The Italian banking sector is primarily governed by Legislative Decree No 385/1993 (the “Consolidated Law on Banking”), which, among other things, regulates:

• the authorisation regime for banking activity;
• banks’ branches and cross-border services;
• banks’ and banking groups’ supervision;
• transparency and conduct requirements in connection with the provision of banking services and payment services;
• deposit guarantee schemes;
• recovery and administration proceedings; and
• sanctions.

The Consolidated Law on Banking, together with the Bank of Italy’s Circular No 285/2013, transposes the EU bank regulatory framework, including the EU Capital Requirements Directive (the “CRD IV” and the “CRD V”) into Italian law and incorporates the options and discretions provided in the EU Capital Requirements Regulation (the “CRR” and the “CRR II”) into Italian law.

Other key Italian laws and regulations in the banking sector are:

• Legislative Decree No 11/2010, which has implemented the EU Payment Services Directive (the “PSD” and the “PSD II”);
• Legislative Decree No 231/2007, which has implemented the EU Anti-Money Laundering Directive (the “AMLD IV” and the “AMLD V”);
• Legislative Decree No 180/2015, which has implemented the EU Bank Recovery and Resolution Directive (the “BRRD” and the “BRRD II”); and
• Legislative Decree No 58/1998 (the “Consolidated Law on Finance”) and the Commissione Nazionale per le Società e la Borsa (CONSOB) Intermediaries Regulation, which have implemented the EU Markets in Financial Instruments Directive (the “MiFID II”).

Banking supervision is jointly conducted by two main Italian regulators and the European Central Bank (ECB) as follows.

• The Bank of Italy carries out the prudential supervision of banks in co-ordination with the ECB. In particular:
1. the ECB directly supervises “significant” Italian banks and banking groups, identified according to the criteria set out in Article 6(4) of EU Regulation 1024/2013 (the “SSM Regulation”); and
2. the Bank of Italy directly supervises other “less significant” Italian banks and banking groups.
• CONSOB is responsible for the transparency and fairness of banks’ conduct towards investors in the provision of investment services and activities.

Banking supervision in Italy also involves the Unità di Informazione Finanziaria (UIF), which is Italy’s financial intelligence unit. It focuses on preventing and detecting money laundering and terrorist financing. It operates independently of the Bank of Italy.

Secondary national legislation consists of:

• resolutions of the Interministerial Committee for Credit and Savings (CICR), which, upon proposals from the Bank of Italy, provides supervisory guidelines through ministerial regulations;
• circulars, regulations and supervisory rules issued by the Bank of Italy; and
• CONSOB’s regulations.

Authorisation Requirements

“Banking activity” is defined under Italian law as collecting savings from the public and granting loans. The exercising of “banking activity” is exclusively reserved to banks. Financial intermediaries are only authorised to carry out lending activities.

The ECB is the competent authority, together with the Bank of Italy, for granting banking authorisations to Italian banks.

Applicants for banking licences in Italy must meet the following requirements.

• Be a joint stock company (società per azioni) or mutual limited liability company (società cooperativa a responsabilità limitata).
• Have an established registered office and headquarters in Italy.
• Have a minimum initial share capital of:
1. EUR10 million for joint stock companies, banche popolari, and mutual loan guarantee banks (banche di garanzia collettiva); or
2. EUR5 million, for mutual credit banks (banche di credito cooperativo).
• Have an initial business plan that focuses on capital and organisational structure, along with the memorandum of incorporation and articles of association.
• Comply with qualifying shareholders’ requirements.
• Have completed a fitness and propriety assessment for members of the bank’s board of directors, board of statutory auditors and, if appointed, general manager.
• Have no close links with a bank or any entity within or outside the group which could undermine effective supervision.

Authorisation Process

The licensing application must be submitted via the European Information Management System (IMAS) Portal.

The Bank of Italy, in co-operation with the ECB, will then carry out a preliminary assessment of the application.

Based on the preliminary assessment, the Bank of Italy:

• in the case of a positive outcome, will forward a draft authorisation decision to the ECB for its approval; or
• in the case of a negative outcome, reject the application.

If the preliminary assessment is positive, the ECB will make the final decision within 180 days of receiving the completed application, subject to any suspension or interruption and, in any case, within 12 months.

Before submitting an application, applicants may request a meeting with the Bank of Italy.

During its assessment, the Bank of Italy may request additional information and certifications, conduct investigations and seek the opinion of other national or foreign competent authorities.

Applicants are not required to pay any fee or to use a specific submission form. However, licensed banks are required to pay supervisory fees to the ECB to cover the costs related to banking supervision, the amount of which depends on the bank’s size and risk profile.

