Credit rating agencies play an important role in global securities and banking markets, as their credit ratings are used by investors, borrowers, issuers and governments as part of making informed investment and financing decisions. Credit institutions, investment firms, insurance undertakings, assurance undertakings, reinsurance undertakings, undertakings for collective investment in transferable securities (UCITS) and institutions for occupational retirement provision may use those credit ratings as the reference for the calculation of their capital requirements for solvency purposes or for calculating risks in their investment activity. Consequently, credit ratings have a significant impact on the operation of the markets and on the trust and confidence of investors and consumers. It is essential, therefore, that credit rating activities are conducted in accordance with the principles of integrity, transparency, responsibility and good governance in order to ensure that resulting credit ratings used in the Community are independent, objective and of adequate quality.
(2)
Currently, most credit rating agencies have their headquarters outside the Community. Most Member States do not regulate the activities of credit rating agencies or the conditions for the issuing of credit ratings. Despite their significant importance for the functioning of the financial markets, credit rating agencies are subject to Community law only in limited areas, notably under Directive 2003/6/EC of the European Parliament and of the Council of 28 January 2003 on insider dealing and market manipulation (4). Moreover, Directive 2006/48/EC of the European Parliament and of the Council of 14 June 2006 relating to the taking up and pursuit of the business of credit institutions (5) and Directive 2006/49/EC of the European Parliament and of the Council of 14 June 2006 on the capital adequacy of investment firms and credit institutions (6) refer to credit rating agencies. It is therefore important to lay down rules ensuring that all credit ratings issued by the credit rating agencies registered in the Community are of adequate quality and issued by credit rating agencies subject to stringent requirements. The Commission will continue to work with its international partners to ensure convergence of the rules applying to credit rating agencies. It should be possible to exempt certain central banks issuing credit ratings from this Regulation provided that they fulfil the relevant applicable conditions which ensure the independence and integrity of their credit rating activities and which are as stringent as the requirements provided for in this Regulation.
(3)
This Regulation should not create a general obligation for financial instruments or financial obligations to be rated under this Regulation. In particular, it should not require undertakings for collective investment in transferable securities (UCITS) as defined in Council Directive 85/611/EEC of 20 December 1985 on the coordination of laws, regulations and administrative provisions relating to undertakings for collective investment in transferable securities (UCITS) (7) or institutions for occupational retirement provision as defined in Directive 2003/41/EC of the European Parliament and of the Council of 3 June 2003 on the activities and supervision of institutions for occupational retirement provision (8) to invest only in financial instruments which are rated under this Regulation.
(4)
This Regulation should not create a general obligation for financial institutions or investors to invest only in securities for which a prospectus has been published in accordance with Directive 2003/71/EC of the European Parliament and of the Council of 4 November 2003 on the prospectus to be published when securities are offered to the public or admitted to trading (9) and Commission Regulation (EC) No 809/2004/EC of 29 April 2004 implementing Directive 2003/71/EC as regards information contained in prospectuses as well as the format, incorporation by reference and publication of such prospectuses and dissemination of advertisements (10) and which are rated under this Regulation. In addition, this Regulation should not require the issuers or offerors or persons asking for admission to trading on a regulated market to obtain credit ratings for securities which are subject to the requirement to publish a prospectus under Directive 2003/71/EC and Regulation (EC) No 809/2004.
(5)
A prospectus published under Directive 2003/71/EC and Regulation (EC) No 809/2004 should contain clear and prominent information on whether or not the credit rating of the respective securities is issued by a credit rating agency established in the Community and registered under this Regulation. However, nothing in this Regulation should prevent persons responsible for publishing a prospectus under Directive 2003/71/EC and Regulation (EC) No 809/2004 from including any material information in the prospectus, including credit ratings issued in third countries and related information.
(6)
In addition to issuing credit ratings and performing credit rating activities, credit rating agencies should also be able to perform ancillary activities on a professional basis. The performance of ancillary activities should not compromise the independence or integrity of credit rating agencies’ credit rating activities.
