Skip to main content



Search form

ESMA publishes proposals on CRAs internal control functions

05 December 2019

The European Securities and Markets Authority (ESMA), the EU’s securities markets regulator, has launched a consultation on proposed Guidelines on Internal Controls for CRAs, which sets out the systems and controls that credit rating agencies (CRAs) should have in place to meet the requirements of the CRA Regulation (CRAR) on internal controls.

The Guidelines set out the criteria that CRAs should have in place, focusing on their internal controls framework and functions, to demonstrate to ESMA that adequate and effective internal control systems exist to ensure the accuracy and integrity of the credit rating process.

The need for guidance on internal controls was identified in the course of ESMA’s supervisory work during 2017 and 2018, and its development was highlighted as part of its 2019 Supervisory Work Programme.

Steven Maijoor, ESMA Chair, said:

“The accuracy and integrity of credit ratings is fundamental to ensuring that users have reliable sources of information to inform their investment decisions, while supporting investor protection and stable and orderly markets. Investors need to know that those producing the ratings have adequate systems in place to ensure their accuracy and integrity.

“The proposed Guidelines on Internal Controls provide clarity to CRAs as to what ESMA’s expectations are in this area, will promote a more consistent approach to internal controls amongst registered CRAs and set the marker for new entrants to the industry.”

Proposed Guidelines

The CRAR includes a number of requirements relating to the internal control system that a CRA must have in place in order to prevent or mitigate any possible conflicts of interest that may impact the independence of its credit rating activities.  

The proposed Guidelines set out ESMA’s views on the components and characteristics that CRAs should have in place to demonstrate the presence of an effective framework for internal controls and effective internal control functions.

The Internal Controls Framework focuses on a CRA’s:

i       control environment; risk management; control activities; information and communications; and monitoring activities.

While the Internal Controls Functions focus on specific roles, namely:

ii       compliance; review; risk management; information security; and internal audit.

Finally, these guidelines have been developed with a view to accommodating the proportionality that is provided for smaller CRAs under the CRA Regulation.

Next Steps

The closing date for responses is 16 March 2020. ESMA will consider the responses it receives to this CP in Q1 2020 and expects to publish a final report by Q3 2020.