have close business relations;

b) in-depth analysis of the elements that are at the basis of the assessment made on the purpose and nature of the relationship;

c) intensification of the frequency of checks aimed at updating information and detecting changes in the risk profile;

d) performance of more accurate, extended and/or frequent analyses and checks during the engagement, in order to detect any possible money laundering or terrorist financing elements.

5. Auditors shall adopt reinforced due diligence measures for customers for which they reported suspect transactions to the FIU. These measures shall be applied until the Auditors deem to be able to exclude the existence of a high risk of money laundering or terrorist financing.

6. Pursuant to Article 25, para. 4, of the Anti-Money Laundering Decree, Auditors shall establish appropriate procedures based on the risk associated with their professional engagement, to check if the customer or the beneficial owner is a politically exposed person (PEP). To this end, the Auditors shall, in addition to obtaining the relevant information from the customer, use additional sources such as the official internet websites of Italian Authorities or Authorities of the countries of origin of the PEP or commercial databases.

7. If the customer or the beneficial owner falls within the definition of PEP, the start or continuation of the relationship must be authorised by a director, the legal representative or equivalent person equipped with specific power of attorney. The same persons are also competent to decide on the possible subsequent loss of the status of politically exposed person and the consequent application of ordinary due diligence measures. In addition, the Auditors shall take suitably reinforced measures and ensure constant control of the professional service pursuant to paragraph 4, letter d), of this Article.

8. In the presence of a high risk of money laundering or terrorist financing, the Auditors shall continue to apply reinforced due diligence measures toward persons, originally identified as PEP, who ceased to hold office more than a year ago.

9. Should the Auditors not be able to apply reinforced due diligence measures, they shall not accept the engagement or terminate the existing contractual relationship, and shall evaluate whether to issue a suspect transaction report.

Article 32
(Fulfilment of due diligence obligations by third parties)

1. Auditors can delegate fulfilment of customer due diligence obligations referred to in Article 18, para. 1, letters a), b) and c), of the Anti-Money Laundering Decree to the third parties referred to in Article 26 of the same Decree.

2. If they resort to third parties, Auditors shall comply with the execution rules referred to in Annex 3. All this bears no prejudice to Article 28 of the Anti-Money Laundering Decree, which means that the final responsibility for the fulfilment of customer due diligence obligations still falls on Auditors; assessment of the elements gathered and checks made by third parties is up to Auditors, as well as verification of the accuracy of the documents; in case of doubts, due diligence must be carried out directly by the Auditors.

Article 33
(Storage obligations)

1. Auditors shall store documents, data and information acquired in the fulfilment of due diligence obligations, in hard or electronic format, in order to:

a) show the Supervisory Authorities the procedures used and the measures adopted to meet their legal obligations;

b) allow analysis and in-depth study by the FIU or any other competent Authority;

c) allow their use in investigations or proceedings on money laundering, terrorist financing or other crimes.

2. The documents, information and data acquired during the professional relationship, including those related to the fulfilment of active collaboration obligations:

a) must be stored in a unitary and complete file and must be readily available at the request of the competent Authorities;

b) must be kept for ten years from the termination date of the professional relationship.

3. In order to ensure immediacy and ease of consultation and use of customer’s data and information, Auditors shall use electronic archives for recording the following:

a) the start date (date of acceptance of the professional engagement) and termination date of the professional relationship;

b) identification data of the customer and the beneficial owner and the information on the purpose and nature of the professional services;

c) the money laundering and terrorist financing risk profile of the customer;

d) the sector of economic activity of the customer (according to the ATECO classification published by ISTAT).

4. The recordings must be made within 30 days of the date of acceptance or termination of the engagement, or of the date when the data referred to in points b), c) and d) of the preceding paragraph changed. These recordings must be kept for ten years from the termination date of the professional relationship.

5. Auditors shall adopt storage and recording methods that efficiently prevent any loss of data, information and documents, and that comply with the requirements referred to in Article 32, para. 2, of the Anti-Money Laundering Decree. The technical recording methods must ensure in particular the correct chronological order of recordings and the traceability of any change and correction as well as of the recordings made prior to any change and correction.

6. The registration obligations referred to in paragraph 3 of this Article, without prejudice to the obligation to store the data and information listed therein, shall not apply to relationships with:

a) banking and financial intermediaries referred to in Article 3, para. 2, of the Anti-Money Laundering Decree, excluding those referred to in letters i), o), s) and v);

b) banking and financial intermediaries in the EU or with registered offices in a third country characterised by a low risk of money laundering and terrorist financing, according to the geographical risk assessment criteria indicated in Annex 1;

c) State provincial treasury or the Bank of Italy.

7. The storage of documents at an independent service centre, possibly identified at the network level of membership or from third parties, is allowed, without prejudice to the responsibilities of the Auditors and provided that this does not undermine the ready availability of these documents and the direct and immediate access to the storage system by the auditors themselves.