Activities Covered by the Banking Authorisation

The banking authorisation covers a wide range of activities and services, which have to be carried out in compliance with their respective rules under Italian law. They are:

• taking deposits or other repayable funds from the public and granting of loans;
• payment services;
• electronic money issuance;
• all other financial activities; and
• related or ancillary activities.

Services Requiring Additional Authorisations

In order to provide certain financial services, Italian banks will need additional authorisations. They are as follows.

• For investment services and activities under the MiFID II framework, an authorisation by the Bank of Italy upon consultation with CONSOB is required.
• For issuing, offering to the public (and/or seeking admission to trading of) asset-referenced tokens under MiCAR, a notification to the Bank of Italy is required at least 90 business days in advance.
• For issuing, offering to the public (and/or seeking of admission to trading of) electronic money tokens under MiCAR, a notification to the Bank of Italy is required at least 40 business days in advance.
• For carrying out crypto-asset services under MiCAR, an authorisation by CONSOB is required and the authorisation must be granted or refused within 40 working days from the date of receipt of a complete application.
• For acting as depositary bank of collective investment undertakings, an additional Bank of Italy authorisation is required and the authorisation must be granted or refused within 120 days from the date of receipt of a complete application.

EU Passporting

The exercise of banking activities in other EU member states by Italian banks requires:

• in the case of establishment, an advance notice to the Bank of Italy, which will inform the ECB (in case of “significant” banks). If no contrary decision is made by the Bank of Italy or the ECB within two months of the receipt of such notification, the branch may be established and start its activities; and
• in the case of the cross-border provision of services, Italian banks must notify the Bank of Italy, which will give advance notice to the ECB and the host country authority.

Prior Approval Requirements

A prior ECB approval, upon a proposal by the Bank of Italy, is required when a prospective acquirer, or more prospective acquirers acting in concert, intends to:

• acquire a direct or indirect holding in a bank which represents 10% or more of the capital or the voting rights or which makes it possible to exercise significant influence or control over the bank’s management (“qualifying holding”);
• increase an existing “qualifying holding”, when the voting rights or share capital reaches or exceeds 20%, 30% or 50%, or when the increase results in control over the bank; and
• acquire, in any form, without purchasing shares (including through an agreement with the bank or a provision in its articles of association) control or significant influence over the bank, or a percentage of voting rights or capital of at least 10%, 20%, 30% or 50%, taking shares already owned into account.

Required Regulatory Filings

For the acquisition of a “qualifying holding” in an Italian bank, the proposed acquirer is required to submit an advance application to the Bank of Italy and the ECB through the IMAS Portal.

The information and documentation to be provided includes:

• a description of the transaction and any other authorisations required in connection thereto;
• information on the proposed acquirer, including its business, the individuals who effectively direct its business, qualifying shareholders, reputation and group;
• information on the persons that will direct the business of the target bank;
• information on the financial soundness and compliance with regulatory requirements, including information on the financing of the transaction and its impact on the supervision of the target bank;
• information on compliance with AML/CFT legislation; and
• additional information depending on the amount of the shareholding to be acquired, including a business plan in case the shareholding reaches or exceeds 20%.

Foreign applicants may also be required to:

• file a separate notification to the Italian government under the foreign direct investments regime; and
• provide additional documentation concerning their group, shareholders and financial soundness, especially when incorporated in non-EU jurisdictions, which are not considered equivalent to Italy in terms of AML and tax treatment.

Approval Process

The Bank of Italy assesses the proposed and then submits a draft decision to the ECB to refuse or approve the acquisition.

The approval process lasts 60 working days from the date of the Bank of Italy’s acknowledgement of receipt of the application. The term may only be suspended once for up to 30 working days where the acquirer is a non-EU person or a non-regulated EU entity, or 20 working days in all other cases.

Post-Acquisition Filings

The acquirer(s) must inform the Bank of Italy of the completion of the proposed acquisition within ten days. They must file an advance notice with the Bank of Italy of their intention to reduce their “qualifying holding” below the relevant thresholds.

Alternative Corporate Governance Systems

Italian corporate law contemplates three different governance and supervision systems that stock corporations, including banks, may choose to adopt. These are as follows.

• The traditional and most common Italian model comprising:
1. a board of directors, which is responsible for the bank’s management;
2. a board of statutory auditors, composed of independent members monitoring the board of directors’ operations; and
3. a shareholders’ meeting, which is primarily responsible for the appointment of corporate bodies and for the approval of the financial statements.
• A one-tier model, only consisting of a board of directors, which includes a management audit committee (comitato per il controllo sulla gestione) composed of a majority of independent directors.
• A two-tier model comprising:
1. a supervisory board (consiglio di sorveglianza); and
2. a management board (consiglio di gestione).

Banks must select the most suitable corporate governance model to enhance operational efficiency and ensure effective controls, while considering the associated costs of each model.

