Integrity in corporate conduct

Intesa Sanpaolo has defined the Group Anti-Corruption Guidelines, approved by the Board, and the Model of Organization, Management and Control adopted pursuant to D.Lgs. 231/2001 which, together with the Code of Ethics, define the commitment to comply with the regulatory provisions aimed at combating active and passive corruption in all its forms.  Special attention is paid to complying with national and international legislation on money laundering and terrorist financing, including through processes and procedures relating to the obligations of appropriate customer verification, reporting of suspicious operations and risk assessment and management. 
In 2022,  297,227  hours of training were provided on these issues (+20% vs 2021), involving 74,539 people (78.5% of the total). In addition, there were no dismissals for corruption or disciplinary sanctions for corruption against employees. 

Intesa Sanpaolo has obtained, among the first banks in Europe, the renewal of the certificate of conformity of its anti-corruption management system - applied to the Italian and foreign companies of the Group - with the international standards of the ISO 37001 regulation. The modified certificate of conformity envisaged an extension of the perimeter which includes the Group entities included in the Compliance and Anti-Financial Crime risk assessment. In particular, the certification concerns Intesa Sanpaolo (including the foreign branches), the banking entities and the main financial and insurance companies. The certification is valid until May 2025, subject to two maintenance audits which will take place respectively in 2023 and 2024.

Intesa Sanpaolo constantly oversees and promotes free competition and spreads the culture of compliance to antitrust legislation also through the establishment of a specific internal team aimed at overseeing compliance with antitrust rules, the adoption of a Policy and a training and information program. In 2022, 1,520,274  hours of training were provided on the topic and 73,962 employees were trained (77.9% of the total).

Intesa Sanpaolo is constantly committed to implementing regulatory, organisational and technological measures, in line with the leading reference standards, aimed at guaranteeing the defence of human rights and to adequately respond to the fundamental need to protect privacy. The adopted measures respond to the principles of the Group's Code of Ethics, which commit Group companies to adopting criteria of absolute transparency in informing customers and collaborators of their rights in this matter and the ways in which their personal information is processed. Intesa Sanpaolo attributes strategic importance to the protection and safeguarding of personal data of individuals beyond the full implementation of the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation - GDPR), which came into force on 25 May 2018. This commitment is articulated in the Corporate Rules for the Processing of Personal Data and the Guidelines on the Protection of Personal Data of Individuals, approved by the Board of Directors, which provide the overall framework of conduct addressed to all the Group's people, as well as to those who collaborate with it, and identify the roles and responsibilities for implementing the internal rules.

Intesa Sanpaolo implements the processing of personal data only for the purposes described in the information notice made available to data subjects, exclusively following the collection of their consent to the processing, for the purposes explicitly indicated. No processing is done for secondary purposes that are not explicitly indicated and for which the consent of the data subject has not been collected.

Personal Data Protection Management model

Intesa Sanpaolo defined a governance model for the compliance risk with reference to the protection of personal data as an integral part of the internal control.

The Board of Directors and the CEO, which represent the Data Controller, have the task of defining the control model (players, responsibilities, macro processes and information flows) and ensuring its operation.

The Data Protection Officer, with the support of the Privacy Function of the Safety and Protection Head Office Department, monitors, the compliance risk regarding privacy, according to a risk based approach, by working independently as a specialist Compliance function in line with the Group’s Compliance Guidelines.

The Corporate Bodies of the Parent Company are responsible, each according to their roles and prerogatives, for ensuring a suitable control of the personal data protection non-compliance risk the Group is or could be exposed to.

The Risks and Sustainability Committee shall assist the Board of Directors, in order to ensure the best control of the compliance risks regarding the protection of personal data.

The Chief Risk Officer cooperates with the Chief Compliance Officer and the Data Protection Officer to define the methods of assessing compliance risks, encouraging synergies with the tools and methods of the Operational Risk Management.

The Group Companies established in the European Union are obliged to implement the Guidelines on the Protection of Personal Data, adapting them to their own company situation and, in the case of International companies, to the specific characteristics of their local regulations.

Intesa Sanpaolo requires suppliers and third parties to comply with internal rules, regulations and standards with reference to personal data protection, identifying their subjective role in personal data processing, evaluating existence of necessary safeguards, formalising contractual conditions, and assessing their compliance and adequacy.

