
Supervisory Provisions on Compliance (Conformità)

Original Language Title: Disposizioni di vigilanza in materia di conformita' compliance

1. Introduction.

Compliance with the rules and fairness in business are fundamental to the conduct of banking, which by its nature is based on trust. The evolution of financial markets, in terms of product innovation, risk transfer and international reach, makes it more complex to identify and control the practices that may result in violations of legal rules, operating standards, and the principles of ethics and conduct of the banking business. In this changed context it is necessary, on the one hand, to promote a corporate culture based on the principles of honesty, fairness and respect not only for the letter but also for the spirit of the rules; on the other, to put in place specific organizational controls designed to ensure strict compliance with regulatory and self-regulatory requirements. To that end, the establishment within banks and banking groups of a specific function dedicated to overseeing and verifying compliance is of particular importance.

These provisions lay down general principles aimed at identifying the purpose and the main tasks of the compliance function, while leaving banks full discretion in choosing the organizational solutions most suitable and effective for achieving them. They apply to banks and banking groups according to the principle of proportionality, that is, in line with their specific size and operational characteristics.

The compliance function plays an important role in creating business value by strengthening and preserving the good name of the bank and public confidence in its operations and management. In pursuing these objectives, banks are required to pay particular attention to the users of their services, not only by applying the rules for the protection of customers promptly and consistently, but also by ensuring full information that promotes informed financial choices.
For the performance of investment services and activities by banks, the provisions transposing Directive 2006/73/EC concerning the compliance function (Article 6 of the directive) will also apply. Pending the adoption of that regime, the provisions on internal controls of the Intermediaries Regulation adopted by Consob with resolution no. 11522/1998 apply.

2. Compliance risk (the risk of non-compliance with the rules).

The risk of non-compliance with the rules is the risk of incurring legal or administrative sanctions, significant financial losses or reputational damage as a result of violations of mandatory rules (laws or regulations) or self-regulatory rules (e.g. articles of association, codes of conduct, self-regulatory codes). This risk is spread across all levels of the organization, especially within the operational lines; prevention must therefore take place first of all where the risk is generated, which requires adequate accountability of all staff. In general, the rules most relevant to compliance risk are those concerning the exercise of intermediation, the management of conflicts of interest, transparency towards customers and, more generally, the protection of consumers.

Effective and efficient management of compliance risk, in addition to the accountability of all staff, requires among other things: a clear and formal identification and separation of roles and responsibilities at the various levels of the bank's organization; the establishment of a special unit responsible for managing compliance risk; the appointment of a head of compliance within the bank; the drawing up of an internal document setting out the responsibilities, tasks, operating procedures, information flows, planning and results of the activities carried out by the compliance function.

3. The role of the bank's senior governing bodies.
The board of directors and the board of auditors are responsible for the overall supervision of the system for managing compliance risk. Where banks adopt a model other than the traditional one, this task falls to: in the two-tier system, the supervisory board and the management board; in the one-tier model, the board of directors.
In particular, the board of directors, after consulting the board of auditors, approves by a resolution that cannot be delegated the policy for managing this risk, including the establishment of a permanent and independent compliance function. For banks adopting the two-tier system of management and control, it is appropriate that the articles of association assign this matter to a resolution of the supervisory board, on a proposal of the management board. In the one-tier model, the resolution must be approved not only by the board of directors as a whole but also by the management control committee. At least once a year, the board of directors, after consulting the board of auditors, assesses the adequacy of the compliance function and may for this purpose make use of a committee set up within it; in the two-tier model this assessment is carried out by the management board and its results are communicated to the supervisory board or to a committee set up within it.

The delegated bodies (or, in the two-tier model, the management board) and the general manager, within the powers defined in general terms with reference to the internal control system, must ensure effective management of compliance risk. To this end they:
- define adequate compliance policies and procedures;
- establish effective communication channels to ensure that staff at all levels of the organization are aware of the compliance principles relating to their tasks and responsibilities;
- ensure that policies and procedures are observed within the bank;
- where violations emerge, ensure that the necessary remedies are put in place;
- outline reporting mechanisms that give the corporate bodies full knowledge of how compliance risk is managed.
In addition, with the collaboration of the compliance function, the delegated bodies (or, in the two-tier model, the management board) and the general manager, within their respective powers, have the following tasks:
- identify and assess, at least once a year, the main compliance risks to which the bank is exposed and plan the associated management measures. The planning of measures must cover both any shortcomings (of policy, procedures, implementation or execution) that have emerged in the bank's operations and the need to address any new compliance risks identified following the annual risk assessment;
- report, on their own initiative or upon request, at least once a year, to the board of directors (or a committee set up within it) and the board of auditors, or to the supervisory board (or a committee set up within it), on the adequacy of the management of compliance risk implemented by the bank;
- promptly inform the board of directors (or a committee set up within it) and the board of auditors (or the supervisory board (1) or the management control committee) of any material breach of compliance with the rules (i.e. violations that may give rise to a high risk of regulatory or legal sanctions, significant financial losses or reputational damage).