Italian banks adopting the two-tier model are required to set up an “internal controls committee” if the supervisory board is responsible for strategic supervision or has a broad composition.

Italian banks adopting the one-tier model are required to set up a “management control committee”, which is primarily responsible for ensuring compliance with laws, regulations and the bank’s articles of association as well as for proper governance and ensuring the bank has an adequate organisational and accounting framework.

Board Committees

Banks that are large or operationally complex are required to set up:

• a nomination committee (comitato nomine);
• a risks committee (comitato rischi); and
• a remuneration committee (comitato remunerazioni).

Composition of Corporate Bodies

Italian banks must comply with limits on the number of board members, with specific thresholds for traditional models (up to a maximum of 15), one-tier models (up to a maximum of 19) and two-tier models (up to a maximum of 22) that can only be exceeded in exceptional cases.

The management body must include an adequate number of non-executive members. The body with strategic supervisory functions must also include independent members.

Banks must identify and assess over time an optimal qualitative-quantitative composition for their governing bodies and define ideal profiles for candidates in terms of professionalism and independence.

The composition of corporate bodies must reflect an appropriate degree of diversity in terms of skills, experience, age, gender and international background. Members of the underrepresented gender in bodies with strategic supervision and control functions must represent at least 33% of the total number.

Internal Control Functions

Banks must establish three lines of defence as follows.

• Business line controls (first line of defence), intended to ensure the proper execution of operations and conduct by the same operational structures.
• Compliance and risk management controls (second line of defence), intended to ensure:
1. the proper implementation of the risk management process; and
2. the compliance of business operations with laws and regulations, including self-regulation standards to avoid penalties, losses and reputational damage.
• Internal audit controls (third line of defence), intended to detect violations of procedures and regulations and periodically assess the completeness, adequacy, functionality and reliability of the internal control and the ICT system.

Key Suitability Requirements

In order to ensure the sound and prudent management of an Italian bank, all members of its corporate bodies and the general manager (if appointed) must satisfy the following suitability requirements:

• professional experience;
• integrity;
• independence;
• competence;
• fairness; and
• time commitment.

The same requirements and criteria also apply to members of the senior management of listed banks and larger banks.

The remit of each requirement is defined and specified in Italian Ministerial Decree No 169/2020.

• “Professional experience” means:
1. for executive members, relevant experience of at least three years;
2. for the chairman, the chief executive officer and the general manager, relevant experience of at least five years; and
3. for non-executive directors, experience of at least three years in university or professional activities in financial sectors.
• “Integrity” refers to the absence of convictions to specific offences or disqualification measures.
• “Independence” (required for independent directors), means the absence of personal or professional relationships with the relevant banking group. Other members must satisfy independence of judgment requirements.
• “Competence” means having adequate knowledge and practical experience in bank-related matters.
• “Fairness” refers to the absence of situations that could compromise the bank’s sound and prudent management (eg, convictions for certain offences, administrative sanctions or debarment from professional registers management).
• “Time commitment” refers to the requirement that all members of corporate bodies of banks dedicate sufficient time to their offices. For positions at large or operationally complex banks the following alternative limits apply:
1. one executive and two non-executive positions; or
2. four non-executive positions.

Interlocking Directorates Prohibition

Members of the corporate bodies and general managers of Italian banks are subject to the interlocking directorates prohibition under Italian law. This prohibition prevents individuals from holding board or senior management positions in competing companies within the Italian banking, financial and insurance sectors to avoid conflicts of interest and ensure fair competition.

Suitability Assessment Process

The suitability of new members of corporate bodies and general managers of “less significant” banks must be assessed by the competent corporate body (either in advance, if appointed by the board, or within 30 days from the appointment, if appointed by the general meeting).

The relevant assessment must be formalised in detail in the minutes of the meeting of the relevant corporate body and then submitted to the Bank of Italy within the next 30 days. Within the following 120 days, the Bank of Italy may require the corporate body to take appropriate measures, such as training, to improve the skills necessary to successfully perform the role. It also has the power to start an administrative proceeding to remove members that are found to be unsuitable or in breach of the interlocking prohibition.

The suitability assessment must be carried out by the ECB where the bank is “significant”, which may exercise its powers in line with the SSM Regulation.

The remuneration rules in the CRD V and the EBA Guidelines on Sound Remuneration Policies are transposed into Italian law by Articles 53 and 67 of the Consolidated Banking Act and Bank of Italy rules on remuneration and incentive policies and practices in banks and banking groups through Circular No 285/2013.

Scope of Remuneration Requirements

Sound remuneration policies that avoid excessive risk taking and are gender neutral must be applied to all staff members of Italian banks and banking groups.

They must be approved by the bank’s shareholders’ meeting upon a proposal from the strategic supervision body.