(7)
This Regulation should apply to credit ratings issued by credit rating agencies registered in the Community. The principal aim of this Regulation is to protect the stability of financial markets and investors. Credit scores, credit scoring systems and similar assessments related to obligations arising from consumer, commercial or industrial relationships should not fall within the scope of this Regulation.
(8)
Credit rating agencies should, on a voluntary basis, apply the Code of Conduct Fundamentals for credit rating agencies issued by the International Organisation of Securities Commissions (IOSCO Code). In 2006, a Communication from the Commission on credit rating agencies (11) invited the Committee of European Securities Regulators (CESR), re-established by Commission Decision 2009/77/EC (12), to monitor compliance with the IOSCO Code and report back to the Commission on an annual basis.
(9)
The European Council of 13 and 14 March 2008 agreed to a set of conclusions to respond to the main weaknesses identified in the financial system. One of the objectives was to improve market functioning and incentive structures, including the role of credit rating agencies.
(10)
Credit rating agencies are considered to have failed, first, to reflect early enough in their credit ratings the worsening market conditions, and second, to adjust their credit ratings in time following the deepening market crisis. The most appropriate manner in which to correct those failures is by measures relating to conflicts of interest, the quality of the credit ratings, the transparency and internal governance of the credit rating agencies, and the surveillance of the activities of the credit rating agencies. The users of credit ratings should not rely blindly on credit ratings but should take utmost care to perform own analysis and conduct appropriate due diligence at all times regarding their reliance on such credit ratings.
(11)
It is necessary to lay down a common framework of rules regarding the enhancement of the quality of credit ratings, in particular the quality of credit ratings to be used by financial institutions and persons regulated by harmonised rules in the Community. In the absence of such a common framework, there is a risk that Member States take diverging measures at national level having a direct negative impact on, and creating obstacles to, the good functioning of the internal market, since the credit rating agencies issuing credit ratings for the use of financial institutions in the Community would be subject to different rules in different Member States. Moreover, diverging quality requirements as regards credit ratings could lead to different levels of investor and consumer protection. Users should, furthermore, be able to compare credit ratings issued in the Community with credit ratings issued internationally.
(12)
This Regulation should not affect the use made of credit ratings by persons other than those referred to in this Regulation.
(13)
It is desirable to provide for the use of credit ratings issued in third countries for regulatory purposes in the Community provided that they comply with requirements which are as stringent as the requirements provided for in this Regulation. This Regulation introduces an endorsement regime allowing credit rating agencies established in the Community and registered in accordance with its provisions to endorse credit ratings issued in third countries. When endorsing a credit rating issued in a third country, credit rating agencies should determine and monitor, on an ongoing basis, whether credit rating activities resulting in the issuing of such a credit rating comply with requirements for the issuing of credit ratings which are as stringent as those provided for in this Regulation, achieving the same objective and effects in practice.
(14)
In order to respond to concerns that lack of establishment in the Community may be a serious impediment to effective supervision in the best interests of the financial markets in the Community, such an endorsement regime should be introduced for credit rating agencies that are affiliated or work closely with credit rating agencies established in the Community. Nevertheless, it may be necessary to adjust the requirement of physical presence in the Community in certain cases, notably as regards smaller credit rating agencies from third countries with no presence or affiliation in the Community. A specific regime of certification for such credit rating agencies should therefore be established, in so far as they are not systemically important for the financial stability or integrity of the financial markets of one or more Member States.
(15)
Certification should be possible after determination by the Commission of the equivalence of the legal and supervisory framework of a third country to the requirements of this Regulation. The equivalence mechanism envisaged should not grant automatic access to the Community but should offer the possibility for qualifying credit rating agencies from a third country to be assessed on a case-by-case basis and be granted an exemption from some of the organisational requirements for credit rating agencies active in the Community, including the requirement of physical presence in the Community.
(16)
This Regulation should also require a third-country credit rating agency to meet criteria which are general prerequisites for the integrity of its credit rating activities in order to prevent interference with the content of credit ratings by the competent authorities and other public authorities of that third country, and to provide for an adequate conflict of interests policy, rotation of rating analysts and periodic and ongoing disclosure.