Third Parties who intend to enter into contractual relationships with Intesa Sanpaolo must register via a Supplier Portal which allows them to assess the adequacy and level of maturity based on certain criteria, including those of the Third Party's ability, reliability and experience in the matter of protection of personal data.

As part of the stipulation of supply agreements with Third Parties which provide for the processing of personal data, a specific examination is started to determine the subjective role of the Supplier. If the evaluation shows that the Third Party acts as Data Processor, a letter of appointment is prepared containing the specific binding clauses relating to compliance with the personal data protection requirements.

The suppliers appointed as Data Processors are subjected to periodic assessment activities aimed at ascertaining the adequacy of the privacy safeguards, through monitoring activities carried out with audits on the Supplier or self-assessment activities.

In 2022, 67,228 hours of privacy training were provided - involving 57,696 employees (60.8% of the total) - and 1,672,752 hours of training on the topic of consumer protection - involving 67,286 employees (70.9% of the total).

The Group works to ensure that its working environment is permeated by mutual trust, loyalty and enriched by the contribution of each person, in accordance with the rules and agreements related to national and second level bargaining (Group). In 2022, 54 cases for violations of labour law were notified and around 112 cases were closed. The main types of litigation in progress concern damages from disqualification, appeals against dismissals and sanctions, disciplinary measures, higher duties, termination of the employment relationship (sale of business unit - Intrum). In 2022, there were no cases notified by people of the Group in service that have mobbing as their exclusive object.

In order to ensure that its actions are aligned with principles of integrity, the bank has designed a system of controls aimed at maintaining a constant safeguard in the identification, governance and control of the risks associated with the activities carried out and in this regard it carries out audit activities on a fixed basis in relation to the nature and intensity of the risks.  
With regard to the audits carried out in 2022 in the Central Structures, Banks and Group Companies, the activities regarding the 259 Risk Areas identified in the planning phase were completed, with the completion of 325 audits (66 of which “extraordinary”, originating from specific requests of Corporate Bodies, Supervisory Authorities or from events/circumstances occurring after the completion of the annual planning). In 2022, 135 audits were reported as significant for the purposes of Italian Legislative Decree no. 231/2001. Among these, 7 concerned activities related to corruption risk; these latest audits involved 8 Governance Areas/Divisions (some interventions involved several Governance Areas/Divisions). 
In 2022, there were 36 audits regarding actions that directly or indirectly related to aspects linked to social and environmental policies. 

In the ESG area, the audit activity in 2022 was mainly structured around an Audit Program (10 interventions) concerning the analysis of the evolution of Governance (Reporting, Stress testing, Product Governance) and of the ESG framework (methods for ESG scoring of the Parent Company and Eurizon, ESG impacts in the granting of credit and in the Funding process). A transversal intervention was also carried out on the Social area. As in the past, other interventions envisaged control objectives more marginally connected to ESG aspects and compliance with the principles and values ​​of the Code of Ethics. 

Since 2016, a system for reporting acts or facts that may constitute violations of the rules governing banking activities or other unlawful conduct that may harm the public interest or the integrity of the company has been in place (Whistleblowing).

In accordance with the provisions of Legislative Decree 24/2023, starting from  July 15^th, 2023, the audience of possible whistleblowers will be expanded.

The following subjects can make a whistleblowing report:

• employees and self-employed workers who work or have worked for the Group,
• holders of a professional collaboration relationship referred to the Article 409 of the Code of Civil Procedure (for example, agency relationship) and to the Article 2 of Legislative Decree 81/15 (collaborations organized by the client),
• workers or collaborators who provide goods or services or who carry out works for third parties and perform or have performed their work for the Group,
• freelancers and consultants who work or have worked for the Group,
• volunteers and trainees (paid and unpaid),
• shareholders (natural persons),
• persons with administrative, control, supervisory or representative functions.

The Whistleblowing process, which integrates the other reporting systems and processes active in the Company, allows you to report, with the utmost guarantee of confidentiality, violations of which you have become aware in the workplace, or on the basis of the legal-economic relationship with the Group, protecting the whistleblower from possible retaliatory or discriminatory behaviour.

Whistleblowing reports can be sent using the specific channels available 24 hours a day, 7 days a week, in Italian and English version (email and voice recorder).

The Chief Audit Officer ensures the correct execution of the process.

Information on the channel, procedures and conditions for carrying out reports is available on the Bank's intranet portal and in the specific section of the Group's website.

