Integrity in corporate conduct

The "Group Anti-Corruption Guidelines" identify the principles, the sensitive areas and define the roles, responsibilities and macro-processes for managing the risk of corruption and define the commitment to comply with the regulatory provisions aimed at combating corruption in all its forms (the principle of "zero tolerance"). They are approved by the Corporate Bodies. The Chief Compliance Officer is responsible for overseeing the matter. They must be complied with by company representatives and all Group people and apply to all companies and countries in which the Group operates, with the exception of entities that exclusively carry out ancillary services and research activities. They also address external parties (suppliers, agents, consultants, professionals, business partners, self-employed or para-subordinate workers, etc.) who give their collaboration to the Group for the implementation of its activities. For this reason, they are made available to all stakeholders through the Group's institutional website and to counterparties benefiting from charitable or sponsorship initiatives as well as to third parties, who collaborate with the Group, when formalizing the related relationships.

The Group's approach to combating corruption is inspired by the founding principles contained in the relevant conventions as well as by international best practices (OECD, Convention on Combating Bribery of Foreign Public Officials in International Business Transactions; United Nations Organization, Convention Against Corruption, Global Compact; Council of Europe, Criminal Law Convention on Corruption and Civil Law Convention on Corruption Council of the European Union). In addition, the Group is subject to the UNI ISO 37001:2016 Anti-bribery management systems certification procedure, which is the international standard on the subject (valid until 2025) by an external company.

The main actions implemented in the field of corruption prevention consist of the constant revision of the "Group Anti-Corruption Guidelines" (last update approved by the Board of Directors in 2024), the updating of the rules on the management of gifts and entertainment expenses and the planning of compliance with the recommendations of the certification body for ISO 37001:2016 purposes. It should be noted that the Group will proceed with the renewal of the aforementioned certification in 2025.

The revision of the "Anti-Corruption Guidelines" takes place on an annual basis.

Reporting to corporate bodies on anti-corruption matters is an integral part of the reports prepared by the Chief Compliance Officer Area on the basis of the information flows provided for by the "Regulation of Integrated Internal Control Systems and other communications". These include, on an annual basis, the identification, risk assessment and planning of management interventions as well as, on a six-monthly basis, the description of the activities carried out, the critical issues detected and the remedies identified.

Finally, the Group directs specific training initiatives on the subject, in favour of company representatives and staff. The planned initiatives are mandatory and traceable; in particular, they aim to develop the ability to grasp the salient aspects of the regulatory provisions aimed at combating corruption and the application of the Guidelines in order to promote conduct consistent with the provisions contained therein.

At Intesa Sanpaolo, training in anti-corruption and anti-money laundering is mandatory and follows multi-year cycles, also based on local regulations. In 2024, a total of 342,157 hours of training were provided to 88,109 Group people (95% of the total)

In 2024, no convictions and/or sanctions were reported for violation of anti-corruption and anti-bribery laws, consequently no fines and sanctions were imposed to the Intesa Sanpaolo Group.

Intesa Sanpaolo constantly oversees and promotes free competition and spreads the culture of compliance to antitrust legislation also through the establishment of a specific internal team aimed at overseeing compliance with antitrust rules, the adoption of a Policy and a training and information program. In 2024, 70,299 Group's people were trained. and 1,429,006 hours of training were provided on the topic.

The Intesa Sanpaolo Group has always maintained a high and constant commitment to the protection of the personal data of the people with whom the Group interacts, ensuring the collection and processing of data in compliance with current legislative provisions. The same commitment is also reflected in the protection of customers' personal data.

The regulatory framework for the protection of personal data is Regulation (EU) 2016/679 (the so-called General Data Protection Regulation, GDPR) which came into force on 25 May 2018, the new precepts of which have been assimilated by the Group and formalised in the main internal governance documents consisting of the Code of Ethics, which outlines the principles and values on which the Group bases its choices and activities  and by the Internal Code of Conduct which defines the conduct that employees and collaborators of the same are required to observe to ensure the correct processing of data. The relevant requirements are set out in the Guidelines on the protection of personal data of natural persons and in the Company Rules for the processing and protection of personal data of natural persons.

The Guidelines define the model for managing the risk of non-compliance with regard to the protection of the personal data of all people with whom the Group interacts, including employees and collaborators, establishing the general principles and setting out the roles and responsibilities of the corporate bodies and structures involved, the macro-processes of risk oversight and control, as well as the Group's policy and coordination model. In addition, they set out the requirements for the processing and protection of personal data and establish the application of sanctions in the event of non-compliance with the provisions. 