(17)
Another important prerequisite for a sound endorsement regime and an equivalence system is the existence of sound cooperation arrangements between competent authorities of home Member States and the relevant competent authorities of third-country credit rating agencies.
(18)
A credit rating agency that has endorsed credit ratings issued in a third country should be fully and unconditionally responsible for such endorsed credit ratings and for the fulfilment of the relevant conditions referred to in this Regulation.
(19)
This Regulation should not apply to credit ratings that a credit rating agency produces pursuant to an individual order and provides exclusively to the person who ordered it and which are not intended for public disclosure or distribution by subscription.
(20)
Investment research, investment recommendations and other opinions about a value or a price for a financial instrument or a financial obligation should not be considered to be credit ratings.
(21)
An unsolicited credit rating, namely a credit rating not initiated at the request of the issuer or rated entity, should be clearly identified as such and should be distinguished from solicited credit ratings by appropriate means.
(22)
In order to avoid potential conflicts of interest, credit rating agencies focus in their professional activity on the issuing of credit ratings. A credit rating agency should not be allowed to carry out consultancy or advisory services. In particular, a credit rating agency should not make proposals or recommendations regarding the design of a structured finance instrument. However, credit rating agencies should be able to provide ancillary services where this does not create potential conflicts of interest with the issuing of credit ratings.
(23)
Credit rating agencies should use rating methodologies that are rigorous, systematic, continuous and subject to validation including by appropriate historical experience and back-testing. Such a requirement should not, however, provide grounds for interference with the content of credit ratings and methodologies by the competent authorities and the Member States. Similarly, the requirement that credit rating agencies review credit ratings at least annually should not compromise the obligation on credit rating agencies to monitor credit ratings on a continuous basis and review credit ratings as necessary. Those requirements should not be applied in such a way as to prevent new credit rating agencies from entering the market.
(24)
Credit ratings should be well-founded and solidly substantiated, in order to avoid rating compromises.
(25)
Credit rating agencies should disclose information to the public on the methodologies, models and key rating assumptions which they use in their credit rating activities. The level of detail concerning the disclosure of information concerning models should be such as to give adequate information to the users of credit ratings in order to perform their own due diligence when assessing whether to rely or not on those credit ratings. Disclosure of information concerning models should not, however, reveal sensitive business information or seriously impede innovation.
(26)
Credit rating agencies should establish appropriate internal policies and procedures in relation to employees and other persons involved in the credit rating process in order to prevent, identify, eliminate or manage and disclose any conflicts of interest and ensure at all times the quality, integrity and thoroughness of the credit rating and review process. Such policies and procedures should, in particular, include the internal control mechanisms and compliance function.
(27)
Credit rating agencies should avoid situations of conflict of interest and manage those conflicts adequately when they are unavoidable in order to ensure their independence. Credit rating agencies should disclose conflicts of interest in a timely manner. They should also keep records of all significant threats to the independence of the credit rating agency and that of its employees and other persons involved in the credit rating process, as well as the safeguards applied to mitigate those threats.
(28)
A credit rating agency or group of credit rating agencies should maintain arrangements for sound corporate governance. In determining its corporate governance arrangements, the credit rating agency or group of credit rating agencies should have regard to the need to ensure that it issues credit ratings that are independent, objective and of adequate quality.
(29)
In order to ensure the independence of the credit rating process from the business interest of the credit rating agency as a company, credit rating agencies should ensure that at least one third, but no less than two, of the members of the administrative or supervisory board are independent in a manner consistent with point 13 in Section III of Commission Recommendation 2005/162/EC of 15 February 2005 on the role of non-executive or supervisory directors of listed companies and on the committees of the (supervisory) board (13). Moreover, it is necessary that the majority of the senior management, including all independent members of the administrative or supervisory board, have sufficient expertise in appropriate areas of financial services. The compliance officer should report regularly on the carrying out of his or her duties to the senior management and the independent members of the administrative or supervisory board.
(30)
In order to avoid conflicts of interest, the compensation of independent members of the administrative or supervisory board should not depend on the business performance of the credit rating agency.
