Annual Report of BoI’s Governor
On 31 May 2022, BoI published its annual report, from which it appears that:
- international economy, thanks to the vaccination campaigns, is recovering with an increase in demand. Nevertheless, the war in Ukraine has led to a sharp deterioration in growth expectations accompanied by a rise in commodity prices;
- persistent supply bottlenecks of energy goods weakened economic activity in the latter part of the year, however, in almost all euro area countries, deficits and debt have declined from their extremely high levels in 2020;
- Italian economy improved strongly in 2021, GDP increased by 6.6 %. Growth occurred in all Italian regions with excellent results. Household income grew as a result of increased employment and public interventions to combat the pandemic;
- in the area of public finance, there was a significant improvement in public accounts. General government net borrowing fell to 7.2%.
In his final remarks to the Report, BoI’s Governor issued a hopeful warning to the RRF, which “will be able to contribute to the strengthening and expansion of the most dynamic segments of our production system, as well as of the financial industry”.
BoI’s Annual Report 2021, published on the official website on 31 May 2022
Register of beneficial ownership
A Decree has been recently issued by MEF, jointly with MED, which provides for the communication of data and information on the beneficial ownership of companies with legal personality, private legal persons, trusts and similar institutions.
Notification of beneficial ownership must be made to the territorially competent register of companies by:
- directors of companies having legal personality;
- founder, if alive, or persons entrusted with the representation and administration of private legal persons;
- trustee of trusts or similar institutions.
In addition, the above mentioned persons are required to notify:
- any changes in the beneficial ownership within 30 days therefrom; and
- confirmation of the above data and information within 12 months from the first or latest notification and then annually.
Finally, please note that the obligation to file the afore-side communications must be satisfied within 60 days of the entry into force of the Decree on 9 June 2022.
MEF and MED’s Decree of 11 March 2022 no. 55, (published in the Official Gazette on 25 May 2022 no. 121)
On 21 May 2022 entered into force a Decree laying down urgent measures to counter the economic and humanitarian effects deriving from the invasion of Ukraine by the Russian Federation.
Among the main novelties, the modification of the regulation of the so-called “golden power” (i.e., the Government’s special powers to safeguard the ownership structure and management of national companies operating in strategic and national interest sectors).
In particular, the establishment of new companies of strategic importance for defence and national security is subject to a notification requirement. Moreover, in the communication, energy, transport, health, agribusiness and finance sectors, the afore-said notification requirement is extended to the purchase of significant shareholdings made by European entities (including those resident in Italy), to the extent to which it determines the permanent establishment in Italy of the company at issue on the ground of the change of control over the latter.
In order to strengthen the coordination activities leading to the exercise of the golden power, a strategic evaluation and analysis working group has been established within the Department for administrative coordination at the Presidency of the Council of Ministers.
Law of 20 May 2022 no. 51, converting Law Decree of 21 March 2022 no. 21 (published in the Official Gazette on 20 May 2022 no. 117)
National Cybersecurity Strategy
A national cybersecurity authority has been established by means of Law Decree no. 82/2021, for the purpose of protecting national interests in the cyberspace.
In addition, a national cybersecurity strategy for the years 2022-2026 has been defined, which aims at planning, coordinating and implementing measures to make Italy a more secure and resilient country from the risks associated with the digital transition. Among such risks, it is worth mentioning:
- cyber attacks, which exploit software errors, misconfigurations and weaknesses in protocols in order to steal data or damage the IT systems; and
- the spread of fake news, deep-fakes and disinformation campaigns, which tend to confuse and destabilise citizens through cyberspace.
In order to accomplish the afore-said goals (namely, protection of national strategic assets, response to cyber threats, secure development of technologies), the following enabling factors are deemed indispensable:
- training (i.e., creating a solid national workforce of experts and young talents with the necessary skills and competences); and
- promoting a cyber security culture, raising awareness in the public and private sectors and, in particular, in the civil society about cyber risks and threats (including cyber bullying that, although not new, never ceases to create social alarm).