With reference to the people of the Group:

• In case of reports concerning privacy issues or requests to exercise rights, employees can contact the DPO, whose contact details are included both in the policy provided to all employees, and on the Group's institutional website, Privacy section, and in the specific internal process guides published on the internal portal.

With reference to customer data protection:

• The Group has issued specific governance documents that give specific instructions on the conduct that employees and collaborators must adopt to ensure the correct collection, use and protection of personal data.
• The above-mentioned guidelines define the model for managing the risk of non-compliance with regard to the protection of the personal data of all people with whom the Group interacts, establishing the general principles and setting out the roles and responsibilities of the corporate bodies and structures involved, the macro-processes for overseeing and controlling risk,  as well as the Group's policy and coordination model. In addition, they set out the requirements for the processing and protection of personal data and establish the application of sanctions in the event of non-compliance with the provisions. 
• The protection of the data of the people with whom the Group interacts is guaranteed through the application of the principle of "privacy by design", aimed at determining from the outset the logic of personal data protection, through the identification of potential risks to the rights and freedoms of the data subjects, the technical and organisational measures suitable for mitigating these risks,  and the performance of a privacy impact assessment for the evalutation of the impact on data protection, before proceeding with one or more processing operations that may present a high risk to the rights and freedoms of people.
• The privacy policy has been restyled in order to ensure greater clarity and transparency, also through the use of special graphics that facilitate its usability and easy understanding. The document, published on the institutional website, specifies that the Intesa Sanpaolo Group processes personal data only for the purposes described and explicitly indicated in the information itself, made available to data subjects. No processing is carried out for secondary purposes not explicitly indicated.  In relation to the processing of personal data for marketing purposes, free, explicit and unambiguous consent is required from the data subject; if the latter denies consent or does not make any type of choice, the data collected will not be processed and used in any way for this purpose.                                                                                                                                                        

Failure to comply with external or internal legislation relating to the protection of privacy by an authorised person will result in the activation of a process aimed at verifying the actual unlawful conduct. In the event of ascertained and unjustified violations, the functions responsible for initiating disciplinary proceedings are always informed, which normally ends by imposing one of the measures provided for by the disciplinary code against the defaulting party.

During 2024, the Chief Security Officer (CSeO) Governance Area was established, which is entrusted with overseeing IT security, business continuity and physical security with the aim of ensuring, for the Group, the definition of the strategy, policies and models on cybersecurity, business continuity (also with a view to business resilience) and corporate and physical security.

In 2024, awareness-raising activities aimed at Group employees and relating to data protection issues continued. This awareness takes place through the provision of compulsory training courses in e-learning mode that include a final test and the provision of new modules to allow staff to learn the legislation in practice and continuously update. The Group, through a special tool, monitors the percentage of use of the courses and the passing of the related tests.

In 2024 54,870 Group people were trained on privacy and 72,798 hours provided. On the subject of consumer protection: 77,573 people trained and 1,639,036 hours provided.

Intesa Sanpaolo promotes a transparent, sustainable work organization with clear responsibilities at all levels. Responsibility for management, and consequently also for monitoring the effective application of the trade union agreements, is assigned to the Labour Affairs, Policies & Safety Head Office Department. 
In 2024, 39 cases of labour lawsuits were reported (11 of which from employees in service) and 92 cases were closed. The main types of ongoing litigation concern deskilling, appeals against dismissal and disciplinary sanctions, higher job positions, and termination of the employment relationship (sale of business unit – Intrum). In 2024, there were no reports of lawsuits exclusively relating to mobbing involving Group’s current employees. With regard to labour litigation, at the end of December 2024 there were no significant disputes from either a qualitative or quantitative standpoint.

The planning of audit activities within the Group is coordinated by a dedicated internal structure, the Internal Audit Funcion. In 2024, audit activities were structured across three levels (multi-year strategic, annual operational, and quarterly operational) and covered 280 Risk Areas, with 322 audits completed (including 42 “extraordinary” audits).

As required by international standards, the Internal Audit Function is subject to a regular external Quality Assurance Review (QAR). The most recent QAR was initiated in the second half of 2024 and is still ongoing, while the previous review, conducted in 2022, confirmed the Function’s ongoing development in alignment with international standards, as well as an increase in effectiveness compared to the previous QAR results.

Audit activities included 91 audits classified as significant under Legislative Decree 231/2001, of which 8 focused on corruption risk. Additionally, 6 ESG audits were conducted as part of the ESG Audit Programme, addressing topics such as ESG governance, greenwashing risk, smart buildings, ESG factors in credit processes, management of pledge policies, and sponsorships. These activities confirmed an acceptable overall risk level, with mitigation measures monitored through dedicated digital tools.

