The Securities and Exchange Commission today announced charges against credit rating agencies DBRS Inc. and Kroll Bond Rating Agency, LLC (KBRA) for longstanding failures to preserve electronic records, including off-channel communications on personal and work-issued devices. Additionally, the SEC charged DBRS with violating disclosure and internal control provisions of the federal securities laws in rating certain commercial mortgage-backed securities (CMBS). To settle the charges, DBRS agreed to pay $8 million in civil penalties and KBRA agreed to pay $4 million in civil penalties.

“Credit rating agencies are gatekeepers in our securities markets that are subject to recordkeeping requirements—requirements that aren’t optional, but rather foundational to the Commission’s ability to maintain fair, orderly, and efficient markets,” said Gurbir S. Grewal, Director of the SEC’s Division of Enforcement. “If there’s an allegation of wrongdoing at the credit rating agency, the Commission must be able to review preserved documents to determine what happened. If there is an examination, our examiners must be able to look at relevant documents to assess compliance issues.”

“Given their critical gatekeeping function, rating agencies are required to disclose how ratings are determined and to have effective internal controls to ensure they adhere to their ratings methodologies,” said Osman Nawaz, Chief of the SEC Enforcement Division’s Complex Financial Instruments Unit.  “Our investigation found that DBRS fell short in fulfilling these requirements in rating certain CMBS transactions.”

DBRS

The SEC issued two separate orders against DBRS, one relating to recordkeeping violations and the other relating to disclosure and internal controls violations. The SEC’s recordkeeping order finds that, since at least July 2019, DBRS employees, including those at senior levels, communicated internally by text messages about initiating and determining credit ratings and about adjustments to results of the quantitative predictive model that DBRS used to rate multi-borrower CMBS transactions. The order finds that DBRS failed to retain these messages in violation of recordkeeping provisions of the federal securities laws. In fact, according to the order, at the direction of DBRS and with approval from its compliance department, at least nineteen analytical employees wiped their DBRS-issued phones in 2022 during a company rollout of new devices.

DBRS admitted the SEC’s findings and agreed to pay a $6 million penalty, cease and desist from committing violations of the relevant recordkeeping provisions, and a censure. DBRS also agreed to retain an independent compliance consultant to, among other things, conduct a comprehensive review of its policies and procedures relating to the retention of electronic communications and its framework for addressing non-compliance by its employees with those policies and procedures.

The SEC’s disclosure and internal controls order finds that, in rating certain multi-borrower CMBS transactions between July 2019 and November 2022, DBRS made systematic adjustments to credit enhancement levels in a manner not described by DBRS’s published procedures and methodologies. Additionally, according to the order, in rating three single-asset/single-borrower (SASB) CMBS transactions, DBRS publicly disclosed that it used a legacy SASB methodology, but it instead used a key element of a proposed methodology that DBRS had not yet approved and adopted. The order finds that DBRS had an ineffective internal control structure governing adherence to its published procedures and methodologies. The order also finds that, with respect to the three SASB transactions, DBRS failed to accurately identify the rating methodology it used and failed to enforce its policies and procedures requiring credit ratings to be determined and issued based on approved methodologies.

Without admitting or denying the SEC’s findings, DBRS agreed to pay a $2 million penalty, cease and desist from committing violations of the relevant provisions, and to be censured.

The DBRS investigation was conducted by Stephanie Reinhart and Lawrence Renbaum of the Complex Financial Instruments Unit and Emily Rothblatt of the Chicago Regional Office. It was supervised by Anne Graber Blazek and Mr. Nawaz. SEC staff from the Office of Credit Ratings assisted with the investigation.

KBRA

The SEC’s order finds that, since at least January 2020, KBRA employees, including senior executives and heads of rating groups, sent and received numerous text messages concerning credit rating activities on their personal and KBRA-issued mobile devices. The messages included discussions of initiating, determining, maintaining, monitoring, changing, or withdrawing credit ratings. KBRA did not maintain or preserve the substantial majority of these off-channel communications, in violation of recordkeeping provisions of the federal securities laws.

KBRA admitted the SEC’s findings and agreed to pay a $4 million penalty, cease and desist from committing violations of the relevant recordkeeping provisions, and to be censured. KBRA also agreed to retain an independent compliance consultant to, among other things, conduct a comprehensive review of its policies and procedures relating to the retention of electronic communications and its framework for addressing non-compliance by its employees with those policies and procedures.

The KBRA investigation was conducted by Wesley Wintermyer and Michael DiBattista of the New York Regional Office and was supervised by Judith Weinstock and Sheldon Pollock. SEC staff from the Office of Credit Ratings assisted with the investigation.