Integrity in corporate conduct
Intesa Sanpaolo recognises that compliance with internal and external regulations and codes of conduct is of significant importance, also from a strategic viewpoint, and therefore it acts in the belief that respecting standards and fairness in business are essential elements in carrying out banking operations, which by nature are based on trust and transparency.
Intesa Sanpaolo has defined the Group Anti-Corruption Guidelines, approved by the Board, and the Model of Organization, Management and Control adopted pursuant to D.Lgs. 231/2001 which, together with the Code of Ethics, define the commitment to comply with the regulatory provisions aimed at combating active and passive corruption in all its forms. Special attention is paid to complying with national and international legislation on money laundering and terrorist financing, including through processes and procedures relating to the obligations of appropriate customer verification, reporting of suspicious operations and risk assessment and management.
In 2021, 248,739 hours of training were provided on these issues, involving 75,893 people (78.5% of the total). In addition, there were no dismissals for corruption or disciplinary sanctions for corruption against employees.
Intesa Sanpaolo obtained confirmation of the ISO 37001 Anti-bribery Management System certification, following the second and last annual audit process (maintenance audit) by the competent certification company.
Intesa Sanpaolo has obtained, among the first banks in Europe, the renewal of the certificate of conformity of its anti-corruption management system - applied to the Italian and foreign companies of the Group - with the ISO 37001 standard. The certificate of conformity - valid until May 6, 2025 - relates to Intesa Sanpaolo S.p.A., operating points in Italy and abroad, and to the Group's banking, financial and insurance companies.
The certification, issued by the audit company Rina Services, comes at the end of a process of analysis and verification of the Bank's corruption prevention system and its application to Group companies and concerns all banking and financial operations and services and any other instrumental operation or operation connected to the achievement of the corporate goals.
Intesa Sanpaolo constantly oversees and promotes free competition and spreads the culture of compliance with antitrust legislation, also through the establishment of a specific internal team aimed at overseeing compliance with antitrust rules, the adoption of a Policy and a training and information program. In 2021, 1,532,000 hours of training were provided on the topic and 65,336 employees were trained (67.6% of the total).
Intesa Sanpaolo is constantly committed to implementing regulatory, organisational and technological measures, in line with the leading reference standards, aimed at guaranteeing the defence of human rights and at adequately responding to the fundamental need to protect privacy. The adopted measures respond to the principles of the Group's Code of Ethics, which commit Group companies to adopting criteria of absolute transparency in informing customers and collaborators of their rights in this matter and the ways in which their personal information is processed. Intesa Sanpaolo attributes strategic importance to the protection and safeguarding of personal data of individuals beyond the full implementation of the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation - GDPR), which came into force on 25 May 2018. This commitment is articulated in the Corporate Rules for the Processing of Personal Data and the Guidelines on the Protection of Personal Data of Individuals, approved by the Board of Directors, which provide the overall framework of conduct addressed to all the Group's people, as well as to those who collaborate with it, and identify the roles and responsibilities for implementing the internal rules.
Intesa Sanpaolo implements the processing of personal data only for the purposes described in the information notice made available to data subjects, exclusively following the collection of their consent to the processing, for the purposes explicitly indicated. No processing is done for secondary purposes that are not explicitly indicated and for which the consent of the data subject has not been collected.
Personal Data Protection Management model
Intesa Sanpaolo defined a governance model for the compliance risk with reference to the protection of personal data as an integral part of the internal control.
The Board of Directors and the CEO, which represent the Data Controller, have the task of defining the control model (players, responsibilities, macro processes and information flows) and ensuring its operation.
The Data Protection Officer, with the support of the Privacy Function of the Safety and Protection Head Office Department, monitors the compliance risk regarding privacy, according to a risk-based approach, by working independently as a specialist Compliance function in line with the Group’s Compliance Guidelines.
The Corporate Bodies of the Parent Company are responsible, each according to their roles and prerogatives, for ensuring a suitable control of the personal data protection non-compliance risk the Group is or could be exposed to.
The Risks and Sustainability Committee shall assist the Board of Directors, in order to ensure the best control of the compliance risks regarding the protection of personal data.
The Chief Risk Officer cooperates with the Chief Compliance Officer and the Data Protection Officer to define the methods of assessing compliance risks, encouraging synergies with the tools and methods of the Operational Risk Management.
The Group Companies established in the European Union are obliged to implement the Guidelines on the Protection of Personal Data, adapting them to their own company situation and, in the case of International companies, to the specific characteristics of their local regulations.
Intesa Sanpaolo requires suppliers and third parties to comply with internal rules, regulations and standards with reference to personal data protection, identifying their subjective role in personal data processing, evaluating existence of necessary safeguards, formalising contractual conditions, and assessing their compliance and adequacy.
In 2021, 86.632 hours of privacy training were provided - involving 62,541 employees (64.7% of the total) - and 1,853,422 hours of training on the topic of consumer protection - involving 675,721 employees (78.3% of the total).