Remuneration requirements vary depending on whether:

• staff members are members of corporate bodies;
• staff members carry out professional activities that have a substantial impact on the bank’s risk profile (ie, so-called “material risk takers”);
• staff members are assigned to control functions;
• staff members are not qualified as so-called “material risk takers”; and
• staff members are other collaborators (eg, financial advisors and agents).

Fixed and Variable Remuneration

For all bank staff, the ratio between the fixed and variable component cannot exceed 100%, although an increase up to 200% is allowed if expressly provided in the articles of association and approved by shareholders’ resolution with a supermajority.

For “material risk takers”, however:

• at least 50% of the variable component must be paid in shares or an equivalent ownership interest;
• a minimum retention period of one year applies to remuneration paid in instruments; and
• the variable remuneration must be deferred at least for 40% or, in case of particularly high amounts of variable remuneration, at least for 60%, over five years.

Bank of Italy’s Supervisory Approach

The Bank of Italy has ample investigation and enforcement powers to ensure compliance with bank remuneration requirements. In practice it is particularly focused on circumvention of remuneration requirements.

Legislative Decree No 231/2007 (the “AML Decree”) (as subsequently amended) sets out Italian rules implementing the AMLD IV and the AMLD V. With respect to credit and financial institutions, the requirements set out in the AML Decree are further specified and clarified in the Bank of Italy’s implementing regulations (the “BoI Regulation”) (collectively known as the “AML Rules”).

Under the AML Rules, certain obliged entities (including credit and financial institutions) are required to comply, among other things, with:

• customer due diligence (or know your customer (KYC)) requirements;
• record-keeping requirements; and
• suspicious transaction reporting requirements, when, among other things, they establish a business relationship; carry out an occasional transaction that amounts to EUR15,000 or more (whether in a single transaction or in several transactions which appear to be linked); and/or make a transfer of funds, as defined in Regulation (EU) 2015/847 on the information accompanying transfers of funds (which, as from 30 December 2024, will be replaced by Regulation (EU) 2023/1113 on information accompanying transfers of funds and certain crypto-assets), exceeding EUR1,000.

Customer Due Diligence Requirements

Under the AML Rules, obliged entities are required to:

• identify the customer and verify the customer’s identity on the basis of documents, data or information obtained from a reliable and independent source;
• identify the beneficial owner (ie, the natural person(s), other than the client, on whose behalf the business relationship is being opened, the activity is being conducted, or the transaction is being carried out, if any) and taking reasonable measures to verify that person’s identity so that the obliged entity is satisfied that it knows who the beneficial owner is;
• obtain and assess information on the purpose and intended nature of the business relationship, as well as, if appropriate based on the relevant risk, additional information including on the customer’s source of wealth and source of funds; and
• conduct ongoing monitoring of the business relationship including scrutiny of transactions undertaken throughout the course of that relationship to ensure that the transactions are consistent with the obliged entity’s knowledge of the customer, the business and risk profile (including where necessary the source of funds) and ensuring that the documents, data or information held are kept up-to-date.

While obliged entities are required to comply with customer due diligence requirements with respect to all their customers, they may determine the extent of these measures (standard, simplified or enhanced due diligence) on a risk-sensitive basis.

Record-Keeping Requirements

Obliged entities must retain copies of the documents and information which are necessary to comply with the customer due diligence duties and original documents (or copies admissible in judicial proceedings) relating to transactions. This obligation applies for ten years after the end of a business relationship with the customer or after the date of an occasional transaction.

Suspicious Transaction Reporting

Where they know, suspect, or have reasonable grounds to suspect that funds, regardless of the amount involved, are the proceeds of criminal activity or are related to terrorist financing, obliged entities must file a suspicious transaction report with the UIF at the Bank of Italy. Obliged entities must refrain from carrying out the specific transaction before filing the report with the UIF and must keep the filing of a report with the UIF strictly confidential.

Finally, the AML Decree provides that all Italian companies and entities (including credit and financial institutions) must obtain information regarding their beneficial owners and disclose this information in public registers (for example, the Companies House (Registro delle Imprese)). On 11 March 2022, the Italian Ministry of Economic Affairs, in consultation with the Ministry of Enterprises and Made in Italy (formerly the Ministry of Economic Development), adopted a decree implementing this requirement, introducing an ultimate beneficial owner register, and providing for the adoption of further implementing decrees. The overall framework was:

• declared to have been fully implemented by Decree dated 29 September 2023; and
• supposed to become effective as of 11 December 2023.

However, the requirement for Italian companies and entities to disclose information on their beneficial ownership in the register was suspended by the Administrative Court of Rome in an order issued on 7 December 2023 and, subsequently, the Council of State in an order issued on 17 May 2024. The suspension by the Council of State is still in effect.

