Integrity in corporate conduct
The Intesa Sanpaolo Group recognises that compliance with internal and external regulations and codes of conduct is of significant importance, also from a strategic point of view, and therefore acts in the belief that compliance with the rules and fairness are fundamental elements in the performance of banking activities, which by nature are based on trust and transparency. The Group carries out its activities with the aim of providing banking and financial services to its customers in compliance with the value of integrity, which in turn is expressed in the principles of professionalism, diligence, honesty, correctness and responsibility, and in coherence with the values and restrictions contained in the "Code of Ethics", the "Internal Code of Conduct of the Group" and the "Organization, Management and Control Model" adopted pursuant to Legislative Decree 231/2001.
The "Group Anti-Corruption Guidelines" identify the principles and the sensitive areas, define the roles, responsibilities and macro-processes for managing the risk of corruption, and set out the commitment to comply with the regulatory provisions aimed at combating corruption in all its forms (the principle of "zero tolerance"). They are approved by the Corporate Bodies. The Chief Compliance Officer is responsible for overseeing the matter. They must be complied with by company representatives and all Group people and apply to all companies and countries in which the Group operates, with the exception of entities that exclusively carry out ancillary services and research activities. They also address external parties (suppliers, agents, consultants, professionals, business partners, self-employed or para-subordinate workers, etc.) who collaborate with the Group in carrying out its activities. For this reason, they are made available to all stakeholders through the Group's institutional website, and to counterparties benefiting from charitable or sponsorship initiatives as well as to third parties who collaborate with the Group when the related relationships are formalized.
At the operational level, Group personnel must immediately report violations of the provisions of the “Anti-Corruption Guidelines” to their Manager, who in turn is required to forward the report received to the Company Anti-Corruption Officer and to the Internal Audit function for the relevant assessments. The possibility of using the reporting systems provided for under the specific rules concerning internal whistleblowing systems for reporting violations remains unaffected.
The Group is subject to the UNI ISO 37001:2016 Anti-bribery Management Systems certification procedure, which represents the relevant international standard (valid until 2025) and is carried out by an external company.
The main actions implemented in the area of corruption prevention consist of the continuous review of the “Group Anti-Corruption Guidelines” (latest update approved by the Board of Directors during 2025), the updating of rules governing gifts and entertainment expenses, and the planning of adjustments in line with the recommendations of the certification body for the purposes of ISO 37001:2016 compliance.
The Group obtained renewal of the certification during 2025.
The “Anti-Corruption Guidelines” are reviewed annually.
At Intesa Sanpaolo, anti-corruption and anti-money laundering training is mandatory and follows multi-year cycles, also based on local regulations. In 2025, a total of 452,194 training hours on anti-corruption and anti-money laundering topics were delivered to 87,113 Group employees (96% of the total workforce).
In 2025, there were no convictions and/or sanctions for violations of anti-corruption and anti-extortion laws; consequently, no fines or penalties were imposed on the Intesa Sanpaolo Group.
Intesa Sanpaolo constantly oversees and promotes free competition and spreads the culture of compliance with antitrust legislation, also through the establishment of a specific internal team tasked with overseeing compliance with antitrust rules, the adoption of a Policy, and a training and information program. In 2025, 69,474 Group employees were trained (76.5% of the total), and 1,291,710 training hours were delivered.
The Intesa Sanpaolo Group has always maintained a high and constant commitment to the protection of the personal data of the people with whom the Group interacts, ensuring the collection and processing of data in compliance with current legislative provisions. The same commitment is also reflected in the protection of customers' personal data.
The regulatory framework for the protection of personal data is Regulation (EU) 2016/679 (the so-called General Data Protection Regulation, GDPR), which came into force on 25 May 2018. Its precepts have been assimilated by the Group and formalised in the main internal governance documents: the Code of Ethics, which outlines the principles and values on which the Group bases its choices and activities, and the Internal Code of Conduct, which defines the conduct that the Group's employees and collaborators are required to observe to ensure the correct processing of data. The relevant requirements are set out in the Guidelines on the protection of personal data of natural persons and in the Company Rules for the processing and protection of personal data of natural persons.
The Guidelines define the model for managing the risk of non-compliance with regard to the protection of the personal data of all people with whom the Group interacts, including employees and collaborators, establishing the general principles and setting out the roles and responsibilities of the corporate bodies and structures involved, the macro-processes of risk oversight and control, as well as the Group's policy and coordination model. In addition, they set out the requirements for the processing and protection of personal data and establish the application of sanctions in the event of non-compliance with the provisions.
