Figures published recently by the Financial Conduct Authority (“FCA”) show that the use of attestations by the FCA is on the rise. We examine their use and impact. An attestation is a personal commitment given by an approved person, requested by the regulator, that a specific action has been taken or will be taken. By way of example, an individual may be required to inform the regulator if an identified risk changes in its nature, magnitude or extent. An attestation can be given by an individual, a collection of individuals, or even a firm.
Attestations are a formal supervisory tool, rather than an enforcement tool. They are part of the tool-kit used by the regulator to ensure personal accountability of senior management and can also operate to focus the minds of senior managers on specific issues identified by the regulator.
The increasing use of attestations by the FCA and the Prudential Regulation Authority (“PRA”) in recent years has not been without controversy, particularly given that they are, in effect, a creation of the regulator itself with no formal statutory basis. Some have argued that attestations may skew the prioritisation of risk at firms, and that more transparency regarding the criteria for their use is needed. The regulators are required to consult on and publish guidance in respect of the exercise of their regulatory powers but guidance and consultation in respect of their use of attestations has been notable by its absence.
The FCA has now responded to these concerns by publishing some clarification (in the form of an exchange of letters with the FCA Practitioner Panel) as to its use of attestations together with some statistics, with the first set of figures published in February this year.
FCA attestation statistics uncovered On 13 February 2015 the FCA published for the first time the statistics regarding its use of attestations. The statistics covered attestations made in 2014 and are divided into quarters.
The figures demonstrate that there has been a sharp increase in the number of attestations throughout 2014. In 2014 there were a total of 59 attestations requested by the FCA. Of these 59 attestations, there were ten in the fourth quarter of 2013/14, six in the first quarter of 2014/5, twenty in the second quarter of 2014/5, and twenty three in the third quarter of 2014/5. So, if we compare the number of attestations in the first quarter of 2014/5 to the third quarter of 2014/5 there has been nearly a four-fold increase.
The use of attestations has been focussed on particular sectors, being most utilised in the Wholesale and Investment Management sector (twenty one), followed by Long Term Savings and Pensions (thirteen), and then Retail (eleven). In the Wholesale and Investment Management, and the Long Term Savings and Pensions sectors there was a focus on C2 firms (firms and groups with large retail customer numbers and wholesale firms with a significant market presence), whilst the attestations in the Retail sector were focussed on C1 firms (groups with the largest number of retail customers and wholesale firms with the most significant market presence). The two sectors with the fewest amount of attestations were Mortgages and Consumer Lending (eight), and General Insurance and Protection (six).
The 2014 figures show that there was generally a focus on the bigger firms (C1 or C2), compared to those in categories C3 firms (retail and wholesale firms with a medium-sized customer base) or C4 (retail and wholesale firms with a small number of customers). Of the 59 attestations in 2014, 49 were given by those in C1 or C2 firms, which equates to 83% of the total. The category with the most number of attestations was C2 which had 34, comfortably more than half of the total number of attestations in 2014. Having said this, the number of attestations in C2 firms did fall slightly from quarter two to quarter three of 2014/5. Whilst there had been a small number of attestations in C3 and C4 firms prior to the third quarter of 2014/15, in that quarter there were six attestations, which was more than the total number of attestations in the previous three quarters.
What the statistics tell us
The statistics indicate that the regulator’s enthusiasm for attestations continues to grow and it is not difficult to see why attestations are such a useful and attractive tool for the FCA. Attestations are a cheap and effective mechanism for the FCA to target a specific firm about a specific issue that it is concerned about without having to become involved itself, thus allowing the FCA to utilise time and resources elsewhere.
And it is not just the FCA using attestations. The PRA recently required all branches of non-European Economic Area banks to make attestations about compliance with systems and controls.
While it is generally understood that the regulator will look to the most relevant significant influence function holder in a firm, in practice there may be more than one individual who could provide the attestation sought. This level of clarification is missing from the FCA’s published data and, so, no conclusions can be drawn at present as to whether certain roles are more likely to receive requests for personal attestations than others.
