Regulatory regimes for ESG ratings providers

January 2025

It is just over 12 months since the launch of the UK Code of Conductopens in a new tab for ESG Ratings and Data Products Providers. A year on, regulators in both the EU and UK have responded to shortcomings and risks in the transparency and integrity of ESG ratings and have now also developed formal regulatory approaches. The analysis below looks at how the two regimes have been structured and considers how they will impact providers and users of ratings.

The European Commission first published proposals to regulate ESG ratings providers in 2023 and the resulting Regulation on the transparency and integrity of ESG rating activitiesopens in a new tab has now been published in the Official Journal of the European Union. The rules will apply from July 2026.

In the UK, HM Treasury (HMT) also put forward proposals in 2023 on regulating the activities of ESG ratings providers and has now published its response to the consultationopens in a new tab alongside a draft statutory instrumentopens in a new tab. Once these have been considered by Parliament, it will be for the FCA to develop and consult on specific requirements for in-scope providers, with the government estimating that the entire process from design to applicability could take up to four years, subject to the volume of applications for authorisation.

Both regimes recognise that ESG ratings play an important role in global capital markets and consequently address the need for them to be independent, comparable where possible, transparent and of adequate quality. The EU regime has progressed faster, and in-scope firms must now assess how the rules will affect their business models and take appropriate action to comply with the final requirements – although some detail is still to be published by the European Securities and Markets Authority (ESMA) in regulatory technical standards (RTS).

For firms likely to be captured by the UK regime, although final rules are yet to be published by the FCA, HMT has provided enough information for them to begin to assess the likely impacts. The FCA continues to encourage firms to sign up to the industry Code of Conductopens in a new tab, which has also been leveraged by Hong Kong (SAR), China to develop its code. Other countries such as Singapore & Japan have introduced their own codes of conduct, indicating the appetite for transparency and integrity in the ESG ratings market.

What is an ESG ratings provider?

HMT’s draft definition of an ESG ratings provider for regulatory purposes is ‘an assessment regarding one or more ESG factors, produced in the form of an ESG opinion, an ESG score or a combination of both, whether or not it is characterised as an ESG rating’. ESG opinions include an ESG rating where there has been substantial analytical input from an analyst, regardless of whether the opinion is formally characterised as a ‘rating’. Additionally, an ESG score refers to a rating that has been derived from data and a pre-established statistical or algorithmic model.

The EU has carved out a similar definition, with the final rules defining a system ‘that is based on both an established methodology and a defined ranking system of rating categories, irrespective of whether such ESG rating is labelled as “ESG rating”, “ESG opinion” or “ESG score”.’

Overview of the proposed regulatory requirements

The EU regime introduces specific requirements on the general principles of ESG ratings providers’ operation, disclosure of their data and methodologies, and their governance and organisational structure. The regime regulates the issuance, distribution and publication of ESG ratings, not the intended use of them.

Similarly, HMT intends for the regulatory regime to promote transparency, good governance, manage conflicts of interest, and introduce robust systems and controls. Like the EU, ‘the regulated activity would be the direct provision of an assessment’, i.e. regulate the provision rather than the use of ESG ratings.

Implications for users of ratings and ratings providers

Users of ESG ratings will welcome the additional robustness that the EU rules introduce. However, for ratings providers the new regimes may result in a significant uplift in their regulatory requirements, and in-scope firms will need to understand how they might be affected. This could include needing to seek authorisation, compliance with the EU’s general principles on the integrity and reliability of ESG ratings activities, and implementation of robust governance requirements. They will also need to comply with numerous disclosure requirements and may therefore benefit from considering how to leverage existing systems to gather the disclosure metrics. ‘Readiness assessments’ can help to establish overall preparedness for the new regime.

In the UK, HMT has signalled a similar trajectory and emphasised alignment with the IOSCO recommendations on ESG ratings. UK firms may benefit from conducting a ‘no regrets’ analysis to assess their readiness for future authorisation, covering transparency, good governance, managing conflicts of interests and robust systems and controls.

In the EU, ESMA, not the National Competent Authorities, will authorise and be the primary supervisor for ESG ratings providers. Where firms do not comply with the requirements, it may take the following supervisory measures:

Suspending or withdrawing the authorisation or recognition of the ESG rating provider
Temporarily prohibiting the ESG rating provider from publishing or distributing ESG ratings, until the infringement has been resolved
Requiring the ESG rating provider to bring the infringement to an end
Imposing fines
Issuing public notices

ESMA will develop draft RTS on areas such as information to be provided in the application for authorisation and recognition, measures and safeguards on the separation of business and activities, and disclosure of methodologies, models and assumptions.

Supervisory measures and penalties in the UK will become clearer once the FCA publishes its consultation paper.