National Cyber Security Strategy 2022-2026, Council of Ministers Presidential Decree of 17 May 2022 (published on the Official Gazette on 1 June 2022 no. 127)
Corporate/Laws of contract
On the “russian roulette clause”: the Supreme Court delves into its validity
In view of the absolute novelty and complexity of the issues raised in the proceedings in question, the Court of Cassation has recently entrusted its office of maxims with the task to carry out an in-depth analysis of the legislative, case-law and doctrinal framework (including United States and Canada) of the regulation of the anti-waiver clause known as “russian roulette clause”, focusing in particular on its validity and effectiveness among the parties to a given contract.
Supreme Court, Civil Section I, Interlocutory Order no. 13545 of 29 April 2022
Online fraud: limits of the bank’s liability
The Criminal Court of Parma has recently rejected an appeal against a fraud allegedly made online. The appellant had also sued the bank in question in order to obtain the return of the sums allegedly stolen.
On the merits, the court has ascertained that the bank cannot be held liable on the ground of the appellant’s negligent behaviour in respect of using such means of payment
Indeed, pursuant to Article 12 of Legislative Decree no. 11/2010, all losses arising from unauthorized payment transactions are attributable to the client who acted fraudulently or failed to fulfill obligations concerning the use of the payment means envisaged under the contract entered into with the bank.
Therefore, in the case at issue the client had violated his contractual obligations, as in the days prior to the disallowed payments he had provided his personal and non-transferable access data to an unknown person during a phone call (followed by many others). In addition, the client had failed to notify the bank of the afore-said situation.
On the same topic, the Supreme Court has recently held liable a bank for lack of debtor’s diligence in fulfilling the contract, since it had not adopted suitable means to counter unauthorised access to its clients’ home banking system. In fact, according to the bank’s professional diligence principle – whereby the bank must comply with the parameters of the so-called “prudent banker” – adequate means of proving a transaction must be put in place, capable of tracing back the client who has carried out such transaction. In the case decided by the Cassation, while the client had correctly alleged the bank’s failure to act (i.e., to counteract the unlawful withdrawal), the bank failed to prove to have been compliant with the prudential rules governing the use of the home banking system.
Criminal Court of Parma, order of 27 April 2022 and Supreme Court, Civil section I, decision of 20 May 2022 no. 16417
The Board of Auditors’ duty of control over internal bodies with administrative functions
In the corporate structure of banks, the system of internal controls does not limit the control obligations and duties of the board of auditors. In fact, persons in charge of internal control activities have a support function of the board of auditors, but do not replace the latter in its task.
The board of auditors is, in any case, required to ensure constant supervision of the work of the persons entrusted with administrative and management functions, with the obligation to verify the correctness, both formal and substantive, of the procedures and processes implemented, monitoring any dysfunctions, anomalies or deficiencies.
Supreme Court, civil section II, decision of 19 May 2022, no. 16276
EBA’s report on shadow banking system
EBA published its final proposal of regulatory technical standards that set out the criteria for identifying shadow banking entities for the purposes of supervisory reporting on large exposures. Entities that perform banking activities or services, authorised and supervised, in accordance with EU law, are not shadow-banking entities.
Similarly, entities established in a third country that are authorised and monitored by a supervisory authority that applies the Basel core principles (for effective banking supervision) or that are subject to a regulatory regime recognised as equivalent to that applied in EU are not shadow-banking entities.
EBA Final Report, Draft regulatory technical standards on criteria for the identification of shadow banking entities pursuant to Article 394, paragraph 4, of Regulation no 575/2013/EU of 23 May 2022
ESMA report on best execution reporting
ESMA has published a report to the European Commission on best execution supervisory reporting for investment firms under the MiFID II, in order to ensure an effective and consistent level of regulation and supervision and to enhance investor protection.
Best execution is the obligation for intermediaries, when executing client orders, to take appropriate and effective steps to achieve the best possible result for clients, with regard to price, cost, speed of execution and type of order.