ANNEX 1
Low risk factors

(A) Customer- and beneficial owner-related low risk factors:

1) companies admitted to listing on a regulated market and subjected to disclosure obligations including obligations to ensure adequate transparency of beneficial ownership;

2) Public Authorities or Institutions or Bodies which carry out public functions, in accordance with the European Union Law; in the presence of a PEP, the simplified measures that can be adopted for these entities are limited to the fulfilment of customer and beneficial owner identification and verification of their identity with the methods referred to in Article 30, para. 3, letters a) and b) (part i) of this Regulation;

3) customers who reside or have their registered offices in low risk geographical areas. This factor applies when the customer and/or the beneficial owner reside, have their principal place of business or relevant links with ‘low risk’ countries or geographic areas, based on the criteria under letter B);

4) banking and financial intermediaries referred to in Article 3, para. 2, of the Anti-Money Laundering Decree - except those referred to in letters i), o), s) and v) - and banking and financial intermediaries in the EU or with registered offices in a third country that has in place an effective system to combat money laundering and terrorist financing. In assessing whether the risk level is actually low, Auditors shall consider, inter alia, the possibility of adopting supervisory penalties or other measures to sanction failure by the intermediary to fulfil anti-money laundering obligations.

(B) Geographical low risk factors:

1) EU countries;

2) third countries that have in place effective systems for the prevention of money laundering. Reference is made to countries whose anti-money laundering and anti-terrorist financing devices are comparable to those provided by the Fourth Anti-Money Laundering Directive and are associated with low occurrence of these types of crimes;

3) third countries that according to assessments made by authoritative and independent sources, are characterised by a low level of bribery and corruption or low permeability to other criminal activities. Examples of these authoritative and independent sources are the ‘National Risk Assessment’, reports published by investigative and judicial Authorities, OECD reports on the implementation of the Anti-Bribery Convention, World Drug Reports published by the United Nations Office on Drugs and Crime;

4) third countries that according to authoritative and independent sources (e.g., mutual assessment reports, or public detailed assessment reports), are equipped with an effective system for the prevention of money laundering and terrorist financing. Examples of these authoritative and independent sources are mutual assessment reports adopted by the FATF or similar international bodies (e.g., MoneyVal), the FATF list of high risk and non-cooperative jurisdictions, reports adopted by the International Monetary Fund in the context of the Financial Sector Assessment Program.



ANNEX 2
High risk factors

(A) Customer- and beneficial owner-related high risk factors:

1) professional services established or provided in abnormal circumstances. By way of example, circumstances are taken into account in which the customer, in the phase before engagement or in the subsequent phases, is reluctant to provide the information requested, repeatedly changes the information provided, gives incomplete or inaccurate information, is not able to produce documentation on their own identity (except the legitimate cases such as asylum seekers), provides information that does not coincide with that found by the Auditors in the performance of their professional services;

2) customers and/or beneficial owners residing or having their registered offices in high risk geographic areas. This factor applies when the customer and/or the beneficial owner reside, have their principal place of business or relevant links with ‘high risk’ countries based on the criteria under letter B) of this Annex;

3) Negative reputational indexes related to the customer (and the customer’s administration and management function officers) and/or the beneficial owner. Relevant are, inter alia, the following: criminal proceedings, when their existence is generally known or known to the Auditor and is not covered by confidentiality obligations preventing its use by the Auditor pursuant to the Code of Criminal Procedure, tax liability proceedings, administrative liability proceedings pursuant to Legislative Decree no. 231 of June 8, 2001, any administrative sanctions issued against the customer or beneficial owner for infringement of anti-money laundering provisions. Auditors shall assess the soundness and reliability of any negative news from the media or other sources of information on the basis, inter alia, of the quality and independence of these sources of information and on the recurrence of these pieces of information. Information on reputation is also relevant with reference to persons generally known to be linked to the customer and/or to the beneficial owner, e.g., because they are relatives or have business relationships. All this bears no prejudice to the need of verifying the occurrence of the names in the lists of associated persons or bodies for the purposes of the application of the freezing obligations imposed by EU Regulations or by Decrees issued by the Italian Ministry of Economy and Finance pursuant to Legislative Decree no. 109 of June 22, 2007;

4) structures that can be classed as interposed investment vehicles. This is the case, for example, of trusts, trust companies, foundations and other legal entities that can be structured in such a way as to benefit from anonymity and allow relations with shell banks or nominee shareholders. With reference to trust companies, their supervision by the Bank of Italy is a factor of risk mitigation which can determine the application of ordinary due diligence measures. In the context of securitisation transactions, improper use of the vehicle company aimed to shield the actual beneficial ownership of certain assets, hindering correct reconstruction of the cash flows they generate;

5) companies which issued bearer shares or have nominee shareholders. In the first case, reference is made to companies incorporated or capitalised through bearer instruments;

6) a type of economic activity characterised by high use of cash. It is also relevant whether the types and sectors of economic activities carried out by the customer are particularly exposed to the money laundering risk, such as ‘cash-for-gold’, currency exchange, gambling and betting, activity performed by agents engaged in financial activities and 'affiliated entities and agents' in money remittance services;

