This guide was last updated in February 2015
This guide will set out how attestations are used and what bankers, insurers and investment managers should do when asked to provide one.
What is an attestation?
Attestations enable regulators to formally obtain a personal commitment from a named senior individual at an authorised firm that their firm is complying with some aspect or other of the regulatory rules. They are designed to make the chief executive or board of a regulated firm pay particular attention to an area that is perceived as being weak or having poor systems and controls in place. Attestations are usually quite short, but can lead to serious consequences for the individual if given incorrectly.
A number of people in regulated firms may be asked to provide an attestation. These can range from senior managers such as chief executives, chairmen or directors to compliance officers and possibly others with managerial or supervisory roles. However, the FCA will usually ask for an attestation to be given by the most relevant significant influence function holder.
Attestations are used for four main reasons:
- notification: a commitment to notify the regulator if an emerging risk changes in nature, magnitude or extent;
- undertaking: a commitment that a specific action will take place within a specified time period;
- self-certification: confirmation that certain risks have been mitigated or resolved;
- verification: after a regulatory notice, an attestation can be used to verify that the issues identified by the regulator have been resolved and a particular action has taken place.
What to do when faced with an attestation request
A request for an attestation will generally accompany the results of a regulatory review or investigation, meaning that you will already know the regulator's area of interest. Pay close attention to the specific findings of that review.
Although the attestation wording may be very short, a substantial amount of work and due diligence may be needed before the attestation can be given. You should be able to show the process used to investigate relevant internal systems and controls in a controlled environment when answering a request for an attestation, so keep good records of what you do. It is important to look at existing controls and processes with an open mind and to document absolutely everything so that you can provide evidence of your conclusions. That evidence must reliably lead to your conclusions with a seamless line of responsibility from the current position to your future action plan. Some firms will undertake internal audits to verify the evidence.
Sometimes, the notice from the regulator setting out the attestation request will provide a timescale. It is really important to ensure that this timescale gives you enough time and, if it doesn't, to go back to the regulator and explain why you need more time. If you agree to a timescale, you will be expected to deliver against it.
If possible, provide a positive attestation. However, if this is not possible, you must state the situation as you see it and not say all is fine if it is not. Where existing practices do not measure up to regulatory standards, this should be explained, justified if possible, and a remediation plan provided.
Risks of signing an attestation
Signing an attestation makes an individual an easy target for future enforcement action if non-compliance is identified post-signing. The FCA has also said that it intends to name and shame persons under investigation. For these reasons, it may be appropriate to use internal attestations to reduce the risk and perhaps spread the burden of signing the final attestation with the regulator. An attestation which is signed by all board members internally can produce the right discussion, debate and challenge.
When facing an attestation request, as in all dealings with the FCA, it is important to keep in mind Principle 11 in the FCA Handbook: that a firm must deal with its regulators in an open and cooperative way. In addition, section 398 of the Financial Services and Markets Act states that it is an offence to knowingly or recklessly provide false or misleading information in purported compliance with regulatory requirements.
With these two principles in mind, it is important to ensure that you are absolutely clear as to the purpose and scope of the attestation request at the very outset. If in doubt, pick up the phone or email your FCA supervisor to check your understanding of the notice.
In August 2014 the FCA's practitioner panel asked the regulator to identify exactly what its expectations were around the use of attestations, because there had been a number of industry concerns in relation to their use. In response, the FCA said that it planned to make "substantial and important" changes to the process to ensure that attestations were being used consistently.
According to the letter, the FCA plans to issue "revised internal guidance and supporting materials" to its supervisors in order to emphasise the importance of clarity and transparency when using attestations. It also plans to introduce stronger governance requirements, including a new requirement that attestations be signed off by a department head and a new central review process; and has committed to publishing data on its use of attestations on a quarterly basis.