
Integrity in corporate conduct

The Intesa Sanpaolo Group recognises that compliance with internal and external regulations and codes of conduct is of significant importance, also from a strategic point of view, and therefore it acts in the belief that compliance with the rules and fairness are fundamental elements in the performance of banking activities, which by nature are based on trust and transparency. The Group carries out its activities with the aim of providing banking and financial services to its customers in compliance with the value of integrity, which in turn is expressed in the principles of professionalism, diligence, honesty, correctness and responsibility, and in coherence with the values and restrictions contained in the "Code of Ethics", the "Internal Code of Conduct of the Group" and the "Organization, Management and Control Model" adopted pursuant to Legislative Decree 231/2001.

Fighting against corruption

The "Group Anti-Corruption Guidelines" identify the principles, the sensitive areas and define the roles, responsibilities and macro-processes for managing the risk of corruption and define the commitment to comply with the regulatory provisions aimed at combating corruption in all its forms (the principle of "zero tolerance"). They are approved by the Corporate Bodies. The Chief Compliance Officer is responsible for overseeing the matter. They must be complied with by company representatives and all Group people and apply to all companies and countries in which the Group operates, with the exception of entities that exclusively carry out ancillary services and research activities. They also address external parties (suppliers, agents, consultants, professionals, business partners, self-employed or para-subordinate workers, etc.) who give their collaboration to the Group for the implementation of its activities. For this reason, they are made available to all stakeholders through the Group's institutional website and to counterparties benefiting from charitable or sponsorship initiatives as well as to third parties, who collaborate with the Group, when formalizing the related relationships.

At the operational level, Group personnel must immediately report violations of the provisions of the “Anti-Corruption Guidelines” to their Manager, who in turn is required to forward the report received to the Company Anti-Corruption Officer and to the Internal Audit function for the relevant assessments. The possibility of using the reporting systems provided for under the specific rules concerning internal whistleblowing systems for reporting violations remains unaffected.

The Group is subject to the UNI ISO 37001:2016 Anti-bribery Management Systems certification procedure, which represents the relevant international standard (valid until 2025), carried out by an external company.

The main actions implemented in the area of corruption prevention consist of the continuous review of the “Group Anti-Corruption Guidelines” (latest update approved by the Board of Directors during 2025), the updating of rules governing gifts and entertainment expenses, and the planning of adjustments in line with the recommendations of the certification body for the purposes of ISO 37001:2016 compliance.

The Group obtained renewal of the certification during 2025.

The “Anti-Corruption Guidelines” are reviewed annually.

At Intesa Sanpaolo, anti-corruption and anti-money laundering training is mandatory and follows multi-year cycles, also based on local regulations. In 2025, a total of 452,194 training hours on anti-corruption and anti-money laundering topics were delivered to 87,113 Group employees (96% of the total workforce).

In 2025, there were no convictions and/or sanctions for violations of anti-corruption and anti-extortion laws; consequently, no fines or penalties were imposed on the Intesa Sanpaolo Group.


Protection of free competition

Intesa Sanpaolo constantly oversees and promotes free competition and spreads the culture of compliance with antitrust legislation, also through the establishment of a specific internal team responsible for overseeing compliance with antitrust rules, the adoption of a Policy, and a training and information programme. In 2025, 69,474 Group employees were trained (76.5% of the total), and 1,291,710 training hours were delivered.

Privacy and consumer protection

The Intesa Sanpaolo Group has always maintained a high and constant commitment to the protection of the personal data of the people with whom the Group interacts, ensuring the collection and processing of data in compliance with current legislative provisions. The same commitment is also reflected in the protection of customers' personal data.

The regulatory framework for the protection of personal data is Regulation (EU) 2016/679 (the so-called General Data Protection Regulation, GDPR), which came into force on 25 May 2018. Its precepts have been assimilated by the Group and formalised in the main internal governance documents: the Code of Ethics, which outlines the principles and values on which the Group bases its choices and activities, and the Internal Code of Conduct, which defines the conduct that employees and collaborators are required to observe to ensure the correct processing of data. The relevant requirements are set out in the Guidelines on the protection of personal data of natural persons and in the Company Rules for the processing and protection of personal data of natural persons.

