Integrity in corporate conduct

Intesa Sanpaolo has defined the Group Anti-Corruption Guidelines, approved by the Board, and the Model of Organization, Management and Control adopted pursuant to D.Lgs. 231/2001 which, together with the Code of Ethics, define the commitment to comply with the regulatory provisions aimed at combating active and passive corruption in all its forms. Special attention is paid to complying with national and international legislation on money laundering and terrorist financing, including through processes and procedures relating to the obligations of appropriate customer verification, reporting of suspicious operations and risk assessment and management. 

The Corporate Bodies of the parent company are responsible, each according to their competencies and prerogatives, for ensuring the adequate control of non-compliance risks to which the Group is or may be exposed. The tasks and responsibilities assigned to the Corporate Bodies of the parent company are set out in the relevant Regulations and, with reference to the internal control system, in the Group Integrated Internal Control System Regulation. In particular, the Board of Directors, after examination by the Risk and Sustainability Committee and the Management Control Committee, approves the Group Anti-Corruption Guidelines and oversee their implementation through the Managing Director and CEO; examine the information concerning oversight of the risk of corruption provided by the Head of the Chief Compliance Officer Governance Area as part of the periodic reporting. The disclosure concerning oversight of the risk of corruption is also extended to the Supervisory Body established pursuant to Legislative Decree no. 231/01.

The reporting to the Corporate Bodies on anti-corruption matters, presented to the Board of Directors, is an integral part of the reports prepared by the Anti Financial Crime Head Office Department, which include, on an annual basis, the identification and assessment of risks and the scheduling of management interventions and, on a half-yearly basis, reports of actual results, a description of the activities performed, critical issues noted, and remedies identified.

On 29 September 2023, the Board of Directors of Intesa Sanpaolo approved the updated Group Anti-Corruption Guidelines with the following provisions: updating of external regulatory sources and inclusion of the most important sources of “soft law”; refinements of the process through which the areas at greatest risk are identified; inclusion among the disbursements subject to the Guidelines of association activities, which in terms of risk can be equated to donations; inclusion of a focus on “Business Introducers”, with further specific precautions, in consideration of the greater risks associated with this case; integration of the activities carried out by the Anti-Financial Crime Head Office Department; inclusion of a specific reference to the provisions of the ISO 37001 standard regarding the need to acquire periodic declarations of commitment to compliance with the Guidelines by the members of the Board of Directors and the Top Managers of the Parent Company; introduction of the right for the Group Anti-Corruption Officer to authorise exceptions to certain provisions set out in the Guidelines in specific transactions/situations characterised by limited bribery risks.

In 2023, 387,721 hours of training were provided on these issues, 88,485 Group’s people trained (94.4% of the total). Training on anti-corruption and anti-money laundering is mandatory and follows multi-year cycles, also according to local regulations.

In May 2022, Intesa Sanpaolo had already obtained the renewal of UNI ISO 37001:2016 Anti-bribery management systems certification, which sets the international standard on the subject, with an extension of the scope to include the Group entities included in the Compliance and Anti-Financial Crime risk assessment. More specifically, the certification is valid until May 2025 (subject to two maintenance audits) and applies to Intesa Sanpaolo (including the international branches), the banking entities and the main financial and insurance companies. In 2023, the first of the two maintenance audits was completed (the next is scheduled for 2024), which included several audit sessions involving the Parent Company’s Head Office Departments, Regional Governance Centres of the Banca dei Territori Division, Italian branches of said Regional Governance.

There were no cases of disciplinary measures related to corruption incidents. There were no significant penalties for non-compliance with laws or regulations relating to corruption.

Intesa Sanpaolo constantly oversees and promotes free competition and spreads the culture of compliance to antitrust legislation also through the establishment of a specific internal team aimed at overseeing compliance with antitrust rules, the adoption of a Policy and a training and information program. In 2023, 1,340,337 hours of training were provided on the topic and 60,168 employees were trained.

Intesa Sanpaolo is constantly committed to implementing regulatory, organisational and technological measures, in line with the leading reference standards, aimed at guaranteeing the defence of human rights and to adequately respond to the fundamental need to protect privacy. The adopted measures respond to the principles of the Group's Code of Ethics, which commit Group companies to adopting criteria of absolute transparency in informing customers and collaborators of their rights in this matter and the ways in which their personal information is processed. Intesa Sanpaolo attributes strategic importance to the protection and safeguarding of personal data of individuals beyond the full implementation of the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation - GDPR), which came into force on 25 May 2018. This commitment is articulated in the Corporate Rules for the Processing of Personal Data and the Guidelines on the Protection of Personal Data of Individuals, approved by the Board of Directors, which provide the overall framework of conduct addressed to all the Group's people, as well as to those who collaborate with it, and identify the roles and responsibilities for implementing the internal rules.

