ORGANISATIONAL, MANAGEMENT AND CONTROL MODEL Pursuant to Legislative Decree no. 231 of 8 June 2001

Transcription

1 ORGANISATIONAL, MANAGEMENT AND CONTROL MODEL Pursuant t Legislative Decree n. 231 f 8 June 2001 Apprved by the Management Bard and by the Supervisry Bard n 6 March 2012

2 TABLE OF CONTENTS CHAPTER 1 THE REGULATORY FRAMEWORK THE ADMINISTRATIVE LIABILITY SCHEME LAID DOWN IN LEGISLATIVE DECREE NO. 231/2001 FOR LEGAL PERSONS, COMPANIES AND ASSOCIATIONS THE ADOPTION OF THE ORGANISATION, MANAGEMENT AND CONTROL MODELS AS A MEANS TO EXEMPT ENTITIES FROM ADMINISTRATIVE LIABILITY... 7 CHAPTER 2 - THE ORGANISATIONAL, MANAGEMENT AND CONTROL MODEL OF INTESA SANPAOLO S.P.A THE EXISTING CORPORATE TOOLS UNDERLYING THE MODEL The Grup s Cde f Ethics and Internal Cde f Cnduct The key features f the internal cntrl system The pwer and delegatin system THE AIMS PURSUED BY THE MODEL KEY MODEL COMPONENTS MODEL STRUCTURE THE ADDRESSEES OF THE MODEL MODEL ADOPTION, EFFECTIVE IMPLEMENTATION AND MODIFICATION ROLES AND RESPONSIBILITIES OUTSOURCED ACTIVITIES MODELS OF THE COMPANIES BELONGING TO THE BANKING GROUP Grup guidelines cncerning the administrative liability f Entities CHAPTER 3 - THE SURVEILLANCE BODY IDENTIFICATION OF THE SURVEILLANCE BODY COMPOSITION, TERM OF OFFICE AND REMUNERATION OF THE SURVEILLANCE BODY Cmpsitin Term f ffice Remuneratin ELIGIBILITY REQUIREMENTS; GROUNDS FOR DISQUALIFICATION FROM OFFICE AND SUSPENSION; TEMPORARY INABILITY Requirements fr standing members Prfessinalism, integrity and independence requirements fr alternate members Verificatin f requirements Grunds fr disqualificatin frm ffice Grunds fr suspensin Temprary inability f the standing member DUTIES OF THE SURVEILLANCE BODY PROCEDURES AND FREQUENCY FOR REPORTING TO THE CORPORATE BODIES CHAPTER 4 - INFORMATION FLOWS TO THE SURVEILLANCE BODY INFORMATION FLOWS IN THE CASE OF PARTICULAR EVENTS PERIODIC INFORMATION FLOWS CHAPTER 5 - THE DISCIPLINARY SYSTEM CHAPTER 6 - INTERNAL TRAINING AND COMMUNICATION INTERNAL COMMUNICATION TRAINING

3 CHAPTER 7 PREDICATE OFFENCES - AREAS, ACTIVITIES AND ASSOCIATED RULES OF CONDUCT AND CONTROL IDENTIFICATION OF THE SENSITIVE AREAS SENSITIVE AREA CONCERNING OFFENCES AGAINST THE PUBLIC ADMINISTRATION Offences Sensitive cmpany activities Signing cntracts with the Public Administratin Intrductin Prcess descriptin Cntrl principles Rules f cnduct Managing cntracts with the Public Administratin Intrductin Prcess descriptin Cntrl principles Rules f cnduct Management f the activities relating t the request fr authrisatin r fulfilment f requirements twards the Public Administratin Intrductin Prcess descriptin Cntrl principles Rules f cnduct Management f public subsidy schemes; Intrductin Prcess descriptin Cntrl principles Rules f cnduct Management f funded training Intrductin Prcess descriptin Cntrl principles Rules f cnduct Management f litigatin and ut-f curt settlements; Intrductin Prcess descriptin Cntrl principles Rules f cnduct Management f relatins with the Supervisry Authrities Intrductin Prcess descriptin Cntrl principles Rules f cnduct Management f the prcedures fr the prcurement f gds and services and fr the appintment f prfessinal cnsultants Intrductin Prcess descriptin Cntrl principles Rules f cnduct Management f gifts, entertainment expenses, dnatins t charities and spnsrships Intrductin Prcess descriptin Cntrl principles Rules f cnduct Management f the staff selectin and recruitment prcess Intrductin Prcess descriptin Cntrl principles Rules f cnduct Management f real-estate assets and f mvable prperty having artistic value Intrductin Prcess descriptin Cntrl principles Rules f cnduct

