Figures published recently by the Financial Conduct Authority (“FCA”) show that the use of attestations by the FCA is on the rise. We examine their use and impact. An attestation is a personal commitment given by an approved person, requested by the regulator, that a specific action has been taken or will be  taken. By way of example, an individual may be required to inform the regulator if an identified  risk changes in its nature, magnitude or extent. An attestation can be given by an individual, a  collection of individuals, or even a firm.

Attestations are a formal supervisory tool, rather than  an enforcement tool. They are part of the  tool-kit used by the regulator to ensure personal accountability of senior management and can also  operate to focus the minds of senior managers on specific issues identified by the regulator.

The increasing use of attestations by the FCA and the Prudential Regulation Authority (“PRA”) in  recent years has not been without controversy, particularly given that they are, in effect, a creation of the regulator itself with no formal statutory basis. Some have  argued that attestations may skew the prioritisation of risk at firms, and that more transparency  regarding the criteria for their use is needed. The regulators are required to consult on and  publish guidance in respect of the exercise of their regulatory powers but guidance and  consultation in respect of their use of attestations has been notable by its absence.

The FCA has now responded to these concerns by publishing some clarification (in the form of an  exchange of letters with the FCA Practitioner Panel) as to its use of attestations together with  some statistics, with the first set of figures published in February this year.

FCA attestation statistics uncovered On 13 February 2015 the FCA published for the first time the statistics regarding its use of  attestations. The statistics covered attestations made in 2014 and are divided into quarters.

The figures demonstrate that there has been a sharp increase in the number of attestations  throughout 2014. In 2014 there were a total of 59 attestations requested by the FCA. Of these 59  attestations, there were ten in the fourth quarter of 2013/14, six in the first quarter of 2014/5, twenty in the second quarter of 2014/5, and twenty three in the third quarter of 2014/5.  So, if we compare the number of attestations in the first quarter of 2014/5 to the third quarter of  2014/5 there has been nearly a four-fold increase.

The use of attestations has been focussed on particular sectors, being most utilised in the  Wholesale and Investment Management sector (twenty one), followed by Long Term Savings and Pensions  (thirteen), and  then Retail (eleven). In the Wholesale and Investment Management, and the Long  Term Savings and Pensions sectors there was a focus on C2 firms (firms and groups with large retail customer numbers and wholesale firms with a significant market presence), whilst the attestations in the Retail sector were focussed on C1 firms (groups  with the largest number of retail customers  and wholesale firms with the most significant market presence). The two sectors with the fewest amount of attestations were Mortgages and Consumer Lending (eight), and  General Insurance and Protection (six).

The 2014 figures show that there was generally a focus on the bigger firms (C1 or C2), compared to  those in categories C3 firms (retail and wholesale firms with a medium-sized customer base) or C4  (retail and wholesale firms with a small number of customers). Of the 59 attestations in 2014, 49  were given by those in C1 or C2 firms, which equates to 83% of the total. The category with the most number of attestations was C2 which had 34,  comfortably more than half of the total number of attestations in 2014. Having  said this, the  number of attestations in C2 firms did fall slightly from quarter two to quarter three of 2014/5.   Whilst there had been a small number of attestations in C3 and C4 firms prior to the third quarter  of 2014/15, in that quarter there were six attestations, which was more than the total number of  attestations in the previous three quarters.

What the statistics tell us

The statistics indicate that the regulator’s enthusiasm for attestations continues to grow and it  is not difficult to see why attestations are such a useful and attractive tool for the FCA.  Attestations are a cheap and effective mechanism for the FCA to target a specific firm about a  specific issue that it is concerned about without having to become involved itself, thus allowing the FCA to utilise time and resources elsewhere.

And it is not just the FCA using attestations. The PRA recently required all branches of  non-European Economic Area banks to make attestations about compliance with systems and controls.

While it is generally understood that the regulator will look to the most relevant significant  influence function holder in a firm, in practice there may be more than one individual who could  provide the attestation sought. This level of clarification is missing from the FCA’s published  data and, so, no conclusions can be drawn at present as to whether certain roles are more likely to  receive requests for personal attestations than others.

