As it is widely known, Italian Legislative Decree No. 231/2001 (Decree 231) governs the liability of legal entities (including Italian subsidiaries of foreign companies) in case certain offenses (the Predicate Crimes) are committed in the interest or to the benefit of the entity by its directors, managers, representatives, or employees under their surveillance.
The legal entity might avoid liability under Decree 231 if, inter alia, (i) it has adopted, effectively implemented, and kept up to date an internal organisational, management and control model (the Model 231), and (ii) it has appointed a Supervisory Board (Organismo di Vigilanza) to monitor and ensure company’s compliance with the Model 231.
The adoption and implementation of a Model 231 is not mandatory under Italian law. However, failure to do so could expose a company to potential risk of liability if a Predicate Crime is committed in its interest or to its benefit, insofar the entity would not have the chance to demonstrate that a compliance system was set in order to prevent offenses of the type occurred (i.e., there was not an organizational fault).
The Italian legislator frequently modifies the list of Predicate Crimes (and/or the definitions of specific Predicate Crimes) for which a company may be held liable under Decree 231.
In this regard, please find below the summary of the main changes, including (direct or indirect) amendments to the list of Predicate Crimes, occurred during last year and half.
- Legislative Decree of March 2, 2023, No. 19 modified Article 25-ter of Decree 231 to include in the list of Predicate Crimes the crime of false or omitted statements for the issuance of the preliminary certificate provided for in the implementing legislation of Directive (EU) 2019/2121 of November 27, 2019.
- Legislative Decree of March 10, 2023, No. 24, implementing Directive (UE) 2019/1937 on the protection of whistleblowers, amended Article 6 of Decree 231. In particular, Article 6 has been changed in order to expressly mention Italian Legislative Decree No. 24/2023. It is now clear that suitable organizational models should include whistleblowing reporting channels with the same requirements provided for under Legislative Decree No. 24/2023.
- Decree Law of August 10, 2023, No. 105, converted into Law of October 9, 2023, No. 137 modified the punitive treatment of most of the environmental crimes and introduced among the Predicate Crimes the crimes of disruption of freedom of tender, disruption of freedom of the procedure for choosing a public contractor, as well as the crime of fraudulent transfer of valuables, the latter subsequently amended by Decree Law of March 2, 2024, No. 19.
- Law of June 28, 2024, No. 90 (Article 20) modified Article 24-bis, para. 1, 2 and 4, and introduced Article 24-bis, para. 1-bis, to take into account certain changes in the definitions of cybercrimes under the Italian Criminal Code (including the substitution of certain crimes with other broader definitions) and to include in the list of Predicate Crimes the new crime of extorsion through the commission of a cybercrime under the new Article 629, para. 3, of the Italian Criminal Code.
- On July 1, 2024, Draft Law No. 808/2023 was finally approved by the Italian Parliament. As soon as it will be enacted by the President of the Republic, it will amend certain Predicate Crimes against the Public Administration provided for under Article 25 of Decree 231. In particular, the new Law will (i) amend the definition of the crime of traffic of influence, and (ii) repeal the crime of “abuse of office”, which was introduced into the list of Predicate Crimes by Legislative Decree No. 75/2020 implementing Directive (EU) 2017/1371, subject to the fact that the act offended the financial interests of the European Union.
Such frequent changes impose on companies the burden to constantly monitor and update their Models 231, in order to assess whether the legislative changes affect Predicate Crimes which may be relevant for their business and, if so, to adopt and implement suitable safeguards to mitigate the relevant risk.
Therefore, companies should routinely conduct a timely and accurate assessment of the potential effects of legislative changes impacting the system of internal controls. This is especially important with reference to the whistleblowing channels, internal procedures on public tenders and how to deal with public officials (in general, any anti-bribery procedures), as well as to procedures on the use of IT systems/devices.