4 7.3 SENSITIVE AREA CONCERNING THE COUNTERFEITING OF MONEY (AND VALUABLES) Offences Sensitive cmpany activities Management f valuables Intrductin Prcess descriptin Cntrl principles Rules f cnduct SENSITIVE AREA CONCERNING CORPORATE OFFENCES Types f ffences Sensitive cmpany activities Management f relatins with the Supervisry Bard and the Independent Auditrs Intrductin Prcess descriptin Cntrl principles Rules f cnduct Management f peridic reprting Intrductin Prcess descriptin Cntrl principles Rules f cnduct Preparatin f the prspectuses Intrductin Prcess descriptin Cntrl principles Rules f cnduct SENSITIVE AREA CONCERNING CRIMES WITH THE PURPOSE OF TERRORISM OR SUBVERSION OF THE DEMOCRATIC ORDER, ORGANISED CRIME, TRANSNATIONAL CRIMES AND CRIMES AGAINST THE PERSON Types f ffences Sensitive cmpany activities SENSITIVE AREA CONCERNING RECEIPT OF STOLEN GOODS, MONEY LAUNDERING AND USE OF MONEY, GOODS OR BENEFITS OF UNLAWFUL ORIGIN Types f ffences Sensitive cmpany activities Financial fight against terrrism and mney laundering Intrductin Prcess descriptin Cntrl principles Rules f cnduct SENSITIVE AREA CONCERNING CRIMES AND ADMINISTRATIVE OFFENCES RELATING TO MARKET ABUSE Types f ffences Sensitive cmpany activities Management and disclsure f infrmatin and external cmmunicatins fr the purpses f preventin f criminal and administrative ffences in the area f market abuse Intrductin Prcess descriptin Cntrl principles Rules f cnduct Managing market transactins t prevent administrative and criminal ffences linked t market abuse 170 Intrductin Prcess descriptin Cntrl principles Rules f cnduct

5 7.8 SENSITIVE AREA CONCERNING WORKPLACE HEALTH AND SAFETY OFFENCES Types f ffences Sensitive cmpany activities Management f the risks relating t wrkplace health and safety Intrductin Prcess descriptin Cntrl principles Rules f cnduct SENSITIVE AREA CONCERNING COMPUTER CRIMES Types f Offences Sensitive cmpany activities Management and use f the Grup s cmputer systems and Infrmatin assets Intrductin Prcess descriptin Cntrl principles Rules f cnduct SENSITIVE AREA CONCERNING CRIMES AGAINST INDUSTRY AND TRADE AND CRIMES INVOLVING BREACH OF COPYRIGHT Types f ffences Sensitive cmpany activities SENSITIVE AREA CONCERNING OFFENCES AGAINST THE ENVIRONMENT Type f ffence Sensitive cmpany activities Envirnment risk management Frewrd Descriptin f the prcess Mnitring Standards Cnduct standards APPENDIX: BRIBERY ACT

6 Chapter 1 The regulatry framewrk 1.1 The administrative liability scheme laid dwn in Legislative Decree n. 231/2001 fr legal persns, cmpanies and assciatins By way f implementatin f the delegatin under Article 11 f Law N 300 f 29 September 2000, n 8 June 2001 Legislative Decree n. 231 (hereinafter the Decree r Legislative Decree n. 231/2001 ) was adpted, aligning natinal legislatin with the internatinal cnventins n the liability f legal persns. These are, specifically, the Brussels Cnventin n the prtectin f the Eurpean Cmmunities' financial interests f 26 July 1995, the Cnventin n the fight against crruptin invlving fficials f the Eurpean Cmmunities r fficials f Member States f the Eurpean Unin, signed in Brussels n 26 May 1997, and the OECD Cnventin n Cmbating Bribery f Freign Public Officials in Internatinal Business Transactins f 17 December The Decree, which lays dwn Prvisins n the administrative liability f legal persns, cmpanies and assciatins, including thse withut legal persnality, intrduced int the Italian legal rder an administrative liability regime applying t Entities (meaning cmpanies, assciatins, cnsrtia, etc., hereinafter, Entities ) fr a series f specified ffences cmmitted in the interest r t the advantage f the entity: (i) by natural persns hlding representatin, administratin r management psitins in the Entity r in a financially and functinally autnmus rganisatinal unit belnging t the Entity; and by natural persns wh exercise, als de fact, the management and cntrl f the Entity, r (ii) by natural persns subject t the management r supervisin f ne f the abve-mentined persns. The list f predicate ffences was recently expanded by the additin f sme types f administrative breaches. The Entity s liability is additinal t that f the natural persn wh was the perpetratr f the ffence, and is independent f it, as it als exists where the perpetratr has nt been identified r cannt be charged r where the ffence is extinguished fr a reasn ther than amnesty. The administrative liability regime laid dwn in the Decree fr prsecutin f the ffences specifically identified therein, applies t Entities which benefited frm the ffences r in whse interest the predicate ffences - r administrative breaches - identified in the Decree were cmmitted. The penalties applicable t the Entity may include fines, interdictins, cnfiscatin, publicatin f the sentence and appintment f a special administratr. Interdictin measures, which may have a mre severe impact n the Entity than mnetary penalties, cnsist in the suspensin r revcatin f licenses and cncessins, prhibitin n cntracting with the public administratin, prhibitin n cnducting business activities, denial r revcatin f funding and cntributins, and the prhibitin n advertising prducts and services. 6

