Watch Your Back, says compliance specialist Lee Werrell. The Regulator’s Toughening Up On Affirmations by Directors and SIFs
Last year the FCA declared that attestations are key elements of the Firm Systematic Framework (FSF), the new replacement for ARROW. Now, I’ll agree that this important shift of emphasis might have gone unnoticed by many of us; nevertheless, the aim looks like a change in the way of assessing how firms manage the risks they generate. That in turn means that we need to focus on the root factors behind what leads to these risks.
Make no mistake, by placing enhanced significance on personal conduct in financial services, the regulator is currently laying the ground for pursuing far more cases against executives individually as well as collectively – possibly leading to fines and criminal prosecutions.
This means a far greater concentration on personal accountability resulting from legal affirmations – and it’s something that needs to be treated seriously by all senior executives who are being required to sign on the dotted line – and thereby, to stake their professional reputations and their personal authority on the quality of their firm's compliance processes.
A Shifting Emphasis
The FSF assessment modules will usually consist of a series of interviews between supervisors and the firm, to look at the various processes in relevant areas. The FCA has clarified that detailed testing will not be used unless it is the only way to assess a particular risk.
The new regime has subtly moved the regulatory emphasis by shifting responsibility away from the FCA and onto firms instead, which are required to do their own monitoring on some of the less important points and to self-attest that these points have been addressed. These will be monitored and assessed through Section 166 skilled persons’ reports, internal audit review, and non-executive director reports.
Like "Conduct Risk", the concept of "Attestations" is not defined in the regulator's Handbook – you’ll find no alphabetical entry in the glossary between "Attached Shares" and "Auction Platform". You won’t find any legal instrument defining the term either – but make no mistake, attestations are being required by the conduct regulator with ever increasing frequency. It seems that this term has so far been lost on the Prudential Regulation Authority (PRA), but there is no reason why it will not also be adopted by them in the future.
So What Does Giving An Attestation Mean?
An attestation is a written confirmation, much like a personal undertaking or guarantee, that specific supervisory actions or aspects of regulatory focus specified by the regulator are being met by the firm. The responsibility often falls to the CEO, but other SIFs and in some cases boards of directors can also be required to provide them.
There are currently two principal types of scenarios through which attestations are being used:
- Individual firms: Attestations are generally required as a consequence of a specific problem having been identified – whether that was through an agreed Risk Mitigation Programme (RMP), supervision, or through enforcement, such as a follow-up to a Skilled Persons’ Report under section 166 FSMA. The attestation is likely to be framed to reflect confirmation that the remedial actions agreed have been (or are about to be) implemented and finalised within a particular time frame.
- Thematically: Attestations are required from multiple businesses operating in a particular market, in which a particular issue has been identified across a number of firms as a result of thematic work undertaken by the FCA. The aim here is to make certain that Significant Influence Function holders within each firm are made aware of the issues and that they can, therefore, be held personally accountable, should those problems arise in the future. One example of such an attestation was in 2012 when Asset Management firms were expected to attest that their conflict of interest processes were compliant with the expectations of the regulator.
This approach is unquestionably a response to the public’s calls for senior management accountability in the wake of the financial crisis. But the situation has also been compounded by the mis-selling and LIBOR scandals. Previous attempts at obtaining evidence of personal awareness and culpability were a huge issue, and attestations are now being seen as a key pre-emptive method of overcoming this problem.
If firms find themselves in attestation territory, they might be advised to follow regulatory instructions and to acquire an independent holistic report on their compliance function, to help demonstrate a wholehearted commitment to improvement. But it’s better still to make sure that everything is in place before any regulatory involvement is needed.
So What Are the Risks to You?
An attestation that is not honoured provides the FCA with clear proof of non-compliance against an individual or firm, and makes it simpler to take enforcement action against them.
There are a variety of ways in which the attestation could be used, and it tends to make sense that, the more senior the attestor, the more likely it is that action will be taken against them personally:
- Ignoring the agreement would provide evidence that an approved person was made personally aware of the issue and failed to carry out a particular function, or did not act appropriately; this could amount to a breach of the Principles for Business (potentially any, but often principles 3, 6 or 9) or Statements of Principle for Approved Persons (potentially 1 or 4, but also 5, 6 or 7 if they are senior management);
- If the agreed actions in the attestation are not carried out, the individual can be criminally prosecuted for providing false or misleading information to the regulator; this would be regardless of whether it was done knowingly or recklessly;
- Any enforcement action against the firm will most certainly be aggravated by the fact of the failed commitment to the attestation; and
- If the individual is shown to have been dishonest in the making of the attestation, and the intention was to expose another to the risk of loss, the individual could also be liable to a criminal prosecution for fraud by false representation (up to 10 years' imprisonment and/or an unlimited fine).
What Can You Do To Mitigate The Risks?
To deliver an attestation, you might want to treat it like a project.
- Ensure you comprehend the precise requirements and possess the authority to make an attestation; seek external guidance if possible.
- Is your authority, and the decision to elect you as attestor, clearly recorded in your governance records?
- Identify precisely what may be required, and ensure that any obligations are clearly achievable; and make sure that any timescales can be accomplished.
- Make certain that you implement adequate policies, procedures and processes to make sure all involved understand their obligations. This helps provide evidence that due care and diligence has been applied.
- Confirm what supporting information and evidence is to be provided to the FCA, and make sure that you understand the requirements. We often find errors in interpretation that can magnify the issues.
- Make sure that you have adequate access to all the documentation and material (including anything confidential) required to discharge your duties. You can still be liable even if you leave the firm.
- Ensure that everyone involved in the attestations is aware of the regulatory process and the definite necessity for accurate, reliable information.
The regulator’s increase in the use of attestations as a primary validation tool demonstrates the FCA’s determination to hold senior management responsible for the actions of the firm and its compliance function.
A SIF position already brings with it a huge amount of responsibility – but, critically, you should fully understand that signing any attestation without understanding your specific obligations – or without feeling fully confident that the problems you will need to address are going to be successfully remediated – can mean that you are signing away your future.
To validate your compliance function, seek independent advice and review.