Attestations

Personal accountability for senior management

DAVID HEFFRON, ADDLESHAW GODDARD

The practice of requiring senior management to attest to their firm’s compliance with regulatory requirements is becoming increasingly common and causing significant concern. This briefing looks at the regulators’ use of this supervisory tool, particularly the Financial Conduct Authority’s (FCA), and provides an overview of what senior managers and firms should consider when asked to provide one. Given the potentially serious personal and professional consequences where regulators subsequently question an attestation, they should not be given without careful consideration and necessary due diligence.[1]

Accountability
One of the frequent complaints by the public of the FCA’s predecessor was that while authorized firms might be fined for misconduct, their senior managers were rarely held accountable. In the aftermath of the financial crisis and in the absence of any significant disciplinary action against the senior executives of failed banks, the regulatory climate has changed and the use of attestations as a supervisory tool should be seen in this context. The FCA has published 10 principles of supervision, one of which specifically refers to individual accountability: “An emphasis on individual accountability, ensuring senior management understand that they are personally responsible for their actions – and that we will hold them to account when things go wrong.”[2] Moreover, in its 2015 Business Plan, the FCA states that “the accountability of individuals in positions of responsibility needs to be improved and overall standards of governance raised.” One of the ways that this concept has been “embedded” is through the growing use of requiring the giving of attestations by senior managers.[3]

In a recent speech Clive Adamson, FCA director of supervision, referring to the new senior managers and certified persons regime to be implemented in 2015, stated:

“[T]his should be seen as part of a more comprehensive approach to individual accountability including the use of attestations, where we ask senior individuals to attest to us in relation to a supervisory action… We will want to use these tools in an effective but proportionate way so it should be clear that there will be significant cost to individuals if conduct issues in retail or wholesale markets occur on their watch.” [4]

The use of attestations, unlike other parts of the regulatory tool kit, has developed away from the public eye and scrutiny. Partly for these reasons there exists considerable disquiet by firms and managers over their use and uncertainty about their effect. This was recently reflected in an exchange of correspondence between the FCA’s director of supervision and Graham Beale, chairman of the FCA practitioner panel, when the opportunity was taken to explain in greater detail the FCA’s approach.[5]

What are attestation clauses?
Attestations are supervisory, not enforcement tools. The plain dictionary meaning of the word “attest” is to declare that something exists or is the case. According to the FCA, attestations are used to obtain a personal commitment from an approved person at an authorized firm that a specific action has been or will be taken. Apart from personal accountability, the tool seeks to place a “senior management focus” on specific issues where the FCA wishes to see change without the regulator itself having to become involved.[6] While any approved person may be asked to attest, it is most usual for theperson holding the most relevant significant infuence function to be asked.

Aspects of the FCA’s new more judgment-led and interventionist style can be seen here with supervisors scrutinizing firms’ product governance and seeking assurances from firms without wishing to expend finite supervisory resource. The FCA say they will not usually wish to see any evidence to support the attestation although the presumption is that this will exist and it reserves the right to do so. As discussed below, it is advisable not only to carry out appropriate due diligence but to keep a record of the steps undertaken. There are four principal types of attestations: notifications, undertakings, self-certifications and verifications. For the FCA’s description of each please see the box.

What are the concerns?
There are a number of significant issues some of which have been articulated by the FCA practitioner panel:

  • Uncertainty over the legal status of attestations;[7]
  • Uncertainty over the consequences to individuals of providing attestations and in consequence to their firms;
  • Apparent inconsistencies in their use by different supervisors indicating governance and monitoring issues;
  • Limited transparency where no guidance about their use has been published and there only exists internal guidance privy only to supervisors; and
  • Skewing prioritization of risk at firms where considerable focus and resources have been devoted to issues where attestations have been required.

Legal basis
The FCA refers to attestations as now constituting a formal supervisory tool.[8] There is, however, no express reference to them in either the Financial Services and Markets Act 2000 (FSMA) or the regulators’ rulebooks.

High-level principles
The FCA relies on the Statements of Principle and Code of Practice for Approved Persons (APER), and in particular Principle 7, which states:

“An approved person performing an accountable significant-influence function must take reasonable steps to ensure that the business of the firm for which he is responsible in his accountable function complies with the relevant requirements and standards of the regulatory system.”

This is supported by examples provided, at APER 4.7, of the types of conduct which comply with this principle.[9] In this context, the provision of an attestation is viewed as an expression of the duty placed on an approved person and a confirmation to the regulator of its discharge.

Similarly, reliance is placed on the analogous Principle 3, in the Principles for Businesses (PRIN) under which a firm must take reasonable care to organize and control its affairs responsibly and effectively, with adequate risk management systems.

