UK ESG ratings regulatory regime

June 2026

The UK is moving toward a dedicated regulatory regime for ESG ratings providers. In CP25/34, the FCA has proposed a framework intended to make ESG ratings more transparent.

The proposals set out a regulatory perimeter that is more complex than it first appears. The FCA’s definition of an ESG rating is broad, and while the consultation includes important exclusions, they are highly conditional. In particular, the treatment of ESG ratings provided as part of other regulated services, and those linked to unregulated benchmarks or credit ratings, means firms will need to examine closely how their products are structured and delivered.

A final policy statement is expected in Q4 2026. There will be a 12-month application window beginning in June 2027, with the UK regime going live in June 2028.

For firms already providing ESG ratings or adjacent services on an unregulated basis, that timetable may look generous. However, given the scope and complexity of the proposals, firms may need to undertake a substantial amount of preparatory work.

Benchmark providers expecting de-regulation through HM Treasury’s (HMT) Specified Authorised Benchmark Regime (SABR) may instead find themselves captured by this regime. Other providers will need to be certain whether their ratings are genuinely embedded within another service or are in fact being provided on a standalone basis. All potential providers of ESG ratings will need to ensure that they understand their regulatory obligations and plan accordingly for authorisation.

This analysis explores the requirements of FCA CP25/34 and should be read in conjunction with KPMG in the UK’s previous article on transparency and integrity in ESG ratings.

Key impacts for firms

Scoping:

Providers will need to map their products against the FCA’s proposed definition and exclusions, and assess whether internal assumptions about benchmarks and credit ratings remain valid under the new framework.
Expanded regulatory perimeter:

Firms will need to seek authorisation to operate in this new regime.
Complex application of expectations:

The FCA is not proposing a standalone rulebook. Instead, it proposes to overlay ESG-specific requirements onto a broader body of existing FCA expectations on threshold conditions, principles for businesses, selected systems and controls requirements, governance, conflicts of interest, transparency, stakeholder engagement and SMCR. For firms that have not previously been authorised, that creates a dual challenge: understanding the ESG-specific obligations of the proposed new regime and building the underlying control environment expected of an authorised firm.

UK proposals vs EU regime

There is broad alignment between the UK and EU on the definition of an ESG rating (for further detail on the definition see our previous articles here and here). The difference lies less in the headline definition and more in scope and exclusions.

Though both CP25/34 and the EU ESG Ratings Regulation (ESGRR) make similar exclusions (e.g. private/internal ratings and ratings provided by public authorities), only the proposed UK regime makes exclusions if the rating is provided as part of the following services:

A product or service that is already regulated;
A benchmark or credit rating that is unregulated because it does not fall under either the Benchmarks Regulation or the Credit Ratings Agencies (CRA) Regulation; and
Ratings provided by overseas firms to UK entities where there is no remuneration to the overseas firm.

Firms should therefore take care to determine precisely how the proposals would apply to their activities and products.

The proposed UK regime will apply core elements of the FCA Rulebook to ESG ratings providers – including threshold conditions, principles for business (PRIN), financial crime and market abuse, and Senior Management Arrangements and Systems and Controls (SYSC).

There are likely to be challenges in applying some of these expectations, for example the Consumer Duty, to ESG ratings . The FCA proposes not to apply the Duty directly to ESG rating activities because ratings provision is typically a wholesale activity. Instead, the FCA wants to ‘encourage providers to consider the Duty when they conduct their business’ as it ‘may apply to other firms in the distribution chain’. This is ambiguous and firms may wish to form a house view on what the FCA is encouraging them to consider exactly regarding the distribution chain. Firms may also wish to consider how any existing approaches to ‘consumer understanding’ for existing regulated business subject to the Duty can be leveraged to meet the new transparency requirements for ratings.

The FCA sets out minimum public disclosures on characteristics of the rating assessment and coverage universe, approach to engaging with rated entities, methodology and risks, conflicts of interest and complaints handling.

Additional disclosures specifically for direct users and rated entities include:

Product-level disclosures: full explanation of methodology, information on methodology reviews, what triggers a revision and how stakeholders are engaged, any steps taken to address limitations and steps taken to implement quality control.
Individual rating-level disclosures: which activities and entities are covered, factors and data used in the rating, detailed explanation of data sources, unresolved challenge from the rated entity regarding factual accuracy, and when the rating was last updated and reason for any material change to either the rating or underlying data.