Deposit guarantee schemes (DGSs) are aimed at avoiding, or at least reducing, systemic impacts of banking crises by either preventing the failure of credit institutions or providing a post-crisis reimbursement function.

In Italy, DGSs are mainly governed by Article 96 et seq of the Consolidated Banking Act (as amended to transpose Directive 2014/49/EU on deposit guarantee schemes (the “DGSD”) into Italian Law. The supervisory provisions on DGSs issued by the Bank of Italy on 12 November 2024, were recently implemented with regard to the state aid and resolution frameworks.

Participation Requirements

In line with EU law, Italian law requires credit institutions to be part of one of the recognised DGSs. Specifically, except for mutual credit institutions, which are members of the Depositors’ Guarantee Fund of mutual banks (Fondo di garanzia dei depositanti del credito cooperativo (FGDCC)), all Italian banks, as well as branches of non-EU banks authorised in Italy which are not part of an equivalent deposit protection scheme (DGS), are required to participate in the Interbank Deposit Protection Fund (Fondo Interbancario di tutela dei depositanti (FITD)), which is a private law consortium. Italian branches of EU banks can also join the FITD in order to supplement the guarantee provided by their home DGSs. Both the FITD and the FGDCC are supervised by the Bank of Italy.

Banks are also free to participate in other DGSs set up on a voluntary basis and the rules on mandatory DGSs do not apply to them. The Voluntary Intervention Scheme (Schema Volontario di Intervento (SVI)) was established to overcome the uncertainty raised under the state aid framework as to the asserted public nature of the resources of the FITD. The uncertainty was finally resolved in the Tercas case.

Depositor Guarantee

Italian mandatory DGSs guarantee deposits of up to EUR100,000 per depositor. The limit is valid for each depositor, per individual bank. The protection applies to repayable funds deposited at banks not only in the form of deposits, but also in other forms (eg, deposit certificates) and regardless of the currency. Financial instruments are not included in the guarantee.

Interventions

DGSs intervene to protect deposits in the following ways.

• Where the member bank is in liquidation:
1. by reimbursing depositors within seven working days from the date on which the unavailability of deposits or compulsory administrative liquidation of the bank takes effect; or
2. giving support for the transfer of assets and liabilities, including deposits, to another bank, provided that the cost for the intervention does not exceed the costs of reimbursing depositors (so called “alternative measures”, such as those in favour of Banca Popolare delle Province Calabre in 2016).
• Preventing bank crises, for example by providing loans or purchasing shares so that a bank can carry on its activities, provided that the cost for the intervention does not exceed the costs of other possible interventions in line with the applicable framework (the so called “preventive measures”, such as those in favour of Banca Carige in 2022 and Banca Popolare di Bari in 2020).
• Where the bank is put under resolution, the resolution will be financed in line with applicable rules.

Contributions to DGSs

Member banks are required to make ex ante contributions at least annually, which may include payment commitments for a total share not exceeding 30% of total resources. Contributions have to be proportionate to the amount of member banks’ covered deposits as well as to their risk profile, in order, among other things, to encourage banks to reduce risks linked to their business model. The amount to be contributed by each member bank is determined by the scheme using appropriate models that can be set also taking into account the EBA Guidelines on Methods for Calculating Contributions to DGS and have to be approved by the Bank of Italy.

In case ex ante contributions are not sufficient for the DGS to fulfil its reimbursement obligations, it can require members to make extraordinary ex post contributions not exceeding 0.5% of covered deposits per calendar year. Italian DGSs, like all mandatory DGSs, are required to have financial means available which are kept in a segregated financial endowment equal to at least 0.8% of the amount of the covered deposits of their members. Provided that certain conditions are met, the Italian Ministry of Economy and Finance is allowed, upon approval of the European Commission, to authorise a lower minimum target level (this will however not be allowed to fall below 0.5% of covered deposits).

Legal Framework

As Italy is part of the EU, Italian banks are subject to the capital and liquidity requirements established in the CRR (as amended), which is directly applicable, and in Directive 2013/36/UE (as amended) (the “CRD IV”), which is transposed into Italian law by the Consolidated Banking Act and Bank of Italy Circular No 285/2013 (as amended). The CRR has recently been amended by the CRR III to implement the Basel 3.1 standards which apply from January 2025, with certain phase-in periods.

Minimum “Own Funds Requirements”

The minimum “own funds requirements” (expressed as a percentage of an institution’s risk weighted assets (RWAs) after deductions) are equal to:

• 4.5% Common Equity Tier 1 (CET1);
• 6% including Additional Tier 1; and
• 8% total capital, including Tier 2 capital instruments.