Approaching the issue from the perspective of disclosure, both APER and PRIN respectively require approved persons and firms to deal with regulators in an open and co-operative way, disclosing to them anything of which that regulator would reasonably expect notice.[10] Chapter 15 of the Supervision Manual (SUP) which concerns notifications by firms to regulators, provides examples of such matters (e.g., any significant failure in a firm’s systems and controls). An attestation which did not (but should) make reference to such a failure might, depending on the circumstances, contravene these principles.

One of a small number of exceptions to the absence of express authority for attestations is in the Regulated Covered Bonds (RCB) source-book. RCB 3.2.1 states that an issuer must provide to the FCA annual written confirmation of compliance with a number of regulations concerning covered bonds. These are in the form of statements such as:

“I confirm that I am satisfed that the arrangements relating to the regulated covered bonds comply with the requirements of the RCB Regulations and the RCB source-book”.

Approach
Usually with supervisory tools, the regulators provide guidance to firms on how and in what circumstances they will use a specific power. This is normally a requirement of FSMA. In the case of attestations there is only internal guidance for supervisors.

Earlier this year the FCA was ordered to disclose a small part of its internal guidance in response to a Freedom of Information Request (FOIA), but successfully withheld the majority on the basis that its disclosure would or would be likely to prejudice the exercise of its statutory function to supervise authorized persons.[11] In arguments before the Information Commissioner, the FCA explained that a key element in its strategy for using attestations is that firms and individuals will not know when they will be used in preference to more formal measures. Moreover, the FCA is purposively not overly prescriptive in terms of the actions or information which attestations seek to secure. This means that firms cannot be certain what they must do to satisfy the FCA that they have adequately resolved a particular issue put by a supervisor. The uncertainty militates against firms undertaking the minimum steps necessary and instead promotes a higher standard of compliance.

In response to the FCA practitioner panel’s concerns, the FCA’s director of supervision has promised to issue revised internal guidance and supporting materials to supervisors. These will emphasize the importance of clarity and transparency when using attestations.[12]

Consequences of providing attestations
The key authority on the responsibility of senior management for their business and how to discharge it is the decision in Pottage versus Financial Services Authority (FSA).[13] While the FSA was unsuccessful on the facts, the financial services tribunal confirmed its approach. The regulator argued that John Pottage, CEO of UBS’s wealth management business, was guilty of misconduct because he had failed “to take reasonable steps to satisfy himself by way of an initial assessment at the outset of his appointment as to the design and operational effectiveness of the governance and risk management frameworks in place.”

Under section 66(2) FSMA a person is guilty of misconduct if, while an approved person, he fails to comply with a statement of principle or he is knowingly concerned in a regulatory contravention by an authorized firm. This requires personal culpability, meaning deliberate conduct, or that the standard of their conduct fell below that which would be reasonable in all the circumstances.[14] This is obviously a question of fact, and the FSA were unable to show that Pottage’s actions breached the standards expected. Further, DEPP 6.2.8G, states that “an approved person will not be in breach if he has exercised due and reasonable care when assessing information, has reached a reasonable conclusion and has acted on it.”

The burden of proof is on the FCA, although changes to FSMA by the Financial Services (Banking Reform) Act 2013 will reverse the burden of proof for those performing senior management functions.[15] This is referred to as a presumption of senior management responsibility.

There is also, potentially, the risk of prosecution under section 398 FSMA. It is an offence in purported compliance with any requirement imposed by or under FSMA to knowingly or recklessly give the regulator information which is false or misleading. The penalty is a fine but any individual convicted is also likely to be prohibited from the industry.

What to remember if asked to attest
It is important to recall that the Principle 7, like the requirements in the Senior Management Arrangements, Systems and Controls manual (SYSC), only requires an individual to take reasonable steps. This wording is carried over to the draft C-Con rulebook in respect of senior manager and certified person conduct rules which in 2015 will replace APER for banks and building societies. Therefore, when a manager is asked to give, for example, a notification attestation, the responsibility is to take reasonable steps to ensure that the firm appropriately monitors the risk and makes any notifications which are appropriate. In other words, it is not an unqualified or strict liability obligation.

It is worth also remembering that there is nothing special about an attestation. It is likely that the FCA will regard any assurance, particularly a written letter, as an attestation. Therefore, whatever its form might be, satisfy yourself over the content of any confirmation or assurance that you might provide to the regulator.

What questions to ask
When presented with a request for an attestation there are a number of considerations:

Am I the right person?
You should consider whether you are the most appropriate person within a firm. If you are an approved person ask whether the attestation relates to matters within your control function and/or within your responsibilities. Is someone better placed?

