Compliance officers in the financial sector, beware: If you tell the Financial Conduct Authority in Britain that you have adequate internal controls and systems in place, be absolutely certain that is the case.
Deutsche Bank and its British subsidiary, DB Group Services, learned that lesson the hard way last month, when the FCA slapped the bank with a £226.8 million ($345.6 million) penalty for the bank’s role in manipulating the London Interbank Offered Rate (LIBOR). The fine was part of a $2.5 billion global settlement that Deutsche Bank reached with other enforcement authorities.
An unprecedented portion of the FCA’s fine, £100.8 million ($153.5 million), resulted from breaches of Principle 11 under the FCA’s Principles for Businesses, which requires companies to deal with regulators in an “open and cooperative” way and to disclose any issues that a regulator would reasonably expect to be notified about. According to the FCA, Deutsche Bank breached Principle 11 when it provided “false, inaccurate, or misleading information” to the agency, including a number of failures arising during the course of its LIBOR investigation.
Specifically, Deutsche Bank provided a formal written attestation “stating that its systems and controls in relation to LIBOR submissions were adequate at a time when no such systems and controls were in place,” the FCA stated. Even worse, the FCA said, the compliance officer who signed the attestation knew it was false.
“This case sends out a strong message that both individuals and companies need to be diligent when they are asked to sign attestations,” says Louise Hodges, a partner with law firm Kingsley Napley in London.
“The FCA has made it clear that requiring an attestation is a major tool in its armory, as it is a means of obtaining a personal commitment from a senior manager that specific action has or will be taken,” says David Wilford, director of compliance products for Lombard Risk, a software vendor to the financial services industry. “Financial services firms can expect the regulator to increase the use of this tool going forward.”
The FCA has defined attestations as a formal “supervisory tool”—a step short of an enforcement tool, used by the agency to obtain a personal commitment from an individual within the company that a specific action has been taken or will be taken, in an area where the FCA would like to see changes. The attestation may be given by a number of individuals in the firm, including a senior officer, director, compliance officer, or someone in a managerial or supervisory role.
Attestations are “a way to get the attention of senior management and to really ensure that the particular activity within a firm is being focused on by the highest levels,” says Elizabeth Clay, an associate with law firm Bird & Bird in London. The FCA’s use of attestations has significantly increased following the financial crisis and a general frustration in the market over the lack of personal accountability placed on boards and senior management, she says.
No regulatory proceedings exist in the United States that compare to the FCA’s broad use of attestations. The FCA says it uses personal attestations in the following four scenarios:
Notification, where the FCA sees a potentially troublesome new risk and wants the bank to alert it should the risk change in its nature or magnitude;
Undertaking, where the FCA wants a firm to take specific action within a particular timescale and extracts a promise to that effect;
Self-certification for more significant issues, where the FCA is “confident the firm can resolve the issue itself, we may ask for an attestation that the risks have been mitigated or resolved;” and
Verification, where the FCA asks for confirmation that some action was taken, complete with supporting evidence such as an internal audit.
Importantly, FCA attestations are not explicitly required by any British statute or regulation, meaning that a financial services firm cannot be required to respond to them. “The FCA can only request that you respond,” Clay says.
Refusing to respond to an attestation, however, or remaining in non-compliance with an attestation request, is ill-advised. By doing so, you effectively are refusing to remediate an issue that the FCA has identified as serious. That exposes both the individual and the company to an investigation or enforcement action.
“You need to make sure that you can, in fact, attest to what is being asked,” says Alix Prentice, a partner with law firm TaylorWessing in London. “If you can’t, you need to negotiate with the FCA in amending the terms of the attestation.”
PRINCIPLE 11 BREACHES
Below, the FCA outlines where Deutsche Bank failed to follow Principle 11.