7 The abve-mentined liability als applies t ffences cmmitted abrad, prvided that the cuntry in which the ffence was cmmitted des nt initiate prceedings in respect f thse ffences and that the Entity has its head ffice in Italy. 1.2 The adptin f the rganisatin, management and cntrl mdels as a means t exempt Entities frm administrative liability After establishing the administrative liability f Entities, in Article 6 the Decree prvides that an Entity shall nt be liable where it can prve that it adpted and effectively implemented, befre the ffence was cmmitted, an apprpriate rganisatin and management mdel t prevent ffences f the kind that has ccurred. Article 6 als prvides fr creatin f an internal cntrl bdy within the Entity, tasked with mnitring the peratin, effective implementatin and bservance f the mdel, and with updating the mdel. The Organisatinal, Management and Cntrl Mdel (hereinafter als the Mdel ) must meet the fllwing requirements: identify the activities which may give rise t the ffences listed in the Decree; define the prcedures thrugh which the entity makes and implements decisins relating t the ffences t be prevented; define prcedures fr managing financial resurces t prevent ffences frm being cmmitted; establish reprting bligatins t the bdy respnsible fr mnitring Mdel peratin and cmpliance; put in place an effective disciplinary system t punish nn-cmpliance with the measures required by the Mdel. If the ffence is cmmitted by persns hlding a representative, administrative r management rle in the Entity r ne f its rganisatinal units with financial and functinal autnmy and by persns wh, de fact r therwise, manage and cntrl the Entity, the Entity shall nt be liable if it can prve that; (i) management had adpted and effectively implemented an apprpriate rganisatinal and management mdel t prevent ffences f the kind that has ccurred; (ii) the task f mnitring the Mdel implementatin, cmpliance and updating was entrusted t a crprate bdy with independent pwers f initiative and cntrl; (iii) the perpetratrs cmmitted the ffence by fraudulently circumventing the Mdel; (iv) there was n missin r insufficient cntrl by the cntrl bdy. On the ther hand, where the ffence is cmmitted by persns under the management r supervisin f ne f the abve-mentined persns, the Entity is liable if perpetratin f the 7

8 ffence was made pssible by nn-perfrmance f management and supervisry duties. Such perfrmance shall be ruled ut where the Entity, befre the ffence was cmmitted, had adpted and effectively implemented an apprpriate Mdel t prevent ffences f the kind cmmitted, based, f curse, n a priri assessment. Lastly, Article 6 f the Decree prvides that the Mdel may be adpted n the basis f cdes f cnduct prepared by representative trade assciatins and submitted t the Ministry f Justice. This Mdel was prepared and updated als having regard t the guidelines prepared by ABI and apprved by the Ministry f Justice. 8

9 Chapter 2 - The Organisatinal, Management and Cntrl Mdel f Intesa Sanpal S.p.A. 2.1 The existing crprate tls underlying the Mdel In preparing this Mdel, accunt was taken firstly f the current legislatin and f the prcedures and cntrl systems already existing and implemented within Intesa Sanpal S.p.A., insfar as they were apprpriate t als serve as measures fr preventing ffences and unlawful cnduct in general, including thse laid dwn in Legislative Decree n. 231/2001. Intesa Sanpal S.p.A. (hereinafter als the Bank ), which riginated frm the merger by incrpratin f Sanpal IMI S.p.A. int Bank Intesa S.p.A., effective frm 1 January 2007, is a highly cmplex reality, frm bth the rganisatinal and peratinal viewpint. The crprate bdies f Intesa Sanpal S.p.A. have given the highest imprtance t aligning the rganisatinal structures and peratinal prcedures f the tw Banks, bth t ensure efficiency, effectiveness and transparency in the management f activities and the assciated allcatin f respnsibilities, and t minimise any inefficiencies, failures and irregularities (including any cnduct which is unlawful r therwise nt in line with Bank guidelines). The rganisatinal cntext f Intesa Sanpal S.p.A. cnsists f the crpus f rules, structures and prcedures which ensure the Bank s peratin; it is therefre a multifaceted system which is defined and checked internally als with a view t cmpliance with the legislatin applicable t Intesa Sanpal S.p.A. as bth a bank and a listed cmpany (Banking Law, the Bank f Italy s Supervisry Instructins, the Cnslidated Law n Financial Intermediatin and the assciated implementing regulatins). In such capacity, the Bank is als subject t the supervisin f the Bank f Italy and Cnsb, within their respective pwers, which carry ut checks and cntrls n the Bank s activities and rganisatinal structure, as prvided fr by law. Clearly, therefre, this crpus f special rules, tgether with nging supervisin by the cmpetent Authrities cnstitute invaluable tls fr preventing unlawful cnduct in general, including the ffences laid dwn in the specific legislatin n the administrative liability f Entities. The Bank s already existing specific tls laying dwn the prcedures thrugh which the entity makes and implements decisins relating t the ffences and breaches t be prevented include: the rules f crprate gvernance adpted in accrdance with the Crprate Gvernance Cde fr listed cmpanies and the relevant crprate laws and regulatins; internal regulatins and crprate plicies; the Grup s Cde f Ethics and Internal Cde f Cnduct; The internal cntrl system; 9