What exactly am I being asked to attest?
It is helpful to remember the nature of the regulatory obligation on senior management. Generally speaking this is one of taking reasonable care or reasonable steps. For example, SYSC 3.2.6 provides that a firm must take reasonable care to establish and maintain effective systems and controls for compliance with applicable requirements and standards under the regulatory system. Therefore, you should resist making an unqualifed assertion that, for instance, there have been no breaches of the client money rules. Instead, you should state that you have taken reasonable steps to confirm that appropriate procedures and processes are in place to comply with the CASS rules.

Can I refuse or negotiate the wording?
You should never sign an attestation if you are not confident about providing the assurance requested; the consequences of doing so are far worse. The FCA accept attestations need to be specific, and achievable with demanding but realistic time lines. It is accepted that there should be an open dialogue between firms and supervisors, and you should be ready to remind them of that fact if necessary. Should you have concerns you might suggest to the supervisors alternative wording, qualify the statements you are being asked to make or seek further time to carry out the work necessary to have sufficient comfort to sign. Remember, if the FCA were to query the accuracy of the statement at a future date, providing there was a reasonable basis for making it with appropriate due diligence, you will have a defence to disciplinary action.

What steps are necessary?
This will of course depend on the nature of the request and the circumstances. At a minimum you should ask questions of colleagues, challenge assertions and assumptions and make sure that you understand the issues, processes and if applicable any product or service. In some cases it may be necessary to use a firm’s control functions such as audit or compliance, and in other cases to appoint outside consultants. You are likely to want to take advice from your firm’s legal advisers and where you consider that there might be a divergence of interest between you and your employer seek independent legal advice.

How much due diligence is necessary?
Again, this is a question of judgment which will depend on the nature of the request and its circumstances. In certain cases the amount of any initial assessment carried out when taking up the role may help you to decide. The FCA, in its arguments to the Information Commissioner, indicated that a degree of uncertainty by firms over what they needed to do was helpful to its supervision. Nonetheless, it does not expect firms to create onerous assurance processes that could skew prioritization of management focus. Clearly, there will exist a tension in deciding how much to do but ultimately the obligation is to take reasonable steps.

  • Notification: For emerging risks at firms which are unlikely to result in material consumer detriment or negative impact on market integrity, we may ask an appropriate individual at a firm to attest that they will notify us if the risk changes in its nature, magnitude or extent. The responsibility on the person making the attestation is to ensure that the firm appropriately monitors the risk and makes any notifications which are appropriate to us.
  • Undertaking: Where we want a firm to take specific action within a particular timescale, but the risk is one which is unlikely to result in material consumer detriment or negative impact on market integrity, we may ask for an attestation undertaking that the action will be taken.
  • Self-certification: For more significant issues, but where we are confident that the firm can resolve the issue itself, we may ask for an attestation that the risks have been mitigated or resolved.
  • Verification: In cases in which we not only want a firm to resolve issues or mitigate risks but we also want verification of that, we may ask for an attestation confirming that the action, including verification as appropriate (e.g., by internal audit), has been done.

David Heffron advises on regulatory and commercial matters in the financial services sector, including all aspects of the Financial Services & Markets Act 2000 and the FCA Handbook. He advises on structures and distribution of financial services products, authorization and conduct of business issues and on regulatory issues relating to acquisitions and disposals. He has advised on a number of transfers under Part VII of the Act. He has particular experience of distribution agreements for the sale of a wide range of products.

Footnotes

  1. Readers will also find helpful the note on “Individual Attestations by Approved Persons of July 2013” by Chris Lawrenson, head of legal services, BSA.
  2. See, for example, FCA, “The FCA’s Approach to Supervision for C1 Groups”, March 2014.
  3. FCA & PRA, “Strengthening Accountability in Banking: A New Regulatory Framework for Individuals”, Consultation Paper FCA CP14/13/PRA CP14/14, July 2014.
  4. “A Sustainable Conduct Environment”, Speech by Clive Adamson, FCA Director of Supervision, 23 March 2014.
  5. Exchange of correspondence on the FCA use of attestations between the FCA’s director of supervision and Graham Beale of the FCA practitioner panel published on 26 August 2014.
  6. See above.
  7. See note 5.
  8. See note 3.
  9. In 2015 a new C-CON source-book will replace APER for senior managers and certified employees of banks, building societies and larger investment firms. These will include a similar obligation to “take reasonable steps to ensure that the business of the firm for which you are responsible complies with the relevant requirements and standards of the regulatory system.”
  10. APER 2.1A, Statement of Principle 4 and PRIN 2.1.1, Principle 11.
  11. Information Commissioner’s office, Decision Notice Ref: FS50529860, 9 June 2014.
  12. See note 5.
  13. Upper Tribunal (Tax and Chancery Chamber), Reference no. FS/2010/33.
  14. APER 3.1.4G. See also the Decision Procedure and Penalties manual (DEPP) at DEPP 6.2.4 to 9.
  15. Sections 66A, 66B FSMA.