Proposed regulation of ESG Ratings providers

As part of the European Commission's renewed sustainable finance strategy launched in July 2021, it was announced that the European Commission would develop proposals to regulate ESG ratings providers. As part of the package announced on 13 June 2023, the European Commission published the drafttextof a regulation on the transparency and integrity of Environmental, Social and Governance rating activities (ESG Rating Regulation).

For those of you familiar with the EU Benchmarks Regulation, there will be a sense of déjà vu when reading the text as many of the concepts are direct lift and drops from the benchmark regime. It is a relatively concise regulation, without the equivalent obligations that appear in the BMR on "users" of ESG ratings, which is good news for many.

Who does the ESG Rating Regulation apply to?

文本草案声明,它适用于“环境、社会和治理ratings issued by ESG ratings providers operating in the Union that are disclosed publicly or that are distributed to regulated financial undertakings in the Union, under NFRD or public authorities”.

重要的是,第二条(2)sets out what the ESG Rating Regulation does not apply to. This includes:

1. private ESG ratings which are not intended for public disclosure or for distribution;
2. ESG ratings produced by regulated financial undertakings in the Union that are used for internal purposes or for providing in house financial services products;
3. the provision of raw ESG data that does not contain an element of rating or scoring and that is not subject to any modelling or analysis resulting in the development of an ESG rating;
4. credit ratings;
5. products or services that incorporate an element of an ESG rating;
6. second party opinions on sustainability bonds;
7. ESG ratings produced by Member States, public authorities or central banks (subject to certain conditions); and
8. ESG ratings from an authorised ESG rating provider that are made available to users by a third party.

Financial institutions will be pleased to see the carve out at (1) and (2) above for private ESG ratings not publicly disclosed or distributed and for those internally produced that are used for their own products. This is an important carve out for the industry and limits the scope of the ESG Rating Regulation significantly. These exclusions are similar in nature to the proposed carve outs in the UK regime which excludes ratings produced for use intra-group from its ambit.

What is an ESG Rating?

The draft regulation defines an ESG rating as "an opinion, score or combination of both regarding an entity, a financial instrument, a financial product or an undertaking’s ESG profile or characteristics or exposure to ESG risks or the impact on people, society and the environment that are based on an established methodology and defined ranking system or rating categories and that are provided to third parties, irrespective of whether such ESG rating is explicitly labelled as ‘rating’ or ESG score".

ESG Score means a measure derived from data, using a rule-based methodology and based only on a pre-established statistical or algorithmic system or model, without any additional substantial input from an analyst.

Opinion means an assessment that based on a rules-based methodology and defined ranking system of rating categories, involving directly a rating analyst in the rating process or systems process.

These are not dissimilar definitions to the approach taken as to what constitutes an index under the BMR.

Clearly there is a need for the creation of a methodology or system to be applied in the production of the ESG rating. That is helpful to be able to descope those entities whose business is focused on the extraction and distribution of ESG data, rather than ratings or scoring of that data.

What are authorisation requirements on ESG rating providers?

An ESG rating provider means a legal person whose occupation includes the offering and distribution of ESG ratings or scores on a professional basis.

A EU ESG rating provider must apply for authorisation to ESMA and comply with the conditions for authorisation at all times ESMA will maintain a register of ESG ratings providers.

A non-EU ESG rating provider that wants to provide ESG ratings in the EU can only do so if it is included in the ESG rating provider register. A non-EU ratings provider will be included in the register where:

a. equivalence – there is an equivalence decision from the European Commission as to the jurisdiction in which the non-EU ESG rating provider is established;

b. endorsement – an EU ESG rating provider can endorse ESG ratings provided by a third country ESG rating provider in the same group, subject to certain conditions;

c. recognition – a non-EU ESG rating provider with an annual net turnover on ESG rating activities below EUR 12 million for three consecutive years can provide ESG ratings to regulated EU financial institutions subject to recognition from ESMA.

The concepts in the ESG Rating Regulation with respect to non-EU rating providers almost exactly mirror those in the BMR. It is unlikely that any equivalence decision will be made by the European Commission any time soon given that there are few national licensing regimes for ESG rating providers yet in force.

What are the obligations on an ESG Rating provider?

Again, similar to the BMR, the obligations there are a number of obligations that apply to ESG rating providers under the proposed text. These include:

a. independence – requirement for independence of rating activities including from all political and economic influences or constraints;

b. oversight, policies and procedures – ESG rating providers need to employ systems, resources and procedures that are adequate and effective and ESG rating providers need to adopt measures to ensure that their ESG ratings are based on a thorough analysis of all the information that is available to them and in accordance with their methodologies;

c. methodologies – ESG rating providers need to employ methodologies that are rigorous, systematic, objective and capable of validation and such methodologies shall be reviewed on an ongoing basis and at least annually. ESG methodologies also need to be publicly disclosed on their website;

d. knowledge and experience – ESG rating providers need to ensure that analysts and employees have the knowledge and experience necessary for the performance of their duties (this includes an obligation on the firm to review the work of the analyst for the last year prior to their departure in the event they leave the firm);

e. record keeping requirements – prescriptive information is required to be kept by the ESG rating provider;

f. complaints handling – ESG rating providers need a complaints procedure that is published on their website;

g. outsourcing – ESG rating providers cannot outsource important operational functions where such outsourcing would materially impair the quality of the ESG rating provider's internal controls or the ability to be supervised effectively; and

h. conflicts – ESG rating providers need arrangements in place to ensure that their ratings are not affected by conflicts.

Are there any obligations on the users of ESG Ratings?

No. There is no equivalent to the EU BMR Article 28 obligations on users of benchmarks, which is good news for industry. Users and rated entities will be provided with certain information about the ESG rating provider through the disclosure requirements it must satisfy both in terms of its activities and its methodologies. However, there are no other considerations for users other than to ensure that the ESG ratings they are using are being provided by an appropriately authorised firm.