Widening the Net
October 4th, 2024
On Wednesday 4 September, the U.S. Securities and Exchange Commission (SEC) fined six Nationally Recognized Statistical Rating Organizations (NRSROs)—aka ratings agencies—for failures to properly maintain and preserve electronic communications, a breach of federal securities laws. In addition to paying substantial fines, four of the firms will also be required to retain a compliance consultant.
The actions by the SEC were not unexpected. The SEC and the Commodity Futures Trading Commission (CFTC) have imposed over $3.3bn in fines on financial firms since late-2021. This latest action signals that the SEC is now widening the net beyond financial firms, to include other federally regulated companies.
This is not the first time the SEC has sanctioned ratings agencies. In recent years, firms have been sanctioned for lapses of controls related to ratings adjustments, or mismanagement of conflicts of interest. But the recent fines are generally larger. And the fact that several of the latest fines were announced simultaneously seems to signal that the SEC is now putting ratings firms on notice.
The fact that the SEC now has rating agencies in its sights shouldn’t come as a surprise. It’s well known that ratings agencies are subject to specific recordkeeping regulations. While the provisions related to ratings agencies (SEC Rule 17g-2)are distinct from recordkeeping provisions governing financial firms ((Rule 17a-4), the reasoning behind both sets of provisions is similar: communications of employees who work for both financial institutions and ratings agencies frequently involve highly sensitive data which, if released into the public domain, could affect a security’s price or market.
Ratings agencies bring added concerns. For example, because a change in a listed company’s credit rating could affect the company’s share price, ratings agencies are expected to have controls around their ratings methodologies, internal discussions about changes, misuse of material non-public information [MNPI], and conflicts of interest. One control is the requirement for ratings agencies to record and retain communications related to “initiating, determining, maintaining, monitoring, changing, or withdrawing a credit rating.”
The SEC also relies on records of telephone and electronic communications to determine if ratings agencies have engaged in conflict-of-interest breaches. So clearly, not recording off-channel communications could deprive the regulator of evidence they would need to investigate suspected breaches.
How Wide Can the Net Be Cast?
Given their unique nature and ability to influence the price of securities, ratings agencies will always be subject to specific SEC rules, which other types of non-financial firms (for example law firms) are not required to follow.
That said, lawyers can’t completely throw caution to the wind. Securities regulations broadly apply to everyone. Hence the SEC is able to bring, and in fact has brought, actions against individuals who have access to MNPI and could misuse it. This includes individuals who fall outside of the sphere of the SEC’s typical domain for sanctions, for example lawyers acting as advisors (and their associates who could come into possession of MNPI).
How to Avoid Getting Caught in the Net
If the latest round of sanctions and fines hasn’t given the C-suite at ratings agencies reason for pause, it should. Just like their financial counterparts, ratings agencies must have a compliance function. In addition to rethinking their own behaviour with respect to business communications, ratings agencies need to give serious consideration to raising the profile of the compliance department and control functions within the firm. They also need to make sure they are paying careful attention to recording and monitoring of regulated employee communications. ratings agencies, like financial firms, are now clearly under pressure to get their houses in order in these respects.
For more information on NICE Actimize solutions for financial markets compliance that help FIs meet regulatory obligations, go here.
