Article 2381 of the Italian Civil Code vests in the chief executive officer (under the continuing supervision of the board of directors) the task of ensuring the adequacy of the organisational, administrative and accounting set-up of the corporation. This provision, which is interpreted as a general principle and is therefore applied to limited liability companies too, is intended to establish the duty of the directors to organise the business in a way that reduces the risk of non-compliance.
As far as listed companies are concerned, the Italian legal and regulatory framework provides for certain additional corporate bodies and procedures aimed at addressing corporate risk and compliance management. In particular:
- pursuant to article 154-bis of the Financial Act 58/1998, listed companies shall appoint a manager in charge of preparing the company’s financial reports and ensuring that appropriate administrative and accounting procedures are put in place in connection therewith;
- pursuant to article 123-bis of the Financial Act 58/1998, the board of directors of listed companies shall publish, on a yearly basis, a report on corporate governance providing information on, inter alia, the risk management and internal audit systems adopted by the company in relation to the financial reporting process; and
- article 7 of the Code of Conduct for Listed Companies (which sets forth best practice standards for listed companies’ corporate governance on a ‘comply or explain’ basis) recommends adoption of an internal control and risk management system that shall consist of policies, procedures and organisational structures aimed at identifying, measuring, managing and monitoring the main risks concerning listed companies.
Moreover, pursuant to the above-mentioned provisions, it is recommended that listed companies set up a control and risk committee. The committee shall be charged, among other things, with supporting the evaluations and decisions made by the board of directors in relation to the company’s internal control and risk management system. For further information concerning the laws and regulations on corporate risk and compliance management of listed companies, see questions 6 and 7 below.
With respect to banks, the Bank of Italy’s Regulation 285/2013 establishes a comprehensive regulatory framework in connection with banks’ risk and compliance management. The general aim of the relevant provisions is setting up an integrated and effective internal control system in order to:
- regularly monitor business operations and ongoing compliance with the applicable laws and regulations, and check the adequacy of the banks’ organisation and accounting arrangements;
- adequately monitor all business risks; and
- ensure information flows that allow management to make informed decisions.
Also, with regard to insurance companies and in line with the new Solvency II regulatory framework, Legislative Decree 209/2005 and Institute for the Supervision of Private Insurance and Collective Interest (ISVAP) Regulation 20/2008 provide for the implementation of an appropriate internal controls system, ensuring:
- the efficiency and effectiveness of corporate processes;
- adequate control of present and prospective risks;
- the reliability and integrity of accounting and management information;
- protection of assets from a medium and long-term perspective; and
- compliance of the insurance companies’ activities with current legislation.
Large undertakings are also subject to Legislative Decree 39/2010 (on the auditing of their accounts), which, effective from 1 January 2017, requires those exceeding certain size thresholds to publish a non-financial statement containing information on the impact of the undertaking’s activity on environmental, social and employee matters, respect for human rights, and anti-corruption and bribery matters.
Compliance violations may trigger a broad range of consequences. First of all, pursuant to article 2049 of the Italian Civil Code and article 185 of the Italian Criminal Code, legal entities are responsible for civil damages resulting from violations committed by their representatives and employees in the exercise of their functions or roles.
Moreover, pursuant to article 197 of the Italian Criminal Code and article 6 of Law 689/1981, legal entities are jointly liable for the fines levied against their representatives and employees for offences committed in the exercise of their functions or roles.
Since 2001, pursuant to Legislative Decree 231, a legal entity is also criminally liable for certain offences committed by its directors, representatives, executives, managers, agents and employees when the crime has been committed in the interests or to the benefit of the legal entity. Legal entities may exculpate themselves from such criminal responsibility only if very strict conditions are satisfied. The long list of crimes that trigger the criminal responsibility includes bribery; corporate crimes; forgery; money-laundering; health and safety and environmental crimes; cybercrimes; conjuring; insider trading and market abuse; copyright crimes; and many others. Legislative Decree 231 applies to legal entities incorporated in Italy, Italian branches of foreign legal entities, partnerships and associations with or without legal personality.
Specific additional rules apply to state-owned companies (Law 190/2012) that must adopt specific anti-corruption measures.
From 25 May 2018, the General Data Protection Regulation 679/2016 has direct application in Italy.