On 18 December 2025, the Financial Intelligence Unit for Italy (“FIU”) issued a measure containing new instructions for the detection and reporting of transactions (the “Measure”), intended to replace the previous regulation of 4 May 2011 and its annexes. The Measure is the result of a public consultation in which the Firm actively participated, contributing to the drafting of the guidelines now adopted. The Measure is addressed to all entities subject to the obligations set out in Legislative Decree No. 231/2007, and the new provisions will apply from 1 July 2026.
The Measure is divided into three parts. Part One sets out the principles and rules governing active cooperation, outlining the stages involved in the identification and assessment of anomalies, the operational instructions for submitting suspicious transaction reports (“STRs”), the rules governing the suspension of transactions, and the procedures through which the FIU provides feedback on the outcome of reports. Part Two introduces provisions on organisational requirements applicable to entities not subject to supervision by sectoral supervisory authorities. Finally, Part Three sets out the procedures for accessing the Infostat-FIU portal and provides instructions for completing and submitting STRs.
With particular regard to the principles of active cooperation, the Measure places greater emphasis on the quality, rather than the quantity, of reporting flows. An STR is, in fact, the outcome of an assessment process carried out by the reporting entity, beginning with the identification of customer-related and customer-related anomalies, which must be assessed in light of the information available and the customer’s profile. The Measure expressly excludes automatic or purely precautionary approaches: the mere exceeding of quantitative thresholds, the receipt of requests for information, the existence of adverse information concerning the individual, or the imposition of personal or asset-related measures does not, in themselves, constitute sufficient grounds for submitting an STR.
The assessment process may legitimately conclude with the exclusion of suspicion; in such cases, there is no obligation to submit a report. However, the reporting entity is encouraged to document, even briefly, the reasons supporting that decision, in order to ensure traceability in the event of subsequent checks.
Among the most significant elements introduced by the Measure, the following are worth noting.
Artificial intelligence. The Measure expressly recognises the possibility of using tools based on artificial intelligence systems to identify anomalous transactions. Where such tools are used, they must comply with applicable statutory provisions, be based on objective and verifiable data, and be accompanied by appropriate human oversight, aimed at verifying and validating the anomalies identified. Although the use of artificial intelligence is approached with caution, its explicit recognition in the Measure opens the way for potential applications in areas that have so far been largely unexplored, further highlighting the regulatory challenges arising from technological developments.
Sharing of information between reporting entities. The Measure introduces the possibility for obliged entities to share information regarding identified anomalies in relation to transactions that have common elements, in compliance with the secrecy and confidentiality obligations set out in Legislative Decree 231/2007.
FIU feedback. The system for communicating the outcomes of reports has been strengthened: the FIU will provide reporting entities, at least every six months, with specific feedback on the quality of the active cooperation provided by obliged entities, distinguishing between reports lacking sufficient risk indicators to support suspicion (so-called “List A”) and reports classified as low-risk (so-called “List B”). Obliged entities are required to take these findings into account in order to progressively refine their internal processes.
Through the feedback form, the FIU also provides, at least once a year, summary assessments of the reporting entity’s active cooperation. This form is sent to entities that submitted a significant number of reports during the relevant calendar year.
Suspension of transactions. The reporting entity may submit an STR to the FIU, requesting the FIU to consider exercising its suspension powers, by submitting the STR with the appropriate flag enabled. The suspension may last for a maximum of five working days from serving the relevant measure via certified email.
As noted above, the second part of the Regulation is devoted to organisational requirements.
In particular, the role of the STR contact person is formally regulated. Where the addressee is not a natural person, this role must be identified on the Infostat-FIU portal as the legal representative or a delegate appointed by them, provided that such delegate meets the required standards of independence, authority and professionalism. Delegates may not be external to the reporting entity or the group to which they belong, nor hold responsibility for the internal audit function.
As regards the internal reporting procedure, it must be proportionate to the size and complexity of the obliged entity and ensure effectiveness, timeliness and confidentiality. The decision to submit an STR and the transmission of the report to the FIU may not be outsourced.
Finally, the last part of the Measure is devoted to reporting procedures. STRs must be submitted exclusively via the Infostat-FIU portal and must include: identifying details, structured information relating to transactions, parties and relationships, and a free-text description of the suspicious transaction and the grounds for suspicion. The descriptive section must not be limited to a mere reference to the FIU indicators of anomaly or standard templates, but must clearly set out the logical and deductive reasoning followed by the reporting entity.
In conclusion, the Measure comprehensively redefines the obligation to report suspicious transactions referred to in Articles 35 et seq. of Legislative Decree 231/2007, reinforcing an approach based on the accountability of obliged entities and the quality of active cooperation.
The new guidelines entail a number of operational implications that are particularly significant for regulated entities.
Firstly, the Measure reinforces the central role of the internal assessment process, ruling out automatic or purely precautionary approaches. This requires obliged entities to implement adequate internal procedures capable of enabling an effective assessment of anomalies in light of the customer’s profile, the nature of the transaction and its overall context.
Secondly, the introduction of explicit references to the use of artificial intelligence tools forms part of an increasingly evident trend at both national and European level, aimed at promoting the use of advanced technological solutions, whilst preserving the principle of the reporting entity’s decision-making responsibility. The use of artificial intelligence cannot replace the assessment process required under anti-money laundering legislation, but it can support the identification and management of anomalies, particularly in contexts characterised by a high transaction volume or complex transaction patterns.
In this context, compliance with the new guidance goes beyond a mere formal update of procedures; it requires a comprehensive review of anti-money laundering controls, including – inter alia – the implemntation of internal reporting procedures, the identification of the STR contact person, the updating of anomaly management policies and the training of staff involved in operations.
With the new instructions due to enter into force on 1 July 2026, it is therefore advisable for obliged entities to begin reviewing their anti-money laundering compliance frameworks without delay, in order to ensure full alignment with the new regulatory framework and mitigate the operational and reputational risks associated with the handling of suspicious transactions.
The introduction of the new provisions represents an opportunity to strengthen existing safeguards and adapt them to ongoing regulatory and technological developments affecting the sector.