The privacy notice was updated in March 2025 with new elements concerning:
- the processing of data carried out by the Bank through the use of artificial intelligence systems;
- the automated assessment of the financial sustainability of transactions (so-called Affordability);
- the legal basis of legitimate interest in the management of corporate and strategic transactions;
- communication among Group companies regarding suspicious transaction reports;
- profiling for anti-fraud purposes and IT security protection;
- joint controllership between the Bank and S.W.I.F.T. in international payment transactions.
The privacy notice, published on the institutional website, specifies that the Intesa Sanpaolo Group processes personal data solely for the purposes described and explicitly indicated therein, and made available to data subjects. No processing is carried out for secondary purposes that are not explicitly stated. With regard to the processing of personal data for marketing purposes, the data subject’s free, explicit, and unambiguous consent is required; if the data subject refuses consent or does not make any choice, the collected data will in no way be processed or used for such purposes. Failure to comply with external or internal regulations concerning privacy protection by an authorized person triggers a process aimed at verifying the actual non-compliant conduct. In cases of confirmed and unjustified violations, the relevant functions are always informed to initiate disciplinary proceedings, which generally result in the application of one of the measures provided for by the applicable regulations.
The Group, whose companies are located in various EU and non-EU countries, complies with the local personal data protection regulations that expressly apply to those companies.
In June 2025, the Board of Directors of Intesa Sanpaolo approved the update of the Guidelines on the protection of personal data of natural persons. This update incorporates the clarification of the principle (already present in the previous version and further strengthened in the updated one) whereby the processing of personal data, carried out by authorized personnel, must be relevant to and/or connected with the assigned duties, as well as the principles governing processing carried out through artificial intelligence systems.
Intesa Sanpaolo requires Suppliers and Third Parties to comply with the rules, regulations and internal standards on the protection of personal data, identifying their subjective role in the processing of personal data, assessing the existence of the necessary guarantees, formalising the contractual conditions and assessing their compliance and adequacy.
Failure by an authorized person to comply with external or internal regulations concerning privacy protection triggers the initiation of a process aimed at verifying the actual unlawful conduct. In cases of confirmed and unjustified violations, the competent functions are always informed to initiate disciplinary proceedings, which generally conclude with the imposition of one of the measures provided for in the disciplinary code against the non-compliant individual.
As part of this approach, promoting a culture of privacy at all levels of the organization is essential for overseeing compliance risk. The employee training plan on personal data protection is defined and updated by the Data Protection Officer, who provides and validates the training materials and monitors participation and course outcomes. In 2025, the Group continued its awareness-raising initiatives on personal data protection for employees by offering mandatory courses and monitoring results. The adoption of an internal management platform, facilitating the integrated management of key privacy processes, was also completed. In 2025, 74,618 people were trained on privacy protection topics (82.2% of the total), and 106,261 hours of training were delivered.
Intesa Sanpaolo promotes a transparent, sustainable work organization with clear responsibilities at all levels. Responsibility for management, and consequently also for monitoring the effective application of the trade union agreements, is assigned to the Labour Affairs, Policies & Safety Head Office Department.
With reference to the Group’s Internal Code of Conduct, during 2025 the Group provided mandatory digital training courses for its employees upon hiring; these courses are always available on dedicated corporate platforms for Group personnel (in Italian and English). Specific training courses were also provided for employees of the International Banks Division.
The planning of audit activities within the Group is coordinated by a dedicated internal structure, the Internal Audit Function. In 2025, audit activities were structured on three levels (multi-year strategic, annual operational, and quarterly operational) and covered 269 Risk Areas, with 320 audits completed (including 51 “extraordinary” audits).
As required by international standards, the Internal Audit Function is subject to a regular external Quality Assurance Review (QAR). The most recent QAR was launched in the second half of 2024 and is still ongoing, while the previous review, conducted in 2022, confirmed the continuous development of the Function in line with international standards, as well as an increase in effectiveness compared with previous QAR results.
Audit activities included 82 audits classified as significant pursuant to Legislative Decree 231/2001, 10 of which focused on corruption risk. In addition, as part of the ESG audit program, 68 ESG audits were conducted, addressing topics such as ESG governance, greenwashing risk, EU Taxonomy-aligned financing, reputational risks, physical and hydrological risks, ESG factors in credit processes, management of initiatives from a circular economy perspective, ESG stewardship activities, the social impact of retail credit (in particular Impact initiatives), and the management of sponsorships and charitable donations. These activities confirmed an overall acceptable level of risk, with mitigation measures monitored through dedicated digital tools.