Intesa Sanpaolo processes personal data only for the purposes described and explicitly indicated in the information made available to interested parties. No processing is carried out for secondary purposes not explicitly indicated.

In relation to the processing of personal data for marketing purposes, the free, explicit and unequivocal consent of the interested party is required; if the latter denies consent or does not make any type of choice, the data collected will not be processed and used for this purpose in any way.

Personal Data Protection Management model

Intesa Sanpaolo defined a governance model for the compliance risk with reference to the protection of personal data as an integral part of the internal control.

The Board of Directors and the CEO, which represent the Data Controller, have the task of defining the control model (players, responsibilities, macro processes and information flows) and ensuring its operation.

The Data Protection Officer, with the support of the Privacy Function of the Safety and Protection Head Office Department, monitors, the compliance risk regarding privacy, according to a risk based approach, by working independently as a specialist Compliance function in line with the Group’s Compliance Guidelines.

The Corporate Bodies of the Parent Company are responsible, each according to their roles and prerogatives, for ensuring a suitable control of the personal data protection non-compliance risk the Group is or could be exposed to.

The Risks and Sustainability Committee shall assist the Board of Directors, in order to ensure the best control of the compliance risks regarding the protection of personal data.

The Chief Risk Officer cooperates with the Chief Compliance Officer and the Data Protection Officer to define the methods of assessing compliance risks, encouraging synergies with the tools and methods of the Operational Risk Management.

The Group Companies established in the European Union are obliged to implement the Guidelines on the Protection of Personal Data, adapting them to their own company situation and, in the case of International companies, to the specific characteristics of their local regulations.

Intesa Sanpaolo requires suppliers and third parties to comply with internal rules, regulations and standards with reference to personal data protection, identifying their subjective role in personal data processing, evaluating existence of necessary safeguards, formalising contractual conditions, and assessing their compliance and adequacy.

Third Parties who intend to enter into contractual relationships with Intesa Sanpaolo must register via a Supplier Portal which allows them to assess the adequacy and level of maturity based on certain criteria, including those of the Third Party's ability, reliability and experience in the matter of protection of personal data.

As part of the stipulation of supply agreements with Third Parties which provide for the processing of personal data, a specific examination is started to determine the subjective role of the Supplier. If the evaluation shows that the Third Party acts as Data Processor, a letter of appointment is prepared containing the specific binding clauses relating to compliance with the personal data protection requirements.

The suppliers appointed as Data Processors are subjected to periodic assessment activities aimed at ascertaining the adequacy of the privacy safeguards, through monitoring activities carried out with audits on the Supplier or self-assessment activities.

In 2023, 117,319 hours of privacy training were provided - involving 76,405 employees (81.5% of the total) - and 1,567,128 hours of training on the topic of consumer protection - involving 76,932 employees (82.1% of the total).

The Group works to ensure that its working environment is permeated by mutual trust, loyalty and enriched by the contribution of each person, in accordance with the rules and agreements related to national and second level bargaining (Group). In 2023, 54 cases for violations of labour law were notified and around 55 cases were closed. The main types of ongoing litigation concern deskilling, appeals against dismissal and disciplinary sanctions, higher job positions, and termination of the employment relationship (sale of business unit – Intrum).. In 2023, there were no cases notified by people of the Group in service that have mobbing as their exclusive object.

In order to ensure that its actions are aligned with principles of integrity, the bank has designed a system of controls aimed at maintaining a constant safeguard in the identification, governance and control of the risks associated with the activities carried out and in this regard it carries out audit activities on a fixed basis in relation to the nature and intensity of the risks.  
With regard to the audits carried out in 2023 in the Central Structures, Banks and Group Companies, the activities regarding the 268 Risk Areas identified in the planning phase were completed, with the completion of 407 audits (67 of which “extraordinary”, originating from specific requests of Corporate Bodies, Supervisory Authorities or from events/circumstances occurring after the completion of the annual planning). In 2023, 96 audits were reported as significant for the purposes of Italian Legislative Decree no. 231/2001. Among these, 4 concerned activities related to corruption risk; these latest audits involved 3 Governance Areas/Divisions (some interventions involved several Governance Areas/Divisions). 
In 2023, there were 96 audits regarding actions that directly or indirectly related to aspects linked to social and environmental policies. 