What the guidance tells us
In its August 2014 letter to the FCA Practitioner Panel, the FCA explained that it usually looks to utilise personal attestations in the following four scenarios:
- Notification – Where an appropriate individual at a firm is asked to confirm that they will notify the regulator if a non-material emerging risk changes in its nature, magnitude or extent.
- Undertaking − Where the FCA requires a firm to confirm that it will take specific action within a specified timescale to address a particular risk which is unlikely to result in material harm to consumers or a negative impact on market integrity.
- Self-certification − Where the FCA are confident the firm can resolve the issue itself, an attestation may be requested in respect of more serious and material risks, confirming that the risk has been mitigated or resolved.
- Verification − Where the regulator requires a firm to resolve issues or mitigate risks, together with confirmation (for example, by way of an internal audit) that those steps have been taken.
Do those targeted (and their insurers) have anything to fear from the increasing use of attestations?
There is no statutory basis for a regulator to require an individual to give an attestation. As such, an individual may, in theory, refuse to provide one. Having said this, in practice it will be difficult for a firm and the individual to resist giving an attestation without good reason as this will likely result in more significant regulatory intervention, for example by way of a skilled persons report under section 166 of Financial Services & Markets Act 2000 (“FSMA”) or even enforcement action.
Whilst the interests of the individual and the firm will often coincide, this will not always be the case and, depending on the circumstances, it may be necessary for the individual to obtain separate legal advice before signing an attestation.
Once the decision has been taken to provide an attestation, the individual concerned must be careful to ensure that he understands the parameters of what is being attested to and is comfortable this can be complied with and evidenced.
Providing an attestation which turns out to be false, or which is not or cannot be complied with, could well constitute a breach by the individual of the Statements of Principle of Approved Persons (“Statements of Principle”). Of particular significance are likely to be Statements of Principle 1 (the requirement that an individual must act with integrity in carrying out their accountable functions) and 4 (the requirement to be open and co-operative with a firm’s regulator and to disclose appropriately any information of which the regulator would reasonably expect notice).
Section 66 of FSMA provides that an approved person is guilty of misconduct if he fails to comply with a Statement of Principle or has been knowingly concerned in a contravention by the firm of a requirement imposed on it under FSMA. It is under this section that most enforcement action is taken against individuals. Whilst an attestation may be seen as giving rise to some form of strict liability in the event of breach, it was stressed in Pottage v Financial Services Authority, Upper Tribunal (Tax and Chancery) (2012), a key authority on the responsibility for senior management of their business, that individuals are only personally liable where they are personally culpable and it is therefore not enough that a regulatory failure occurred in an area of business for which the approved person was responsible – rather, the individual must have been responsible for the breach and the onus is on the regulator to show that a breach has occurred.
However, Pottage concerned specifically the role and duties of a CEO and no personal attestation had been given. Further, the regulatory environment has moved on since the events forming the basis of Pottage given the increased use of attestations and, following the recommendations of the June 2013 report of the Parliamentary Commission for Banking Standards, a new regulatory regime for senior managers is pending (see our article on page 6), and a key element of this is the presumption of responsibility. This means that where a firm contravenes a relevant requirement, the senior manager with responsibility for the management of any of the firm’s activities in relation to which the contravention occurred is guilty of misconduct, unless the senior manager can satisfy the regulator that they took such steps as a person in their position could reasonably be expected to take to avoid the contravention occurring, or continuing. In short, the burden of proof will be reversed. The signing of a false attestation may also open up an individual to criminal sanctions under section 398 of the FSMA, which provides that it is an offence for a person knowingly or recklessly to provide a regulator with information which is false or misleading in a material particular.
In addition to these consequences, there is of course the likely damage to an individual’s professional reputation if they provide an attestation which is false or is not, or cannot be, complied with.
A breach of an attestation will likely also bring the firm itself back under the regulatory spotlight, noting that the Principles for Business impose similar obligations of integrity, openness and cooperation on the firm.
The breach of an attestation will also potentially have an impact for D&O insurers. It will depend on the wording of the D&O insurance policy whether an individual’s legal costs, for example defending an investigation by the regulator into the breach, are covered. Such costs could be very substantial, particularly if there is an appeal. Cover may not be available if the individual signed the attestation knowing that it was not true.