Credit ratings agencies have a key role in maintaining market integrity, trust and stability, and minimising risks to consumers. To achieve this, credit ratings agencies need to consider how their activities and risk management processes could affect individuals, businesses, or the wider market. Effective controls and good management information can simplify reporting processes and demonstrate compliance with the FCA’s expectations.
Governance and oversight are two of the FCA’s primary concerns for credit ratings agencies (CRAs), as shown in its Dear CEO letter last October. CRAs need to be independent and have no conflicts of interest when producing credit ratings. As such, the FCA expects to see evidence of sound governance, with effective Board oversight and appropriate internal controls. This includes any work by non-UK companies or individuals. Senior managers must have the appropriate skills and experience to hold their current position.
However, following a review of CRA’s Board structures and documentation, the FCA has highlighted key areas for improvement. The Board was a primary concern, in terms of purpose, influence, and composition. For international organisations, UK Boards often held limited control over UK-based activities with parent Boards holding ultimate decision-making powers. The FCA are concerned that in some instances UK Board meetings were seen as a formality, with limited participation from senior management or support for independent non-executive directors. This could result in CRAs being unresponsive to the UK market and not fully understanding their local risk-profile.
The CRA regulation gives prescriptive rules on Board composition, to include a good range of skills and industry experience, but many firms aren't currently meeting those expectations. For example, some firms don't have the necessary number of independent non-executive directors (iNEDs), or the range of skills for effective challenge or succession planning. CRAs need a robust process for iNED selection, to ensure they're suitable experienced, and senior management must to be open to challenge from them. There was also variation in individual Board members’ understanding of the key risks, so further training could improve the quality of discussion. These elements can have a knock-on effect on oversight and governance, with the tone set at the top.
In its review, the FCA also saw disparity in Board effectiveness. While some Boards reflected active participation and discussion from all members, supported by good management information and clear follow-up actions; others weren't the case. Documentation often lacked coverage of key risk indicators, missed important information or didn’t accurately reflect the business. These factors can all hamper a Board’s ability to make informed decisions and proactively mitigate risks.
CRAs must follow robust methodologies for credit ratings, to uphold market integrity and trust. They should be subject to model validation, back-testing and review of the underlying assumptions. When errors or regulatory breaches do occur, firms should notify the FCA promptly, giving sufficient context to review what’s happened and why, and take action to resolve them. The FCA will review regulatory notifications to make sure potential errors and breaches and managed effectively, it will also carry out sot check so assess rating actions and changes in ratings methodologies.
The FCA only regulates some CRA activities, such as credit ratings. Other areas, such as ESG or cyber risk ratings are increasingly big business. However, they aren’t currently regulated so underlying methodologies may not be as robust and firms may not monitor conflicts of interest as closely. As such, transparency is essential so investors can make informed decisions about how they use that rating or scoring information.
While the CRA is dominated by a few large players, many smaller firms can offer more boutique services or provide specialist sector insight. Regardless of size or position in the market, all firms need to comply with the CRA Regulation and effectively govern regulated activities, with an understanding of how unregulated activities affect the risk profile. The FCA will be monitoring perimeter risk closely minimise the impact of unregulated activity on credit ratings and the wider market.
Inability to provide accurate and up to date credit ratings could cause financial harm to consumers and affect market integrity. Use of third parties, in-sourcing, and outsourcing is integral to many CRAs’ business models, so these are key areas of concern for operational resilience. With current skills shortages, it’s also vital to effectively manage people risks – particularly for specialist analytical positions. Transparency is essential to map critical processes and make contingency plans to resume services following a service outage.
Where service outages do occur, CRAs need to proactively find the root cause and strengthen internal controls to reduce the potential for a repeat outage or prolonged disruption. Firms must test their operational disruption thresholds, and inform the FCA of any material operational incidents.
CRAs need to meet all the FCA’s regulatory requirements as they continue to evolve over time. To achieve this, firms must proactively scan the regulatory horizon and stay up to date with all emerging themes. This includes expectations around the sale of credit rating data, potential regulation of ESG ratings providers and enhancing accountability through the Senior Managers and Certification Regime.
Moving under FCA regulation isn’t easy and it takes time to work out what’s needed under each regulatory framework and action them in a way that’s sustainable and cost-effective. It’s essential to create synergies and draw on regulatory expertise to ensure compliance and benchmark good practice. Starting with the Board, it’s important to set the tone from the top down to establish a good risk management culture and associated governance processes.
For more insight and guidance, get in touch with Paul Young.
