First credit rating agencies portfolio lette
What has happened?
In February 2022, the FCA issued its first portfolio letter to credit rating agencies (CRAs).
What do you need to do?
The FCA issued the letter to all firms in the CRA portfolio to communicate what it expects CRAs to do to minimise risks to consumers, market integrity or competition from CRAs’ failures to meet regulatory requirements. It also sets out key elements of what the FCA will do to supervise firms in the portfolio.
The FCA supervises CRAs according to the EU Credit Rating Agencies Regulation, as amended by the CRA Regulations (EU Exit) 2019 (referred to collectively as the ‘CRA Regulation’). It is important that firms understand the FCA’s approach to supervising them, their responsibility to act in accordance with the requirements of the CRA Regulation, and that they can demonstrate this to the FCA.
First and foremost, the FCA expects firms to adopt an open and cooperative relationship with the regulator, which, in line with the FCA’s Approach to Supervision, takes a holistic approach to supervising this portfolio and therefore, if the firm or the group to which it belongs also undertakes unregulated activities, it may assess these unregulated activities as part of its supervision of the regulated activities.
In accordance with the CRA Regulation, credit rating activities must be conducted in keeping with the principles of integrity, transparency, responsibility, good governance and independence. To deliver on these principles all firms should have a sound governance and oversight framework, suited to the size and nature of their operations, which focuses on the delivery of independent and high-quality ratings and methodologies by capable staff, using robust systems.
Regardless of whether firms have an issuer or investor pays business model, they must demonstrate an ability to effectively manage potential conflicts of interest. Activities outside the regulatory perimeter may also impact credit rating activities and firms must demonstrate that they have considered and are actively managing potential risks.
The FCA’s data strategy is a core component of its supervision strategy, and it will identify potential and actual risks of harm by reviewing regulatory reporting, alongside other key risk indicators.
Firms should consider the risks outlined below, how they monitor these risks and whether they have appropriate strategies in place to address them.
Ratings process and methodologies
The FCA considers the quality of the ratings process, the quality of methodologies and the adequacy of disclosures as the primary drivers of the independence and accuracy of credit ratings. Its supervision approach focuses on the application of firms’ processes and their outcome.
The FCA has observed that the current standard of regulatory notifications by firms (e.g. the identification of errors in methodologies/model processes and actual or potential breaches of the CRA Regulation) is inconsistent in terms of timeliness and meaningful content. It sees in some firms a level of reported errors and breaches which may indicate deficiencies of a more serious nature. If ratings are assigned in a manner that compromises their quality, this may lead to significant or unexpected ratings transition or withdrawals, with consequent risks to market confidence and integrity.
Methodologies, inclusive of models and key rating assumptions, are fundamental to the assignment of credit ratings. These must be rigorous, systematic, continuous and subject to validation based on historical experience, including back-testing. Errors in methodologies or their application, and biases in the methodology development process could negatively affect the quality and integrity of the output.
In some instances, firms’ rationales for methodology updates and changes to the review process lack detail and transparency. This could lead to the risk that ratings are not accurate or independent indicators of creditworthiness, leading in turn to substandard quality and potential market disruptions.
Addressing any weaknesses in ratings process and methodologies should be a priority for firms. The FCA expects them to meet their obligation for regulatory notifications on a timely basis, with the appropriate level of detail. Firms should therefore review policies and procedures for regulatory notifications to ensure they are fulfilling these requirements. Where there are errors in methodologies or processes and breaches of the CRA Regulation, firms should conduct analysis to assess root causes and take corrective actions. They should document clearly their ratings processes and explain thoroughly the key risk factors considered when assigning ratings. The FCA expects them to mitigate any conflicts of interest in their methodology development and review processes, and to disclose with a clear rationale any updates to methodologies or processes. Where a firm incorrectly applies its methodologies and ratings process, the FCA expects it to inform the FCA of these errors and the actions taken to correct them.
The FCA will review regulatory notifications to check that firms are actively identifying potential errors and breaches and reporting them according to the CRA Regulation. It will undertake spot checks, which may include targeted reviews of rating actions, methodology updates, and the process leading to methodology changes. It will supervise firms’ management of these risks and will take action against firms that fall short of expectations.
Governance and oversight
The FCA’s supervision approach focuses on firms’ conduct risk framework, whether they have effective governance arrangements in place to identify the risk of harm to consumers and markets, and whether they have a strategy in place to manage and mitigate those risks. In particular, the CRA Regulation requires that senior management is of good repute and is sufficiently skilled and experienced to ensure the sound and prudent management of the firm.
For this portfolio, the FCA has observed varying levels of board effectiveness and it has concerns about the robustness of risk frameworks given the nature of global group structures and the use of resources outside the UK. If board governance is not sufficiently strong or board-level accountability is not clear or if there are gaps in oversight and independent challenge or weak internal control frameworks, the risk of low-quality ratings will be high.
The FCA expects firms to exhibit sound governance through effective board oversight and an internal control structure to ensure an independent ratings process and methodologies that are free from conflicts of interest. Where a firm is using non-UK based resources to deliver any aspect of its internal control framework and/or process for issuing credit ratings, it will be expected to implement governance and control arrangements to oversee these activities, to assess the skills of senior management against the requirements of the CRA Regulation and to demonstrate that the standard is met.
