17 CFR § 240.17g-8 - Policies, procedures, and internal controls.
(a) Policies and procedures with respect to the procedures and methodologies used to determine credit ratings. A nationally recognized statistical rating organization must establish, maintain, enforce, and document policies and procedures reasonably designed to ensure:
(1) That the procedures and methodologies, including qualitative and quantitative data and models, the nationally recognized statistical rating organization uses to determine credit ratings are approved by its board of directors or a body performing a function similar to that of a board of directors.
(2) That the procedures and methodologies, including qualitative and quantitative data and models, the nationally recognized statistical rating organization uses to determine credit ratings are developed and modified in accordance with the policies and procedures of the nationally recognized statistical rating organization.
(3) That material changes to the procedures and methodologies, including changes to qualitative and quantitative data and models, the nationally recognized statistical rating organization uses to determine credit ratings are:
(i) Applied consistently to all current and future credit ratings to which the changed procedures or methodologies apply; and
(ii) To the extent that the changes are to surveillance or monitoring procedures and methodologies, applied to current credit ratings to which the changed procedures or methodologies apply within a reasonable period of time, taking into consideration the number of credit ratings impacted, the complexity of the procedures and methodologies used to determine the credit ratings, and the type of obligor, security, or money market instrument being rated.
(4) That the nationally recognized statistical rating organization promptly publishes on an easily accessible portion of its corporate Internet Web site:
(i) Material changes to the procedures and methodologies, including to qualitative models or quantitative inputs, the nationally recognized statistical rating organization uses to determine credit ratings, the reason for the changes, and the likelihood the changes will result in changes to any current credit ratings; and
(ii) Notice of the existence of a significant error identified in a procedure or methodology, including a qualitative or quantitative model, the nationally recognized statistical rating organization uses to determine credit ratings that may result in a change to current credit ratings.
(5) That the nationally recognized statistical rating organization discloses the version of a credit rating procedure or methodology, including the qualitative methodology or quantitative inputs, used with respect to a particular credit rating.
(b) Policies and procedures with respect to credit rating symbols, numbers, or scores. A nationally recognized statistical rating organization must establish, maintain, enforce, and document policies and procedures that are reasonably designed to:
(1) Assess the probability that an issuer of a security or money market instrument will default, fail to make timely payments, or otherwise not make payments to investors in accordance with the terms of the security or money market instrument.
(2) Clearly define each symbol, number, or score in the rating scale used by the nationally recognized statistical rating organization to denote a credit rating category and notches within a category for each class of credit ratings for which the nationally recognized statistical rating organization is registered (including subclasses within each class) and to include such definitions in Exhibit 1 to Form NRSRO (§ 249b.300 of this chapter).
(3) Apply any symbol, number, or score defined pursuant to paragraph (b)(2) of this section in a manner that is consistent for all types of obligors, securities, and money market instruments for which the symbol, number, or score is used.
(c) Policies and procedures with respect to look-back reviews. The policies and procedures a nationally recognized statistical rating organization is required to establish, maintain, and enforce pursuant to section 15E(h)(4)(A) of the Act (15 U.S.C. 78o-7(h)(4)(A)) must address instances in which a review conducted pursuant to those policies and procedures determines that a conflict of interest influenced a credit rating assigned to an obligor, security, or money market instrument by including, at a minimum, procedures that are reasonably designed to ensure that the nationally recognized statistical rating organization will:
(1) Promptly determine whether the current credit rating assigned to the obligor, security, or money market instrument must be revised so that it no longer is influenced by a conflict of interest and is solely a product of the documented procedures and methodologies the nationally recognized statistical rating organization uses to determine credit ratings; and
(2)
(i) Promptly publish, based on the determination of whether a current credit rating referred to in paragraph (c)(1) of this section must be revised (as applicable):
(A) A revised credit rating, if appropriate, and include with the publication of the revised credit rating the information required by § 240.17g-7(a)(1)(ii)(J)(3)(i); or
(B) An affirmation of the credit rating, if appropriate, and include with the publication of the affirmation the information required by § 240.17g-7(a)(1)(ii)(J)(3)(ii).
(ii) If the credit rating is not revised or affirmed pursuant to paragraph (c)(2)(i) of this section within fifteen calendar days of the date of the discovery that the credit rating was influenced by a conflict of interest, publish a rating action placing the credit rating on watch or review and include with the publication an explanation that the reason for the action is the discovery that the credit rating was influenced by a conflict of interest.
(d) Internal control structures. A nationally recognized statistical rating organization must take into consideration the factors identified in paragraphs (d)(1) through (4) of this section when establishing, maintaining, enforcing, and documenting an effective internal control structure governing the implementation of and adherence to policies, procedures, and methodologies for determining credit ratings pursuant to section 15E(c)(3)(A) of the Act.
