As the use of ESG data and ratings has grown in financial services, so has regulators' concern around issues such as data quality, transparency of methodologies and conflicts of interest. The European Commission's proposal for a regulation on ESG rating activities is the latest potential regulatory regime to emerge, following not long after the launch of UK HM Treasury's consultation. With two major jurisdictions now seeking to formally regulate ESG ratings, providers, any firms developing and selling ESG scores, opinions and ratings in Europe should start to evaluate how this could impact their business models.
What is the aim of the Commission's proposal?
The proposal aims to enhance the integrity, transparency, governance and independence of ESG ratings provided in the EU. It is broadly aligned to the existing Benchmarks Regime (BMR), reflecting the close relationship between ESG ratings and benchmarks used in the EU. The risk that benchmark administrators may accidentally or carelessly misuse ESG ratings, leading to the miscalculation of a benchmark, is a key regulatory concern.
What's in scope?
The proposal relates to `ESG ratings'.
An ESG rating is defined as `an opinion, a score or a combination of both, regarding an entity, a financial instrument, a financial product, or an undertaking's ESG profile or characteristics or exposure to ESG risks' where:
- An `opinion' is an assessment which directly involves a rating analyst and is derived from a rules-based methodology or ranking system.
- A `score' is defined similarly, but without the need for the direct involvement of an analyst.
The scope of the ESG characteristics captured is not limited to climate-related issues, but also includes the impact on people, society and broader environmental issues. Similar to the UK proposal, there is no need for the ESG rating to be explicitly labelled as such — therefore products could inadvertently fall into the scope of the regulation.
The regime would apply to all ESG ratings provided to EU `regulated financial undertakings', i.e. regulated financial services providers or funds, with some exceptions for ratings which are developed in-house, by central banks in limited circumstances, or where the rating is not intended to be publicly disclosed or distributed. ESG data which contains no elements of an opinion or score and is not the subject of modelling or analysis before being provided would also be out of scope.
How will the proposed regime be enforced?
EU legal entities which fall into scope will require authorisation by ESMA. ESMA will be responsible for developing the secondary legislation/ Regulatory Technical Standards (RTS) which will further clarify the responsibilities of authorised ESG Ratings providers under the new regime. Providers will have to pay supervisory fees to ESMA in proportion to its annual net turnover.
Entities which are located outside of the EU but provide ratings in the EU would also be regulated (similar to the EU Benchmarks regulation). This could be achieved by the European Commission adopting an equivalence decision for an overseas regime, such as the proposed UK regime. The UK may adopt a similar approach to equivalence.
A second option for overseas entities providing ESG ratings would be to seek endorsement for their ratings from an EU-authorised ESG ratings provider. ESMA would be required to approve the endorsement and the EU entity would take on the risk that inapprorpriate ratings might be provided. For entities based in overseas jurisdictions where ESG ratings regimes are not as developed as in the EU, compliance with IOSCO's recommendations for ESG ratings providers would be considered as equivalent with compliance with the EU regulation.
A final option for a third country provider would be to gain `recognition' from ESMA. In order to do this, the provider would need to have an annual net turnover on its ESG rating activities below EUR 12 million for three consecutive years and a legal representative in the EU to be accountable for the provider's obligations under the regulation.
What are the proposed requirements for providers?
Providers would be required to maintain independence. As currently drafted, ESG rating providers would not be able to offer a number of other services including credit ratings, benchmarks, consulting, audit, investment activities, insurance or banking. Firms should also develop processes to monitor, manage and disclose to ESMA potential independence or conflict of interest issues. ESMA may require the ratings provider to take measures to mitigate conflicts of interest, including establishment of an independent oversight function representing stakeholders or ceasing the activities or relationship that create the conflict of interest.
- Analysts providing ESG opinions would also be subject to independence requirements, including not being able to take up a key management position at an entity for which they have provided an opinion within six months of that opinion.
- Providers must develop written policies to demonstrate that their ESG ratings are based on a thorough consideration of all available information.
- Providers must publish on their website the methodologies, models and key rating assumptions they use in their ESG rating activities.
- The methodologies used by firms to develop ratings must be `rigorous, systematic, objective and capable of validation'. Methodologies must be reviewed at least annually. The sources of data used and how they are used would be subject to strict record-keeping requirements, to the extent that determination of the ESG rating is replicable by another party.
- To set the tone from the top, a permanent and effective oversight function should be established to oversee the end-to-end process of providing ESG ratings including oversight of outsourced functions.
- The regime would be underpinned by powers to enforce penalty fines, including up to 10% of total annual net turnover of the ratings provider. This penalty scheme would bring the regime for ESG ratings broadly into line with the existing regime for credit ratings agencies.
Timeline
The consultation closes on 10 August 2023. The proposal will then move through the EU legislative process, including the development of technical standards (RTS) by ESMA. Assuming no speedbumps, the earliest that we could expect to see agreement on the final regime would be mid-2024 — however this seems ambitious given the European Parliament elections next year and the current book of work. The final Regulation would apply six months after coming into force with providers needing to apply for authorisation from ESMA within this period, although smaller rating providers will be allowed 24 months to apply for authorisation.
Next steps for `ESG Ratings' providers
- Consider the proposed definitions and how they may be applied to existing ESG data / ratings products.
- Perform an impact assessment of the proposed regime, with a focus on governance structures, oversight and managing potential conflicts of interest.
- Benchmarking of the EU proposals against the equivalent UK proposals and voluntary codes of conduct.
- Overseas firms should consider options for structuring their ESG ratings business. For example, in the future will a regulated entity be required within the European Union or will one of the third-country mechanisms be suitable/applicable?