internal controls

SEC Charges Rating Agency Morningstar with Failures of Disclosure and Internal Controls in CMBS Rating Model Adjustments

 

On February 16, the Securities and Exchange Commission (SEC) filed a civil action in federal district court in the Southern District of New York against the former credit ratings agency, Morningstar Credit Ratings LLC, regarding alleged failure to disclose and maintaining internal control provisions in violation of federal securities law in its CMBS ratings practice. The complaint alleges that, in 30 transactions rated by Morningstar between 2015 and 2016, Morningstar failed to disclose that its rating criteria permitted analysts to adjust property cash flow and valuation stresses on a “loan-specific basis,” which resulted in lower expected losses on CMBS classes and the assignment of credit ratings and failed to adequately maintain a system of internal controls to ensure adherence to its ratings criteria. The complaint alleges violations of the Securities Exchange Act of 1934 against Morningstar and seeks injunctive relief, disgorgement and civil penalties. Release.

Federal Reserve Updates Risk Management Supervisory Guidance for Smaller FBOs

On June 8, 2016, the Federal Reserve updated its Supervisory Guidance that partially supersedes SR letter 95-51, “Rating the Adequacy of Risk Management and Internal Controls at State Member Banks and Bank Holding Companies.”  The guidance clarifies Board and senior management oversight of risk management, policies, procedures and limits, risk monitoring and MIS, and internal controls.  One revision extends the applicability of the guidance to the U.S. operations of foreign banking organizations with total consolidated U.S. assets of less than $50 billion (such as ISP), which were not previously subject to SR 95- 51. The guidance notes, however, that FBO risk management processes and control functions for the U.S. operations may be implemented domestically or outside of the U.S. and in cases where the functions are performed outside of the U.S., the FBO’s oversight function, policies and procedures, and information systems need to be sufficiently transparent to allow U.S. supervisors to assess their adequacy.

Additionally, the FBO’s U.S. senior management need to demonstrate and maintain a thorough understanding of all relevant risks affecting the U.S. operations and the associated management information systems, used to manage and monitor these risks within the U.S. operations.  With respect to Board responsibilities, the guidance states in a footnote: “For the purpose of this guidance, for foreign banking organizations, ‘board of directors’ refers to the equivalent governing body of the U.S. operations of the FBO.”

The guidance goes on further to state that:

The board of directors should collectively have a balance of skills, knowledge, and experience to clearly understand the activities and risks to which the institution is exposed.  The board of directors should take steps to develop an appropriate understanding of the risks the institution faces, through briefings from experts internal to their organization and potentially from external experts.  The institution’s management information systems should provide the board of directors with sufficient information to identify the size and significance of the risks.  Using this knowledge and information, the board of directors should provide clear guidance regarding the level of exposures acceptable to the institution and oversee senior management’s implementation of the procedures and controls necessary to comply with approved policies, the guidance states.

IOSCO Consults on Rating Agency Internal Controls

On May 25, IOSCO published a consultation report describing internal controls and procedures that rating agencies use to promote the integrity of the rating process and address conflicts of interest. IOSCO is seeking the views of stakeholders and rating agencies to assist it with further analysis of rating agency internal controls and procedures. Comments must be submitted by July 9. IOSCO Release. IOSCO Report.