10 the pwers and delegatin system. The rules, prcedures and principles set ut in the abve-mentined instruments are nt described in detail in this Mdel but are integrated in the Mdel s brader rganisatin, management and cntrl system which all internal and external parties are required t respect, in accrdance with their relatinship with the Bank. The fllwing paragraphs prvide an verview f the reference principles f the Grup s Cde f Ethics and Internal Cde f Cnduct, f the internal cntrl system, and f the pwers and delegatin system The Grup s Cde f Ethics and Internal Cde f Cnduct In line with the imprtance assigned t ethical issues and t pursuing a cnduct cnsistently inspired by criteria f rigur and integrity, the Bank has adpted a Grup-wide Cde f Ethics and Internal Cde f Cnduct. The Cde f Ethics is the cnstitutinal charter f the Intesa Sanpal Grup. It lays dwn the pillars f its crprate culture and values which underline the cncrete rules f cnduct t be fllwed by all internal and external stakehlders having direct r indirect relatins with the Bank: firstly custmers, sharehlders and emplyees but als suppliers, business partners, the cmmunity, the lcal areas and the envirnment in which the Grup perates. The Grup s Internal Cde f Cnduct, applicable t all Grup Cmpanies, is an intentinally lean set f rules. It includes general prvisins defining the essential rules f cnduct fr cmpany representatives, staff and external cllabratrs wh, in perfrming their duties, must perate with prfessinalism, diligence, hnesty and crrectness and mre specific prvisins, such as the prhibitin t engage in certain persnal transactins. 10

11 2.1.2 The key features f the internal cntrl system Intesa Sanpal S.p.A., t ensure sund and prudent management, cmbines business prfitability with an attentive risk-acceptance activity and an perating cnduct based n fairness. Therefre, the Bank, in line with legal and supervisry regulatins in frce and cnsistently with the Cde f cnduct f listed cmpanies, has adpted an internal cntrl system capable f identifying, measuring and cntinuusly mnitring the risks typical f its business activities. Intesa Sanpal S.p.A. s internal cntrl system is built arund a set f rules, prcedures and rganisatinal structures aimed at ensuring cmpliance with Cmpany strategies and the achievement f the fllwing bjectives: the effectiveness and efficiency f Cmpany prcesses; the safeguard f asset value and prtectin frm lsses; reliability and integrity f accunting and management infrmatin; transactin cmpliance with the law, supervisry regulatins as well as plicies, plans, prcedures and internal regulatins; The internal cntrl system is characterised by a dcumentary infrastructure (regulatry framewrk) that prvides rganised and systematic access t the guidelines, prcedures, rganisatinal structures, and risks and cntrls within the business, incrprating bth the Cmpany plicies and the instructins f the Supervisry Authrities, and the prvisins f the law, including the principles laid dwn in Legislative Decree 231/2001. The regulatry framewrk cnsists f Gvernance Dcuments as adpted frm time t time, which versee the peratin f the Bank (Articles f Assciatin, Cde f Ethics, Grup Internal Cde f Cnduct, Cmmittee Regulatin, Regulatin n Related Party Transactins, Authrities and pwers, Plicies, Guidelines, Functin/Organisatinal Charts, Organisatinal Mdels, etc.) and f mre strictly peratinal regulatins that gvern business prcesses, individual peratins and the assciated cntrls (Service Orders, Service Ntes, Circulars and Operating Guidelines). Mre specifically, the Cmpany rules set ut rganisatinal slutins that: ensure sufficient separatin between the peratinal and cntrl functins and prevent situatins f cnflict f interest in the assignment f respnsibilities; are capable f adequately identifying, measuring and mnitring the main risks assumed in the varius peratinal segments; enable the recrding f every peratinal event and, in particular, f every transactin, with an adequate level f detail, ensuring their crrect allcatin ver time; 11