In 2022, 28 reports were received, of which 4 were deemed not pertinent while 24 led to the launch of specific investigations.

For reports of alleged non-compliance with the code of ethics, the following e-mail address is available: codice.etico@intesasanpaolo.com

The Intesa Sanpaolo Group complies with tax regulations in the belief that compliance is a fundamental contribution of citizenry supporting the community in which it operates. Intesa Sanpaolo's positive impact in this respect is confirmed by the disclosed forecast in the Business Plan of a total contribution from 2018 to 2021 of approximately 13 billion euro, an amount comparable to a budgetary stability law.

During 2022, the Group, in addition to indirect taxes of 1,147 million euro recorded accrued income taxes for the year of 2,059 million euro, for the most part in Italy, where the majority of operating income was earned, as per the table below. The Group has strengthened the internal control system for tax risk, known as the Tax Control Framework, to make it capable of covering the strategically important area of tax risk and meeting the requirements for access to the collaborative compliance scheme introduced in Italy, in accordance with Legislative Decree 128/2015.

In December 2017, the Intesa Sanpaolo Group adopted its Principles of conduct on fiscal matters, in order to ensure compliance over time with the tax and fiscal rules of the countries where it operates and to guarantee the financial and reputational integrity of all the Group companies. Guidelines were also approved for the management of tax risk within the system of collaborative compliance with the Revenue Agency, which govern the criteria and processes that Intesa Sanpaolo must adopt to ensure the adequacy and effectiveness of its Tax Control Framework and related Rules.

In compliance with applicable laws, Intesa Sanpaolo publishes a "Country by Country" report, with the following information for each country (according to rules established by the Bank of Italy): the gross income; the number of employees; profit or loss before taxes; taxes on profit or loss. The report is available at this link.

Information on taxes payed Country-by-Country 

The figures indicated relate to the 2021 tax period; this is because, in order to meet the GRI standard, the Intesa Sanpaolo Group also uses the data collected for the Country by Country Reporting introduced, in line with the OECD work relating to the Base Erosion and Profit Shifting project (BEPS), by Italian tax legislation (Article 1, paragraph 145 of law no. 208/2015) which must be sent to the local tax authorities within 12 months of the end of the relevant tax period (“OECD CbCR”).

As regards the source of the OECD CbCR data, they are mainly derived from the process for the preparation of the consolidated financial statements (“reporting package”). In line with OECD guidelines, the values of the columns “Revenues from third party sales”, “Revenues from intra-group transactions or with other tax jurisdictions”, “Tangible assets other than cash and cash equivalents”, “Corporate income tax accrued on profit/loss’’ drawn from the OECD CbCR, not being subject to consolidation adjustments, are not reconciled with the data included in the consolidated financial statements.

The value referring to the “Corporate income tax paid on a cash basis” is not included in the reporting package of the consolidated financial statements; consequently, an additional form was sent to all Group entities.

The values indicated in the “Profit/loss before tax” column are instead drawn from the Country by Country Reporting required by the CRD IV Directive [i] and are reconciled with the data included in the consolidated financial statements.

The values indicated in the “Full-time equivalent employees” column are also drawn from the Country by Country Reporting required by the CRD IV Directive. Compared to the disclosure included in the consolidated financial statements, the values are calculated on a full-time equivalent basis, according to the specific instructions given by the Bank of Italy on Country by Country Reporting (Circ. 285, Title III, Chap. 2).

With regard to the differences between the tax on income accrued on profits and the tax due, it is noted that these are mainly due to the effects of the participation exemption; to the reversal of taxes on “consolidated” dividends; to the adjustments of prepaid/deferred taxes also to take into account the filing of supplementary returns relating to previous years; to local tax increases or decreases.

For further information, reference is made to section 21 of the Notes to the consolidated financial statements - Part C - of the Consolidated Financial Statements of the Intesa Sanpaolo Group at 31 December 2021.

*Please consider that, in line with the OECD guidelines related to the Country by Country Reporting, intra-group transactions within the same tax jurisdiction are also reported.

** In these jurisdictions, the Intesa Sanpaolo Group is present only with permanent establishments/branches that do not apply the branch exemption regime, whose income is therefore subject to the taxation of the parent company’s country.

*** In these jurisdictions, the Intesa Sanpaolo Group is present with various entities, including permanent establishments/branches that do not apply a branch exemption regime, whose income is therefore subject to the taxation of the parent company’s country.