7) type of economic activity belonging to sectors that are particularly exposed to the risk of bribery and corruption. In particular, this means economic sectors involved in the provision of public funds, including of EU origin, public procurement, health services, building construction, arms trade, defence, war industry, mining industry, waste collection and disposal, production of renewable energies;

8) customer or beneficial owner that holds offices at public bodies in areas not covered by the concept of the PEP but for whom there is a significant exposure to the risk of corruption. Reference is made, for example, to local administrators, subjects with apical roles in the Public Administration or public bodies, consortia and public law associations;

9) ownership structure abnormal or excessively complex with respect to the nature of the activity. It is necessary to consider the legal form chosen by the customer, especially if its particular complexity or opacity prevents or hampers the identification of the beneficial owner or the actual corporate purpose or of any equity or financial links with entities based in high risk geographic areas.

(B) Geographical high risk factors:

1) third countries at high risk identified by the European Commission in the exercise of the powers referred to in Articles 9 and 64 of the fourth directive on money laundering;

2) third countries that authoritative and independent sources consider lacking in effective controls for the prevention of money laundering. Authoritative and independent sources include: mutual evaluation reports drawn up by the FATF or by similar international bodies (e.g., MoneyVal); the list published by the FATF of high risk and uncooperative countries; the reports published by the International Monetary Fund in the context of the Financial Sector Assessment Programme (FSAP);

3) countries and geographical areas assessed by authoritative and independent sources as having a high level of corruption or of permeability to other criminal activities. The authoritative and independent sources may include National Risk Assessment; the reports published by investigative and judicial authorities; the reports adopted by the OECD in regard to the implementation of the OECD Convention against corruption practice as well as the World Drug Report published by the United Nations Office on Drugs and Crime;

4) countries subject to sanctions, embargo or similar measures adopted by the competent national and international bodies. In this regard, the Auditors observe the measures issued by the European Union and other restrictive measures adopted pursuant to Article 4 of Legislative Decree no. 109 of June 22, 2007 implementing the Resolutions of the Security Council of the United Nations for combating terrorist financing and the financing of programmes for the proliferation of weapons of mass destruction and against the activities of countries that threaten international peace and security;

5) countries and geographical areas which fund or support terrorist activities or in which terrorist organisations operate. The identification of these countries is supported by reports on terrorism published by the FATF or by other international organisations and agencies, such as Europol;

6) countries assessed by authoritative and independent sources as being deficient in terms of compliance with international standards on transparency and the exchange of information for tax purposes. The authoritative and independent sources include reports adopted by the OECD on fiscal transparency and exchange of information; the evaluations on the commitment of the country in the automatic exchange of financial information for tax purposes pursuant to the Common Reporting Standards; they also include the ratings assigned to Recommendations nos. 9, 24 and 25 of the FATF and Immediate Outcomes no. 2 and no. 5 in reports of mutual international evaluation.



ANNEX 3
Fulfilment of due diligence obligations by third parties

The obligations of due diligence are fulfilled through appropriate certification issued by the third party that has fulfilled them directly, in the context of an ongoing agreement or the execution of a professional service or the completion of an occasional operation.

The certificate must be univocally attributable to the third party and must be transmitted by the certifying third party (and not by the customer) to the Auditor who requests it.

The certificate must expressly confirm the proper fulfilment of anti-money laundering obligations by the certifying party, based on the checks performed, and that the customer verified by the third party and the party to which the certificate refers are one and the same. The content of the certificate varies depending on the specific obligation of due diligence to which it relates; according to this criterion, it must include:

a) the identification details of the customer and the beneficial owner for the purposes of the fulfilment of the obligation of identification;

b) indication of the sources used for the ascertainment and verification of identity;

c) information on the nature and purpose of the professional service.

The Auditor shall ensure that, in addition to the certification, the third parties are able to submit promptly a copy of the documents and information acquired when the Auditor so requests.

Certification may be in paper or electronic format. It falls to the Auditor, responsible for due diligence, to assess whether the evidence gathered and the checks performed by the third parties are suitable and sufficient for the purposes of legal obligations; otherwise the Auditor shall, depending on the cases and circumstances:

- inform the certifying third party of any irregularities or inconsistencies found in the documentation received;

- make the necessary corrections or additions;

- fulfil directly the obligations of due diligence;

- refrain from accepting the engagement, evaluating whether or not to submit a report to the FIU in the event of the existence of the grounds referred to in Article 35 of the anti-money laundering decree (the decision referred to in this paragraph should be made, in particular, where the Auditor is unable to comply with the obligations of due diligence).

Within the scope of the methods for the collection and exchange of information with third parties, the Auditor:

- defines the phases of due diligence delegated to third parties, identifies the data and information that must be submitted by third parties and the modalities and the timing of the submission;

- prepares tools, in paper or electronic format, for the timely exchange of information flows;

- verifies, within the limits of professional diligence, the truthfulness of the documents received and the correctness and reliability of the information taken from these documents;

- acquires, where necessary, additional information from the third parties themselves, from the customer or from other sources.