In particular, ESMA suggests to:
- improve the quality of supervisory reporting by removing the requirement for firms to report on the characteristics of executed orders, as this has not proven effective under the current regulatory framework
- facilitate the use of reporting arrangements.
Final Report, “Review of the MiFID II regulatory framework on best execution reporting by investment firms”, published on ESMA website on 16 May 2022
How to prove the assignment of receivables
Court of Appeal of Ancona, in accordance with other case law, has held that the proof of the title of credit must be provided by means of the assignment contract, from which it is clearly and unequivocally inferred that the disputed credit has actually been assigned.
In accordance with the Court, the publication of the assignment’s notice in the Official Gazette is not sufficient to prove the title of the credit, but it only gives notice of the assignment, without providing for the specific indication of the assigned receivables.
Court of Appeal of Ancona, decision of 3 May 2022
Legislative Decree no. 231/2001
The absence of the organisational model does not automatically determine the administrative liability of the entity
The fourth section of the Supreme Court distinguished the legal entity’s liability from that of the senior officers, perpetrators of the crime.
The Court ruled that the absence or the ineffective implementation of the organisational and management models (Articles 6 and 7 of Decree 231 and Article 30 of Legislative Decree no. 81/2008) do not rise ex se to the constituent elements of the entity’s offence. On the contrary, it is necessary to prove organisational fault (i.e. a set of measures capable of preventing the commission of offences of the type committed), by the Prosecutor, whereas the entity may prove the absence of such fault.
With regard to the liability of senior officers, the Court has found them liable for omissions and violations of preventive regulations; however, such conduct does not automatically result in the liability of the entity.
Supreme Court, criminal section IV, decision of 10 May 2022 no. 18413
Protecting the whistleblower’s privacy
Whistleblowing is a corporate compliance tool through which employees or third parties of a company can report, in a confidential and protected manner, any wrongdoing encountered in the course of their work.
Recently, DPA sanctioned a hospital and the IT companies that operated whistleblowing service for violating the regulations under the GDPR. The companies used systems that recorded and stored users’ browsing data, allowing them to be identified, including potential whistleblowers.
In particular, the healthcare company had not informed workers in advance about the processing of personal data carried out for the purpose of reporting wrongdoing, had not conducted a privacy impact assessment, and had not even entered such operations into the register of processing activities (a useful tool for assessing risks to the rights and freedoms of data subjects).
Privacy Guarantor’s provision no. 134 of 7 April 2022
“Uber” penalty of more than €4 million
DPA has sanctioned Uber B.V, headquartered in Amsterdam, and Uber Technologies Inc, headquartered in San Francisco, for a total of € 4 million and 240,000.
The fines were applied following inspections conducted at Uber Italy Ltd. in connection with a data breach reported by the U.S. parent company in 2017. Companies were sanctioned as joint data controllers, each responsible for violations of privacy law committed against Italian users, about 1.5 million, including drivers and passengers.
The penalties concerned:
- the unsuitability of the information given to users, without the indication of co-ownership of the processing, generic and approximate with unclear and incomplete information. Processing’s purposes were not specified, references to the rights of data subjects were vague and incomplete, and it was unclear whether or not users were obliged to provide their data;
- lack of valid consent to data processing; and
- lack of notification to DPA of data processing for geolocation purposes.
DPA’s provision no. 101 of 24 March 2022
Abuse of a dominant position: CJEU’s qualifying criteria
According to the CJEU, the abuse of a dominant position pursuant to Article 102 of TFEU is triggered when an undertaking exploits its own resources or assets in order to use its position of strength on the market to prevent or hinder competition.
