Personal commitments: Benefits and risks of signing an attestation with the FCA

• What is an attestation?
• What is the legal basis of an attestation?
• What are attestations used for and who can sign them?
• What are the different types of attestations? 
• What are the benefits and risks of an attestation?
• What are the risks if there is a breach of an attestation?
• Who is the right person to sign the attestation?
• Should I sign an attestation? Steps to mitigate the risks
• Consistency in the FCA's approach
• Publication of data about attestations
• Benefits and risks of signing an attestation with the FCA

1. What is an attestation? 

Attestations are used by the FCA to obtain “a personal commitment from an approved person at a regulated firm that specific action has been taken or will be taken”. The FCA state that this is to show action is being taken “where we would like to see change within firms, often without ongoing regulatory involvement.” The use of attestations also accords with the FCA’s more general ambition to make individuals, and in particular senior management, directly accountable for decisions made on behalf of a firm.

2. What is the legal basis of an attestation?

The legal status of an attestation is unclear -  it is not legislated for in statute and neither the Financial Service and Markets Act 2000 (FSMA) nor the Financial Services Act 2012 give the FCA the right to require senior managers to attest.  The clearest indication from the FCA of their policy concerning attestations including their purpose, when and how they should be used is set out in a letter dated 22 August 2014 from the Head of Supervision at the FCA (the Supervision Letter). That letter describes attestations as a formal supervisory tool and provides a summary of the FCA’s approach to using attestations and the steps they are taking to ensure they are used consistently and clearly. 

3. What are attestations used for and who can sign them?

The use of attestations is not limited to a particular aspect of the FCA’s role but is increasingly used in a variety of scenarios, such as a consequence of a regulatory visit, as a result of a thematic review or as part of (or instead of) formal enforcement action. There is no formal guidance on who could or should provide an attestation – it could be a range of functions from compliance officers, money laundering reporting officers (MLROs) or any other senior individuals.

4.What are the different types of attestations?

The common scenarios in which the FCA may use attestations are set out in the FCA website and the Supervision Letter. The first two are forward-looking but confined to more benign risks (i.e., situations which are unlikely to result in material harm to consumers or impact on market integrity) whereas the last two are backward-looking (i.e., where a risk has been identified and the purpose is to remedy or mitigate that risk).

• Notifications - the attestation may be, for example, to notify the FCA of a change in risk, whether in terms of its nature, magnitude or extent. By implication this will likely require the individual to ensure that appropriate and effective processes are in place to monitor changes to the risk, assess whether the change triggers a requirement to notify and, if so, to make such a notification.
• Undertakings – where the regulator wants a firm to take specific action within a particular time limit and an individual attests that this will be done.
• Self-certifications – these are the preserve of more significant issues but nonetheless the FCA believes the firm can resolve the issue, with the attestation confirming that the issues have been mitigated or resolved.
• Verifications – arise in circumstances where the FCA has allowed the firm to resolve an issue or mitigate a risk but wants an attestation confirming that the action has been done and this has been independently verified, for example by independent audit.

5. What are the benefits and risks of an attestation?

It will often be in both the regulator’s and the firm’s interests to resolve relatively minor breaches or risk issues without requiring any formal regulatory process and attestations may be a way to achieve this pragmatically; however, it will leave the individual who is signing the attestation vulnerable to later criticism and/or regulatory action should anything go wrong. 

6. What are the risks if there is a breach of an attestation?

Signing an attestation will make an individual vulnerable to regulatory action should there be any problems or breach in the undertaking given.  In the Supervision Letter, reference is made to Statement 4 of the Principles for Approved Persons i.e., the requirement for an approved person to be open and co-operative with the regulator and that a failure to notify “could result in action being taken as required and appropriate”. Therefore if circumstances change or an event occurs that means that a self-certification is no longer correct or a notification is triggered and the individual fails to report this to the regulator, this could lead to enforcement action. Although not referred to in the Supervision Letter, it appears likely that an allegation that an individual signed an attestation knowing or believing it to be false could result in enforcement action for breach of Statement 1 of the Principles (to act with integrity) and/or a s177 FSMA offence of providing false, misleading or reckless information to the regulator.