The FCA also proposes that firms disclose the ‘reasons for any material change’ in a rating or its underlying data. Currently, many providers may not be able to explain why the underlying data has changed; only that it has been updated by the third-party data source. Firms may therefore find it challenging to provide a narrative on, as opposed to merely identifying, any data changes.

Many firms will also likely question what the differences should be between disclosures on scoring that is modelled/automated versus analyst-driven, and how these different business models should be reflected in the disclosures.

The FCA sets out proposals for outsourcing, personal transactions, record-keeping, data quality and quality control and methodology, with the first two likely to be the most onerous for firms to comply with:

Outsourcing: the regulated firm would remain operationally responsible for the ESG rating process, even where certain elements of the process are outsourced. Firms should therefore ensure that any outsourced processes are in line with their own policies and can satisfy regulatory expectations.

Personal transactions: the proposals would require firms to implement policies and procedures to stop relevant employees from making personal transactions that contravene the Market Abuse Regulation (MAR), involve improper use of confidential information or create a conflict that damages the ESG rating’s independence or integrity. Where the FCA regime outlines the principles for personal transactions, the EU ESGRR is instead more prescriptive about the prohibited activities and transactions of analysts and other employees involved in the provision of ESG ratings. At a practical level, this means firms seeking FCA authorisation will have more flexibility to interpret the principles but may have a harder task in evidencing how their processes have achieved outcomes in line with regulatory expectations.

Managing conflicts of interest is a critical component of the proposed FCA regime. The proposals require firms to identify actual or potential conflicts that could damage the integrity or independence of a rating, take reasonable steps to prevent or manage them, maintain an effective and transparent conflicts policy, keep records, and provide senior management with written reporting at least annually. Disclosure of conflicts of interest is treated as a last resort where a firm is not reasonably confident that mitigation measures are sufficient.

The UK and EU diverge more sharply here. The FCA is focused on identifying and managing conflicts, whereas the EU seeks more actively to minimise the occurrence of conflicts through separation of business and activities. In the EU, certain combinations of activities, including consulting, audit and credit rating services within the same entity, are explicitly prohibited. Under the FCA proposals, the same combinations are not necessarily prohibited, but do require careful conflict analysis.

The FCA proposes advance notification to rated entities before first issuing a rating, an opportunity to correct factual errors before and after publication, access for rated entities to the data used to produce the rating free of charge, complaints procedures and a stakeholder feedback process.

Again, this is broadly aligned with the EU, though there is more detail in the EU regime. The EU ESGRR specifies at least two full working days’ notice for the issuer of the rated item to inform the rating provider of any factual errors. The UK regime is less prescriptive on timing, allowing firms to decide appropriate timeframes that are suitable for stakeholders. This could produce inconsistent market practice.

The FCA proposes to apply the existing Senior Managers and Certification Regime (SMCR) to ESG ratings providers, classifying them as core firms unless they are already authorised as enhanced firms.

The SMCR is currently being reformed. The FCA is not expecting many, if any, ESG rating employees to be certified, but it is rating providers’ responsibility to decide. HMT also intends to remove the certification regime.

The EU has no direct equivalent to SMCR. Instead, the EU regime focuses on organisational structure and management-body responsibilities at the entity level. The UK proposals therefore place more emphasis on individual accountability, which may be material for newly authorised firms that have never operated under such a model before.

In-scope firms will require FCA authorisation by 29 June 2028. Third-country branch authorisation will be available, and the Financial Services Bill proposes an Overseas Recognition Regime (ORR) where firms could provide services directly into the UK if HMT considers those jurisdictions to have comparable regulatory regimes. The FCA proposes a proportionate supervisory approach without mandatory regulatory reporting at the outset, though it would retain its standard information-gathering, skilled person, permissions, waiver, notification and enforcement tools.

In the EU, supervision sits with ESMA, with authorisation required by 2 July 2026. Third-country ESG ratings providers can operate in the EU, using a similar model to that for financial benchmarks providers – equivalence, endorsement and recognition.

How KPMG in the UK can help

KPMG can provide support across each step of the authorisation journey including:

Initial gap analysis: assessing the business against regulatory requirements, identifying areas for remediation, planned activities for remediation and feedback on compliance in relation to other ratings firms.
Business change and design enhancements: translate gap analysis into programme for business change, develop policies to align with FCA requirements, implement risk and controls framework, and identify (and offer training to) accountable individuals.
Preparation for authorisation: support in preparing authorisation applications and key documentation, or performing quality assurance of applications.