12 establish reliable infrmatin systems and suitable reprting prcedures fr the varius management levels having cntrl functins; ensure prmpt reprting t the apprpriate levels within the cmpany and the swift handling f any anmalies fund by the business units, by the internal audit functin r by ther cntrl functins. Mrever, the Cmpany s rganisatinal slutins prvide fr cntrl activities at all peratinal levels, which make it pssible t univcally and frmally identify respnsibilities, in particular as cncerns perfrming cntrls and crrecting any irregularities fund. Fllwing the indicatins prvided by the Supervisry Authrities, the Bank has identified the fllwing macr types f cntrl: line cntrls, aimed at ensuring the crrect applicatin f day-t-day activities and single transactins. Nrmally, such cntrls are carried ut by the prductin structures (business r supprt) r incrprated in IT prcedures r executed as part f back ffice activities; risk management cntrls, which help define risk management methdlgies, verify cmpliance with the limits assigned t the varius perating functins and check whether the peratins f individual prductin structures are in line with established risk-return targets. As a rules, these checks are carried ut by ther than prductin structures; cmpliance cntrls, made up f plicies and prcedures t identify, assess, check and manage the risk f nn-cmpliance with laws, Supervisry authrity measures r selfregulating cdes, as well as any ther rule which may apply t the Bank; internal auditing, aimed at identifying anmalus trends, vilatins f prcedures and regulatins, as well as assessing the verall functining f the internal cntrl system. It is perfrmed by different structures which are independent frm prductin structures. The internal cntrl system is peridically reviewed and adapted in relatin t business develpments and the reference cntext. In particular, the internal audit activities in Intesa Sanpal S.p.A. are carried ut by an internal functin (Internal Audit), which reprts directly t the Chairman f the Management Bard and the Chairman f the Supervisry Bard, reprting in particular t the Cntrl Cmmittee. This functin is als tasked with submitting t the Management Bard, the Supervisry Bard, the Tp Management and the Heads f the varius Organisatinal units, prpsals fr pssible imprvements t risk management plicies, measurement tls, prcesses and prcedures. 12

13 2.1.3 The pwer and delegatin system Under the Articles f Assciatin, and in accrdance with the general planning and strategic guidelines apprved by the Supervisry Bard, the Management Bard is vested with all the pwers fr the rdinary and extrardinary administratin f the Bank and has delegated its functins t the Managing Directr and C.E.O, establishing his pwers. The Management Bard has als defined and apprved the decisin-making pwers and expenditure limits f the Heads f the Organisatinal Structures, in accrdance with the rganisatinal and management respnsibilities assigned t them, setting the limits theref and establishing prcedures and limits fr exercise f sub-delegatins. The pwer t sub-delegate is exercised thrugh a cnstantly mnitred transparent prcess, which is calibrated in accrdance with the rle and psitin f the sub-delegate, wh in any case must always reprt back t the delegating functin. Mrever, the prcedures fr signing deeds, cntracts, dcuments and internal and external crrespndence are frmalised, and the relevant signing pwers are assigned t staff members jintly r severally. In particular, jint signatures are usually required fr dcuments issuing rders r accepting bligatins fr the Bank. All the Structures perate under specific Regulatins defining their pwers and respnsibilities, which are available thrughut the Bank. The dcument n autnmus management pwers, apprved by the Management Bard, is als disseminated thrughut the Bank. Lastly, peratinal prcedures, which define hw the different crprate prcesses are t be perfrmed are als disseminated thrughut the Bank by means f specific internal rules. Therefre, all the main decisin-making and implementing prcesses cncerning Bank peratins are spelled ut, bservable and available t the entire rganisatin. 2.2 The aims pursued by the mdel Althugh the crprate tls described in the preceding paragraphs wuld by themselves suffice t prevent the ffences cvered by the Decree, fllwing the same plicy already adpted by Sanpal IMI S.p.A. and Bank Intesa S.p.A. the Bank decided t adpt a specific Organisatinal, Management and Cntrl Mdel pursuant t the Decree, cnvinced that such mdel, besides being an imprtant tl fr raising the awareness f all thse wh perate n the Bank s behalf, leading them t perate with integrity and transparency, is als mre effective in preventing the risk f the ffences and the administrative breaches cvered by the reference legislatin being cmmitted. 13

