Organisational model

General Part

The administrative liability regime provided for legal persons, companies and associations

1.1 Legislative Decree no. 231/2001

On 8 June 2001, it was issued - in execution of the delegation referred to in art. 11 of law 29 September 2000 n. 300 – Legislative Decree 231/2001, which came into force on the following 4 July, which aimed to adapt the internal legislation regarding the liability of legal persons to some international conventions to which Italy has already adhered for some time, such as the Brussels Convention of 26 July 1995, Brussels Convention of 26 May 1997 and the OECD Convention of 17 December 1997.

With this Decree, entitled "Discipline of the administrative responsibility of legal persons, companies and associations even without legal personality" (defined by law as "Entities" or "Ente"), a regime of administrative liability (substantially referable to criminal liability) borne by the Entities for certain crimes committed, in the interest or advantage of the same, by natural persons who hold representation, administrative or management functions of the Entities themselves or of one of their organizational units with of financial and functional autonomy, as well as by natural persons who exercise, even de facto, the management and control of the same entities, as well as by natural persons subject to the management or supervision of one of the subjects indicated above. This responsibility is in addition to that of the natural person who physically committed the act.

The expansion of responsibility aims to involve entities in the punishment of certain crimes committed in their interest or to their advantage.

The sanctions provided for by Legislative Decree 231/2001 against the company as a consequence of the commission or attempted commission of the crimes mentioned above are:

- pecuniary sanction up to a maximum of Euro 1,549,370.69 (and precautionary seizure);

- interdictory sanctions (also applicable as a precautionary measure) lasting no less than three months and no more than two years, which, in turn, may consist of:

• ban from carrying out the activity;

• suspension or revocation of authorisations, licenses or concessions functional to the commission of the offence;

• prohibition on contracting with the public administration;

• exclusion from benefits, financing, contributions or subsidies and the possible revocation of those granted;

• prohibition on advertising goods or services;

• confiscation (and precautionary seizure);

• publication of the sentence in case of application of a disqualifying sanction).

Interdictory sanctions are applied only in relation to crimes for which they are expressly provided for (crimes against public administration, certain crimes against public faith such as forgery of currency, crimes relating to terrorism and subversion of the democratic order, as well as crimes against the individual personality) and provided that at least one of the following conditions is met:

1. the entity has derived a significant profit from the commission of the crime and the crime was committed by individuals in top positions or by individuals subject to the management of others when, in the latter case, the commission of the crime was determined or facilitated by serious organizational deficiencies;

2. repetition of the offences.

In the event of commission, in the form of an attempt, of the crimes indicated in Chapter I of Legislative Decree 231/2001 (articles 24 to 25-quinquies), the pecuniary sanctions (in terms of amount) and disqualification sanctions (in terms) are reduced by a third to a half, while the imposition of sanctions is excluded in cases where the entity voluntarily prevents the completion of the action or the realization of the event (art. 26).

The liability provided for by the aforementioned Decree also arises in relation to crimes committed abroad in the following cases:

- if the entity has its main headquarters in the territory of the Italian state;

- if there is legal prosecution in Italy against the natural person who committed the crime;

- if the State of the place where the crime was committed does not take action against the entity1.

As for the type of crimes intended to entail the aforementioned administrative liability regime for entities, the Decree - in its original text - refers to a series of crimes committed in relations with the Public Administration and precisely:

• embezzlement to the detriment of the State or other public body (art. 316-bis of the penal code);
• undue receipt of contributions, financing or other disbursements by the State or other public body (art. 316-ter penal code);
• extortion (art. 317 penal code);
• corruption for an official act (art. 318 penal code);
• corruption for an act contrary to official duties (art.
• corruption in judicial documents (art. 319-ter penal code);
• incitement to corruption (art. 322 penal code);
• fraud to the detriment of the State or other public body (art. 640, first paragraph, no. 1 of the penal code);
• aggravated fraud to obtain public funds (art. 640-bis penal code);
• computer fraud to the detriment of the State or other public body (art. 640-ter penal code).

Subsequently, the art. 6 of law 23 November 2001 n. 409, containing "Urgent provisions in view of the introduction of the euro", included art. 25-bis, which aims to punish the crime of "forgery of coins, public credit cards and revenue stamps".

More recently, the art. 3 of Legislative Decree 11 April 2002 n. 61, in force since 16 April 2002, as part of the reform of company law, introduced the new art. 25-ter of Legislative Decree 231/2001, extending the administrative liability regime of entities also to the so-called corporate crimes, as configured by the same Decree no. 61/2002 (false corporate communications, false corporate communications to the detriment of shareholders or creditors, false statements, false reports or communications from the auditing firm, prevented control, undue return of contributions, illegal distribution of profits and reserves, illicit transactions on shares or quotas of the company or of the parent company, transactions to the detriment of creditors, fictitious formation of capital, undue distribution of company assets by liquidators, illicit influence on the meeting, stock market manipulation, obstacle to the exercise of the functions of public authorities supervisory).

