Skip to content


  • Add this article to your LinkedIn page
  • Add this article to your Twitter feed
  • Add this article to your Facebook page
  • Email this article
  • View or print a PDF of this page
  • Share further
  • Add this article to your Pinterest board
  • Add this article to your Google page
  • Share this article on Reddit
  • Share this article on StumbleUpon
  • Bookmark this page

You have six months to prepare an attestation for the regulator – before you sign in blood, you need to be absolutely sure…


Close this video

By Jonathan Rodgers, Sally Kift and Gavin Neilson, PA financial services experts

After years of economic crisis and scandal, the UK’s financial regulators have faced widespread criticism for failing to hold senior executives to account. As Martin Wheatley, CEO of the FCA, said: “There has to be some sense of… culpability when things go wrong.” For this reason, the FCA is now “ pursuing far more cases against executives”.

One way the FCA and PRA are doing this is by requiring senior executives to attest personally that their organisation is responding adequately to regulatory concerns.  The FCA expects these attestations to be complete, in-depth and accurate. If they find any evidence lacking, they are likely to carry out a more detailed investigation. At worst, as well as irreparable damage to their professional reputation, signatories face “fines, criminal prosecutions and bans.”

Executives should not underestimate the scale of work involved in preparing an attestation, yet they cannot afford to uncover problems late in the day. The FCA may, however, set an attestation date as soon as six months in the future. This provides only a short window to ensure the attestation is complete. As they face significant personal risks, executives find themselves under extreme pressure to deliver in time.

Since the shift towards more “judgement-based” regulation, we have worked with a number of top-tier banks and insurers to help them prepare for attestation.

Drawing on our wide-ranging experience, we recommend the following steps.

  • Start with a rapid assurance review to allow you to prioritise what you need to fix by the attestation date. Bear in mind that attestations regularly focus on areas that are already perceived to be deficient. Given the timescales involved, you are unlikely to be able to fix everything, but specific weaknesses can be addressed. You should focus on these immediately to give you time to address significant issues before you sign in blood!
  • Set up the attestation as a project. Your attestation may well require input from multiple geographies and business functions. It may also call for the testing of systems and controls and the engagement of a wide range of stakeholders. Against a backdrop of pressing and rigid timeframes, there will be little leeway for error or for finding out that your team has provided you with inaccurate information. We recommend, therefore, that you set your attestation up as a project. In practice, this means defining a clear plan, roles and responsibilities, and agreed deliverables, as soon as possible.
  • Have absolute clarity on what you are required to attest to. To manage risk efficiently, you need to keep your scope as tight as possible. The regulator may even give you a specific form of wording. While you may include caveats in your attestation, these are likely to draw the regulator's attention to areas of frailty.
  • Make sure your documentation is in order. While this sounds obvious, its importance cannot be underestimated. Regulators will expect your documentation to be easy to access and understand and for it to clearly answer their questions. In our experience, we have found many regulatory programmes do not have all their documentation ready. At times, as a result, they have been unable to prove that they are where they think they are.

To find out more about preparing a watertight attestation, please  contact us now .

Contact the pa consulting group in Scotland

By using this website, you accept the use of cookies. For more information on how to manage cookies, please read our privacy policy.