(1) Violations must be brought to the attention of the committee set up within the supervisory board to which the functions relating to internal controls are attributed.

4. The compliance function.

Dynamic and informed management of compliance risk requires the establishment of a specific function whose task is to verify that internal procedures are consistent with the objective of preventing violations of external rules (laws and regulations) and self-regulation (codes of conduct, codes of ethics) applicable to the bank. That function is an integral part of the banks' internal control system (Title IV, Chapter 11, Section II of the Supervisory Instructions).
The main obligations the compliance function is called upon to perform are:
- the ongoing identification of the rules applicable to the bank and the measurement/assessment of their impact on business processes and procedures;
- proposing organizational and procedural changes aimed at ensuring adequate control of the compliance risks identified;
- providing information flows to the corporate bodies and to the structures involved (operational risk management and internal audit);
- verifying the effectiveness of the organizational adaptations (structures, processes, operational and commercial procedures) suggested for the prevention of compliance risk.

Given the multiple professional profiles required to fulfil these obligations, the various stages making up the activity of the compliance function may be assigned to different organizational structures already present in the bank (e.g. legal, organization, operational risk management), provided that the risk management process and the operation of the function are brought back to unity by appointing a head who coordinates and supervises the various activities, including the preparation of a specific programme of activities.

The compliance function must be involved in the ex ante assessment of the conformity with applicable regulations of all innovative projects that the bank intends to undertake, as well as in the prevention and management of conflicts of interest, both between the various activities carried out by the bank and with reference to employees and corporate officers. Another area of intervention of the compliance function is the scrutiny of the company's remuneration system (including incentive pay for staff) with regard to the objectives of respecting the rules, the articles of association and any codes of ethics or other standards of conduct applicable to the bank. The compliance function also covers advice and assistance to the bank's corporate bodies in all matters in which compliance risk is significant, as well as collaboration in the training of staff on the provisions applicable to the activities carried out, in order to spread a culture guided by the principles of honesty, fairness and respect for the spirit and the letter of the rules.
Without prejudice to the banks' discretion in organizing the compliance function, in line with their size and operational characteristics as well as the organizational and strategic set-up of risk management, the function must in any event be independent. To this end it is necessary that:
- the status and mandate of the function be formalized, indicating its tasks, responsibilities, staff, prerogatives and the information flows addressed directly to the corporate bodies;
- an independent head be appointed;
- appropriate safeguards be in place to prevent conflicts of interest, in particular through the provision of separate and dedicated information flows;
- the function be provided with resources adequate, both qualitatively and quantitatively, to its tasks.

In terms of human resources, compliance activities may be carried out by staff placed in a dedicated organizational structure reporting hierarchically to the head of the function, or by staff integrated into the various operational areas. Regardless of the organizational solution chosen, the staff performing compliance tasks must be adequate in terms of: number; technical and professional skills; ongoing updating, including through inclusion in continuous training programmes. In addition, through the allocation of economic resources that the function may also activate independently, the function must be permitted to make use of external expertise in relation to the particular complexity of specific regulatory and/or operational changes; it must have access to all the bank's activities, carried out both at the central offices and at the peripheral structures, as well as to any information relevant to the performance of its tasks, including through direct dialogue with staff.
Banks of small size or limited operational complexity may entrust the performance of the compliance function to existing structures responsible for risk management or to third parties (e.g. banks or other associative organizations of the category), provided they meet suitable requirements in terms of professionalism and independence. In any case, a head of the function must be appointed within the company, with the characteristics and prerogatives mentioned in the following paragraph, who acts as the internal contact person for the entity in charge of the function as well as for the overall supervision of the risk management activity, given that the responsibility for properly managing compliance risk remains with the bank. The outsourcing of the compliance function must be formalized in an agreement that defines at least the following aspects:
- the objectives of the function;
- the minimum frequency of the information flows to the company's internal head and to the corporate bodies, without prejudice to the obligation to respond promptly to any request for information and advice from the latter;
- the obligations of confidentiality of the information acquired in the exercise of the function;
- the possibility of revising the conditions of service upon the occurrence of changes in the bank's operations and organization.