(1) With respect to establishing the internal control structure, the nationally recognized statistical rating organization must take into consideration:
(i) Controls reasonably designed to ensure that a newly developed methodology or proposed update to an in-use methodology for determining credit ratings is subject to an appropriate review process (for example, by persons who are independent from the persons that developed the methodology or methodology update) and to management approval prior to the new or updated methodology being employed by the nationally recognized statistical rating organization to determine credit ratings;
(ii) Controls reasonably designed to ensure that a newly developed methodology or update to an in-use methodology for determining credit ratings is disclosed to the public for consultation prior to the new or updated methodology being employed by the nationally recognized statistical rating organization to determine credit ratings, that the nationally recognized statistical rating organization makes comments received as part of the consultation publicly available, and that the nationally recognized statistical rating organization considers the comments before implementing the methodology;
(iii) Controls reasonably designed to ensure that in-use methodologies for determining credit ratings are periodically reviewed (for example, by persons who are independent from the persons who developed and/or use the methodology) in order to analyze whether the methodology should be updated;
(iv) Controls reasonably designed to ensure that market participants have an opportunity to provide comment on whether in-use methodologies for determining credit ratings should be updated, that the nationally recognized statistical rating organization makes any such comments received publicly available, and that the nationally recognized statistical rating organization considers the comments;
(v) Controls reasonably designed to ensure that newly developed or updated quantitative models proposed to be incorporated into a credit rating methodology are evaluated and validated prior to being put into use;
(vi) Controls reasonably designed to ensure that quantitative models incorporated into in-use credit rating methodologies are periodically reviewed and back-tested;
(vii) Controls reasonably designed to ensure that a nationally recognized statistical rating organization engages in analysis before commencing the rating of a class of obligors, securities, or money market instruments the nationally recognized statistical rating organization has not previously rated to determine whether the nationally recognized statistical rating organization has sufficient competency, access to necessary information, and resources to rate the type of obligor, security, or money market instrument;
(viii) Controls reasonably designed to ensure that a nationally recognized statistical rating organization engages in analysis before commencing the rating of an “exotic” or “bespoke” type of obligor, security, or money market instrument to review the feasibility of determining a credit rating;
(ix) Controls reasonably designed to ensure that measures (for example, statistics) are used to evaluate the performance of credit ratings as part of the review of in-use methodologies for determining credit ratings to analyze whether the methodologies should be updated or the work of the analysts employing the methodologies should be reviewed;
(x) Controls reasonably designed to ensure that, with respect to determining credit ratings, the work and conclusions of the lead credit analyst developing an initial credit rating or conducting surveillance on an existing credit rating is reviewed by other analysts, supervisors, or senior managers before a rating action is formally taken (for example, having the work reviewed through a rating committee process);
(xi) Controls reasonably designed to ensure that a credit analyst documents the steps taken in developing an initial credit rating or conducting surveillance on an existing credit rating with sufficient detail to permit an after-the-fact review or internal audit of the rating file to analyze whether the analyst adhered to the nationally recognized statistical rating organization's procedures and methodologies for determining credit ratings;
(xii) Controls reasonably designed to ensure that the nationally recognized statistical rating organization conducts periodic reviews or internal audits of rating files to analyze whether analysts adhere to the nationally recognized statistical rating organization's procedures and methodologies for determining credit ratings; and
(xiii) Any other controls necessary to establish an effective internal control structure taking into consideration the nature of the business of the nationally recognized statistical rating organization, including its size, activities, organizational structure, and business model.
(2) With respect to maintaining the internal control structure, the nationally recognized statistical rating organization must take into consideration:
(i) Controls reasonably designed to ensure that the nationally recognized statistical rating organization conducts periodic reviews of whether it has devoted sufficient resources to implement and operate the documented internal control structure as designed;
(ii) Controls reasonably designed to ensure that the nationally recognized statistical rating organization conducts periodic reviews or ongoing monitoring to evaluate the effectiveness of the internal control structure and whether it should be updated;
(iii) Controls reasonably designed to ensure that any identified deficiencies in the internal control structure are assessed and addressed on a timely basis;
(iv) Any other controls necessary to maintain an effective internal control structure taking into consideration the nature of the business of the nationally recognized statistical rating organization, including its size, activities, organizational structure, and business model.
(3) With respect to enforcing the internal control structure, the nationally recognized statistical rating organization must take into consideration:
(i) Controls designed to ensure that additional training is provided or discipline taken with respect to employees who fail to adhere to requirements imposed by the internal control structure;
(ii) Controls designed to ensure that a process is in place for employees to report failures to adhere to the internal control structure; and
(iii) Any other controls necessary to enforce an effective internal control structure taking into consideration the nature of the business of the nationally recognized statistical rating organization, including its size, activities, organizational structure, and business model.
(4) With respect to documenting the internal control structure, the nationally recognized statistical rating organization must take into consideration any controls necessary to document an effective internal control structure taking into consideration the nature of the business of the nationally recognized statistical rating organization, including its size, activities, organizational structure, and business model.