14 In particular, by adpting and regularly updating the Mdel, the Bank pursues the fllwing main aims: make all persns perating n the Bank s accunt in the field f sensitive activities (i.e. thse activities which, by their nature, are at risk fr the ffences identified in the Decree), aware f the fact that, shuld they breach the rules gverning such activities, they might incur disciplinary and/r cntractual sanctins, as well as criminal and administrative penalties; stress that any such unlawful cnduct is strngly discuraged since (even where the Bank wuld seem t benefit frm it) such behaviur is in breach nt nly f the law, but als f the ethical principles which the Bank intends t apply t all its activities; enable the Bank, thanks t mnitring f the sensitive activity areas, t take swift actin t prevent r fight any ffences and punish cnduct in breach f its Mdel. 2.3 Key mdel cmpnents The Mdel f Intesa Sanpal S.p.A. was prepared in accrdance with the will f the legislatr, and taking int accunt the guidelines issued by ABI. The key mdel cmpnents may be summarised as fllws: identificatin f the activity areas at risk, i.e. the sensitive cmpany activities where ffences might ccur, t be analysed and mnitred; management f peratinal prcesses ensuring: the separatin f duties by adequately allcating respnsibilities and establishing apprpriate authrizatin levels in rder t avid functinal verlaps r perating allcatins that cncentrate activities n a single persn; clear and frmalised allcatin f pwers and respnsibilities, expressly indicating the limits f thse pwers and cnsistent with the duties assigned and psitins cvered within the rganisatinal structure; apprpriate prcedures fr perfrming the activities; traceability f the acts, peratins and transactins thrugh an apprpriate paper r electrnic trail; decisin-making prcesses linked t preset bjective criteria (e.g.: the cmpany keeps registers f apprved suppliers, bjective staff assessment and selectin criteria are in place, etc.); cntrl and supervisry activities n cmpany transactins are in place and traceable; 14

15 safety mechanisms are in place, prviding apprpriate data prtectin/access cntrl t crprate data and assets; adequate rules f cnduct are in place ensuring that crprate activities are carried ut in cmpliance with the laws and regulatins and safeguarding the cmpany's assets; the respnsibilities fr the adptin, amendment, implementatin and cntrl f the Mdel have been defined; the Surveillance Bdy has been identified and specific duties f versight n the Mdel s effective and prper functining have been allcated; the infrmatin flws t the Surveillance Bdy have been defined; an effective disciplinary system has been put in place and implemented t punish nncmpliance with the measures required by the Mdel; staff training and internal cmmunicatin cncerning the cntents f the Decree and f the Mdel, and the assciated cmpliance bligatins. 2.4 Mdel structure T define this Organisatinal, Management and Cntrl Mdel Intesa Sanpal S.p.A. tk as a basis, supplementing them, the internal rules and prcedures already in place in Intesa S.p.A. and Sanpal Imi S.p.A., thereby making the mst f the experience already gained by the tw Banks. Specifically: with regard t Bank Intesa, the Bard f Directrs, by reslutin f 8 March 2004 apprved the Management, Organisatin and Cntrl Mdel, implementing and updating it by the subsequent reslutins f n 8 February 2005 and 6 March 2006; with regard t Sanpal Imi, the Bard f Directrs, by reslutin f 25 March 2003 apprved the Reference Principles fr Adptin f the Organisatin, Management and Cntrl Mdels, subsequently updated and supplemented by the reslutins f 24 January 2006, 28 February 2006 and 20 June After the merger, by means f its reslutin f 2 January 2007 the Management Bard f Intesa Sanpal S.p.A. cnfirmed the validity and effectiveness f the tw Mdels previusly adpted by the tw frmer Banks. Said Mdels were applied within the Business Units riginating respectively frm Sanpal Imi S.p.A. and Bank Intesa S.p.A. until this Mdel was adpted. After the Bank s new rganisatinal setup was defined, t enable the timely adptin f a single Mdel meeting the needs f the new rganisatin, Intesa Sanpal S.p.A. chse t use the 15