(31)
A credit rating agency should allocate a sufficient number of employees with appropriate knowledge and experience to its credit rating activities. In particular, the credit rating agency should ensure that adequate human and financial resources are allocated to the issuing, monitoring and updating of credit ratings.
(32)
In order to take account of the specific condition of credit rating agencies that have fewer than 50 employees, the competent authorities should be able to exempt such credit rating agencies from some of the obligations laid down by this Regulation as regards the role of the independent members of the board, the compliance function and the rotation mechanism, and provided that those credit rating agencies are able to demonstrate that they comply with specific conditions. The competent authorities should examine, in particular, whether the size of a credit rating agency has been determined in such a way as to avoid compliance with the requirements of this Regulation by the credit rating agency or by a group of credit rating agencies. The application of the exemption by competent authorities of Member States should be made in such a way as to avoid the risks of fragmenting the internal market and to guarantee the uniform application of Community law.
(33)
Long-lasting relationships with the same rated entities or their related third parties could compromise the independence of rating analysts and persons approving credit ratings. Those analysts and persons should therefore be subject to an appropriate rotation mechanism which should provide for a gradual change in analytical teams and credit rating committees.
(34)
Credit rating agencies should ensure that methodologies, models and key rating assumptions such as mathematical or correlation assumptions used for determining credit ratings are properly maintained, up-to-date and subject to a comprehensive review on a periodic basis and that their descriptions are published in a manner permitting comprehensive review. In cases where the lack of reliable data or the complexity of the structure of a new type of financial instrument, in particular structured finance instruments, raises serious questions as to whether the credit rating agency can produce a credible credit rating, the credit rating agency should not issue a credit rating or should withdraw an existing credit rating. Changes in the quality of information available for monitoring an existing credit rating should be disclosed with that review and, if appropriate, a revision of the credit rating should be made.
(35)
In order to ensure the quality of credit ratings, a credit rating agency should take measures to ensure that the information it uses in assigning a credit rating is reliable. For that purpose, a credit rating agency should be able to envisage, inter alia, reliance on independently audited financial statements and public disclosures; verification by reputable third-party services; random sampling examination of the information received; or contractual provisions clearly stipulating liability for the rated entity or its related third parties, if the information provided under the contract is knowingly materially false or misleading or if the rated entity or its related third parties fail to conduct reasonable due diligence regarding the accuracy of the information as specified under the terms of the contract.
(36)
This Regulation is without prejudice to the duty of credit rating agencies to protect the right to privacy of natural persons with respect to the processing of personal data in accordance with Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (14).
(37)
It is necessary for credit rating agencies to establish proper procedures for the regular review of methodologies, models and key rating assumptions used by the credit rating agency in order to be able to properly reflect the changing conditions in the underlying asset markets. With a view to ensuring transparency, disclosure of any material modification to the methodologies and practices, procedures and processes of credit rating agencies should be made prior to their coming into effect, unless extreme market conditions require an immediate change in the credit rating.
(38)
A credit rating agency should indicate any appropriate risk warning, including a sensitivity analysis of the relevant assumptions. That analysis should explain how various market developments that move the parameters built into the model may influence the credit rating changes (for example volatility). The credit rating agency should ensure that the information on historical default rates of its rating categories is verifiable and quantifiable and provides a sufficient basis for interested parties to understand the historical performance of each rating category and if and how rating categories have changed. If the nature of the credit rating or other circumstances makes a historical default rate inappropriate, statistically invalid, or otherwise likely to mislead the users of the credit rating, the credit rating agency should provide appropriate clarification. That information should, to the extent possible, be comparable with any existing industry patterns in order to assist investors in drawing performance comparisons between different credit rating agencies.
(39)
In order to reinforce transparency of credit ratings and contribute to the protection of investors, CESR should maintain a central repository where information on the past performances of credit rating agencies and information about credit ratings issued in the past should be kept. Credit rating agencies should provide information to that repository in standardised form. CESR should make that information available to the public and should, annually, publish summary information on the main developments observed.