The Guidelines define the model for managing the risk of non-compliance with regard to the protection of the personal data of all people with whom the Group interacts, including employees and collaborators, establishing the general principles and setting out the roles and responsibilities of the corporate bodies and structures involved, the macro-processes of risk oversight and control, as well as the Group's policy and coordination model. In addition, they set out the requirements for the processing and protection of personal data and establish the application of sanctions in the event of non-compliance with the provisions.

The privacy notice was updated in March 2025 with new elements concerning:

  • the processing of data carried out by the Bank through the use of artificial intelligence systems;
  • the automated assessment of the financial sustainability of transactions (so-called Affordability);
  • the legal basis of legitimate interest in the management of corporate and strategic transactions;
  • communication among Group companies regarding suspicious transaction reports;
  • profiling for anti-fraud purposes and IT security protection;
  • joint controllership between the Bank and S.W.I.F.T. in international payment transactions.

The privacy notice, published on the institutional website, specifies that the Intesa Sanpaolo Group processes personal data solely for the purposes described and explicitly indicated therein, and made available to data subjects. No processing is carried out for secondary purposes that are not explicitly stated. With regard to the processing of personal data for marketing purposes, the data subject’s free, explicit, and unambiguous consent is required; if the data subject refuses consent or does not make any choice, the collected data will in no way be processed or used for such purposes. Failure to comply with external or internal regulations concerning privacy protection by an authorized person triggers a process aimed at verifying the actual non-compliant conduct. In cases of confirmed and unjustified violations, the relevant functions are always informed to initiate disciplinary proceedings, which generally result in the application of one of the measures provided for by the applicable regulations.

The Group, with companies located in various EU and non-EU countries, complies with local regulations as expressly required by them in the field of personal data protection.

In June 2025, the Board of Directors of Intesa Sanpaolo approved the update of the Guidelines on the protection of personal data of natural persons. This update incorporates the clarification of the principle (already present in the previous version and further strengthened in the updated one) whereby the processing of personal data, carried out by authorized personnel, must be relevant to and/or connected with the assigned duties, as well as the principles governing processing carried out through artificial intelligence systems.

Intesa Sanpaolo requires Suppliers and Third Parties to comply with the rules, regulations and internal standards on the protection of personal data, identifying their subjective role in the processing of personal data, assessing the existence of the necessary guarantees, formalising the contractual conditions and assessing their compliance and adequacy.

Failure by an authorized person to comply with external or internal regulations concerning privacy protection triggers the initiation of a process aimed at verifying the actual unlawful conduct. In cases of confirmed and unjustified violations, the competent functions are always informed to initiate disciplinary proceedings, which generally conclude with the imposition of one of the measures provided for in the disciplinary code against the non-compliant individual.

As part of this approach, promoting a culture of privacy at all levels of the organization is essential for overseeing compliance risk. The employee training plan on personal data protection is defined and updated by the Data Protection Officer, who provides and validates the training materials and monitors participation and course outcomes. In 2025, the Group continued its awareness-raising initiatives on personal data protection for employees by offering mandatory courses and monitoring results. The adoption of an internal management platform, facilitating the integrated management of key privacy processes, was also completed. In 2025, 74,618 people were trained on privacy protection topics (82.2% of the total), and 106,261 hours of training were delivered.

Compliance with labour laws

Intesa Sanpaolo promotes a transparent, sustainable work organization with clear responsibilities at all levels. Responsibility for management, and consequently also for monitoring the effective application of the trade union agreements, is assigned to the Labour Affairs, Policies & Safety Head Office Department.

With reference to the Group’s Internal Code of Conduct, during 2025 the Group provided mandatory digital training courses for its employees upon hiring; these courses are always available on dedicated corporate platforms for Group personnel (in Italian and English). Specific training courses were also provided for employees of the International Banks Division.