In the ESG area, the 2023 audit activity consisted mainly of an Audit programme (7 audits) focused directly on issues relating to the analysis of the evolution of Governance (Third Pillar disclosure preparation process, with a focus on ESG factors) and of the ESG framework (ESG impacts in supply chain management; issuance of green bonds on behalf of third parties; integration of “Sustainable and Responsible Investments” (SRI) principles and ESG factors in investment processes, for the Fideuram Intesa Sanpaolo Private Banking scope; Own Emission Plan; “Per Merito – Studio Si” Loans; integration of ESG issues into the market and counterparty risk framework). In addition, the “ESG related” audits were completed, which mainly focused on other aspects, but also included analyses on ESG issues (Consistency of credit strategies with sectoral trends; monitoring of the quality of the loan portfolio with reference also to ESG indicators and compliance with the principles and values of the Code of Ethics; Single adequacy model, Consob 2021 inspection follow-up and advanced advisory services for the Private Banking Division) and other initiatives that more marginally touch on environmental, social and governance issues relating to the Code of Ethics.

Since 2016, a system for reporting acts or facts that may constitute violations of the rules governing banking activities or other unlawful conduct that may harm the public interest or the integrity of the company has been in place (Whistleblowing).

In accordance with the provisions of Legislative Decree 24/2023, starting from  July 15^th, 2023, the audience of possible whistleblowers will be expanded.

The following subjects can make a whistleblowing report:

• employees and self-employed workers who work or have worked for the Group,
• holders of a professional collaboration relationship referred to the Article 409 of the Code of Civil Procedure (for example, agency relationship) and to the Article 2 of Legislative Decree 81/15 (collaborations organized by the client),
• workers or collaborators who provide goods or services or who carry out works for third parties and perform or have performed their work for the Group,
• freelancers and consultants who work or have worked for the Group,
• volunteers and trainees (paid and unpaid),
• shareholders (natural persons),
• persons with administrative, control, supervisory or representative functions.

The Whistleblowing process, which integrates the other reporting systems and processes active in the Company, allows you to report, with the utmost guarantee of confidentiality, violations of which you have become aware in the workplace, or on the basis of the legal-economic relationship with the Group, protecting the whistleblower from possible retaliatory or discriminatory behaviour.

Whistleblowing reports can be sent using the specific channels available 24 hours a day, 7 days a week, in Italian and English version (email and voice recorder).

The Chief Audit Officer ensures the correct execution of the process.

Information on the channel, procedures and conditions for carrying out reports is available on the Bank's intranet portal and in the specific section of the Group's website.

In 2023, 30 reports were received, of which 1 was deemed not pertinent while 29 led to the launch of specific investigations.

For reports of alleged non-compliance with the code of ethics, the following e-mail address is available: codice.etico@intesasanpaolo.com

The Intesa Sanpaolo Group complies with tax regulations in the belief that compliance is a fundamental contribution of citizenry supporting the community in which it operates. Intesa Sanpaolo's positive impact in this respect is confirmed by the disclosed forecast in the Business Plan of a total contribution from 2018 to 2021 of approximately 13 billion euro, an amount comparable to a budgetary stability law.

During 2023, the Group, in addition to indirect taxes of 1,217 million euro recorded accrued income taxes for the year of 3,438 million euro, for the most part in Italy, where the majority of operating income was earned, as per the table below. The Group has strengthened the internal control system for tax risk, known as the Tax Control Framework, to make it capable of covering the strategically important area of tax risk and meeting the requirements for access to the collaborative compliance scheme introduced in Italy, in accordance with Legislative Decree 128/2015.

In December 2017, the Intesa Sanpaolo Group adopted its Principles of conduct on fiscal matters, in order to ensure compliance over time with the tax and fiscal rules of the countries where it operates and to guarantee the financial and reputational integrity of all the Group companies. Guidelines were also approved for the management of tax risk within the system of collaborative compliance with the Revenue Agency, which govern the criteria and processes that Intesa Sanpaolo must adopt to ensure the adequacy and effectiveness of its Tax Control Framework and related Rules.

In compliance with applicable laws, Intesa Sanpaolo publishes a "Country by Country" report, with the following information for each country (according to rules established by the Bank of Italy): the gross income; the number of employees; profit or loss before taxes; taxes on profit or loss. The report is available at this link.

Information on taxes payed Country-by-Country