On February 16, 2021, the Securities and Exchange Commission (“SEC”) filed a civil complaint against Morningstar Credit Ratings LLC (“Morningstar”), a credit rating agency, alleging violations of the disclosure and internal controls provisions of the federal securities laws based on Morningstar’s ratings of commercial mortgage-backed securities (“CMBS”).1 In bringing this complaint, the SEC stressed the importance of internal controls measures and full disclosure of rating methodologies for credit rating agencies.
According to the complaint, from 2015 to 2016, Morningstar permitted credit rating analysts to make undisclosed adjustments in its rating methodology for thirty CMBS transactions totaling $30 billion. Morningstar’s models stress-tested cash flows and valuation measures based on different economic environments, and Morningstar ultimately failed to disclose that its analysts could change stress-testing factors to benefit issuers. The SEC alleges that adjustments were “overwhelmingly used to ease those stresses, which lowered expected losses for many classes” of bonds that Morningstar rated.2 According to the SEC, Morningstar was required to disclose these adjustments to investors.3
Furthermore, the SEC alleges that Morningstar failed to establish and enforce an adequate internal control structure governing CMBS transactions. According to the SEC, Morningstar’s internal control structure “omitted elements designed to assess whether its analysts appropriately implemented the ‘loan-specific’ stress adjustments.”4 Specifically, under Morningstar’s internal controls, an analyst could employ loan-specific adjustments for reasons unrelated to specific loans or individual properties securing those loans. Further, Morningstar’s written methodology for determining ratings omitted any criteria for how, why, or when to make these “loan-specific” stress adjustments and did not require its analysts to provide reasoning for the adjustments.
II. Credit Rating Agencies
Credit rating agencies serve an important function in the market by evaluating credit risk, pricing securities and guiding investment decisions. Congress first authorized the SEC to establish oversight over credit agencies in the Credit Rating Agency Reform Act of 2006. The legislation requires credit rating agencies to submit to the SEC and annually certify information regarding the procedures and methodologies that an agency will use in determining credit ratings. Securities Exchange Act of 1934 Rule 17g-1 requires that credit rating agencies provide a description of procedures that is “sufficiently detailed to provide users of credit ratings with an understanding of the processes.”5
The Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank Act”) increased regulation of credit rating agencies by requiring that each credit rating agency establish effective internal controls to ensure that the agency adheres to its own procedures when determining a credit rating.6 The SEC later adopted rules, based upon the Dodd-Frank Act, requiring rating agencies to disclose the version of the ratings methodology used to determine each credit rating when each rating is published.7
CMBS are bonds tied to loans on malls, office buildings, and other commercial properties. Loans are typically grouped into tranches and assigned investment ratings, from AAA to BB+ and below, depending on the credit risk. By using undisclosed adjustments to lower expected losses, a credit rating agency could assign higher credit ratings to a class of bonds, which would benefit the issuer at the expense of the investor. In this case, the SEC alleged that Morningstar used the adjustments to rate millions of dollars of CMBS as “investment-grade securities, when Morningstar would have rated those securities as below-investment-grade had Morningstar rated the CMBS in accordance with its disclosed methodology.”8
III. SEC Enforcement
Daniel Michael, Chief of the SEC Enforcement Division’s Complex Financial Instruments Unit, explained that “to increase transparency and guard against conflicts of interest, the federal securities laws require credit rating agencies to disclose how ratings are determined and to have effective internal controls to ensure they adhere to their ratings methodologies.”9 He further elaborated that “Morningstar failed on both counts by permitting analysts to make undisclosed adjustments over which Morningstar had no effective internal controls.”10
The Morningstar action follows an SEC settlement reached on September 29, 2020, with Kroll Bond Rating Agency Inc. (“KBRA”) concerning allegations that KBRA permitted analysts to make adjustments that had material effects on CMBS ratings without proper disclosure.11 Similar to the Morningstar action, the SEC alleged that KBRA did not have policies and procedures to determine when and how those adjustments should be made when rating CMBS. In that case, Daniel Michael explained that “[r]atings agencies play a crucial gatekeeping role in the securities market. With that responsibility comes the requirement that they establish and enforce policies and controls to ensure the consistency and integrity of credit ratings.”12 He further warned that the SEC will hold “rating agencies accountable for failing to ensure the integrity of the ratings process.”13
1 Complaint, SEC v. Morningstar Credit Ratings, LLC, 21-CV-1359 (S.D.N.Y. filed Feb. 16, 2021), available at https://www.sec.gov/litigation/complaints/2021/comp-pr2021-29.pdf.
2 Id. at 2.
3 Id. at 1.
4 Id. at 3.
5 Id.at 7; see 17 C.F.R. § 240.17g-1(f); 72 Fed. Reg. at 33,634 (adopting instructions).
6 15 U.S.C. § 78o-7(c)(3)(A)
7 17 C.F.R. § 240.17g-7(a)(1)
8 Complaint, Morningstar Credit Ratings, LLC, at 3.
9 Press Release, U.S. Sec. & Exch. Comm’n, SEC Charges Ratings Agency With Disclosure And Internal Controls Failures Relating To Undisclosed Model Adjustments (Feb. 16, 2021), https://www.sec.gov/news/press-release/2021-29.
11 Press Release, U.S. Sec. & Exch. Comm’n, SEC Charges Ratings Agency With Internal Controls Failures in Connection With Ratings of CMBS and CLO Combo Notes (Sept. 29, 2020), https://www.sec.gov/news/press-release/2020-235.