2.13. Principle 11 requires firms to deal with their regulators in an open and cooperative way, and to disclose to the appropriate regulator appropriately anything relating to the firm of which that regulator would reasonably expect notice. The Principle 11 breaches arise from instances when Deutsche Bank provided false, inaccurate or misleading information to the Authority including a number of failures arising during the course of the Authority’s investigation into Deutsche Bank’s IBOR misconduct.
2.14. Deutsche Bank provided inaccurate and misleading information to the Authority regarding its ability to disclose to the Authority a report commissioned by the BaFin [Federal Financial Supervisory Authority for Germany], which was relevant to aspects of Deutsche Bank’s IBOR misconduct. In short, Deutsche Bank failed to disclose the report and told the Authority that the BaFin had prohibited disclosure of the report to the Authority. However, there was no such prohibition. The Authority considers this aspect of Deutsche Bank’s misconduct to be reckless. The Authority accepts that recklessness is not the same as deliberately acting improperly.
2.15. Separately, Deutsche Bank provided a formal attestation to the Authority stating that its systems and controls in relation to LIBOR submissions were adequate at a time when no such systems and controls were in place. The attestation was known to be false by the person who drafted it at the time it was sent to the Authority.
2.16. Furthermore, Deutsche Bank failed during the course of the Authority’s investigation to provide accurate, complete and timely information, explanations and documentation to the Authority. Although the Authority has concluded that there was no intention on the part of Deutsche Bank to deliberately conceal documents or information, these failures caused delay to and difficulties for the investigation.
2.17. These Principle 11 failings also reflect further cultural shortcomings in that Deutsche Bank did not place sufficient importance on ensuring the accuracy and completeness of its communications with the Authority, including in respect of the production of information and documents. The breaches are particularly serious given that they all relate to IBOR misconduct at Deutsche Bank at a time when the integrity of the UK financial markets was subject to particular scrutiny and criticism due to the emergence of widespread IBOR manipulation.
From a practical standpoint, financial services firms will want to conduct a thorough review and assessment of the relevant controls and processes, and document everything, so that the senior manager signing the attestation can do so in the knowledge that it is “true and correct,” Wilford says. “Senior managers for their part should take all reasonable steps to make sure they have all the evidence at their fingertips before signing the attestation,” he says.
In some instances, the attestation request will provide a particular timeline. “You often don’t get that much time when you get one of these requests,” says Jonathan Herbst, a partner with law firm Norton Rose Fulbright in London.
If the company believes that it doesn’t have enough time, it can—and should—talk with the FCA, explaining why it needs more time, Prentice advises. It may be that the company needs more time to conduct due diligence on the subject of the attestation, or to address any necessary remedial work, she says.
“The negotiation should foster a full and accurate response,” Prentice adds. Looking for too many carve-outs may cause regulators to have suspicions; the purpose of having dialogue with the FCA is to “manage your regulatory risk,” she says.
Another important consideration is who should sign the attestation. Generally, the regulator will request that the attestation be given by the individual with oversight or responsibility over the subject area of the attestation. “It’s up to the firm itself to say, ‘This is not the appropriate person, but we can suggest a more suitable approved person within the organization to sign the letter,’ ” Clay says.
More to Come
Properly responding to a request for an attestation is only becoming more relevant, as the FCA’s use of attestations continues to rise. According to quarterly data provided by the agency, the FCA requested 23 attestations in the third quarter of 2014—a nearly four-fold increase from the six it requested just six months earlier. In total, the FCA requested 59 attestations in 2014.
The FCA’s latest data also showed that attestations were used most often in the wholesale and investment management sector (21), followed by long-term savings and pensions (13), and retail (11). The two sectors with the fewest attestations were mortgages and consumer lending (eight), and general insurance and protection (six).
“What we haven’t yet seen is an enforcement action where the FCA has taken any disciplinary action against an individual based solely on an incorrect attestation,” Clay says. “Given how much more these attestations have been used over the last couple of years, in particular, and the focus that’s on them, I think we may well start to see enforcement actions against individuals on the basis of an incorrect attestation.”