In this respect, the CJEU has laid down the following criteria:
- in order to establish whether a given conduct amounts to an abuse of dominant position, it is sufficient to prove that it is capable of affecting competition on the relevant market or consumers’ welfare;
- proof of lack of restrictive effects is not per se sufficient to exclude the abusive character of a conduct;
- a market practice considered lawful may amount to be abusive if carried out by a dominant undertaking, it produces exclusionary effects and involves means other than those considered normally competitive on the relevant market;
- when a dominant position is abused by one or more subsidiaries, the same existence of a group of companies is sufficient to hold the parent company equally liable for the abuse. Indeed, liability is presumed if, during the contested period, almost the whole stock capital of the subsidiaries is owned, directly or indirectly, by the parent company. The latter can be exonerated only if it proves to have no control over its subsidiaries’ conduct and decisions, which were taken autonomously.
CJEU, Sec. V, decision of 12 May 2022, Case C-377/20
Corporate criminal law
Application of market manipulation and obstruction of Consob’s supervision: clarifications from the Court of Cassation
The fifth section of the Supreme Court has recently outlined the application boundaries of the offences of obstructing the functions of supervision, set forth under Article 2638 of the Civil Code, as well as of market abuse, provided by Article 185 of CFA.
Accordingly, the former is a so-called “event crime”, committed when an obstruction of supervisory functions takes place and completed when an actual and significant damage occurs, which derives from an active or omissive conduct consisting in the failure to provide information to the competent supervisory authorities.
Conversely, the latter, which protects the integrity of the financial market and the investor, is deemed as a “crime of conduct” and “actual danger”, consummated when the conduct is capable of producing an alteration in the price of financial instruments.
Supreme Court, criminal section V, decision of 4 May 2022, no. 17789
Second additional protocol to the Budapest Convention on cybercrime
In Strasbourg, on 12 May, Minister of Justice Marta Cartabia signed the second additional protocol to the Budapest Convention on cybercrime.
Budapest Convention is the main multilateral pact aimed at facilitating the fight against cybercrime and establishing an international cooperation regime; currently 66 countries, including 26 EU Member States, are parties to it.
The second protocol is the result of the need felt by all participating states to strengthen cross-border cooperation and the collection of evidence in electronic form for the purpose of criminal investigations or proceedings.
The new legal instrument aims to simplify access, by judicial authorities and the police, to electronic evidence held by internet providers. However, there remains a need to respect fundamental rights, including procedural rights in criminal matters, the right to privacy and the right to protection of personal data.
Second additional protocol to the Convention on cybercrime on enhanced co-operation and disclosure of electronic evidence, Council of EU, Brussels, 29 March 2022
List of abbreviations
BoI: Bank of Italy
CFA: Consolidated Financial Act, Legislative Decree no. 58 of 24 February 1998, Consolidated Law on Financial Intermediation
CONSOB: The national financial markets authority
Decree 231: Legislative Decree no. 231/01
DPA: Data Protection Authority
EBA: European Banking Authority
ECB: European central bank
ESMA: European and Securities Market Authority
EU: European Union
EUCJ: European Court of Justice
GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46
Law Decree no. 82/2021: Law Decree no. 82 of 14 June 2021 Urgent provisions on cybersecurity, definition of the national cybersecurity architecture and establishment of the National Cybersecurity Agency
Legislative Decree 81/2008: Legislative Decree no. 81 of 9 April 2008 implementing article 1 of Law no. 123 of 3 August 2007 on the protection of health and safety in the workplace
Legislative Decree 11/2010: Legislative Decree No 11 of 27 January 2010, implementation of Directive 2007/64/EC on payment services in the internal market, amending Directives 97/7/EC, 2002/65/EC, 2005/60/EC, 2006/48/EC, and repealing Directive 97/5/EC
MED: Ministry of Economic Development
MEF: Ministry of Economic and Finance
MIFID II: Directive no. 2014/65/EU on markets in financial instruments
RRF: Law Decree of 6 November 2021 no. 152, entitled Urgent provisions for the implementation of the National Resilience and Recovery Facility and for the prevention of mafia infiltration, converted with amendments into Law of 29 December 2021 no. 233, published in the Official Gazette on 31 December 2021 no. 310
TFEU: Treaty on the functioning of the European Union