5. The head of the compliance function.

In order to ensure the effectiveness of the compliance function, its head must possess appropriate requirements of independence, authority and professionalism. The appointment and removal of the head of compliance are the exclusive and non-delegable responsibility of the board of directors (or management board), after consulting the board of auditors (or supervisory board). Banks shall promptly inform the Bank of Italy of the appointment and any removal of the head of compliance.
The head of the compliance function must hold a position within the bank such as to give authority to the function itself; a member of the administrative body may also be appointed head of the function, provided he or she does not hold delegated powers. If the head of the function is a member of the bank's management, he or she must not have direct responsibility for operational areas nor be hierarchically dependent on those responsible for such areas. The staff in charge of compliance tasks, even if placed within operational areas, report directly to the head of the function for all matters pertaining to those tasks. These separate information flows may not be required where the staff belong to independent structures of the bank (e.g. legal, risk management).

6. Relationships with other business functions.

The compliance function works with the other functions present in the company (e.g. internal audit, operational risk control, legal function, organization, the supervisory body identified under Law no. 231/2001, etc.) in order to develop their risk management methods in a manner consistent with the business strategies and operations, to design compliant processes and to provide advisory support. The independence of the function, in a context characterized by strong interrelationships, is assured by the formalization of the mandate, which establishes its autonomy with respect to the operational structures and to those of internal control, through the express definition of roles and responsibilities. The compliance function is part of the banks' internal control system as one of the risk management control functions (second-level controls), with the aim of contributing to the definition of the methods for measuring/assessing compliance risk, identifying appropriate procedures for preventing the risks identified and requesting their adoption. The role of the compliance function thus described differs substantially from that of internal audit (see Title IV, Chapter 11, Section II, paragraph 1 of the Supervisory Instructions).
The adequacy and effectiveness of the compliance function must be subject to periodic review by internal audit. It follows that, to ensure the impartiality of the checks, the compliance function cannot be entrusted to the internal audit function. In any case, given the contiguity between the two activities, the duties and responsibilities of the two functions must be clearly identified and communicated within the bank, in particular as regards the division of responsibilities for risk measurement, advice on the adequacy of control procedures and verification of procedures. Specific attention must be paid to the articulation of information flows between the two functions; in particular, the head of internal audit informs the head of compliance of any inefficiencies in risk management that emerge during the verification activities within its remit.

7. The compliance function in group structures.

Strategic decisions at group level in the field of compliance risk management are reserved to the corporate bodies of the parent company. The choices made take into account the specific operations and the associated compliance risks of each of the companies belonging to the group. The corporate bodies of the group companies must be aware of the choices made by the corporate bodies of the parent company and are responsible, according to their respective competences, for implementing the group's compliance risk management strategies and policies within their own company. For this purpose, the parent company must involve the corporate bodies of the subsidiaries, in the manner deemed most appropriate, in the choices made regarding compliance risk management policies and procedures, and ensure their participation.
The activities relating to the compliance function may be centralized in order to achieve economies of scale, including through the establishment of specialized joint structures within the group; it remains the case, however, that in each bank of the group a contact person must be identified who supports the parent company's compliance function, particularly in applying the management policies set at group level to the specific situation of the company. Special attention is required in the articulation of the function in groups with international operations, which must comply with the rules in force in all the countries in which they carry out their activities. In these cases, banks will have to identify the most suitable organizational solutions (e.g. local compliance officers) to ensure proper management of the risk arising from the need to comply with all the provisions applicable in the respective areas of operation. It is also appropriate that companies controlled by Italian banks and operating abroad adopt the same compliance principles as the Italian parent company, even where the legislation of the country in which the subsidiary is established does not provide for similar levels of attention.

As a transitional measure, banks that already have structures responsible for compliance, with organizationally relevant tasks placed within the internal audit function, may adapt to these provisions gradually. In particular, within twelve months of the publication of this decision, the two functions must be made organizationally and operationally separate and independent.

Rome, July 10, 2007
The Director General: Saccomanni