Pillar Two Capital Requirements and Guidance

Pillar Two capital requirements refer to additional capital that banks must hold to address risks not fully covered by Pillar One capital requirements, as determined by the Bank of Italy or the ECB through the Supervisory Review and Evaluation Process (SREP). Pillar Two guidance, on the other hand, is non-binding guidance indicating the level of capital a bank should maintain to ensure resilience during stress scenarios.

Capital Buffers

In addition to the minimum capital requirements, the following prudential capital buffers must be met with CET1 capital.

• A capital conservation buffer: equal to 2.5% of a bank’s total exposures.
• A countercyclical buffer: up to 2.5% of RWAs to be determined by the Bank of Italy based on macroeconomic indicators. The buffer is currently set at 0%.
• Global systemic institution buffer: additional CET1 capital requirement ranging from 1% to 2.5% depending on a bank’s systemic importance.

Liquidity Requirements

Banks must comply with two liquidity ratios.

• The liquidity coverage ratio (LCR), which is intended to measure whether banks hold an adequate level of unencumbered, high-quality liquid assets to meet net cash outflows under a stress scenario lasting for 30 days (its purpose is to improve short-term resilience).
• The net stable funding ratio (NSFR), which measures the amount of stable funding available to a bank to support its assets and activities over a one-year period (its purpose is to improve resilience in the medium term).

TLAC

Under the CRR, the total loss-absorbing capacity (TLAC) applies to EU banks identified as globally systemically important institutions (G-SIIs). These banks are required to maintain sufficient liabilities and own funds to absorb losses and facilitate recapitalisation during resolution, ensuring financial stability and minimising risks to public funds. The CRR (as amended) integrates TLAC into the existing minimum requirement for own funds and eligible liabilities (MREL), ensuring alignment while accommodating EU-specific resolution frameworks.

Output Floor

The output floor under the CRR III, aligned with the Basel 3.1 framework, sets a minimum level for RWAs calculated using internal models at 72.5% of the RWAs calculated using the standardised approach. This measure aims to limit excessive variability in capital requirements across banks. The output floor is being phased in gradually, starting at 50% in 2025 and increasing annually by five percentage points until it reaches 72.5% in 2030.

Origin and Purpose of the Bank Recovery and Resolution Framework

The Italian legal framework on banking crises underwent a significant reform process in 2015 in order to implement the EU harmonised rules set out in response to the financial crisis of 2008-2009 and also in light of the principles envisaged by the Financial Stability Board (FSB) in its 12 Key Attributes of Effective Resolution Regimes of 2011 (as revised in 2014). The EU package included:

• the BRRD;
• the DGSD;
• the SSM Regulation;
• Regulation (EU) 806/2014 (the Single Resolution Mechanism Regulation or SRM); and
• the rules on state aid.

The BRRD has also been amended by the BRRD II, which includes updates on the hierarchy of claims and introduced a general depositor preference.

Ordinary bankruptcy procedures have never been applied to Italian credit institutions in consideration of the “public service” provided by banks. Indeed, banking crises in Italy were originally managed through a pre-insolvency and an insolvency procedure set out in the Consolidated Banking Act, namely:

• special administration (amministrazione straordinaria), which was aimed at avoiding the crisis by means of the replacement of the main bodies of the credit institution; and
• compulsory administrative liquidation (liquidazione coatta amministrativa), which was aimed at winding up the credit institution, possibly through the sale of the business, while the bank was still active. The sale of business or branches of the failing bank was usually financed by the State, which used to step in to pay the difference in value between the assets and the liabilities taken on by the purchaser. Depositor protection was therefore ensured.

The European recovery and resolution framework intends to:

• prevent the crisis and;
• where this is not feasible, ensure that the crisis is managed in an orderly way without the essential activities of the bank (such as granting loans or taking deposits) having to be interrupted, restoring the viability of the healthy part of the bank, and liquidating the remaining parts.

The new framework aims to avoid public interventions in order to protect taxpayers. In particular, with the aim of reducing moral hazard, only shareholders (first) and creditors (after shareholders, following the insolvency creditor hierarchy) have to bear losses. In order to reach these goals, the BRRD has introduced the “bank resolution” as a harmonised administrative procedure which is applicable to banks that are failing or likely to fail when there is a “public interest” for the bank to be resolved, instead of liquidated.

Italian Transposition of the BRRD

The BRRD and the BRRD II have been transposed into Italian law through:

• Legislative Decree No 180 of 2015 of 16 November 2015 that designates the Bank of Italy as the national resolution authority with powers to adopt regulatory measures and includes provisions concerning, among other things, the preparation of resolution plans, resolution powers and tools and the crisis management of cross-border groups. It also establishes a national resolution fund (Fondo di Risoluzione Nazionale), which is funded by the Italian banking sector and managed by the Bank of Italy; and
• Legislative Decree No 181 of 2015 of 16 December 2015, that sets out rules on recovery plans, intra-group financial support, early intervention measures and hierarchy of creditors.

