Attestation costs: the price of placing your neck on the line

Over the past 6 months it has become increasingly common for the Financial Conduct Authority (FCA) to require senior personnel; typically those holding a Significant influence Functions (SIF) of regulated firms to provide 'attestations' about the state of certain aspects of their business. This regulatory tool brings increased accountability for senior management which can be positive, yet it also has the potential to impact the industry detrimentally as firms risk losing key people who want to avoid putting their necks on the line.

Ian Stott from independent compliance consultancy The Consulting Consortium and Joanne Hall from law firm DWF’s litigation and regulatory group explore the legal implications and industry impacts of attestations in financial services.

Senior management accountability

The concept of attestations is not set out, or defined, in the Handbook or, indeed, any other legal instrument, but they are nonetheless becoming required by the FCA with ever greater frequency. Further, although they have not yet been used by the Prudential Regulation Authority (PRA), there is no reason why it will not do so in the future too.

It is not an entirely new concept for regulators to require senior executives to put their own reputations on the line for the sake of their company. In cases of suspected serious corporate tax fraud, the Inland Revenue used to read company directors their rights (the criminal caution) and audio-record interviews with them in response to which each director agreed to take responsibility for ensuring that all relevant matters were reported to the Revenue so that a settlement could be reached. If the report was incomplete or incorrect in any way, each was liable then to criminal prosecution for the offence. This was considered a very effective process and was very successful in bringing companies into compliance. It was only changed with regulatory re-structure of the agencies.

The primary reason for this trend in the finanacial services industry is the FCA's determination to focus the minds of senior individuals and boards of firms on matters of compliance that the FCA considers to be important and is a direct result of the regulatory predecessor, the Financial Services Authority’s (FSA) failure to do so. The FCA has long been frustrated by the distance it perceives that boards have from grass roots compliance, delegating responsibility (and effectively liability) to those further down the hierarchy.

It is the FCA's hope that, by requiring these attestations from individuals at the helm, it is more likely that proper, and crucially effective, remedial action will be taken and problems properly addressed.

In July 2013, Martin Wheatley (FCA Chief Executive) was at pains to emphasise what he described as the "…crystallising [of] personal accountability…" and this approach is very much at the heart of that. Clive Adamson, Director of Supervision has also said that "attestations evolved from our greater emphasis on personal accountability. We find that when we ask for them it focuses the mind not only of the individuals but of the firm".

What are attestations and what do they mean?

An attestation is a written confirmation, similar to a personal undertaking, that particular supervisory actions or areas of regulatory focus specified by the regulator are being met by the firm. It usually falls to the CEO, but other SIFs and boards can also be required to provide them.

There are used in two principal types of situation in which attestations are being used:

  1. Individual firms – they are usually required as a result of a particular problem having been identified whether that was through and agreed FCA Risk Mitigation Programme (RMP), supervision or enforcement - such as following a Skilled Persons’ Report under section 166 FSMA. The attestation is likely to be framed to reflect confirmation that the remedial actions agreed between the FCA and the firm have been, or will be, implemented within a particular time frame; and
  2. Thematically – they are required from multiple businesses operating in a particular market in which a particular issue has been identified across a number of firms as a result of thematic work undertaken by the FCA. The aim is to ensure that Significant Influence Function holders (SIFs) are made aware of the problems and can, therefore, be held personally accountable should those problems arise in the future. One example of such an attestation was in 2012 when Asset Management firms were asked to attest that their conflict of interest processes were compliant with the expectations of the regulator.

In both situations, the fact is that the firms are already under increased FCA scrutiny and it is likely that there is a serious issue requiring investigation.

There can be little doubt that this change of attitude has been brought about in large part as a response to the public's calls for high profile scalps in the wake of the financial crisis generally but this was then compounded by the mis-selling and LIBOR scandals. Evidential difficulties in demonstrating personal awareness and culpability of the most senior executives proved to be the stumbling block and attestations are seen as key to overcoming this.

It is, however, vital to evidence all steps taken to comply with an attestation if enforcement action is to be avoided. At this point firms would be wise to follow regulatory instructions and review its compliance function holistically to demonstrate a wholesale commitment to improvement.

What are the liabilities?

The lack of clarity around the meaning of attestations has led many to underestimate their import. If the attestation is contravened, the consequences for the firm involved and for the individual attestor can be severe.

An attestation, if not abided by, will provide the FCA with evidence against an individual or firm and make it easier for enforcement action against them. There are a number of potential ways in which the attestation could be used and the more senior the attestor, the more likely the FCA is to take action against them personally:

  1. As evidence that a SIF was personally aware of the issue at hand and has not carried out a particular function, or has not acted, appropriately could amount to a breach of the Statements of Principle for Approved Persons (in particular principles 1 and 4);
  2. If the attestation is not carried out, the attestor can be criminally prosecuted for providing false or misleading information to the regulator, regardless of whether it was knowingly done or recklessly;
  3. Enforcement action against the firm will be aggravated by the fact of the attestation; and
  4. If shown to be dishonest in the making of the attestation and that the intention was to expose another to the risk of loss, the individual attestor could be liable to a criminal prosecution for fraud by false representation which carries up to 10 years imprisonment and an unlimited fine.

For the attestor, before signing up, it will be essential to consider whether there is enough confidence in the abilities of those more junior employees working within existing systems and procedures to risk their own reputation and livelihood stake.

If the FCA is not satisfied that the requirements of attestations have been met, it will be necessary for the attestor to overcome prima facie evidence of their personal failure. Key to that will be demonstrating to the FCA (which will view everything with the benefit of hindsight) that the steps taken were reasonable; that appropriate challenge was made to information provided; that explanations that seemed unlikely or unsatisfactory were rejected; and that conclusions reached were reasonable and based on sound evidence.

Impact on the industry

The potential impact on the industry is arguably quire interesting. It is entirely feasible that there will be senior individuals in firms that have sufficient confidence in their people, processes and controls to ensure that any personal risk is mitigated in the same way as corporate risk – by having proportionate and relevant risk controls in place that inform the business and therefore direct appropriate mitigants. However, there will no doubt be others who have less confidence in their firm’s ability to adhere to FCA requirements and might consider it a step too far to personally attest to satisfactory work being completed in line with regulatory expectation. How this plays out in terms of personnel attrition at firms under FCA scrutiny remains to be seen but it would be an interesting dynamic for the FCA to observe SIFs refusing to attest or resigning their positions of influence.

Hypothesising further, if these risks crystallise this might create some issues for firms which would be faced with the dual challenges of losing key individuals at a critical time, alongside potentially unreliable and undependable business practices. This would inevitably set alarm bells ringing for the regulator, who would want to know why a SIF was unwilling to provide a personal attestation.

Things to consider before providing an attestation

What should you do if you are asked to provide an attestation? Although there is no legal obligation to provide it, in practice it is likely to be difficult to decline.    

The increasing use of attestations as a validation tool demonstrates the willingness of the regulator to hold senior management responsible for the actions of their firm and their compliance function. Being a SIF already brings with It a great deal of responsibility, but you should realise that signing an attestation without understanding your obligations or ensuring that the issues you are being asked to address are going to be be successfully remediated, could mean you are signing away your reputation and future.

For more information please contact Joanne Hall, Partner at DWF.

This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.