SEC publishes annual report on rating agencies

The report highlights compliance issues connected to communication and effective internal controls.

The SEC published its Staff Report on Nationally Recognized Statistical Rating Organizations (NRSROs) last week. This legally mandated annual report summarizes any regulatory findings and actions connected to the NRSROs, including their compliance with relevant laws and rules.

The report includes an NRSRO-specific risk assessment, which determines the focus of the SEC's examinations in any given year. It also discusses competition in this sector as well as industry transparency, and assesses potential conflicts of interest among the rating agencies.

Although it is industry-specific and connected to regulatory monitoring and examinations that took place in 2022 but focused on NRSROs' activities for 2021, the report provides useful insight into some general risks that the regulator continues to be concerned about, including:

  • effective internal controls;
  • changing methods of communication;
  • managing conflicts of interest.

Under pressure

The report points to stresses originating with the Covid-19 pandemic spilling over into the post-pandemic operating environment, increasing workloads and therefore causing problems with rating surveillance practices. Away from the specific NRSRO context, what the SEC seems to be pointing to here are compliance issues with specific policies and procedures not being followed and with pressure on front-line staff compounded by management action to streamline processes “without sufficient controls to ensure appropriate documentation and disclosure.”

The report includes a number of cases where the SEC examinations uncovered problems in this area that potentially constituted material regulatory deficiencies. Problems range from key information missing, which potentially led to incomplete disclosures, to internal communication problems connected with rating models potentially affecting ratings themselves. A common theme connecting many of the cases is the regulator being unhappy with the inability of the firms to maintain and enforce effective internal control, something that is non-negotiable when it comes to effective compliance.

Struggling with messaging

The SEC continues to be concerned about the “increased use of text messaging applications as a means of communication”, which is leading to “an increased likelihood that business communications are conducted through unapproved means and/or that appropriate records are not retained”.

The record fines paid for infractions in this area have been reported widely, but the SEC’s concerns are clearly not limited to the banks. The report is a clear signal of the regulator’s intent to tackle issues around unapproved communication means and record retention in all sectors that it is responsible for.

The report points out the case of a large NRSRO where an unapproved messaging application was used for analytical discussions connected to credit ratings. The SEC’s recommendation to the firm to enforce policies and procedures, appropriately train staff and “institute appropriate discipline with regard to personnel who do not follow such policies” is a very clear warning shot. It underlines the continuing regulatory scrutiny in this area and suggests that further regulatory action is more than simply a possibility. Firms would be well advised to take a long hard look at their own policies and procedures and assess employee compliance with these in order to forestall the risk of being fined and censured.

Conflicts of interest

Another area of communication under regulatory scrutiny is the sharing of information by email. Weaknesses in policies and procedures as well as their enforcement in this area at the NRSROs were identified by the SEC in 2021 and appear to persist.

One example cited in the report was employees sending sensitive information to personal inboxes, something expressly proscribed in order to avoid the unauthorized dissemination of material non-public information. Another example was the use of shared inboxes, which could also lead to unauthorized dissemination of information and potentially breached the Chinese walls between the sales and analytical (or ratings) functions.

Both instances illustrate how easily modern communication methods potentially lead to ethical or conflict of interest issues. Adequate training, coupled with the effective enforcement of the rules, is essential in this context. The penalty levied against S&P in November illustrates the consequences of inadequate focus on this area of business operations.