By Jacqui Hatfield, Partner, Reed Smith and Melanie Shone, Trainee, Reed Smith
What is an “attestation” and when might we be asked by the FCA to give one?
Attestations are part of the FCA supervisory toolkit used to ensure accountability from senior management in all regulated firms. They commonly require an approved individual to take responsibility for confirming that the company has, for example, delivered customer redress, or has the appropriate governance arrangements or systems and controls in place.
They are essentially a means by which the FCA can gain personal commitment from an approved person that specific action has been taken or will be taken, often without requiring ongoing regulatory involvement. The FCA’s aim is to ensure that there is clear accountability and senior management focus towards making any necessary changes.
We have seen attestations commonly used in conjunction with other FCA supervisory powers, such as following the conclusion of a Skilled Person Review under Section 166 Financial Services and Markets Act 2000.
Who should not be giving an attestation?
An attestation should be given by the most relevant significant influence function holder (for example, the significant influence function holder who is responsible for the area of the firm at which the issue has arisen or who is responsible for addressing the issue).
However, while attestations were originally intended for the most senior management, we have seen these being directed towards compliance officers for whom it may not be appropriate to take on the personal liability attestations bring without at least the CEO or a Board member attesting alongside them.
Ultimately, the question of appropriateness of the individual is for the regulator to decide, in (we would hope) dialogue with the firm, individual(s) concerned and their respective advisers. The most appropriate person (or persons) to make an attestation will very much depend on the situation of the firm, the objectives of the attestation and the particular factual circumstances surrounding the FCA’s request. There are no “right” or “wrong” individuals. However, we would generally expect most attestations that undertake to take future actions to be made by the most senior individual(s) in the firm who has/have both the necessary authority and responsibility to initiate the changes required.
What if the attestation turns out to be false or the terms of an attestation are breached?
Attestations are an enforcement tool. It is important to remember that in seeking an attestation, the FCA is trying to ensure both personal accountability and senior management focus for implementing any future action required by the regulator. The FCA’s stance on enforcement action more generally is clear; it intends to pursue more cases against individuals and hold members of senior management accountable for their actions. This of course, echoes the forthcoming introduction of the Senior Managers Regime and Senior Insurance Managers Regime, and extension of the Senior Managers and Certification Regime across the regulated financial services sector.
Ultimately those providing an attestation, and also potentially the firm itself, remain exposed to the full suite of enforcement measures open to the FCA to take for regulatory breaches (this may include, for example, public censure, financial penalties or suspension/withdrawal of permissions).
There are several key issues to consider if, after having made the attestation, it turns out to have been untrue or any of its terms not complied with.
Enforcement action under the terms of the attestation.
Firstly, the firm and individual should consider the potential for any action to be taken under the terms of the attestation itself. At a very high level, a failure to act with integrity could result in enforcement action against an individual for breach of Statement 1 of the Statement of Principles for Approved Persons. In addition, approved persons are required to act with due care, skill and diligence in performing their accountable functions and managing the business for which they are responsible (including taking reasonable steps to adequately inform him about the affairs of the business). If the individual made the attestation as to a statement of affairs without exercising such care and reasonableness, there could be a question over their compliance with Statement 2 and Statement 6 (amongst others) of the Statement of Principles for Approved Persons.
The Supervision (SUP) Manual of the FCA Handbook requires that a firm must take reasonable steps to ensure that all information it gives to the appropriate regulator is factually accurate or, in the case of estimates and judgments, fairly and properly based after appropriate enquiries have been made by the firm.
An attestation given as to a particular state of affairs or future action, combined with a failure to have (i) taken reasonable steps or (ii) carried out appropriate enquiries as to that state of affairs could leave both the attester and firm exposed to enforcement action.
Should we notify the regulator that the attestation is/may be false, misleading, inaccurate etc.?
Secondly, the firm and its approved persons have an obligation to deal openly and cooperatively with the FCA (Principle 4 of the Principles of Business and Principle 11 of the Statement of Principles for Approved Persons). Firms are also subject to rules that require them to notify the regulator in the event that any information it has provided to it is or may have been false, misleading or inaccurate or information that has changed in a material particular. Consequently, there is also a related question of whether the individual/firm should notify the regulator that the attestation turned out to be (or may be) false, misleading or inaccurate.
This is a highly sensitive area on which we would suggest that firms seek specialist advice at the earliest opportunity.
Action for underlying regulatory breaches
There will undoubtedly be an underlying question of regulatory compliance that motivates the FCA towards requesting an attestation is given. For example, consider that an attestation was given to the effect that the firm has adequate systems and controls in place in relation to a specific area of concern to the FCA, and that it then materialises that the firm’s systems and controls were in fact inadequate. Subsequent enforcement action by the FCA could be both in respect of the false attestation and also for any underlying systems and controls breaches themselves.
Points to consider when faced with a request for an attestation
We have set out some points for consideration in the rest of this article. In summary, it is of crucial importance for any individual receiving a request for an attestation to remain cautious, not rush into providing an attestation to the FCA and to carefully consider all the relevant facts and circumstances of the situation.
The scope, content and timing of the proposed attestation should be given careful consideration, alongside the objectives the FCA is thereby attempting to achieve. Independent legal advice can help individuals to evaluate and consider the potential consequences and personal risks, and to help them (and the firm) to put together a tailored strategy in order to mitigate these.
The FCA has publically stated that attestations should be clear and realistic: i.e. specific, achievable and have realistic (but demanding) timelines. Depending on the circumstances, it may also be necessary to engage in constructive dialogue and negotiation with the FCA on the proposed terms of the attestation.