ESG ratings providers are facing an increasingly diverse landscape of potential regulation, as regulators in the UK, EU and Asia rapidly develop new measures. In the UK, the International Regulatory Strategy Group (IRSG), a cross-sector group of practitioners from the financial and related professional services industry, has been mandated by the FCA to develop a voluntary code of conduct for ESG data and ratings providers. At the same time, HM Treasury (HMT) is consulting on a formal regulatory regime. The European Commission has also proposed a formal regime, which could come into force next year. Meanwhile, there are moves in Japan, Singapore and India to develop local requirements.
Current proposals may evolve as they move through the consultative process, and firms should expect iterative updates to plug gaps that emerge. Equivalence is unlikely to be granted until regimes have settled, and some firms may therefore have to grapple with uneven requirements across jurisdictions.
Ethical, independence and transparency requirements
In line with IOSCO's 2021 recommendations, regulators in the UK, EU and Asia have taken similar approaches to ethical and independence issues, and also to methodological transparency.
Regulators across the board agree that users must be able to fully understand the nature of ratings. Therefore, ratings providers should disclose not only the data points considered, but also their weighting in calculations and the time horizon of assessments. The EU proposes that ratings providers should disclose the extent to which data points are science-based.
Both UK and EU proposals require ratings providers to review the relevance and appropriateness of their methodologies on a regular basis. While the IRSG does not specify a minimum frequency, the EU Commission defines 'regular' as on at least an annual basis.
Ratings are expected to appear, and be, independent. At entity level, ratings providers must also ensure that their business activities do not conflict with the ratings that they provide. The EU proposal is the most restrictive in this respect, and would make a wide range of business activities, including banking, investment and insurance services, benchmark development, issuance of credit ratings, consulting and audit activities, incompatible with authorisation to provide ESG ratings. Other proposals are less stringent, encouraging providers to put in place appropriate measures to maintain the independence and objectivity of different arms of their business.
Proportionality
The EU and the IRSG both appear to offer some leeway for proportionate application of requirements. The IRSG's principles-based framework could be more easily flexed to apply to different sized firms, while the EU's rules-based approach has a specific carve-out for small or medium-sized entities, providing they have already implemented measures and procedures which ensure effective compliance with the rules. However, in practice, the EU proposal is likely to be more burdensome for smaller firms who have to make enhancements to their internal control mechanisms and reporting arrangements.
Divergence in scope
The scope of HMT's proposed regime would include data products which contain an element of assessment. The IRSG's voluntary code of conduct goes further, capturing both ESG ratings and ESG data products. This could include firms providing opinions, scores or rankings of the ESG characteristics of a financial instrument, product or company, as well as firms just providing aggregated data to allow users to assess these ESG characteristics themselves. The EU proposal is narrower, only capturing providers of ESG ratings. A 'rating' includes both ESG 'opinions' and ESG 'scores', with both categories requiring application of a rules-based methodology (by a ratings analyst or statistical model) to raw data before the output is brought into scope.
Audit and assurance requirements
Neither the EU's nor the IRSG's proposals would require audit and assurance of the ratings or data provided. However, under existing credit rating regulations in the UK and EU, ratings providers are required to retain audit trails for a minimum of 5 years. The Benchmarks Regulation (applicable in the EU and on-shored in the UK) goes further, requiring an annual internal review of a benchmark's compliance, and external review for some benchmarks on a biannual basis, to ensure user confidence in the outputs. It is feasible that, over time, requirements for ESG data and ratings regimes will expand to include similar measures — firms should therefore consider conducting appropriate internal review and assurance exercises at an early stage.
Data collection issues
The EU would only require ratings providers to ensure they have made a 'thorough analysis' of all the information available to them, whereas the IRSG voluntary code specifies principles which aim to minimise the burden on the companies being rated to produce information to be consumed by ratings firms. At the stage of data collection, ESG ratings firms would be required to prepopulate data templates with publicly available information before requesting further data, inform companies that they are being rated and disclose the rating methodology. Companies would also have the right to draw the ratings firm's attention to errors or omissions that they identify.
Efforts are underway to standardise the presentation of sustainability information required under the EU Corporate Sustainability Reporting Directive (CSRD). However, potential benefits to ESG ratings providers in terms of availability of data will not be clear until reporting rolls out, beginning in 2024, and may not be fully realised until phasing in of the directive completes in 2029. Moreover, ESG ratings firms in the EU would not be limited to using only the data points required by CSRD, meaning that companies might still need to provide additional information.
| Jurisdiction | Timeline |
| --- | --- |
| UK | 30 June 2023: HMT consultation on formal regulatory regime for ESG ratings providers closed. Timeline for finalisation and application of regime not yet clear. Regime expected to significantly ramp up mandatory requirements. 5 October 2023: IRSG consultation closes, with the voluntary code of conduct to be finalised at the end of 2023. |
| EU | 1 September 2023: EU Commission consultation on proposed Regulation closed. The proposal will now be scrutinised by the European Parliament and Council. Once agreed and adopted, it will be approximately six months before the final Regulation enters into force. |
| Japan | June 2023: Endorsement of Japanese FSA's final code of conduct for ESG evaluation and data providers. June 2024: Code of conduct for ESG data provision expected. |
| Singapore | 22 August 2023: MAS's consultation on a voluntary code of conduct closed. A proposal for a formal regulatory regime should be expected in the future, following the structure of the existing local regime for the provision of credit rating services. |
| India | 11 March 2022: SEBI's consultation on a regulatory framework for ESG rating providers in the securities market closed. |
KPMG in the UK is well placed to support on a range of activities related to the evolving ESG Data and Ratings regulatory landscape. We have the right blend of financial services risk, regulatory authorisation and financial services legal expertise, allowing us to provide turnkey solutions to regulatory challenges within the ESG Data and Ratings space.