What the guidance tells us

In its August 2014 letter to the FCA Practitioner Panel,  the FCA explained that it usually looks  to utilise personal attestations in the following four scenarios:

  • Notification – Where an appropriate individual at a firm is asked to confirm that they will  notify the regulator if a non-material emerging risk changes in its nature, magnitude or extent.
  • Undertaking − Where the FCA requires a firm to confirm that it will take specific action within a  specified timescale to address a particular risk which is unlikely to result in material harm to  consumers or a negative impact on market integrity.
  • Self-certification − Where the FCA are confident the firm can resolve the issue itself, an  attestation may be requested in respect of more serious and material risks, confirming that the  risk has been mitigated or resolved.
  • Verification − Where the regulator requires a firm to resolve issues or mitigate risks, together  with confirmation (for example, by way of an internal audit) that those steps have been taken.

Do those targeted (and their insurers) have anything to fear from the increasing use of attestations?

There is no statutory basis for a regulator to  require an individual to give an attestation. As such, an individual may, in theory, refuse to  provide one. Having said this, in practice it will be difficult for a firm and the individual to resist giving an attestation without good reason as this will likely result in more significant regulatory intervention, for example by way of a skilled persons  report under section 166 of Financial Services & Markets Act 2000 (“FSMA”) or even enforcement  action.

Whilst the interests of the individual and the firm will often coincide, this will not always be  the case and, depending on the circumstances, it may be necessary for the individual to obtain  separate legal advice before signing an attestation.

Once the decision has been taken to provide an attestation, the individual concerned must be  careful to ensure that he understands the parameters of what is being attested to and is comfortable this can be complied  with and evidenced.

Providing an attestation which turns out to be false, or which is not or cannot be complied with,  could well constitute a breach by the individual of the Statements of Principle of Approved Persons  (“Statements of Principle”). Of particular significance are likely to be Statements of Principle 1  (the requirement that an individual must act with integrity in carrying out their accountable  functions) and 4 (the requirement to be open and co-operative with a firm’s regulator and to disclose appropriately any information of which the regulator would  reasonably expect notice).

Section 66 of FSMA provides that an approved person is guilty of misconduct if he fails to comply  with a Statement of Principle or has been knowingly concerned in a contravention by the firm of a  requirement imposed on it under FSMA. It is under this section that most enforcement action is  taken against individuals. Whilst an attestation may be seen as giving rise to some form  of strict  liability in the event of breach, it was stressed in Pottage v Financial Services Authority, Upper  Tribunal (Tax and Chancery) (2012), a key authority on the responsibility for senior management of their business, that individuals are only personally liable where they are personally culpable  and it is therefore not enough that a regulatory failure occurred in an area of business for which the approved person was responsible – rather, the  individual must have been responsible for the breach and the onus is on the regulator to show that  a breach has occurred.

However, Pottage concerned specifically the role and duties of a CEO and no personal attestation  had been given. Further, the regulatory environment has moved on since the events forming the basis  of Pottage given the increased use of attestations and, following the recommendations of the June 2013 report of the Parliamentary Commission for Banking Standards, a new regulatory  regime for senior managers is pending (see our article on page 6), and a key element of this is the presumption of responsibility. This means that where a firm contravenes  a relevant requirement, the senior manager with responsibility  for the management of any of the  firm’s activities in relation to which the contravention occurred is guilty of misconduct, unless the senior manager can  satisfy the regulator that they took such steps as a person in their position could reasonably be  expected to take to avoid the contravention occurring, or continuing. In short, the burden of proof  will be reversed. The signing of a false attestation may also open up an individual to criminal sanctions under section 398 of the FSMA, which provides that it is an  offence for a person knowingly or recklessly to provide a regulator with information which is false  or misleading in a material particular.

In addition to these consequences, there is of course the likely damage to an individual’s  professional reputation if they provide an attestation which is false or is not, or cannot be,  complied with.

A breach of an attestation will likely also bring the firm itself back under the regulatory  spotlight, noting that the Principles for Business impose similar obligations of integrity,  openness and cooperation on the firm.

The breach of an attestation will also potentially have an impact for D&O insurers. It will depend  on the wording  of the D&O insurance policy whether an individual’s legal costs, for example  defending an investigation by the regulator into the breach, are covered. Such costs could be very  substantial, particularly if there is an appeal. Cover may not be available if the individual  signed the attestation knowing that it was not true.