Audit activities

The planning of audit activities within the Group is coordinated by a dedicated internal structure, the Internal Audit Function. In 2025, audit activities were structured on three levels (multi-year strategic, annual operational, and quarterly operational) and covered 269 Risk Areas, with 320 audits completed (including 51 “extraordinary” audits).

As required by international standards, the Internal Audit Function is subject to a regular external Quality Assurance Review (QAR). The most recent QAR was launched in the second half of 2024 and is still ongoing, while the previous review, conducted in 2022, confirmed the continuous development of the Function in line with international standards, as well as an increase in effectiveness compared with previous QAR results.

Audit activities included 82 audits classified as significant pursuant to Legislative Decree 231/2001, 10 of which focused on corruption risk. In addition, as part of the ESG audit program, 68 ESG audits were conducted, addressing topics such as ESG governance, greenwashing risk, EU Taxonomy-aligned financing, reputational risks, physical and hydrological risks, ESG factors in credit processes, management of initiatives from a circular economy perspective, ESG stewardship activities, the social impact of retail credit (in particular Impact initiatives), and the management of sponsorships and charitable donations. These activities confirmed an overall acceptable level of risk, with mitigation measures monitored through dedicated digital tools.

Among the additional initiatives launched in 2025, the SAIL (Strategic Audit Innovation Line-up) program supported the continued evolution of the Internal Audit Function.

Whistleblowing

The Group has an internal whistleblowing system for reporting violations of national and European regulations which harm the public interest or the integrity of Intesa Sanpaolo and the Group Companies (for example: administrative, accounting, civil or criminal offences; unlawful conduct pursuant to Legislative Decree no. 231/01; rules governing banking activities; conduct giving rise to conflicts of interest), or of internal company policies and/or procedures, which the whistleblower has discovered in the work context.

The reference internal rules on the matter, which are the responsibility of the Chief Audit Officer Area, are set out in a specific Group rules document on internal whistleblowing systems and are available for consultation by all persons working for the Intesa Sanpaolo Group on the company intranet. In addition, a summary description is also available on the Group’s official website. The system is reserved for:

  • employees and self-employed workers who work or have worked for the Group;
  • workers or collaborators who provide goods or services or perform work for third parties and work or have worked for the Group;
  • freelancers and consultants who work or have worked for the Group;
  • volunteers and trainees;
  • shareholders (natural persons);
  • persons with administrative, control, supervisory or representative functions.

These individuals may report a violation via channels available 24 hours a day (e-mail or voice messaging) on the Group’s official website and on the Group’s intranet portal, in Italian or English (the international language of reference), or in the language of their country. Information on the channels, procedures and conditions for submitting reports is available on the Bank's intranet portal and in the specific section of the Group's website.

In 2025, 64 reports were received, of which 10 were deemed not relevant, while 55 led to the initiation of specific investigations. Dedicated whistleblowing channels are also active at the Group’s foreign banks, which received 10 reports, of which 2 were deemed not relevant.

For reports of alleged non-compliance with the code of ethics, the following e-mail address is available: codice.etico@intesasanpaolo.com


Compliance with tax regulations and tax contribution

In compliance with the Code of Ethics, the entire Group is committed to observing principles based on values of honesty and integrity in managing tax matters, compliance with the tax regulations applicable in the countries in which the Group operates and maintaining a collaborative and transparent relationship with the tax authorities, including through adherence to cooperative compliance schemes.

Intesa Sanpaolo recognises the importance of contributing to the communities of the jurisdictions in which it operates by paying the right amount of taxes. For this reason it pays particular attention to the evolution of tax regulations, both at domestic and international level, aimed at countering base erosion and profit shifting, with an ongoing commitment to adhere to those principles.