16 evidence btained thrugh the mapping f the sensitive areas and risk types previusly carried ut by the tw banks befre the merger, cmparing and recnciling them in the light f the Bank's current rganisatinal structure. Accrdingly, fr each categry f predicate ffence, the sensitive crprate areas have been identified. Within each sensitive area the crprate activities mst at risk fr the perpetratin f the predicate ffences laid dwn in the Decree ( sensitive activities) have been identified, and fr each f such activities cnduct and cntrl rules have been established differentiated accrding t the specific ffence-risk t be prevented als taking int accunt the rules in frce at the tw banks prir t the merger. The Mdel is fully and effectively implemented in the Bank s peratins by cnnecting each sensitive area with the crprate structures cncerned and with the dynamic management f prcesses and f the reference internal regulatins, which must be based n the cnduct and cntrl principles spelled ut fr each such activity. The apprach adpted: helps make ptimum use f the stre f knwledge built by the tw banks prir t the merger cncerning the internal plicies, rules and regulatins guiding and gverning the Bank s decisin-making and implementatin cncerning the preventin f unlawful acts, and, mre in general, risk management and the perfrmance f cntrls; makes it pssible t manage the crprate perating rules with univcal criteria, including thse relating t sensitive areas; makes it easier t regularly implement and update in a timely manner the internal prcesses and regulatry system, in respnse t changes in the cmpany s rganisatinal structure and peratins, making the Mdel highly dynamic especially in the current phase, marked by nging changes due t the current rganisatinal and peratinal integratin. Accrdingly, the cntrl r the risks under Legislative Decree n. 231/2001 by Intesa Sanpal S.p.A. is ensured by: this dcument ( Organisatinal, Management and Cntrl Mdel ), and the existing regulatry system, which is an integral and substantive part f this mdel. The Organisatinal, Management and Cntrl Mdel sets ut in particular: the reference regulatry framewrk; the rles and respnsibilities f the structures engaged in the adptin, effective implementatin and mdificatin f the mdel; the specific duties and respnsibilities f the Surveillance Bdy; 16

17 the infrmatin flws t the Surveillance Bdy; the system f sanctins; the training principles; the sensitive areas having regard t the types f ffences identified in the Decree; the crprate activities at risk fr the predicate ffences ( sensitive activities) and the rules f cnduct and cntrls aimed at preventing such ffences. The Bank s regulatry framewrk f the Bank, cnsisting f the Gvernance Dcuments (Articles f Assciatin, Cde f Ethics, Grup Internal Cde f Cnduct, Regulatins, Plicy, Rules, etc.), Service Orders, Service Ntes, Circulars, Handbks, Operating Guidelines and ther tls, gverns at the varius levels the Bank s peratins in the sensitive areas/activities and is fr all intents and purpse an integral part f the Mdel. The regulatry framewrk is held and catalgued, with specific reference t each sensitive activity, in a specific dcument repsitry, which is available thrughut the Bank thrugh the cmpany s Intranet and cnstantly updated by the cmpetent functins in line with the develpment f the peratins. Therefre, by matching the cntents f the Mdel with the crprate regulatry framewrk it is pssible t extract, fr each f the sensitive activities, specific, precise and always up-t date Prtcls that set ut phases f activities, the structures cncerned, cntrl and cnduct principles, and prcess perating rules and which make it pssible t verify and streamline each activity phase. 2.5 The addressees f the Mdel The Mdel and the prvisins it cntains r refers t must be cmplied with by all the managers and staff f Intesa Sanpal S.p.A. and, in particular, by thse wh perfrm sensitive activities. Staff training and the disseminatin f infrmatin n Mdel cntents within the rganisatin are cntinuusly ensured by the prcedures described in detail in Chapter 6 belw. In rder t ensure the effective and efficient preventin f ffences, the Mdel is als addressed t external stakehlders (i.e. self-emplyed r para-subrdinate wrkers, freelance prfessinals, cnsultants, agents, suppliers, cmmercial partners, etc.) wh, under cntractual relatinships, cllabrate with the Bank in perfrmance f its activities. Their cmpliance with the Mdel is ensured by a cntractual clause whereby they undertake t cmply with the 17

18 principles f the Mdel and t reprt t the Surveillance Bdy any case f unlawful acts r breaches f the Mdel they might becme aware f. 2.6 Mdel adptin, effective implementatin and mdificatin Rles and respnsibilities Adptin f the Mdel In accrdance with Article 6, paragraph I, pint (a) f the Decree, the Mdel is adpted by reslutin f the Management Bard, which als supervises its implementatin. The Mdel must als be apprved by the Supervisry Bard in view f its statutry rle in the Bank s gvernance system and f the fact that the Surveillance Bdy is an internal rgan f the Supervisry Bard. The Managing Directr and C.E.O. defines the structure f the Mdel t be submitted t the Management Bard s apprval with the assistance, as t their respective areas, f the Cmpliance, Internal Audit, Legal Affairs, Organisatin and Human Resurces, Anti-Mney Laundering functins, f the Emplyer and f the Principal pursuant t Legislative Decree n. 81/2008, and after cnsultatin with the Surveillance Bdy. Effective implementatin and mdificatin f the Mdel The Management Bard (r the entity frmally delegated by it) is tasked with effectively implementing the Mdel, by assessing and apprving the actins required t implement r amend it. In identifying such actins, the Management Bard is assisted by the Surveillance Bdy. The Management Bard delegates the individual structures t implement Mdel cntents and t regularly update and implement the internal regulatins and crprate prcesses, which are an integral part f the Mdel, in cmpliance with the cntrl and cnduct principles defined fr each sensitive activity. Any changes s made t cmpany prcesses and regulatins are reprted every six mnths t the Management Bard and the Surveillance Bdy. Effective and cncrete Mdel implementatin is als ensured: by the Surveillance Bdy, in exercise f its pwers f initiative and cntrl ver the activities carried ut by the individual rganisatinal units in the sensitive areas; by the heads f the Bank s varius Organisatinal units (Divisins, Gvernance Areas - Chief Operating Officer, Chief Financial Officer, Chief Lending Officer, Chief Risk Officer - Departments and Organisatinal units) having regard t the activities at risk they perfrm. 18