Subsequently, the art. 3 of Law 14 January 2003, n. 7 introduced the art. 25-quater, which provides for the punishability of the Organization for crimes with the aim of terrorism or subversion of the democratic order, provided for by the penal code and special laws. While the art. 25-quinquies, introduced by art. 5 of Law 11 August 2003, n. 228 has 7 extended the administrative responsibility of the Organization to crimes against the individual personality.

The art. 9 of Law 18 April 2005, n. 62 (hereinafter the “2004 Community Law”) has also inserted art. 25-sexies aimed at extending the administrative responsibility of entities to the new crimes of abuse of privileged information and market manipulation.

On 25 August 2007 the art came into force. 25-septies of Legislative Decree 231/2001 introduced by law 123 of 3 August 2007, with this intervention manslaughter and injuries were also included among the prerequisite crimes for the application of Legislative Decree 231/01 serious or very serious negligence, committed in violation of accident prevention regulations and the protection of hygiene and health at work. Thus, for the first time, entities are punishable (among other things also with disqualifying sanctions referred to in art. 9, paragraph 2, Legislative Decree 231/2001) for crimes punishable by negligence - up to now all the crimes required the existence of malice (consciousness and voluntariness of the criminal action).

Furthermore, the 2004 Community Law modified the TUF by introducing a specific provision, art. 187-quinquies, pursuant to which the Entity is responsible for the payment of a sum equal to the amount of the administrative sanction imposed for the administrative offenses of abuse of privileged information (art. 187-bis TUF) and market manipulation (art. 187-ter TUF) committed in its interest or to its advantage by:

a) people who hold representation, administration or management functions of the Entity or of one of its organizational units with financial or functional autonomy as well as people who exercise, even de facto, the management and control of the same;

b) by persons subject to the management or supervision of one of the subjects referred to in letter a).

Furthermore, Law 28 December 2005, n. 262 (“Provisions for the protection of savings and the regulation of financial markets”) integrated and modified both the TUF and the Civil Code, introducing, among other things, the new art. 2629-bis code. civil relating to the crime of "Failure to disclose conflict of interest". This crime was introduced by the same law no. 262/2005, in the art. 25-ter of Legislative Decree 231/2001.

Furthermore, Legislative Decree 231/2007 transposing Directive 2005/60/EC concerning "the prevention of the use of the financial system for the purpose of laundering the proceeds of criminal activities and terrorist financing" and Directive 2006/70 /EC which contains the "implementation measures" introduced with the art. 63, co. 3, for any type of company, the crimes of receiving, laundering and using money, goods or benefits of illicit origin among those which involve the liability of the entity referred to in the articles. 648, 648-bis and 648-ter of the criminal code. (Legislative Decree 231/01, art. 25-octies). Previously to this legislation, the crimes of money laundering and use of money, goods or benefits of illicit origin were already relevant for the purposes of Legislative Decree 231/2001, but only if carried out transnationally (ex art. 10 L. 146/06) . Following the introduction of the art. 25-octies, the aforementioned crimes - together with receiving stolen goods - also become relevant on a national basis. These crimes may result in the administrative liability of the entity with both pecuniary sanctions (from 200 to 1000 quotas) and disqualification.

Furthermore, this Decree 231/2007 provides for a change in the role of the Supervisory Body, which is responsible for specific communication obligations, pursuant to art. 52, Legislative Decree 231/2007:

1. to the Supervisory Authorities (Consob, Bank of Italy) all violations of the provisions issued by them, relating to customer due diligence obligations,

2. the organisation, registration, procedures and internal controls established to prevent money laundering and terrorist financing;

3. to the owner of the business or to the legal representative for violations of the provisions regarding "Reporting suspicious transactions" (art. 41 of the Decree);

4. to the Ministry of Economy and Finance for infringements of the provisions concerning the "Limitations on the use of cash and bearer securities" (art. 49 of the Decree) and the "Prohibition of anonymous or registered savings accounts and passbooks fictitious" (art. 50 of the Decree) of which they are aware;

5. to the UIF (Financial Information Unit for Italy, which replaces the Italian Exchange Office, with tasks of monitoring and reporting to the competent authorities information regarding hypotheses of money laundering and terrorist financing) violations of the "Obligations registration" (art. 36 of the Decree) and conservation of documents and information previously acquired by the entity to fulfill the "customer due diligence obligations".