(40)
Under certain circumstances structured finance instruments may have effects which are different from traditional corporate debt instruments. It could be misleading for investors to apply the same rating categories to both types of instruments without further explanation. Credit rating agencies should play an important role in raising awareness of the users of credit ratings about the specificities of the structured finance products in relation to traditional ones. Credit rating agencies should therefore clearly differentiate between rating categories used for rating structured finance instruments on the one hand, and rating categories used for other financial instruments or financial obligations on the other, by adding an appropriate symbol to the rating category.
(41)
Credit rating agencies should take measures to avoid situations where issuers request the preliminary rating assessment of the structured finance instrument concerned from a number of credit rating agencies in order to identify the one offering the best credit rating for the proposed structure. Issuers should also avoid applying such practices.
(42)
A credit rating agency should keep records of the methodology for credit ratings and regularly update changes thereto and also keep a record of the substantial elements of the dialogue between the rating analyst and the rated entity or its related third parties.
(43)
In order to ensure a high level of investor and consumer confidence in the internal market, credit rating agencies which issue credit ratings in the Community should be subject to registration. Such a registration is the principal prerequisite for credit rating agencies to issue credit ratings intended to be used for regulatory purposes in the Community. It is therefore necessary to lay down the harmonised conditions and the procedure for the granting, suspension and withdrawal of such registration.
(44)
This Regulation should not replace the established process of recognising External Credit Assessment Institutions (ECAIs) in accordance with Directive 2006/48/EC. The ECAIs already recognised in the Community should apply for registration in accordance with this Regulation.
(45)
A credit rating agency registered by the competent authority of the relevant Member State should be allowed to issue credit ratings throughout the Community. It is therefore necessary to establish a single registration procedure for each credit rating agency which is effective throughout the Community. The registration of a credit rating agency should become effective once the registration decision issued by the competent authority of the home Member State has taken effect under relevant national law.
(46)
It is necessary to establish a single point of entry for the submission of applications for registration. CESR should receive applications for registration and effectively inform the competent authorities in all the Member States. CESR should also provide advice in respect of the completeness of the application to the competent authority of the home Member State. The examination of applications for registration should be carried out at national level by the relevant competent authority. In order to deal efficiently with credit rating agencies, competent authorities should set up operational networks (colleges) supported by an efficient information technology infrastructure. CESR should establish a subcommittee specialised in the field of credit ratings of each of the asset classes rated by credit rating agencies.
(47)
Some credit rating agencies are composed of several legal entities which, together, form a group of credit rating agencies. When registering each of the credit rating agencies being part of such a group, the competent authorities of the Member States concerned should coordinate the examination of the applications submitted by credit rating agencies belonging to the same group and the decision-making concerning the granting of registration. It should be possible, however, to refuse registration to a credit rating agency within a group of credit rating agencies when such a credit rating agency does not meet the requirements for registration while other members of such a group comply with all of the requirements for registration under this Regulation. As the college should not be entrusted with power to issue legally binding decisions, the competent authorities of home Member States of the members of the group of credit rating agencies should each issue an individual decision in respect of the credit rating agency established on the territory of the Member State concerned.
(48)
The college should represent the effective platform for an exchange of supervisory information among competent authorities, coordination of their activities and supervisory measures necessary for the effective supervision of credit rating agencies. In particular, the college should facilitate the monitoring of the fulfilment of conditions for the endorsement of credit ratings issued in third countries, certification, outsourcing arrangements, and exemptions provided for in this Regulation. The activities of the college should contribute to the harmonised application of rules under this Regulation and to the convergence of supervisory practices.
(49)
In order to enhance the practical coordination of activities of the college, its members should select among themselves a facilitator. The facilitator should chair the meetings of the college, establish its written coordination arrangements and coordinate its actions. During the registration process, the facilitator should assess the need to extend the period for examination of applications, coordinate such examination, and liaise with CESR.
(50)
In November 2008, the Commission set up a high level group with the task of examining the future European supervisory architecture in the field of financial services, including the role of CESR.