Among the additional initiatives launched in 2025, the SAIL (Strategic Audit Innovation Line-up) program supported the continued evolution of the Internal Audit Function.
The Group has an internal whistleblowing system for reporting violations of national and European regulations that harm the public interest or the integrity of Intesa Sanpaolo and the Group Companies (for example: administrative, accounting, civil or criminal offences; unlawful conduct pursuant to Legislative Decree no. 231/01; rules governing banking activities; conduct giving rise to conflicts of interest), or violations of internal company policies and/or procedures, which the whistleblower has become aware of in the work context.
The reference internal rules on the matter, which are the responsibility of the Chief Audit Officer Area, are set out in a specific Group rules document on internal whistleblowing systems and are available for consultation by all persons working for the Intesa Sanpaolo Group on the company intranet. In addition, a summary description is also available on the Group’s official website. The system is reserved for:
- employees and self-employed workers who work or have worked for the Group;
- workers or collaborators who provide goods or services or perform work for third parties and work or have worked for the Group;
- freelancers and consultants who work or have worked for the Group;
- volunteers and trainees;
- shareholders (natural persons);
- persons with administrative, control, supervisory or representative functions.
These individuals may report a violation via channels available 24 hours a day (e-mail or voice messaging) on the Group’s official website and on the Group’s intranet portal, in Italian or English (international language of reference), or in the language of their country. Information on the channels, procedures and conditions for submitting reports is available on the Bank's intranet portal and in the specific section of the Group's website.
In 2025, 64 reports were received, of which 10 were deemed not relevant, while 55 led to the initiation of specific investigations. Dedicated whistleblowing channels are also active at the Group’s foreign banks, which received 10 reports, of which 2 were deemed not relevant.
For reports of alleged non-compliance with the code of ethics, the following e-mail address is available: codice.etico@intesasanpaolo.com
In compliance with the Code of Ethics, the entire Group is committed to observing principles based on values of honesty and integrity in managing tax matters, compliance with the tax regulations applicable in the countries in which the Group operates and maintaining a collaborative and transparent relationship with the tax authorities, including through adherence to cooperative compliance schemes.
Intesa Sanpaolo recognises the importance of contributing to the communities of the jurisdictions in which it operates by paying the right amount of taxes. For this reason it places a particular focus on the evolution of tax regulations, both at domestic and international level, aimed at countering base erosion and profit shifting, with an ongoing commitment to adhere to those principles.
The Group strengthened its internal tax risk control system, the Tax Control Framework (“TCF”). The TCF serves to monitor tax risk, given its strategic importance, and to meet the requirements for accessing the cooperative compliance regime introduced in Italy (pursuant to Italian Legislative Decree 128/2015). At the same time, the Group updated the Organisation, Management and Control Model, for the purposes of the liability of entities for tax offences sanctioned by Italian Legislative Decree No. 231 of 2001, in order to monitor the risk of tax fraud.
In December 2017, the Intesa Sanpaolo Group adopted its Principles of conduct on fiscal matters, in order to ensure compliance over time with the tax and fiscal rules of the countries where it operates and to guarantee the financial and reputational integrity of all the Group companies.
Guidelines were also approved for the management of tax risk within the system of collaborative compliance with the Revenue Agency, which govern the criteria and processes that Intesa Sanpaolo must adopt to ensure the adequacy and effectiveness of its Tax Control Framework and related Rules.
The information on taxes is available within the SDGs report on page 127.
Intesa Sanpaolo considers cybersecurity a strategic pillar. To reinforce this commitment, corporate and physical security, cybersecurity and business continuity are managed by the Chief Security Officer Governance Area.
To address the increasing complexity of cyber threats, the bank takes structured measures to strengthen its control systems, introducing authentication solutions for securing critical access, as well as monitoring of events and of external networks, in order to ensure business continuity.
The bank has also introduced questionnaires to increase customer awareness of fraud risks, in line with the stricter requirements introduced at European level on these issues. The anti-fraud platform has also been enhanced with even more advanced technological solutions.
These developments aim to support simplified decisions, transparent asset management, regulatory compliance, and alignment with the world's leading security frameworks.
In 2025, the bank blocked around €16.1 million in fraud and €175.7 million in scams, for a total of €191.8 million in fraudulent transactions.
