SEC Finds Flaws in Credit Rating Agencies

Nationally recognized statistical rating organizations are lacking in their management of conflicts of interest, as well as information technology and cybersecurity issues, reports the Securities and Exchange Commission.

The SEC issued its annual staff report on the findings of examinations of credit rating agencies registered as nationally recognized statistical rating organizations (NRSROs) and submitted a separate report on NRSROs to Congress. 

“These reports provide the most current and comprehensive picture of the credit rating industry,” said SEC Chairwoman Mary Jo White. “The SEC’s enhanced oversight of NRSROs, informed by risk assessment, regular examinations and policy considerations, provides increasingly robust and effective oversight of the industry, as reflected by overall improvements in compliance, documentation, and board oversight.”

The 2014 exams, which focused on NRSROs’ activities for 2013, include several recommendations from the SEC staff. While the SEC has not determined whether any finding “constitutes a material regulatory deficiency,” it is possible the commission may do so in the future.

The 10 credit rating agencies registered as NRSROs as of Dec. 1, 2014 – A.M. Best Co. Inc. (AMB); DBRS Inc. (DBRS); Egan-Jones Ratings Co. (EJR); Fitch Ratings Inc. (Fitch); HR Ratings de México, S.A. de C.V. (HR); Japan Credit Rating Agency Ltd. (JCR); Kroll Bond Rating Agency, Inc. (KBRA); Moody’s Investors Service Inc. (Moody’s); Morningstar Credit Ratings LLC (Morningstar); and Standard & Poor’s Ratings Services (S&P) – generally remain nameless in specific statements made in the SEC’s report.

One area that drew concern from the SEC was NRSROs’ management of conflicts of interest related to the rating business operations.

The SEC found that all seven of the smaller NRSROs had “weaknesses in policies and procedures concerning certain conflicts of interest or did not sufficiently disclose certain conflicts of interest.”

Of the 10 agencies, one larger and six smaller NRSROs were found by the SEC to have weaknesses in their policies and procedures and controls governing employee securities ownership.

“It is a conflict of interest if an NRSRO allows its personnel to directly own securities or money market instruments or have direct ownership interests in issuers or obligors subject to a credit rating determined by that NRSRO,” states the SEC report.

For example, at one of the smaller NRSROs, the SEC says an analyst participated in determining or approving the ratings of two issuers in which that analyst owned securities.

The SEC staff recommended that this NRSRO enhance its securities ownership policies and procedures, including establishing policies and procedures for the review of a prior rating where a conflict of interest is discovered and for securities divestiture – as this NRSRO did not have policies and procedures in place.

The SEC also found that all three of the larger NRSROs and two of the smaller NRSROs did not have sufficient policies and procedures or controls related to IT or cybersecurity.

The report states, “IT and cybersecurity are increasingly significant components of an NRSRO’s internal control structure … They also often affect an NRSRO’s capacity to publish accurate ratings in a timely fashion.”

The staff recommended that the two smaller NRSROs establish or enhance written IT and cybersecurity policies and procedures and internal controls, and enhance their IT testing and responses to IT-related tests.

In addition, the SEC found that all three of the larger NRSROs had weaknesses in their IT policies and procedures concerning personnel’s access to information that is confidential or otherwise restricted. The staff recommended that all three of the larger NRSROs enhance their internal controls governing access to IT networks, systems, applications, and file shares.

The SEC also found improvements in several areas. Since the SEC’s last report, NRSROs have enhanced their compliance resources, monitoring, and culture, and have improved oversight by their boards of directors or governing committees.

The SEC also found that NRSROs’ document retention in general had gotten better, as had these agencies’ documentation and resources for criteria and model validation.