Furthermore, Law no. 48, art. 7, of 18 March 2008, implemented the Council of Europe Convention on cybercrime, drawn up in Budapest on 23 November 2001, providing for the inclusion as art. 24-bis of Legislative Decree 231/2001 on "IT crimes and illicit data processing" with the application of a financial penalty to the entity ranging from 100 to 500 quotas.
The administrative responsibility of the entities has therefore been extended to the following computer crimes:

- falsehood in a public electronic document or one having probative value (art. 491-bis of the criminal code);

- unauthorized access to a computer or telematic system (art. 615-ter of the criminal code);

- illegal possession and dissemination of access codes to computer or telematic systems (art. 615-quater of the criminal code);

- dissemination and installation of equipment, devices or computer programs aimed at damaging or interrupting an IT or telematic system (art. 615-quinqiues of the criminal code);

- illicit interception, impediment or interruption of computer or telematic communications (art. 617-quater of the criminal code);

- installation of equipment aimed at intercepting, preventing or interrupting computer or telematic communications (art. 617-quinquies of the criminal code);

- damage to information, data and computer programs (art. 635-bis of the criminal code);

- damage to information, data and computer programs used by the State or by another public body or in any case of public utility (art. 635-ter of the criminal code);

- damage to information, data and computer programs used by the State or by another public body or in any case of public utility (art. 635-quater of the criminal code);

- damage to computer or telematic systems of public utility (art. 635-quinquies of the criminal code);

- computer fraud of the electronic signature certifier (art. 640-quinquies of the criminal code).

Legislative Decree 152/2006, art. 192 paragraph 4, established the responsibility of the entity in the event of committing the crime of abandonment and uncontrolled deposit of waste on and in the soil.

With reference to this crime, the law provides that anyone who violates the relevant prohibition is required to proceed with the removal or disposal of waste and, in the event that the responsibility for the illicit act is attributable to administrators or representatives of a legal person, they are jointly and severally held the legal person and the subjects who have taken over the rights of the person itself, according to the provisions of Legislative Decree 231/2001.

Further legislative interventions have extended the liability of companies and entities also to organized crime crimes referred to in art. 2, paragraph 29, of Law 15 July 2009, n. 94, to crimes against public faith referred to in art. 15 paragraph VII, letter a) n. 2 of Law 23 July 2009 n. 99, to crimes against industry and commerce referred to in art. 15, paragraph VII, letter b) of Law 23 July 2009 n. 99, to crimes relating to violation of copyright referred to in art. 15 paragraph VII letter c) of Law 23 July 2009 n. 99 and, finally, the crimes of inducing people not to make false statements to the judicial authorities referred to in art. 4 of Law 116 of 3 August 2009.

1.2 The adoption of the "Organization and Management Model" as a possible exemption from administrative liability

Article 6 of the Decree, in introducing the aforementioned administrative liability regime, provides, however, a specific form of exemption from said liability if the Entity demonstrates that:

a) the management body of the Entity has adopted and effectively implemented, before the commission of the crime, organizational and management models suitable for preventing Crimes and Offenses of the type that occurred;

b) the task of supervising the functioning and observance of the Models as well as ensuring their updating has been entrusted to a body of the Organization with autonomous powers of initiative and control;

c) the persons who committed the Crimes and offenses acted by fraudulently evading the aforementioned Models;

d) there has been no omitted or insufficient supervision by the Body referred to in the previous letter. b).

The Decree also provides that - in relation to the extension of the delegated powers and the risk of committing offenses - the models referred to in letter a) must meet the following needs:

1. identify the activities in which there is the possibility that crimes and offenses may be committed;

2. provide specific protocols aimed at planning the formation and implementation of the Organization's decisions in relation to crimes and offences;

3. identify ways of managing financial resources suitable for preventing the commission of such crimes and offences;

4. establish information obligations towards the Body responsible for supervising the functioning and observance of the Model;

5. introduce an internal disciplinary system suitable for sanctioning failure to comply with the measures indicated in the Model.

The same Decree provides that the Models can be adopted, guaranteeing the above requirements, on the basis of Codes of Conduct drawn up by representative trade associations, communicated to the Ministry of Justice, in agreement with the competent Ministries.

The first association to draw up a guideline document for the construction of the models was Confindustria which, in March 2002, issued the Guidelines, then partially modified and updated before May 2004 and, most recently, in March 2008

All versions of the Confindustria Guidelines were then deemed adequate by the Ministry of Justice (with reference to the 2002 Guidelines, see the "Note from the Ministry of Justice" of 4 December 2003 and, with reference to the 2004 and 2008, see the “Note from the Ministry of Justice” of 28 June 2004 and the “Note from the Ministry of Justice of 2 April 2008). In this version of the Model, the indications formulated by Confindustria in the version of the Guidelines updated in March 2014 were also taken into consideration and implemented.


1 Art. 4 of Legislative Decree 231/2001: “1. In the cases and under the conditions provided for by articles 7, 8, 9 and 10 of the penal code, the entities having their headquarters in the territory of the State are also liable in relation to crimes committed abroad, provided that the State of the place does not take action against them in which the crime was committed. 2. In cases where the law provides that the guilty person is punished at the request of the Minister of Justice, proceedings will be taken against the entity only if the request is also made against the latter.”