The SEC has announced charges against six nationally recognized statistical rating organizations, or NRSROs, for what the agency alleges are failures by the firms and their personnel to maintain and preserve electronic communications.
The firms admitted the facts set out in their respective orders and agreed to pay combined civil penalties of more than $49m, as detailed below. The SEC said the firms have each begun implementing improvements to their compliance policies and procedures to address these violations.
Each of the firms was charged with violating SEC Rule 17g-2(b)(7), which pertains to the records required to be made and retained specifically by nationally recognized statistical rating organizations.
The firms charged in this sweep include:
- Moody’s Investors Service, Inc. agreed to pay a $20m civil penalty;
- S&P Global Ratings agreed to pay a $20m civil penalty;
- Fitch Ratings, Inc. agreed to pay an $8m civil penalty;
- HR Ratings de México, S.A. de C.V. agreed to pay a $250,000 civil penalty;
- A.M. Best Rating Services, Inc. agreed to pay a $1m civil penalty; and
- Demotech, Inc. agreed to pay a $100,000 civil penalty.
Each of the credit rating agencies, with the exception of A.M. Best and Demotech, was ordered to retain a compliance consultant.
Significant cooperation
The SEC said that A.M. Best and Demotech engaged in significant efforts to comply with the recordkeeping requirements relatively early as registered credit rating agencies and otherwise cooperated with the SEC’s investigations. As a result, they will not be required to retain a compliance consultant under the terms of their settlements.
For example, A.M. Best took steps to ensure that employees’ firm-issued devices were equipped with mobile device management technology to ensure electronic communications, including text messages, were maintained and preserved and restricted users’ ability to download non-approved software.
And the company introduced additional or revised policies and procedures regarding use of electronic communications, including by requiring employees to submit quarterly certifications as to their compliance with its electronic communications policies.
Referring to Demotech, the SEC said the business initiated a training program to educate employees about the regulatory requirements of its new status as an NRSRO, including recordkeeping of communications. It also implemented a new policy delineating approved and unapproved methods of communicating about Demotech business and setting forth a procedure for preserving any unsolicited messages on unapproved messaging platforms.
Demotech also implemented controls regarding the new policy, including trainings, periodic reminders, quarterly certifications, and surveillance, and the company disciplined two employees who failed to comply with record retention requirements.