(51)
The current supervisory architecture should not be considered as the long-term solution for the oversight of credit rating agencies. Colleges of competent authorities, which are expected to streamline supervisory cooperation and convergence in this area in the Community, are a considerable step forward, but may not substitute all the advantages of more consolidated supervision of the credit rating industry. The crisis in international financial markets has clearly demonstrated that it is appropriate to examine further the need for wide-ranging reforms of the regulatory and supervisory model of the Community financial sector. In order to achieve the necessary level of Community supervisory convergence and cooperation and to underpin the stability of the financial system, further wide-ranging reforms of the regulatory and supervisory model of the Community financial sector are highly needed and should be put forward swiftly by the Commission with due consideration to the conclusions presented by the group of experts chaired by Jacques de Larosière on 25 February 2009. The Commission should, as soon as possible, and in any event by 1 July 2010, report to the European Parliament, the Council and other institutions concerned any findings in this respect and should put forward any legislative proposal needed to tackle the shortcomings identified as regards supervisory coordination and cooperation arrangements.
(52)
Significant changes in the endorsement regime, outsourcing arrangements as well as the opening and closing of branches should, inter alia, be considered as material changes to the conditions for initial registration of a credit rating agency.
(53)
The supervision of a credit rating agency should be carried out by the competent authority of the home Member State in cooperation with the competent authorities of the other Member States concerned, using the relevant college and keeping CESR appropriately involved.
(54)
The ability of the competent authority of the home Member State and other members of the relevant college to assess and monitor compliance of a credit rating agency with the obligations provided for under this Regulation should not be limited by any outsourcing arrangements entered into by the credit rating agency. The credit rating agency should remain responsible for any of its obligations under this Regulation in the event of the use of outsourcing arrangements.
(55)
In order to maintain a high level of investor and consumer confidence and enable the ongoing supervision of credit ratings issued in the Community, credit rating agencies whose headquarters are located outside the Community should be required to set up a subsidiary in the Community in order to allow for the efficient supervision of their activities in the Community and the effective use of the endorsement regime. The emergence of new actors on the credit rating agency market should also be encouraged.
(56)
The competent authorities should be able to use powers defined in this Regulation in relation to credit rating agencies, persons involved in credit rating activities, rated entities and related third parties, third parties to whom the credit rating agencies have outsourced certain functions or activities, and other persons otherwise related or connected to credit rating agencies or credit rating activities. Such persons should include shareholders or members of the supervisory or administrative boards of the credit rating agencies and rated entities.
(57)
The provisions of this Regulation regarding supervisory fees should be without prejudice to relevant provisions of national law governing supervisory or similar fees.
(58)
It is appropriate to create a mechanism to ensure the effective enforcement of this Regulation. The competent authorities of the Member States should have at their disposal the necessary means to ensure that ratings issued in the Community are issued in compliance with this Regulation. The use of these supervisory measures should always be coordinated within the relevant college. Measures such as the withdrawal of registration or the suspension of the use for regulatory purposes of credit ratings should be imposed when they are considered to be proportionate to the significance of the breach of the obligations arising from this Regulation. In exercising their supervisory powers, competent authorities should have due regard to the interests of investors and market stability. Since the independence of a credit rating agency in the process of issuing its credit ratings should be preserved, neither the competent authorities nor the Member States should interfere in relation to the substance of credit ratings and the methodologies by which a credit rating agency determines credit ratings in order to avoid credit ratings to be compromised. In the event that a credit rating agency is subjected to pressure, it should notify the Commission and CESR. The Commission should examine on a case-by-case basis whether further action is to be taken against the Member State concerned for failure to comply with its obligations under this Regulation.
(59)
It is desirable to ensure that decision-making referred to in this Regulation be based on close cooperation between the Member States’ competent authorities, and the adoption of the registration decisions should therefore take place on the basis of an agreement. This is a necessary prerequisite for the efficient process of registration and performance of supervision. The decision-making should be effective, expeditious and consensual.
(60)
For the efficiency of supervision and in order to avoid duplication of tasks, the competent authorities of the Member States should cooperate.
(61)
It is also important to provide for exchange of information between competent authorities responsible for supervision of credit rating agencies under this Regulation and competent authorities supervising financial institutions, in particular those responsible for prudential supervision or financial stability in the Member States.