A new Resolution and Crisis Management Unit (Unità di risoluzione e gestione delle crisi) within the Bank of Italy has been entrusted with the resolution powers and functions performed by the Bank of Italy as the national resolution authority. It may apply the following resolution tools (either on a standalone basis or in combination):

• sell the business to a private buyer;
• temporarily transfer the assets and liabilities to a “bridge” institution that continues to carry out critical functions, with the objective of selling them on the market;
• separating the assets or transferring non-performing loans (NPLs) to a vehicle that manages their liquidation; and
• write down equity and other liabilities and convert them into shares to absorb losses and recapitalise the bank, provided that the no-creditor-worse-off principle is complied with. This principle states that creditors not incur greater losses than would have been incurred if the resolution entity had been wound up under normal insolvency proceedings (so called “bail-in”).

Depositor Preference

The BRRD II introduced a general depositor preference across the EU. This means all deposits, regardless of whether they are covered (up to EUR100,000) or non-covered, rank above ordinary unsecured claims in insolvency or resolution proceedings.

Deposits are divided into two categories for ranking purposes, where Tier 1 deposits rank higher than Tier 2 deposits.

Tier 1 covers deposits (up to EUR100,000) and deposits by individuals, microenterprises and SMEs above the covered amount.

Tier 2 covers other eligible deposits (eg, those held by large corporate clients).

Even prior to the BRRD II, Italian law provided for an extended depositor preference regime, which prioritises “other deposits” (including those held by corporate clients) over ordinary unsecured claims.

Italian banks are subject to a growing body of ESG requirements driven by EU regulations. These obligations aim to align the banking sector with sustainable finance goals and address climate-related risks.

Key ESG-Related Requirements

Sustainable Finance Disclosure Regulation (SFDR)

While primarily targeting asset managers, the SFDR, which is directly applicable in Italy, affects EU banks offering investment products, requiring disclosures on sustainability risks and adverse impacts.

Corporate Sustainability Reporting Directive (CSRD)

Large corporations and small and medium-sized listed corporations (including banks) must adhere to detailed ESG reporting requirements under the CSRD, which is transposed into Italian law by Legislative Decree No 125/2024 and applies gradually as follows.

• From 2025 (FY 2024) for banks and other public interest entities that have (or are parent companies of groups that on a consolidated basis have) an average of 500 employees per year and a balance sheet total of EUR200 million or net turnover of EUR40 million.
• From 2026 (FY 2025) for companies that (or parent companies of groups that on a consolidated basis) meet two of the following thresholds:
1. 250 employees over the financial year;
2. net annual revenue of EUR40 million; or
3. a balance sheet total of EUR20 million.
• From 2027 (FY 2026) for SMEs that are listed on an EU regulated market and small and non-complex institutions (under the CRR), as well as captive insurance undertakings meeting certain criteria.

Sustainability reports will have to comply with detailed European sustainability reporting standards (ESRS) which include general requirements as well as sector-specific requirements.

CSRD disclosures must consider a “double materiality” perspective, meaning that a company must report how sustainability risks and opportunities affect its financial performance, position and development (so-called “outside-in”) as well as how the company’s performance, position and development affect people and the environment (so-called “inside-out”).

Exemptions apply to individual sustainability reporting requirements if information on a company and its subsidiaries are included in the consolidated sustainability reporting requirements of its parent undertaking.

Taxonomy Regulation

Companies covered by the CSRD will have to include information on how and to what extent the undertakings’ activities are taxonomy-aligned, using specific KPIs, in their sustainability disclosures.

ECB Guidelines on climate risks

As part of the SSM Regulation, Italian banks are subject to the ECB’s expectations for climate-related and environmental risks. They must integrate these risks into governance, strategy and risk management frameworks.

Bank of Italy guidance

The Bank of Italy has issued recommendations for banks to:

• integrate ESG factors into risk management and credit policies;
• enhance transparency through robust non-financial disclosures; and
• support green and social projects through sustainable lending practices.

ESG governance and risk management requirements under the CRD VI

The CRD VI requires banks to integrate robust strategies, policies, processes and systems into their governance and risk management frameworks to identify, measure, manage and monitor ESG risks across short, medium and long-term horizons, conduct resilience testing using credible scenarios and align ESG practices with regulatory objectives. The competent authorities must assess these efforts and the EBA will have to develop detailed guidelines by 2026.

ESG risks disclosure under the CRR III

The CRR III requires banks to disclose information on ESG risks, distinguishing between environmental, social and governance risks and physical risks and transition risks for environmental risks.