The Group's cybersecurity framework is based on a defined strategy and a detailed action plan that includes:
- regulatory alignment: continuous updating of policies and procedures to comply with cybersecurity and business continuity standards;
- vulnerability management: systematically identifying, prioritising and fixing weaknesses across systems;
- strengthening threat controls: implementing advanced machine learning and data analytics tools to detect and mitigate cyberattacks and fraud in real time;
- operational resilience: improving the ability to respond quickly to incidents, minimizing disruptions and ensuring continuity of services;
- security culture: providing mandatory training, including role-based training, to raise awareness of data protection best practices and GDPR requirements.
To strengthen customer trust, the Group has developed an internal guide to cybersecurity processes.
Intesa Sanpaolo has also adopted a cybersecurity management model that includes:
- Intesa Sanpaolo Group IT Security Plan: defines the strategic setting in terms of governance, investment priorities, control calendars and evolutionary projects. Based on a risk analysis, it identifies the areas of the information system to be assessed and entrusts the Security Operations Center with the task of coordinating the continuous management of vulnerabilities. These activities include both automated scans and manual penetration tests conducted by qualified third-party experts, covering network components and infrastructure as well as internet- and intranet-facing applications on laptops, desktops, smartphones and tablets. Tests are also carried out to simulate real attack scenarios and validate the effectiveness of defences. Weekly vulnerability scans are performed using tools such as Tenable and Qualys to detect and resolve emerging issues early. All conclusions and remediation activities are received by the Internal Audit structure, which systematically reports to the Audit Committee with a view to transparency, regulatory alignment and continuous improvement of security governance. Through this structured and risk-driven approach, Intesa Sanpaolo aims to strengthen its cyber defences, reduce exposure to threats and maintain the highest standards of security management.
- Intesa Sanpaolo Business Continuity Management Model: includes the components necessary to monitor and mitigate risks, defining organisational, infrastructural and technological measures whose usability and maintenance are supported over time by regular tests and checks. The operational framework is detailed in the Business Continuity Plan (BCP), while the technological safeguards are defined in the Disaster Recovery Plan (DRP). The activation of the BCP follows the protocols of the Group Crisis Management Model (CMM), which provides a unique and consistent set of rules and processes to manage emergencies and crises in a unified way. The CMM envisions that operations can be restored quickly and effectively by prescribing clear escalation paths for decision-making, establishing timely communication channels, and assigning defined responsibilities and authorities.
- Rules for the management of security incidents: define the minimum requirements for monitoring and responding to events affecting the Group's information assets, supporting a rapid, efficient and effective restoration of normal operating conditions.
- Intesa Sanpaolo Group Crisis Management Model: automatically activated whenever such security incidents occur, even simultaneously, in one or more subsidiaries. In these situations, the Parent Company assumes the coordination of all impact containment efforts, with the aim of implementing countermeasures in the most effective and coordinated way. Cybersecurity activities follow the Group's shared guidelines, combining a centralized management approach for entities closely integrated with the Parent Company with close coordination of the other entities. Complementing the crisis-specific procedures already in place, this operational framework aims to ensure the timely flow of information, define an appropriate chain of command, and enable quick and informed decisions in response to threats. A clear escalation process guides the Group's people through every step: detection, classification, incident/emergency/crisis management and eventual return to normal operations, so that the Group can restore stability quickly and resiliently.
In 2025, three cybersecurity events were identified and effectively managed: the actual impacts were negligible, even though the events entailed a potential risk of exposure of limited information. One event involved a security issue on a user device, while the other two were associated with a security incident involving a third-party service provider, which was processing information potentially attributable to the Intesa Sanpaolo Group.
Intesa Sanpaolo's entire escalation process is published on the company intranet, where the Critical Event Management procedure clearly defines the roles and responsibilities for reporting, identifying and managing security-related incidents that may affect the Group. The process has been revised and updated to simplify event management and ensure ongoing alignment with regulatory requirements governing incident reporting. The Computer Emergency Readiness Team (CERT), Cybersecurity Incident Response Team (CSIRT), and Emergency Management Operations Centre (EMOC) are integrated into the critical event workflow, ensuring smooth coordination. Regular crisis simulations are conducted to validate and strengthen the effectiveness of escalation and decision procedures.
The public page of the Group website dedicated to CSIRT – CERT shows the objectives of the Cyber Security Incident Response Team, its competences, the countries and legal entities of the Group in which it is active, the services offered and the ways in which it is possible to contact the service in order to report anomalous events.
Last updated 29 May 2026 at 16:26:22