Legislative Decree No. 90 of May 25, 2017 has been published in the Ordinary Supplement No. 28 of the Italian Official Gazette No. 140 of 19 June 2017 (the Decree). The Decree amends the legislative decrees No. 231 dated 21 November 2007 (Decree 231) and No. 109 dated 22 June 2007, implementing the Directive (EU) 2015/849 (IV AML Directive) on «prevention of the use of the financial system for money laundering or terrorist financing» as well as the Regulation (EU) 2015/847 on «information on accompanying transfers of funds».
The transposition of the IV AML Directive implied significant changes to the regulatory framework set forth by the Decree 231, which will require the relevant addressees to carry out a detailed assessment of the policies and procedures currently adopted, in order to verify their adequacy in light of the novelties introduced by the Decree.
The subjective perimeter of application
Among the most important changes, it is certainly worth mentioning that the list of addressees of the anti-money laundering obligations set forth by the Decree now includes EU banking and financial intermediaries operating in Italy on a cross-border basis under the freedom to provide services, as well as financial advisers and financial advisor companies referred to, respectively, in Articles 18-bis and 18-ter of the Consolidated Law on Finance.
Gaming service providers
The Decree also confirms the applicability of the anti-money laundering provisions to the "gaming service providers", whose regulation is contained in the "new" Title IV of the Decree 231. In this respect, please note that the obligations of customer due diligence to be fulfilled by those providers are linked to «the opening or the changing of the gaming account» (apertura o modifica del conto di gioco), while the fixed and totalizer numeric game systems, the instantaneous and deferred lotteries and the prizes on a sports and horse racing basis are out of the scope of the mentioned rules.
The new obligations imposed by the Decree could have a not insignificant impact on the activity of the gaming sector operators, in particular in view of the need to ensure, in a timely manner, the compliance of the internal procedures adopted so far that govern the identification and the retention of the acquired data. Finally, it should be noted that, pursuant to the new Article 54 of Decree 231, the relevant administrations and institutions shall develop regulatory technical standards to support gaming service providers, also on the basis of the national risk assessment of terrorism and money laundering conducted by the Financial Security Committee (Comitato di Sicurezza Finanziaria).
In addition, dealers (concessionari) shall implement, by 4 July 2018, any technological and organizational measure necessary to mitigate and manage the risks of money laundering and terrorism financing to which their distributors and practitioners are exposed, having specific regard to the risks relating to clients, countries or geographical areas, transactions and game types.
Specific identification and verification requirements are also provided for distributors and practitioners for gambling transactions higher than € 2,000 and, in any case, when there is a suspicion of money laundering or terrorism financing.
Virtual currency providers
Specific rules have also been set forth with reference to providers operating in "virtual currencies", meaning any "digital representation of value, not issued by a central bank or by a public authority, not necessarily linked to a currency with legal tender, used as a means of exchange for the purchase of goods and services and transferred, stored and negotiated electronically".
In detail, the Decree 231 now qualifies as "other non-financial operators" the virtual currency service providers, defined as "natural or legal persons providing to third parties, on a professional basis, services functional to use, exchange, store virtual currencies as well as to convert them in or from currencies with legal tender". Such providers are required to fulfil specific anti-money laundering obligations with regard to virtual currency conversion activities.
It is worth noting that, by amending Legislative Decree no. 141, the Decree requires the virtual currency service providers to be registered in a special section of the register held by the so-called "Agents and Credit Brokers Body" (Organismo degli Agenti e dei Mediatori Creditizi), which is responsible for the management of the register of financial agents and credit brokers, in accordance with Article 128-undecies of the Consolidated Banking Act.
This provision shall be implemented by a decree to be issued by the Italian Minister of Economy and Finance, detailing the reporting duties of the virtual currency service providers with regard to the operations carried out in Italy. Such reporting must be considered as an essential condition for the lawful performance of the relevant activity by the aforementioned providers.
Customer Due Diligence
With particular regard to the customer due diligence (CDD), it should be noted that the Decree:
- Modifies the CDD requirements applicable to payment services carried out and e-money issued/distributed via (i) financial agents listed in Article 128-quater, paragraphs 2 and 6 of the Consolidated Banking Act and (ii) contracted parties (soggetti convenzionati) and agents (other than financial agents, engaged by both Italian and EU PSPs and e-money issuers to provide services in Italy), clarifying that the customer due diligence obligations must be complied with even in case of occasional transactions of less than € 15,000
- Allows the addressee to consider the identification duties fulfilled vis-à-vis customers who are not physically present, provided that they have a digital ID or a digital signature
- Clarifies that the obligation to collect additional information concerning, inter alia, the client's financial position as well as the source of his/her funds and resources must be performed on the basis of data "acquired or owned by reason of the exercise of the activity", thereby limiting the scope of the research
The regulator confirmed that customers already identified in connection with other professional relationships or services do not require a new identification, provided that the relevant data are up-to-date and the relevant risk profile has not changed. A careful check of the list of customers already acquired shall therefore be properly carried out.