When and if the Principles for Approved Persons are replaced by the Senior Persons Regime in the banking sector, the reverse burden would mean a senior manager would have to prove that they took “all reasonable steps” to prevent the breach. 

7. Who is the right person to sign the attestation?

According to the Supervision Letter, depending on the attestation being required, the FCA will “usually ask for attestations to be given by the most relevant significant influence function holder”, although they are likely to leave the firm to identify who this should be. In practice there could be a number of individuals who potentially could sign an attestation.  

8. Should I sign an attestation? Steps to mitigate the risks

Inevitably there is likely to be pressure from the firm for an individual to sign an attestation as the alternative may be some form of regulatory intervention, such as a skilled persons review under s166. However, individuals will need to understand that an attestation is a personal commitment with potentially serious consequences for them which mean their interests may not be aligned with that of the firm.  They should consider seeking independent advice before signing.  Steps to mitigate the risks may include:

• Is the attestation clear and realistic? It needs to be specific, achievable and have a realistic timetable.  If this is not the case then efforts should be made with the FCA to change it.  This will not necessarily be an easy process, but for the individual  it is better to get this done at the outset rather than trying to rectify a badly drafted attestation after it has been signed.
• If appropriate, more detailed documents may be appended or sent as a follow up to the attestation in order to provide context about the basis upon which the attestation has been signed, such as the evidence that has been seen prior to the individual attesting, presumptions that have been made, the role of the individual and other individuals in ensuring the commitment is complied with and identifying any potential risk factors that may impact on performance.
• It is important that firms have an open dialogue with their FCA supervisors so there is no misunderstanding on either side about their expectations, their understanding of the attestation that is being given, its timing and the basis upon which it is being signed.

9. Consistency in the FCA's approach

The Supervision Letter sets out the FCA’s next steps to ensure increased consistency in its approach:

• issue revised internal guidance and supporting materials to supervisors setting out the importance of clarity and transparency when using attestations
• strengthen internal governance processes.; 
• record, track and publish of data relevant to attestations

10. Publication of data about attestations

The FCA intends to publish information on a quarterly basis on how often it requests attestations.  The first set of data sets out the number of attestations requested during 2014 by sector and conduct classification.
The conduct categories relate to the FCA’s assignment of every firm or group to one of four categories of conduct supervision: C1, C2, C3 and C4. These broadly reflect a firm’s size and retail customer numbers or wholesale presence, and the corresponding level of risk the firm potentially poses to the FCA’s objectives.  Each category is subject to a different level of supervision.

• C1  - Groups with the largest number of retail customers, and wholesale firms with the most significant market presence. They have a named supervisor and a high level of firm-specific supervision.
• C2  - Firms and groups with large retail customer numbers and wholesale firms with a significant market presence. They have a named supervisor and a high level of firm-specific supervision.
• C3  - Retail and wholesale firms with a medium-sized customer base. They are supervised with a sector-based approach, with less frequent firm-specific engagement.
• C4  - Retail and wholesale firms with a small number of customers. They are supervised with a sector-based approach, with less frequent firm-specific engagement.

For the data gathered so far, 59 attestations have been requested from Q4 2013/14 to Q3 2014/15.  The number of requests per quarter have more than doubled during that period with the majority of requests in the C2 category (34 out of 59) and the sector with the most requests being Wholesale & Investment Management (21 out of 59).

11. Benefits and risks of signing an attestation with the FCA

It is early days in the monitoring of the use of attestations, but it is likely that in time we will see enforcement action against individuals directly related to these personal undertakings. Individuals should approach signing an attestation with caution and only sign when they are confident that they understand the commitment that they are giving, that it can be complied with and that any risks associated with them are mitigated.