The FCA will assess the effectiveness of board oversight, which will include reviewing board documentation and meeting with selected board members. It will assess firms’ internal control structures, including reliance on and oversight of non-UK based staff and arrangements, and senior management skills. It will challenge firms and expect improvements if they are unable to demonstrate adequate oversight.
Market and perimeter risks
The FCA-regulated CRA portfolio reflects the global industry, which is concentrated among a small number of large firms. Whilst smaller CRAs may not have the profile or resources of their larger competitors, they have an important role to play in financial markets by providing alternative opinions and in some cases specialist sector knowledge. Smaller firms must also invest sufficiently in people, processes and systems to ensure the quality of their credit rating activities.
CRAs are increasingly active outside the regulatory perimeter through the provision of a variety of unregulated data, research and analytics (e.g. credit assessments and cyber risk ratings) beyond regulated credit ratings. As CRAs expand these product offerings, this may introduce conflicts of interest which, if not identified and managed, could impact the quality and independence of regulated credit rating activities.
Environmental, Social and Governance (ESG) is a growing area of focus across the portfolio, with increasing investor focus on ESG risk factors and some firms expanding their product offerings to include ESG ratings, scores and data. For those products which are not credit ratings, and which therefore sit outside the FCA’s current regulatory remit, it is important that CRAs make this distinction clear to prevent investor confusion. Where CRAs are sharing resources and data across the regulatory perimeter, there should be appropriate governance arrangements and management of conflicts of interest.
To promote competition in the interests of the market, the FCA will publish a market share report for UK registered CRAs. It will be proactive at the boundaries of the regulatory perimeter, especially where unregulated activities may impact regulated activities and it will assess areas outside the regulatory perimeter to the extent they may impact credit ratings, or where it considers there is potential risk.
Operational resilience and resourcing
Operational resilience is key for all FCA-regulated firms as disruptions can cause harm to consumers and, for some firms, may risk market integrity. For CRAs in particular, failure to provide timely and accurate credit ratings could result in misinformation and potential inappropriate allocation of capital. Given the dependence on technology, market disruption may occur if key systems or tools integral to the ratings process are not functioning or compromised.
The FCA has observed cases where firms did not understand their obligation to inform it of information security incidents.
Many firms have a growing reliance on outsourcing aspects of the ratings process to affiliated group entities and/or third-party providers. Where a firm operates this model, the robustness of processes and internal controls framework must be maintained. The FCA has observed a lack of visibility of how these arrangements are being managed and assessed for additional risks.
Further, in light of the challenging working environment due to the pandemic, organisational changes following Brexit and competitive dynamics of the market, the FCA has noted instances of actual or potential key person dependencies and difficulties in attracting or retaining analytical staff. Where resource constraints are not addressed, ratings may suffer in quality. The assignment of new ratings should not have a negative impact on firms’ capability and obligation to maintain the accuracy of existing ratings through their surveillance process.
The FCA expects firms to be operationally resilient against multiple forms of disruption and to address the root cause for repeated incidents – this applies to larger and smaller firms. Where disruption does occur, firms should notify the FCA and should have robust and quick-to-implement alternative arrangements which they test regularly. Regarding firms outsourcing to deliver credit rating activities, the FCA expects them to assess their requirements and ensure that analytical staff have the appropriate knowledge, experience and capacity to deliver high quality ratings and to monitor these on an ongoing basis.
Where there is a material operational incident, the FCA will engage with firms to understand the cause and the effectiveness of the remedies. If firms fail to inform the FCA, it may take regulatory action. It will provide feedback later in the year to firms that responded to its operational resilience and cyber questionnaires and it will review firms’ monitoring of resourcing arrangements
Other areas of work impacting the portfolio
Accessing and using wholesale data – The FCA will undertake, by the end of 2022, a market study looking at competition in the sale of credit rating data. The study will look at issues such as pricing and contractual relationships, barriers to entry and the scope for and level of innovation.
ESG ratings – In 2021, the Government published a roadmap, Greening Finance: A Roadmap to Sustainable Investing, setting out plans for sustainable finance policy, including potential regulation of ESG data and ratings providers. The FCA will continue its engagement with HM Treasury on this topic. Following the FCA’s consultation paper on enhancing climate-related disclosures by standard listed companies (CP21/18), it will publish a feedback statement on topics covered in the discussion chapter of that consultation, including ESG data and ratings providers, in the first half of 2022.
Senior Managers and Certification Regime (SM&CR) – While SM&CR does not currently apply to CRAs, the FCA has made public in the Perimeter Report 2020/2021 its view that it would like to extend it to this portfolio, and it is discussing this with HMT.
The FCA’s overall expectation of CRA firms
CRA firms should consider the issues raised in this letter and how they have addressed them.
How can we help you with credit compliance?
If you would like to know more about how we can help you with your credit rating activities, credit compliance or with any other regulatory compliance issues, our specialist team is here to help.
Contact us today on 0207 436 0630 – or email info@thistleinitiatives.co.uk.