The Group strengthened its internal tax risk control system, the Tax Control Framework (“TCF”). The TCF serves to monitor the strategic importance of tax risk and to meet the requirements for accessing the cooperative compliance regime introduced in Italy (pursuant to Italian Legislative Decree 128/2015). At the same time, it updated the Organisation, Management and Control Model, for the purposes of the liability of entities for tax offences sanctioned by Italian Legislative Decree No. 231 of 2001, in order to monitor the risk of tax fraud.

In December 2017, the Intesa Sanpaolo Group adopted its Principles of conduct on fiscal matters, in order to ensure compliance over time with the tax and fiscal rules of the countries where it operates and to guarantee the financial and reputational integrity of all the Group companies.

Guidelines were also approved for the management of tax risk within the system of collaborative compliance with the Revenue Agency, which govern the criteria and processes that Intesa Sanpaolo must adopt to ensure the adequacy and effectiveness of its Tax Control Framework and related Rules.

The information on taxes is available within the SDGs report on page 127.

Cybersecurity & Business Continuity Management

Intesa Sanpaolo views cybersecurity as a strategic keystone, vital not only for safeguarding corporate and customer data but also for bolstering the resilience of the national economy. To reinforce this commitment, Corporate & Physical Security, Cybersecurity, and Business Continuity are managed by the Chief Security Officer Governance Area.

To address the growing complexity of cyber threats, the bank adopted structured measures to strengthen its control systems, introducing authentication solutions to secure critical access, as well as event monitoring and external network monitoring, in order to ensure business continuity.

The bank also introduced questionnaires to increase customer awareness of fraud risks, strengthening European cooperation on these issues. An anti-fraud platform with advanced technological solutions was also introduced.

This integration ensures streamlined decision-making, transparent resource management, rigorous regulatory compliance and alignment with the world’s leading security frameworks.

In 2025, the bank blocked approximately 16.1 million euros in fraud and 175.7 million euros in scams, for a total of 191.8 million euros in blocked fraudulent transactions.

The Group’s cybersecurity framework is built on a clear Strategy and a detailed Action Plan comprising:

  • Strengthening Threat Controls: Deploying advanced machine-learning and data-analytics tools to detect and mitigate cyber-attacks and fraud in real time.
  • Vulnerability Management: Systematically identifying, prioritizing and remediating weaknesses across all systems.
  • Operational Resilience: Enhancing our ability to respond to incidents swiftly, minimizing disruption and ensuring continuity of services.
  • Security Culture: Delivering mandatory, role-based training to raise awareness of data-protection best practices and GDPR requirements.
  • Regulatory Alignment: Continuously updating policies and procedures to comply with evolving cybersecurity and business-continuity standards.

To reinforce customer trust, the Group has developed an internal Cybersecurity Process Guide. This comprehensive manual maps every stage of the customer-issue lifecycle, from detection through resolution, assigning clear roles, responsibilities and escalation paths. By embedding rigorous processes and cutting-edge technologies, Intesa Sanpaolo remains steadfast in its mission to protect data, secure customer assets and uphold the highest standards of digital trust.

Intesa Sanpaolo has therefore adopted a management model that includes:

  • Intesa Sanpaolo Group's IT Security Plan: the master blueprint for cybersecurity across the entire Intesa Sanpaolo Group, defining our strategic posture in terms of governance, investment priorities, control schedules and evolutionary projects. Based on a rigorous risk analysis, it specifies the perimeters of the information system to be assessed and tasks our Security Operations Center with coordinating continuous vulnerability management. These efforts encompass both automated scans and manual penetration tests conducted by qualified third‐party experts, covering network and infrastructure components as well as applications on laptops, desktops, smartphones and tablets, whether internet-facing or intranet. Penetration tests are performed to simulate realistic attack scenarios and assess the effectiveness of the implemented defenses, while vulnerability scanning activities are conducted on a regular basis to promptly identify and mitigate any emerging critical issues. The Internal Audit Function has access to the results of vulnerability assessment and patch management activities and leverages the relevant elements within the scope of its audits, systematically reporting to the Audit Committee in support of transparency, regulatory alignment, and the continuous strengthening of security governance.
  • Intesa Sanpaolo Business Continuity Management Model: the model encompasses every component necessary to monitor and mitigate risks, defining organizational, infrastructural and technological measures whose usability and maintenance are assured over time through regular testing and controls. Organizational frameworks are detailed in the Business Continuity Plan (BCP), while technological safeguards are laid out in the Disaster Recovery Plan (DRP). Activation of the BCP follows the protocols of the Group Crisis Management Model (CMM), which provides a single, coherent set of rules and processes for handling emergencies and crises in a unified manner. By prescribing clear escalation paths for decision-making, establishing timely communication channels, and assigning defined responsibilities and authorities, the CMM ensures that operations can be restored swiftly and efficiently.
  • Security rules for managing security incidents: these rules define the minimum requirements for monitoring and responding to events affecting the Group’s information assets, ensuring a swift, efficient and effective restoration of normal operating conditions.
  • Intesa Sanpaolo Group Crisis Management Model: the model serves as a comprehensive framework for managing critical events across the Group, automatically activating whenever such incidents arise, even concurrently, in one or more subsidiaries. In these situations, the Parent Company assumes coordination of all impact-containment efforts, ensuring that countermeasures are deployed in the most effective and harmonious manner. Cybersecurity activities follow shared Group guidelines, blending a centralized management approach for entities closely integrated with the Parent Company and a coordinated structure for others. By supplementing the crisis-specific procedures already in place, this operational regulatory framework guarantees the timely flow of information, defines an appropriate chain of command and enables rapid, informed decision-making in response to any threat. A clear escalation process guides employees through every stage (detection, classification, incident/emergency/crisis management and eventual return to normal operations), so that the Group can restore stability swiftly and resiliently.

In 2025, three cybersecurity events were identified and effectively managed. In all cases, the actual impacts were negligible, although the events presented a potential risk of exposure of limited information. One event related to a security issue on a user device, while the other two were associated with a security incident involving a third-party service provider that processed information potentially attributable to the Intesa Sanpaolo Group.

The complete Intesa Sanpaolo escalation process is published on the intranet, where the Critical Event Management procedure clearly defines the roles and responsibilities for reporting, identifying, and handling any security-related incident that may affect the Group. The process has been reviewed and updated to streamline event management and to ensure ongoing alignment with evolving regulatory requirements governing incident reporting. The Computer Emergency Readiness Team (CERT), Cybersecurity Incident Response Team (CSIRT), and Emergency Management Operations Centre (EMOC) are fully integrated into the critical-event workflow, ensuring seamless coordination. Regular crisis simulations are conducted to validate and reinforce the effectiveness of escalation and decision-making procedures.

The public page of the Group website dedicated to CSIRT – CERT shows the objectives of the Cyber Security Incident Response Team, its competences, the countries and legal entities of the Group in which it is active, the services offered and the ways in which it is possible to contact the service in order to report anomalous events.

Artificial Intelligence: rules, governance and initiatives

Intesa Sanpaolo is committed to the ethical and responsible use of artificial intelligence, in compliance with the AI Act, the European regulation on artificial intelligence.

This commitment is reflected in the recent update of the "Guidelines on the use of AI", which defines roles, responsibilities and governance macro-processes in alignment with current legislation.

The Guidelines define the framework for the adoption of AI in the Group and are periodically updated to reflect regulatory and technological developments. In 2025, Intesa Sanpaolo also updated other internal regulatory documents, such as the "Compliance Rules for the Development and Use of AI" and the "Governance Rules for the Adoption of AI Solutions".

The Group has also implemented dedicated programs and tools to promote compliance with the principles of fairness and algorithmic non-discrimination, explainability of AI systems, transparency and traceability of decisions, and effective human oversight.

The Group is committed not to develop or use AI systems for prohibited purposes, including:

  • Creation of facial recognition databases through the indiscriminate and mass collection of images;
  • Recognition of emotions in the workplace or in educational settings (except in cases expressly authorized by law, for example for specific medical or safety-related purposes);
  • Biometric classification based on sensitive characteristics;
  • Real-time remote biometric identification in publicly accessible spaces, except where expressly authorized by law.

