The SEC has adopted credit rating agency rules for Nationally Recognized Statistical Rating Organizations (NRSROs), which include requirements relating to NRSROs’ internal controls. The Dodd-Frank Act requires NRSROs to establish, maintain, enforce, and document effective internal control structures relating to credit ratings. In the final rules adopted on August 27, the SEC identified factors in Rule 17g-8 that an NRSRO must take into consideration when establishing, maintaining, enforcing, and documenting an effective internal control structure. Some of these factors are relevant to public companies.

The controls in Rule 17g-8 are set forth in four categories: (1) the establishment of an internal control structure, (2) the maintenance of an internal control structure, (3) the enforcement of an internal control structure, and (4) the documentation of an internal control structure. The SEC noted that, although it is “prescribing factors an NRSRO must consider, it is not mandating that a specific factor be implemented. Consequently, while NRSROs must consider the factors identified by the Commission, they can tailor and scale their internal control structures to their size and business activities.”

The following factors that NRSROs must consider regarding the maintenance of an internal control structure may be instructive for companies other than NRSROs:

  • Controls reasonably designed to ensure that the NRSRO conducts periodic reviews of whether it has devoted sufficient resources to implement and operate the documented internal control structure as designed
  • Controls reasonably designed to ensure that the NRSRO conducts periodic reviews or ongoing monitoring to evaluate the effectiveness of the internal control structure and whether it should be updated
  • Controls reasonably designed to ensure that any identified deficiencies in the internal control structure are assessed and addressed on a timely basis
  • Any other controls necessary to maintain an effective internal control structure that take into consideration the nature of the NRSRO’s business, including its size, activities, organizational structure, and business model

The following factors that NRSROs must consider regarding the enforcement of an internal control structure may also be instructive for companies other than NRSROs:

  • Controls designed to ensure that additional training is provided or discipline taken against employees who fail to adhere to the requirements imposed by the internal control structure
  • Controls designed to ensure that a process is in place for employees to report failures to adhere to the internal control structure
  • Any other controls necessary to enforce an effective internal control structure that take into consideration the nature of the NRSRO’s business, including its size, activities, organizational structure, and business model