19 The Management Bard, als with the help f the Surveillance Bdy, must als ensure updating f the sensitive areas and f the Mdel, in view f any updating requirements which might becme necessary in the future. Specific rles and respnsibilities relating t Mdel management are als assigned t the structures indicated belw. Internal Audit functin Internal Audit delivers nging and independent surveillance n the regular perfrmance f peratins and prcesses, in rder t prevent r detect any anmalus r risky behaviur r situatin. It assesses the efficiency f the verall internal cntrl system and its ability t guarantee effective and efficient cmpany prcesses. Internal Audit supprts directly the Surveillance Bdy in mnitring cmpliance with and adequacy f the rules cntained in the Mdel. Whenever prblems are identified, it refers them t the cmpetent functins fr the apprpriate crrective actins. Cmpliance functin The task f the Cmpliance functin is t ensure cnsistently ver time that effective rules, prcedures and peratinal practices are in place t prevent breaches r vilatins f applicable prvisins. With specific reference t the administrative liability risks intrduced by the Decree, the Cmpliance functin supprts the Surveillance Bdy's perfrmance f its cntrl activities by: defining and updating the Mdel, with the supprt f bth the Legal and the Organisatin functins, in line with develpments in the reference legislatin and with changes in bth the Emplyer s and the Principal s rganisatinal structure, under Legislative Decree n. 81/2008, as well as f the Anti-Mney Laundering functin - each as t their respective areas f cmpetence; mnitring, ver time, Mdel effectiveness with reference t the rules and principles f cnduct fr the preventin f sensitive ffences; t this end the Cmpliance functin: - identifies each year thse prcesses felt t be at higher risk bth as t their cntents with respect t the predicate ffences, and as t the existence r inexistence f specific prcedures t mitigate such risk; nce the prcesses have been identified and befre they are published n the cmpany s system f regulatins, the cmpliance functin issues a preliminary apprval as t the crrect applicatin f the cntrl and cnduct principles prvided fr by the Mdel; mrever, by means f a risk-based apprach, it 19

20 implements specific assurance activities t assess the cnfrmity f the prcesses with the prtcls set ut in the Mdel; - analyses the results f the rganisatinal units self-assessment prcess and statement n cmpliance with the cntrl and cnduct principles set ut in the Mdel; examining the infrmatin submitted by Internal Audit n issued detected during its verificatins. Anti-Mney Laundering functin The Anti-Mney Laundering functin cnstantly checks that the cmpany s prcedures are cnsistent with the aim f preventing and cmbating the vilatin f heter-regulating (regulatry laws and rules) and self-regulating cdes n the subject f mney laundering and terrrism financing. T pursue the aims set ut in the Decree, the Anti-Mney Laundering functin, exclusivly with regard t managing risks inherent t anti-mney laundering and terrrism financing: cntributes t the definitin f the Mdel s structure and t its update; prmtes rganisatinal and prcedural amendments aimed at ensuring an adequate mnitring f the risks inherent t mney laundering and terrrism financing; receives and frwards the peridical reprts and the infrmatin flws set ut in the Guidelines fr cntrasting mney laundering and terrrism financing phenmena and fr managing embarges ; sets up, in c-peratin with the cmpany structures respnsible fr training, an adequate training plan aimed at keeping emplyees and cllabratrs cnstantly updated. Legal Affairs functin Legal Affairs pursues the aims set ut in the Decree by prviding assistance and legal advice t the Bank s structures, mnitring the develpment f the relevant legislatin and case law. Other tasks f the Legal Affairs functin are t interpret the legislatin, reslve legal issues and identify types f cnduct which may cnstitute ffences. The Legal Affairs functin cllabrates with Cmpliance, Internal Audit, Organisatin, Anti- Mney Laundering functins, with the Emplyer and the Principal pursuant t Legislative Decree n. 81/2008, in updating the Mdel, als reprting any widening f the scpe f the administrative liability f Entities. Organisatin functin 20