Classification procedures have been established to map AI-related initiatives to:

  • Support the identification of high-risk systems;
  • Support the development of the inventory of AI systems;
  • Identify any high-risk AI systems at an early stage;
  • Prevent possible prohibited practices.

For high-risk systems, admitted to the European market but subject to specific obligations, the Group has implemented a "Responsible AI by Design" process in order to oversee compliance with regulatory requirements, with mandatory safeguards throughout the system's life cycle (including fairness, transparency and human oversight) and a prior assessment by the relevant committees. Specific protective measures have been developed for generative AI, aimed at mitigating risks such as the generation of toxic or misleading content, hallucinations, privacy violations and malicious prompt-injection attempts.

In accordance with the AI Act, each high-risk AI system is subject to an AI Risk Management System designed to identify, assess and mitigate risks to health, safety and fundamental rights, including reasonably foreseeable misuse. Risk management is overseen through constant monitoring and corrective actions if new risks emerge; safeguards and analyses are subject to prior review by the Non-Financial Risk Control Committee. The business owner is also responsible for monitoring the performance of the system and intervening in the event of degradation or critical issues.

In the case of a high-risk non-classified system, provided by a third party, the deployer is required to verify compliance with legal obligations, including, where technically feasible, indicating or labeling the results as AI-generated or modified content. The person responsible for putting the system into production must ensure adequate information and transparency even for systems that are not classified as high-risk, for example when people are exposed to emotion recognition, biometric classification or deepfake content generated or manipulated by AI.

At the same time, the Group has launched ESG x AI initiatives in order to measure energy consumption related to artificial intelligence and convert it into CO₂ emissions, helping to raise public awareness and guiding future improvements in terms of efficiency and sustainability.

In addition, it has promoted AI Literacy and training initiatives aimed at increasing the awareness of the Group's people of the risks associated with the use of AI and of its responsible use.

These initiatives are part of the AI Pact, of which Intesa Sanpaolo is an active member. It is, in fact, one of the six Italian companies included in the "Living Repository of AI Literacy Practices of the European Commission", which recognizes its contribution to promoting AI culture through training initiatives and knowledge-sharing activities for the Group's people.

Intesa Sanpaolo has created an internal research and innovation ecosystem that allows the Group to anticipate and address the challenges and opportunities related to AI, to contribute to the growth of related knowledge and to consolidate its role through:

  • Internal AI Academy, involving 61,000 Group people in Italy and abroad;
  • Internal "Data & AI" learning community, with over 10,500 colleagues enrolled;
  • Academic collaborations (including: CETIF – Master Executive Responsible AI, SDA Bocconi EMF Fintech Lab, Berkeley USA SkyLab);
  • Strategic partnerships (including: FAIR EU, Horizon TANGO).

Finally, the Group promotes the dissemination of digital culture through initiatives such as Opening Future, a joint project between Intesa Sanpaolo, Google Cloud and TIM Enterprise. The aim is to promote digital culture, leveraging the technological and AI expertise of partner companies, both locally and internationally, through a series of initiatives:

  • Development of human capital: implementation of projects aimed at training students, teachers, professionals, SMEs and startups on AI-related issues;
  • Involvement of the learning community, with events for knowledge sharing and networking;
  • DE&I: training programs aimed at helping to reduce the gender gap in the technology sector, promoting respect for the principles of non-discrimination and equal access to opportunities.

Since 2021, around 5,000 SMEs, startups and fintechs, over 23,500 students and teachers have been involved, and more than 3,300 hours of training have been provided(**).

In addition, the "AIxeleration Program" continued to promote the adoption of AI within the Group. More than 150 use cases have been developed, thanks to 300 specialists dedicated to AI (**), with the aim of a greater understanding of the needs of the Group's people and customers.

(**) Data updated to 31 December 2025.