How KPMG in the UK can help

KPMG’s ESG Data and Risk and Regulatory Assurance teams are well-placed to support financial institutions on a range of activities relating to the evolving ESG data and ratings landscape, for example:

Regulatory readiness assessments of ESG ratings providers’ business activities against the relevant requirements.
Remediation and implementation of enhancements required to meet the relevant requirements, including ratings entity design, governance structures and data controls.
Preparation and submission of regulatory applications for the authorisation of ESG ratings providers.
Provision of ESG Rating Assurance for use with ratings clients and users against either the Code of Conduct or future EU and UK regulatory obligations.

More detail

EU: The EU’s rules include 14 general principles on the integrity and reliability of ESG rating activities. These include principles on:

The independence of rating activities
Ensuring that rating methodologies are rigorous, systematic, and capable of justification
Maintaining effective oversight of all aspects of the provision of ESG ratings

Additionally, ESG ratings cannot be issued from the same legal entity as credit ratings, auditing and consulting activities. However, the Regulation does now allow a derogation for some other activities. An ESG ratings provider can only provide financial benchmarks from the same legal entity if ESMA considers that the specified measures to manage the conflicts of interest are sufficient.

UK: HMT has signalled that consistency with international standards and other jurisdictions is vitally important – UK requirements will therefore likely take account of international policy initiatives such as the IOSCO recommendationsopens in a new tab on ESG ratings. Once the government has introduced secondary legislation to expand the regulatory perimeter, the FCA will consult on draft rules and guidance. After this, the FCA authorisation gateway will open and in-scope firms will need to obtain FCA authorisation.

EU: Annex III of the Regulation lists the minimum disclosures that will be required for methodologies, models and key rating assumptions. Examples include:

Overview of the rating methodology, including whether the analysis is backward- or forward-looking and time horizons used
Data sources used, including whether data is sourced from sustainability statements required under the Sustainable Finance Disclosure Regulation (SFDR)
Whether and how the ratings are based on scientific evidence
Whether the rating is assessing risks, impacts or both according to the double materiality principle
Scope, and whether the rating covers E, S or G factors or if it is an aggregate view
For an aggregated rating, disclosure of the weighting of each of the E, S and G categories and explanation of the weighting method
Reference to the use of artificial intelligence (AI) in the data collection or rating process, including current limitations and risks of using AI
Limitations in data sources and methodologies used
Any conflicts of interest and steps taken to mitigate them

UK: The FCA has not yet published its policy proposals for regulating ESG ratings providers. However, firms can reasonably expect the FCA to outline proposals on transparency and disclosure requirements.

EU: The Regulation sets out requirements on organisational structure, such as:

Robust governance arrangements, including a clear organisational structure with well-defined, transparent and consistent roles and responsibilities
Ensuring that rating analysts and employees have the appropriate knowledge and experience; and
Keeping records of all ESG rating activities for at least five years

UK: The FCA has not yet published its policy proposals for regulating ESG ratings providers. However, firms can reasonably expect the FCA to outline proposals on transparency, good governance, managing conflicts of interests, and robust systems and controls.

EU: The approach to allowing third-country ESG ratings providers to operate in the EU is similar to that for third-country financial benchmarks providers: equivalence, endorsement and recognition. Third-country ESG ratings providers can operate in the EU where the provider:

Is authorised within a third-country regime that is deemed equivalent by the European Commission; or
Is endorsed by an authorised EU ESG rating provider within the same group; or
Applies for recognition by ESMA provided they have an EU legal representative that will be accountable to ESMA for the ratings provider compliance with the Regulation.

UK: The FCA is considering its approach to UK authorisation for overseas ESG ratings providers. This will include exploring whether, based on size, significance or market impact in the UK, an ESG ratings provider would be expected to be incorporated in the UK. HMT is also considering whether there is merit in creating an ‘overseas regime’ or other access route into the UK market as an alternative to requiring full UK authorisation.

Under both regimes there are specific exclusions from the definitions, noting that in the UK these are still subject to FCA consultation. Excluded activities, products and firms will not be in scope of the ESG ratings regulatory regimes. Key exemptions under both regimes are:

Firms that create an ESG rating as part of the development and delivery of other regulated activity for which they already have authorisation. In this case, dual authorisation would be disproportionate. Where an authorised firm produces ESG ratings, it is important to have safeguards to ensure high quality, robust, and transparent ratings that are free from conflicts of interest.
Private ESG ratings that are not intended for public disclosure or distribution. This includes internal ratings or intra-group ratings, where ESG ratings are used exclusively by the firm or other entities within the same corporate group, and where the ratings will not be made available to a third party outside the group.
Central banks and other public authorities where ESG ratings are not created for commercial purposes. This also applies to academia, journalism and charities.