The Group works to ensure that its working environment is permeated by mutual trust, loyalty and enriched by the contribution of each person, in accordance with the rules and agreements related to national and second level bargaining (Group). In 2021, 40 cases for violations of labour law were notified and around 149 cases were closed. The main types of pending litigation include the termination of employment relationships – sale of business line (Intrum), compensation for damages for deskilling and mobbing, higher job positions and appeals of disciplinary sanctions (in any event in 2021, no lawsuits were reported by current employees that related solely to cases of mobbing).
In order to ensure that its actions are aligned with principles of integrity, the bank has designed a system of controls aimed at maintaining a constant safeguard in the identification, governance and control of the risks associated with the activities carried out and in this regard it carries out audit activities on a fixed basis in relation to the nature and intensity of the risks.
With regard to the audits carried out in 2021 in the Central Structures, Banks and Group Companies, the activities regarding the 258 Risk Areas identified in the planning phase were completed, with the completion of 308 audits (69 of which “extraordinary”, originating from specific requests of Corporate Bodies, Supervisory Authorities or from events/circumstances occurring after the completion of the annual planning). In 2021, 100 audits were reported as significant for the purposes of Italian Legislative Decree no. 231/2001. Among these, 8 concerned activities related to corruption risk; these latest audits involved 9 Governance Areas/Divisions (some interventions involved several Governance Areas/Divisions).
In 2021, there were 36 audits regarding actions that directly or indirectly related to aspects linked to social and environmental policies. However, it should be noted that other audits may also cover ESG aspects to a more marginal extent: for example, initiatives relating to loan disbursement and management may also concern aspects related to the rules on transactions in sectors deemed sensitive from an ESG profile. A first transversal audit on ESG issues with the aim of analysing the status of the internal framework and the ongoing projects within a more structured multi-year schedule of checks on these issues was concluded at the end of 2021.
Since 2016, a whistleblowing system has been in place, which allows employees to report actions or occurrences that could constitute breaches of the regulations governing banking activities (whistleblowing).
Whistleblowing, which ensures the confidentiality of the individual making the report without the risk of retaliatory, unfair or discriminatory behaviour, encourages employees (including suppliers and consultants) to report acts or conduct they become aware of that may constitute a breach of the regulations governing banking activities or related activities that may also be instrumental to a breach or other illicit conduct. The Chief Audit Officer is responsible for ensuring the correct performance of the process.
In 2021 a total of 35 reports were received, of which 2 were judged not pertinent whereas 33 resulted in the launch of specific investigations.
Whistleblowing reports are managed through the Bank's intranet portal, while for reports of alleged non-compliance with the code of ethics, the e-mail address firstname.lastname@example.org is available.
The Intesa Sanpaolo Group complies with tax regulations in the belief that compliance is a fundamental contribution of citizenry supporting the community in which it operates. Intesa Sanpaolo's positive impact in this respect is confirmed by the disclosed forecast in the Business Plan of a total contribution from 2018 to 2021 of approximately 13 billion euro, an amount comparable to a budgetary stability law.
During 2021, the Group, in addition to indirect taxes of 1.170 million euro, recorded accrued income taxes for the year of 1,623 million euro, for the most part in Italy, where the majority of operating income was earned, as per the table below. The Group has strengthened the internal control system for tax risk, known as the Tax Control Framework, to make it capable of covering the strategically important area of tax risk and meeting the requirements for access to the collaborative compliance scheme introduced in Italy, in accordance with Legislative Decree 128/2015.
In December 2017, the Intesa Sanpaolo Group adopted its Principles of conduct on fiscal matters, in order to ensure compliance over time with the tax and fiscal rules of the countries where it operates and to guarantee the financial and reputational integrity of all the Group companies. Guidelines were also approved for the management of tax risk within the system of collaborative compliance with the Revenue Agency, which govern the criteria and processes that Intesa Sanpaolo must adopt to ensure the adequacy and effectiveness of its Tax Control Framework and related Rules.
In compliance with applicable laws, Intesa Sanpaolo publishes a "Country by Country" report, with the following information for each country (according to rules established by the Bank of Italy): the gross income; the number of employees; profit or loss before taxes; taxes on profit or loss. The report is available at this link.
Information on taxes paid Country-by-Country
|Revenues from third party sales (figures in thousands of euro)||Revenues from intra-group transactions (figures in thousands of euro)*||Profit/loss before tax (figures in thousands of euro)||Tangible assets other cash and cash (figures in thousands of euro)||Corporate income tax paid on a cash basis (figures in thousands of euro)||Corporate accrued on profit/loss (figures in thousands of euro)|
|BOSNIA AND HERZEGOVINA||559||54,238||461||10,619||12,265||-1,666||-1,514|
|UNITED ARAB EMIRATES**||46||39,492||50,301||-30||3,814||-91||-80|
|Total Intesa Sanpaolo Group companies||102,384||1,693,071|
|Intesa Sanpaolo Group consolidated||102,384||3,371,530|
Last updated 31 May 2022 at 16:06:31