Atto complaints policy

1. Purpose and scope

This complaints policy and procedure outlines how Atto manages and resolves complaints in a fair, transparent, and timely manner. It is designed to ensure compliance with:

  • The Financial Conduct Authority (FCA) Handbook, including DISP and PRIN 12 (Consumer Duty);
  • UK GDPR and the Data Protection Act 2018;
  • The Revised Payment Services Directive (PSD2), as transposed into UK law via the Payment Services Regulations 2017.

Although Atto operates primarily as a B2B firm providing Account Information Services (AIS) and seeking authorisation for Credit Information Services (CIS), we recognise that complaints may originate from or relate to underlying consumers. Accordingly, this policy is designed to ensure that all complaints are handled in a manner consistent with FCA DISP requirements, including where complaints are received indirectly via clients or third parties.

This policy applies to all complaints received from, or on behalf of, individuals or organisations relating to Atto's activities.

2. Definition of a complaint

In line with FCA DISP requirements, a complaint is defined as any oral or written expression of dissatisfaction, whether justified or not, made by or on behalf of a customer relating to:

  • The provision, or failure to provide, account information or credit information services;
  • Any aspect of a customer or end-user's interaction with Atto, including:
    • The handling or accuracy of personal data;
    • Consent management under PSD2;
    • Service availability or communication standards;
    • Any decision or conduct by Atto causing, or potentially causing, financial loss, material distress, or inconvenience.

Under DISP 1.3.1A, a complaint may also include:

  • A relevant credit-related complaint;
  • Part of a complaint raised by a third party on behalf of a consumer;
  • A cross-border complaint, where applicable.

For the purposes of this policy, Atto will also assess whether a complainant qualifies as an "eligible complainant" under DISP 2.7, as this determines their right to refer a complaint to the Financial Ombudsman Service.

3. General principles

  • Complainants may submit complaints free of charge, in English, either orally or in writing.
  • All complaints are handled with professionalism, impartiality, and confidentiality.
  • Employees involved in the subject matter of a complaint will not handle that complaint.
  • Atto ensures full compliance with UK GDPR, including individual rights (e.g. access, rectification, erasure) when handling personal data within the complaints process.
  • Where necessary, complaints may be referred to external service providers, in accordance with Atto's outsourcing policy.
  • The complaints process is overseen by the Compliance Function, with appropriate escalation to senior management to ensure independence, consistency, and regulatory compliance.

4. How to submit a complaint

4.1 Oral complaints

Upon receiving an oral complaint, the employee must:

  1. Notify the complainant if the call is being recorded.
  2. Confirm the complainant's identity and any relevant services.
  3. Attempt to resolve the issue immediately.
  4. Log the complaint and its resolution in the ISRR.

If the complaint cannot be resolved promptly, the complaint will be logged and progressed in accordance with this policy. The complainant is not required to submit the complaint in writing.

4.2 Written complaints

Written complaints should include:

  • Company name and relevant employee or service.
  • Complainant's name and contact details.
  • A clear explanation of the issue, including supporting documents.
  • Any preferred resolution.

5. Complaint registration and acknowledgement

All complaints are logged in the Complaints Register (ISRR) within one business day. The register includes:

  • Date of receipt.
  • Complainant and client details.
  • Nature and summary of the complaint.
  • Related agreements or data subject interactions (e.g. under PSD2 consent mechanisms).
  • Assigned handler and expected timeline.

An acknowledgement email is issued within one business day of receipt, outlining next steps.

Where a complaint is resolved to the complainant's satisfaction within three business days following receipt, Atto may issue a Summary Resolution Communication in accordance with DISP 1.5, instead of a formal final response.

5.1 Record keeping

All complaint records, including correspondence, investigation notes, and outcomes, will be retained for a minimum of three years from the date the complaint is received, in line with FCA requirements.

6. Investigation and resolution

The assigned handler will investigate the complaint, consult with relevant staff, and may request further information.

Atto aims to resolve complaints promptly and, where possible, within 15 business days in line with PSD2 requirements.

Where a complaint cannot be resolved within this timeframe, Atto will provide a holding response and will issue a final response no later than eight weeks from receipt of the complaint, in accordance with FCA DISP requirements.

Final responses will:

  • Provide a clear decision and rationale;
  • Detail any remedial actions or goodwill gestures;
  • Include regulatory rights of escalation (e.g. FOS referral).

Where a complaint involves data privacy rights, we will assess the legal basis under UK GDPR and confirm any required actions.

7. Escalation and external resolution

If a complaint remains unresolved or the complainant is dissatisfied, they may escalate to:

Financial Ombudsman Service (FOS)
Exchange Tower, London E14 9SR
Phone: 0800 023 4567
Website: www.financial-ombudsman.org.uk

Financial Services and Pensions Ombudsman (FSPO)
Lincoln House, Lincoln Place, Dublin 2, D02 VH29
Phone: +353 1 567 7000
Website: www.fspo.ie

For eligible complainants under DISP 2.7 (e.g. microenterprises, small businesses, or charities), our final response will include full FOS details and inform the complainant of their right to refer the complaint to the FOS within six months of the date of the final response.

8. Complaints involving affiliates or third parties

If a complaint concerns an affiliate or service provider:

  • Atto will notify the third party and inform the complainant of the referral;
  • Atto maintains oversight and ensures resolution in line with regulatory and contractual duties;
  • Persistent issues involving third parties will be escalated and investigated for systemic risk or breach of obligations under PSD2 or UK GDPR.

Root cause analysis is conducted on material complaints to identify underlying issues and implement appropriate remedial actions to prevent recurrence.

9. Monitoring and continuous improvement

  • All complaints are reviewed monthly and categorised by type, cause, and risk rating.
  • Thematic reviews are held quarterly to identify trends or emerging regulatory risks.
  • Data privacy complaints are flagged and assessed for compliance with UK GDPR.
  • Quarterly complaint summaries, including trend analysis, root cause insights, and remediation actions, are reported to the Executive Team and, where appropriate, the Board.

10. Policy review and availability

This policy is reviewed at least annually or in response to:

  • Changes in FCA or UK regulatory expectations.
  • Amendments to the Payment Services Regulations.
  • UK GDPR updates.
  • Internal audit findings or operational incidents.

Updates are approved by the Head of Compliance and circulated to all staff. The current version is published on Atto's website.

Where a complaint involves personal data, Atto will ensure that any investigation and response complies with UK GDPR requirements, including appropriate handling of data subject rights and data minimisation principles.

Frequently asked questions

What is open banking and how does it work?

Open banking is the practice that allows people and businesses to share up to 12 months of transaction data. Atto is regulated by the Financial Conduct Authority as an Account Information Service Provider (AISP), the intermediary that safely facilitates this process.

What is transaction categorisation?

Transaction categorisation is the process of adding context to raw transaction data. The process gives you an understanding of what your customers spend their money on and where.

How does bank account verification work?

Using the API, Atto matches the details provided by your customer to those on their account. We apply a set of sophisticated algorithms and rules to verify the name, and then tell you what does and does not match.

How do you verify income with open banking?

After a customer shares their data, Atto identifies recurring credits to the account and groups these. Using an algorithm, we identify the monthly income for each income stream. We then return the calculated income and confidence score to you.