(62)
The competent authorities of Member States other than the competent authority of the home Member State should be able to intervene and take appropriate supervisory measures, after informing CESR and the competent authority of the home Member State and after consulting the relevant college in the event that they have established that a registered credit rating agency whose ratings are used within their territory breaches the obligations arising from this Regulation.
(63)
Unless this Regulation provides for a specific procedure as regards registration, certification or withdrawal thereof, the adoption of supervisory measures or the performance of supervisory powers, the national law governing such procedures including linguistic regimes, professional secrecy and legal professional privilege, should apply and the rights of the credit rating agencies and other persons under that law should not be affected.
(64)
It is necessary to enhance convergence of the powers at the disposal of the competent authorities in order to achieve an equivalent intensity of enforcement across the internal market.
(65)
CESR should ensure coherence in the application of this Regulation. It should enhance and facilitate the cooperation and coordination of competent authorities in supervisory activities and issue guidance where appropriate. CESR should therefore establish a mediation mechanism and peer review in order to facilitate a coherent approach by the competent authorities.
(66)
Member States should lay down rules on penalties applicable to infringements of the provisions of this Regulation and ensure that they are implemented. Those penalties should be effective, proportionate and dissuasive and should at least cover cases of gross professional misconduct and lack of due diligence. It should be possible for Member States to provide for administrative or criminal penalties. CESR should establish guidelines on the convergence of practices relating to such penalties.
(67)
Any exchange or transmission of information between competent authorities, other authorities, bodies or persons should be in accordance with the rules on transfer of personal data as laid down in Directive 95/46/EC.
(68)
This Regulation should also provide for rules relating to exchange of information with competent authorities in third countries, particularly with those responsible for the supervision of the credit rating agencies involved in endorsement and certification.
(69)
Without prejudice to the application of Community law, any claim against credit rating agencies in relation to any infringement of the provisions of this Regulation should be made in accordance with the applicable national law on civil liability.
(70)
The measures necessary for the implementation of this Regulation should be adopted in accordance with Council Decision 1999/468/EC of 28 June 1999 laying down the procedures for the exercise of implementing powers conferred on the Commission (15).
(71)
In particular, the Commission should be empowered, while taking account of international developments, to amend Annexes I and II, which lay down the specific criteria for assessing the compliance of a credit rating agency with its duties in terms of internal organisation, operational arrangements, rules on employees, presentation of credit ratings and disclosure, and to specify or amend the criteria for determining the equivalence of the regulatory and supervisory legal framework of third countries with the provisions of this Regulation. Since those measures are of general scope and are designed to amend non-essential elements of this Regulation, inter alia, by supplementing it with new non-essential elements, they must be adopted in accordance with the regulatory procedure with scrutiny provided for in Article 5a of Decision 1999/468/EC.
(72)
With a view to taking into account further developments in the financial markets, the Commission should submit a report to the European Parliament and the Council assessing the application of this Regulation, in particular the regulatory reliance on credit ratings as well as the appropriateness of the remuneration of the credit rating agency by the rated entity. In the light of that assessment, the Commission should put forward appropriate legislative proposals.
(73)
The Commission should also submit a report to the European Parliament and the Council assessing incentives for issuers to use credit rating agencies established in the Community for a proportion of their ratings, possible alternatives to the ‘issuer-pays’ model including the creation of a public Community credit rating agency, and convergence of national rules concerning infringements of the provisions of this Regulation. In the light of that assessment, the Commission should put forward appropriate legislative proposals.
(74)
The Commission should also submit a report to the European Parliament and the Council assessing developments in the regulatory and supervisory framework for credit rating agencies in third countries and the effects of those developments and of transitional provisions referred to in this Regulation on the stability of the financial markets in the Community.
(75)
Since the objective of this Regulation, namely to ensure a high level of consumer and investor protection by laying down a common framework with regard to the quality of credit ratings to be issued in the internal market, cannot be sufficiently achieved by the Member States, given the current scarcity of national legislation in this field and the fact that the majority of existing credit rating agencies are established outside the Community, and can therefore be better achieved at Community level, the Community may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty. In accordance with the principle of proportionality, as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve that objective,