Unlike the previous provisions of the Decree 231, the Decree does not identify the persons or entities to which the simplified due diligence is applicable, leaving it to the addressees to assess whether a simplified procedure can be applied in light of the risk profile of the client. In this respect, the Decree sets out a set of illustrative criteria and factors (relating to client types, products, services, operations, distribution channels or geographic areas) to be taken into account in such assessment.
It should therefore be considered that the entities subject to CDD obligations shall develop and adopt in the coming months ad hoc models, aimed at identifying "low risk" hypotheses to which the simplified due diligence can be applied, in compliance with any provisions issued by the relevant supervisory authorities.
With regard to CDD measures carried out through third parties, the Decree states that, upon the request of the obliged entity relying on the CDD carried out by a "third party", the latter will be required to provide without delay copies of the documentation collected at the time of identification of the customer. In addition, it is specified that the third party must "directly" carry out the CDD. Such provision will certainly require some amendments to the agreements to be executed with the third parties, in order to insert ad hoc clauses aimed at governing that new obligation. In any case, the prohibition on using third parties established in countries classified as high-risk countries remains.
Ultimate Beneficial Owner Register
Among the most significant innovations, the creation of a single register of the ultimate beneficial owners of enterprises and trusts should be highlighted. In particular, a special section of the Register of Enterprises will be the tool for collecting and storing information on the beneficial owners of legal persons as well as private legal persons other than companies. The directors of all legal persons are required to provide the register with the relevant information and data. In the event of inactivity or unjustified refusal by the shareholder to provide the necessary information, the voting rights related to the stakes owned by the beneficial owner will be frozen. Similar research and disclosure obligations are required for fiduciaries of trusts with legal effects; in such cases the lack of the information on the beneficial owner is punishable by the monetary administrative penalty referred to in Article 2630 of the Italian Civil Code ("Execution of complaints, communications and deposits", from a minimum of € 103 to a maximum of € 1,032).
The implementation of the above provisions is subject to the issuance by the Italian Ministry of Economy and Finance of a detailed discipline, specifically regarding the type of data and information to be notified, how to access and consult the register and the terms and conditions to which the access to the register upon the request of private individuals with a valid interest is subject.
Single Archive Database (Archivio Unico Informatico)
In terms of obligations, another change concerns the Single Archive Database. Pursuant to the Decree, the obligation to create such database and to provide it with the information of the customers has been replaced by a more generic "conservation obligation". However, we should await the issuance of the secondary legislation, in order to better understand how the mentioned provision will be applied by the supervisory authorities of the relevant sector.
The Bank of Italy Provisions implementing the Single Archive Database will in any case apply until 31st March 2018.
The sanction profile has also been deeply revised, both in terms of the quantification of penalties and in terms of the types of violation. Particularly important is the identification of a substantially objective liability for corporate representatives, where omissions in controls entail possible violations of anti-money laundering legislation. In addition, the introduction of the penalties of imprisonment and fine should be pointed out; these apply to the addressees making use of false information and data related to the customer, the ultimate beneficial owner or to the purpose or nature of the on-going relationship or of the professional activity and the transaction.
Moreover, in the context of the obligation to report suspicious transactions, the Decree sets out some criteria to determine the gravity of the violation and to which extent the penalty is applicable. It will be necessary to evaluate, inter alia, the degree and intensity of the subjective element, how significant and evident are the reasons for the transaction being suspect, as well as any cooperation of the addressee with the authorities.
Also in the context of reporting suspicious transactions, the penalty for the late submission of the report that the control bodies of the addressee are obliged to make has been repealed; with particular regard to the supervised entities, the penalty in case of omission of the report of suspicious transactions has been extended also to employees of banking and financial intermediaries and financial operators (as defined in the new Decree 231) who are required to carry out the communication or the reporting activity, responsible "exclusively or competing" with the entity in which they operate.
The obligations on whistleblowing also deserve particular attention: in line with the recent amendments introduced in the Consolidated Banking Act and the Consolidated Finance Act, the addressees are required to adopt internal procedures and processes to encourage the reporting by the staff of potential or actual violations or breaches of the anti-money laundering provisions.
Amendment Proposal of the IV AML Directive
Finally, in July 2016, prior to the deadline set to implement the IV AML Directive in the EU Member States (26 June 2017), the European Commission made a proposal to amend the IV AML Directive, proposing, inter alia: a reduction from 25% to 10% of the percentage of possession that presumes a beneficial ownership relationship; the establishment of an EU centralized register for collecting information on the ultimate beneficial ownership; the extension of the scope of anti-money laundering obligations to currency (virtual and legal) exchange providers and the simultaneous reduction of simplified due diligence hypotheses for e-money transactions.
These amendments, however, have not been confirmed and therefore have not been transposed into national law.
Entry into force and transitional and implementing provisions
The Decree will enter into force next 4th July, but the secondary provisions implementing rules repealed or replaced by the Decree will continue to apply until 31st March 2018.
Within 12 months of the entry into force of the Decree - and therefore by 4th July 2018 - the supervisory authorities and the competent self-regulatory bodies shall issue the secondary legislation regarding the procedures and instruments for mitigating the risk. The respective supervised entities will be required to adopt or, if appropriate, to adapt their internal procedures in compliance with the provisions of Articles 14 and 15 of Decree 231 as amended by the Decree.