Key DORA Requirements

DORA entered into force on 16 January 2023 and applies from 17 January 2025. It requires financial entities, including banks, to increase the digital operational resilience in relation to “ICT services” by:

• establishing an effective ICT risk management framework within their overall risk management system (ICT risk management pillar). This framework must address risk identification, mitigation and monitoring as well as reporting processes to ensure resilience against both internal and external threats;
• implementing comprehensive systems for detection and reporting of ICT-related incidents (incident reporting pillar). Specifically, any significant ICT-related incidents must be reported to the competent authority within specified timeframes to enable prompt response and co-ordination;
• regularly testing their own ICT systems to evaluate the related operational resilience (testing pillar). This implies conducting vulnerability assessments, penetration testing and scenario-based exercises. These tests enable systems to be robust enough to handle cyber-attacks and other ICT-related disruptions;
• ensuring that relevant ICT third-party service providers meet high operational resilience standards, carrying out audits on a regular basis and maintaining adequate oversight on them (ICT third-party risk management pillar);
• developing detailed crisis management plans which ensure the delivery of critical services during ICT-related disruptions (business continuity and crisis management pillar). These plans must address, among other things, data recovery, communication strategies and established escalation procedures; and
• establishing processes for sharing information about ICT-related threats, vulnerabilities and incidents, both within the organisation and with relevant external stakeholders (ICT information sharing pillar).

In order to prepare for complying with DORA, Italian banks should:

• conduct a gap analysis against current ICT incident reporting and risk management requirements under Italian law, to assess their current level of preparedness for DORA;
• establish a cross-functional team (IT, risk management, compliance, legal and operations) to develop an integrated approach in relation to digital operational resilience; and
• invest in cybersecurity technology and related training to ensure that all bank staff are aware of the respective roles and responsibilities under DORA.

ICT Third-Party Risk

In relation to any ICT third-party services, banks must:

• conduct a pre-contractual analysis to assess the suitability of the prospective provider, including an assessment of its substitutability; and
• ensure that the relevant contract, in the form of a written document, includes all the key provisions expressly mentioned by DORA.

In relation to ICT third-party services supporting a bank’s “critical or important” function, meaning any function the disruption of which would materially impair its financial performance, banks must also:

• adopt an internal policy focusing on ex ante risk assessment, due diligence, management of conflict of interest, exit strategies and monitoring of contractual arrangements;
• inform the competent authority about any planned contractual arrangements on the use of these ICT services;
• ensure that the relevant contract, in the form of a written document, includes all the additional key provisions expressly mentioned by DORA; and
• include all the contracts on the use of these ICT third-party services in a dedicated section of a register specifically designed for ICT third-party services arrangements.

Sanctions for Non-Compliance With DORA

In cases of non-compliance with DORA, the related administrative sanctions can consist of:

• monetary fines (up to 10% of a bank’s annual turnover or EUR10 million, whichever is higher; and
• operational restrictions, imposed by the competent supervisory authority.

EU and national regulatory developments impacting Italian banks are expected in the following areas.

Updated Capital and Prudential Requirements

The CRR III will apply from January 2025, with phase-in periods for certain requirements, such as the output floor. The Bank of Italy is consulting on the exercise of national discretions, including the option to apply a preferential treatment to low-risk residential mortgages for the purposes of the output floor. The consultation will end on 3 February 2025.

The CRD VI is scheduled to take effect in January 2026, save for the provisions on third-country branches which will apply from January 2027.

AML Package

The AML legislative package must be transposed into national law by July 2026 while the new European AML authority (AMLA) is preparing to assume direct supervision over a selected number of entities starting in 2027.

Retail Investment Strategy

The European Commission Proposal on the Retail Investment Strategy, which aims to make amendments to the MiFID Directive, the PRIIPs Regulation, the AIFMD, the UCITS Directive, the Insurance Distribution Directive and the Solvency II Directive on important investor-protection topics (such as inducements and product governance), is expected to be finalised and adopted in 2025.

Review of the Consolidated Law on Finance

The Italian government is delegated to undertake a comprehensive and systematic review of the Consolidated Law on Finance, which has governed the financial markets and investment services in Italy for over 25 years. The review is aimed at reforming the legislation to modernise and streamline the legislative framework and address the demands of market changes. This ambitious reform should be completed in 2025.

Alignment of Existing Italian Cybersecurity and ICT Services Requirements to DORA

Efforts are underway to align Italy’s existing national requirements on cybersecurity and ICT services with DORA to avoid inconsistencies and overlaps with the existing frameworks.

MiCAR

The Italian transitional period for existing virtual asset service providers (VASPs) expires at the end of 2025. Italian VASPs have to apply for authorisation as crypto-asset service providers (CASPs) by 30 June 2025.

CSRD

2025 is the first reporting year for large banks that are already subject to Non-Financial Reporting Directive requirements.