Among the additional initiatives launched in 2024, the SAIL (Strategic Audit Innovation Line-up) programme supported the ongoing evolution of the Internal Audit Function. Finally, in Q4 2024, 24 auditors participated in a training course by AIIA (Associazione Italiana Internal Auditors) specifically focused on ESG-related topics.

The Group has an internal whistleblowing system relating to both national and European regulations which harm the public interest or the integrity of Intesa Sanpaolo and the Group Companies (for example: administrative, accounting, civil or criminal offences; unlawful conduct pursuant to Legislative Decree no. 231/01; rules governing banking activities; conduct giving rise to conflicts of interest) or relating to internal company policies and/or procedures, which the whistleblower has discovered in the work context

The reference internal rules on the matter, which are the responsibility of the Chief Audit Officer Area, are set out in a specific Group rules document on internal whistleblowing systems and are available for consultation by all persons working for the Intesa Sanpaolo Group on the company intranet. In addition, a summary description is also available on the Group’s official website. The system is reserved for:

• employees and self-employed workers who work or have worked for the Group;
• workers or collaborators who provide goods or services or perform work for third parties and work or have worked for the Group;
• freelancers and consultants who work or have worked for the Group;
• volunteers and trainees; 
• shareholders (natural persons); 
• and persons with administrative, control, supervisory or representative functions.

These individuals may report a violation via channels available 24 hours a day (e-mail or voice messaging) available on the Group’s official website and on the Group’s intranet portal, in Italian or English (international language of reference), or in the language of their country. Information on the channel, procedures and conditions for carrying out reports is available on the Bank's intranet portal and in the specific section of the Group's website.

In 2024, 40 reports were received on the Parent Company’s Ordinary Channel, of which 3 were judged not pertinent, whereas 37 resulted in the launch of specific investigations. Dedicated whistleblowing channels are also active at the Group’s International Banks, which received 10 reports, 2 of which were judged not pertinent.

Mandatory training courses (one for the Italy perimeter, one for the Insurance business and one for a first portion of the international branches) were prepared and delivered during 2024. The course syllabi covered the characteristics, channels and safeguards related to whistleblowing, as well as the steps to manage the whistleblowing process.

In 2024, a specific training initiative was also carried out, in line with the provisions of Legislative Decree 24/2023, for the staff members who receive whistleblowing reports. The training, delivered by an external lawyer specialised in the subject, examined in depth the different areas of the whistleblowing process, from multiple perspectives.

A total of about 73,000 employees attended training courses on the subject.

For reports of alleged non-compliance with the code of ethics, the following e-mail address is available: codice.etico@intesasanpaolo.com

In compliance with the Code of Ethics, the entire Group is committed to observing principles based on values of honesty and integrity in managing tax matters, compliance with the tax regulations applicable in the countries in which the Group operates and maintaining a collaborative and transparent relationship with the tax authorities, including through adherence to cooperative compliance schemes.

Intesa Sanpaolo recognises the importance of contributing to the communities of the jurisdictions in which it operates, by paying the right amount of taxes and for this reason it places a particular focus on the evolution of tax regulations, both on a domestic and international level, aimed at countering base erosion and profit shifting, with the ongoing commitment to adhere to those principles.

The Group strengthened its internal tax risk control system, the Tax Control Framework (“TCF”). The TCF serves to monitor the strategic importance of tax risk and to meet the requirements for accessing to the cooperative compliance regime introduced in Italy (pursuant to Italian Legislative Decree 128/2015). At the same time, it updated the Organisation, Management and Control Model, for the purposes of the liability of entities for tax offences, sanctioned by Italian Legislative Decree No. 231 of 2001, in order to monitor the risk of tax fraud.

In December 2017, the Intesa Sanpaolo Group adopted its Principles of conduct on fiscal matters, in order to ensure compliance over time with the tax and fiscal rules of the countries where it operates and to guarantee the financial and reputational integrity of all the Group companies.

Guidelines were also approved for the management of tax risk within the system of collaborative compliance with the Revenue Agency, which govern the criteria and processes that Intesa Sanpaolo must adopt to ensure the adequacy and effectiveness of its Tax Control Framework and related Rules.

During 2024, the Group has recorded a significant amount of both indirect taxes and direct taxes for the year, for the most part in Italy, where the majority of operating income was earned, as per the table indicated in, respectively, Part C and Part L of the Notes to the consolidated financial statements.