Across the UK financial services sector we are increasingly seeing instances of CEOs, chairmen, Boards and other senior executives being required to provide written attestations to the Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) on areas of regulatory focus and specific supervisory actions. The use of attestations demonstrates an intention on the part of the regulators to achieve credible deterrence by holding senior management individually and/or collectively accountable for regulatory issues.

"Attestations evolved from our greater emphasis on personal accountability. We find that when we ask for them it focuses the mind not only of the individuals but of the firm" Clive Adamson, FCA Director of Supervision, May 2013

Attestations came to prominence in late 2012 when the FSA wrote to larger asset management firms in relation to conflicts of interest compliance, asking CEOs to attest their conflicts of interest systems were in line with regulatory expectations. Since then their use has become increasingly common across all sectors of the financial services industry from banking to insurance.

Increased use

The use of attestations, as well as the range of issues which they will cover, is likely to continue to increase as the FCA and PRA seek to establish clear accountability for decision making at the top level. The nature of the requirement may include representations from individuals, such as the CEO or Chairman, as well as the Board as a collective, for the regulator to gain confidence on a particular issue. For example it may be used as a follow up to specific concerns which the FCA and PRA have identified in their supervisory work or to ascertain culture and compliance within business lines or support functions. In particular, whilst attestations will not replace the use of s166 skilled persons reports across-the-board, it is likely they will be used as an alternative in some instances.

The five key factors to consider when providing an attestation

Given the significance attached to an attestation and the potentially severe consequences of getting it wrong, the process leading up to signing has to be watertight, delivering a high degree of confidence that the attestation is both accurate and comprehensive. In Deloitte's view this process should be informed by five key factors that a firm should take into account:

1) What are senior management being asked to attest to?

The scope of attestations can vary significantly; from confirmation of the effectiveness of specific arrangements such as conflicts of interest management, through to broad attestations on the effectiveness of firm-wide governance arrangements. It is essential for firms to clarify and understand the scope of the attestation with the regulator before undertaking any work. Our experience has shown that early engagement with the regulators on any uncertainties and/or concerns can result in helpful clarifications to the scope.

2) What are the existing controls and processes in place that enable senior management to make the attestation?

Firms should consider what business as usual controls can be relied upon to support the attestation and whether any Internal Audit or other reviews have previously identified issues in the area in question. Firms should pay particular attention to any issues or concerns that the regulators have previously identified in relation to these controls, e.g. in earlier risk assessments.

3) What further evidence will be needed to support the attestation?

Most representations or attestations will require some form of additional testing so those attesting can be confident in the statement and highlight areas for improvement. The level of testing will vary depending on the scope of the request and the controls already in place. In some cases the testing could be performed by internal resources, such as Internal Audit. In other cases, firms will choose to obtain third party, independent support.

4) Has the work plan and approval process been agreed?

The scope of the work plan is driven by the level of confidence those attesting are seeking to achieve. For the reasons given above, our expectation is that this level will invariably be very high and the work plan should therefore be commensurate with this. This means that a clear methodology and detailed work plan should be agreed up front which should specify the review, challenge and approval process, before arriving at a final position. Appropriate review and approval will depend on the attestation required, but consideration should be given to the role of the Board and governance committees as well as individuals to ensure that responsibilities and expectations are understood from the outset.

5) What work has been carried out?

A detailed description of work undertaken and evidence relied upon to support the attestation should form part of any attestation. This should include any qualifications or caveats to the information relied upon. There is an important balance to be struck between including relevant qualifications and caveats while at the same avoiding making the scope of the attestation so narrow that it fails to meet the regulators' expectations.

These five key factors are based on our practical experience of working with a number of firms in the preparation for and delivery of attestations. Firms that take these factors into account will be well positioned to provide a timely attestation to the regulators with confidence in its accuracy and completeness.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.