The article examines the legal liability (administrative and civil) regimes introduced to establish an accountability model for credit rating agencies (CRA). In particular, the article focuses on the limits that hinder the achievement of a comprehensive accountability model for CRA, in which the two functions of deterrence – performed by the ESMA’s supervisory power – and interpersonal justice – left to the national private courts – are effective and appropriately counterbalanced. Against the background of the three models envisaged for the interplay of public enforcement and private enforcement (separation, complementarity and integration of the two functions), which reflect models already adopted in the EU, the article explores the possibility of establishing a dialectical relationship between private autonomy and public rules in CRA’s liability cases. It does so, on the one hand, by ascertaining the existence of a continuous interaction between public enforcement (ESMA supervision) and private law, of which it provides two examples (the MiFID regulation for investment services and the Standardization Regulation European Union in specific industrial sectors) and, on the other hand, evaluating whether the harmonization of the constituent elements that constitute non-contractual liability or of the procedural rules in appeals for purely pecuniary damages is possible at a European level.

Sommario/Summary:

1. Introduction. - 2. In search of an accountability model for CRA. - 2.2. The trade-off between the functions of deterrence and compensation. - 3. The EU liability regimes for CRAs and their criticalities. - 3.2. Art. 36(a) of the CRA II. - 4. The rise of administrative enforcement and the interplay with private law remedies. - 4.1. The case of MiFID II. - 4.2. The case of the Regulation on European Standardization. - 5. The problem of harmonizing private enforcement of tort law in Europe. - 6. Conclusive considerations. - NOTE

1. Introduction.

These last years have experienced – especially in Europe – an increasing regulation of the Credit Rating Agencies (CRAs) industry, which, after the last financial crisis of subprime and mortgage loans, have been under scrutiny worldwide. In particular, CRAs were accused of contributing to the proliferation of structured finance products such as asset-backed securities (ABS) in the global market and assessing these credits very poorly – often overestimating them. However, they were also suspected of having discriminated between sovereign debtors [1], giving preferential treatment to some country-issuers, or sometimes acting in the most inconvenient time, spreading undue panic, while not acting in good time during the financial crisis of 2008 [2]. The anomaly in the CRAs industry is that, notwithstanding their semi-public function in ordering public financial markets worldwide, CRAs are private multinational enterprises operating behind the shield of limited liability. They aim to maximize profits and shareholders’ value. Even if their reputation provides a strong incentive for issuing honest information, they do not act in the common interest, as would be the case if they were regulatory agencies mandated by the State. In situations where private interests and public imperatives diverge, conflicts of interest may arise and undermine the credibility of the regulatory process [3]. In their defence, CRAs have consistently upheld their role as neutral information providers, a stance that has been the cornerstone of their reliability and reputation. This commitment to impartiality has been a key consideration for regulators, who have often favoured market control mechanisms over legal strategies when discussing CRAs’ regulation. This emphasis on their role as neutral information providers should reassure the audience about their integrity [4]. However, the US courts’ approach has shifted away from quasi-judicial immunity. CRAs have lost their permanent status as financial journalists, as demonstrated by the several lawsuits against CRAs that followed the financial crisis. US courts took up the idea that structured financial products were for a specific business audience, such as investment banks and selected groups of investment bankers, and, therefore, they were only of private – not public – concern. By re-qualifying CRAs’ ratings, no longer as political but as commercial speech that [...]

2. In search of an accountability model for CRA.

2.1. Ending over-reliance on CRAs: a mission impossible. CRAs develop an essential twofold audit function for financial markets. First, they evaluate the solvability of entities and their issues (credit risk audit). Second, by monitoring the performance of these entities through the periodical rating activity of their default risk, they indirectly contribute to the prudential supervision carried out by the financial authorities and central banks (compliance audit). Since assessing these securities may require a high level of knowledge and be highly time-consuming, the national regulators have been happy to delegate this task to CRAs trading off political control power for efficiency in the financial markets [18]. As financial markets grew increasingly complex, CRAs’ high reputation and technical skills have pushed national supervisors and institutional and non-institutional investors to rely on their cost-effective information services offered through economies of scale [19]. In addition, CRAs fulfil the role of real standard setters. The qualified financial opinions they issue through their ratings (indirectly) promote specific organizational procedures by establishing a shared understanding of what constitutes creditworthiness [20]. In other words, CRAs generate standards similar to, for instance, OECD recommendations (on best practices) for corporate governance. This mode of governance could be socially valuable for effectively harmonizing the praxis and uses of the markets [21]. Standards differ from rules. While rules are compulsory, standards are non-binding and for the use of the issuers who may or may not adopt them. However, CRA standards, represented by their issued ratings, have been enforced hierarchically by the States and their financial regulators through the regulatory involvement of ratings. Knowing that, as proved by the last financial crisis, the loss of reputation was not an effective deterrent for them, a model of accountability for CRAs is justified. They act as a quasi-regulatory authority, and a regulatory authority is accountable for any wrongdoing committed in the regulation issued [22]. Aware of the difficulty of ensuring justice among the private actors in the financial markets without incurring over-deterrence vis-à-vis the CRAs, the international regulators pointed out the need to end mechanistic reliance on CRA ratings by banks, institutional investors, and other participants. This [...]

2.2. The trade-off between the functions of deterrence and compensation.

The rise of regulation as a distinctive mode of governance has developed in the EU through a process known as “agencification”, which has led to the creation of new delegated institutions for specific policy objectives, such as the ESMA for the supervision of the EU financial markets. The proliferation of these new entities has led to the development of a hybrid legal order labelled “European financial supervision private law” or “regulatory private law” [30]. That framework identifies any financial company operating its business under the public supervision of an EU regulatory authority. In such a framework, the EU regulatory authority (financial supervision) affects the relationship between any financial company, including CRAs, and all the other private actors – professional or non-professional private parties – becoming a sort of quasi-private. There is, therefore, a need for coordination between the ex-ante public regulation and the ex-post civil liability remedy to counterbalance the functions of deterrence and compensation in CRAs’ accountability model. The public regulation, including the oversight measures and the specific powers of supervisor (public enforcement) granted to ESMA for their direct day-to-day supervision, should serve as a deterrent. Instead, the civil liability involving the private enforcement and ensuring justice between the private actors should compensate those who suffered damages caused by the infringements of CRAs. In addition, a civil liability regime, if operative, could also perform a deterrent function to discourage CRAs from non-compliance with regulatory and private law standards. Deterrence and compensation as a consequence of the actions of supervision and enforcement carried out by the regulatory agencies and the private courts should interact with each other in a way that they do not result in under or over-deterrence. The interplay between administrative enforcement and private law remedies (i.e., private damages) has been envisaged in three ways. Public and private enforcement may exist separately. In this first model, administrative enforcement is a matter for the regulatory agency (ESMA), and private enforcement remains the exclusive domain of the national private law courts. This ‘separation’ model places the onus on the judiciary to develop private law remedies by private law principles. However, because deterrence and compensation are [...]

3. The EU liability regimes for CRAs and their criticalities.

3.1. Art. 35(a) of CRA III. Introducing a liability regime for rating agencies has been one of the most controversial aspects of the new CRA reforms [32]. Article 35(a) of the CRA III establishes CRAs’ civil liability rules in the EU [33]. According to it, CRAs are liable to investors and issuers if they commit specific infringements listed in Annex III of the rating regulation. Thus, CRA III does not refer to false or erroneous ratings as the cause of damage. It instead provides a list of infringements of regulatory provisions, which may cause damage to the investor or the issuer [34]. This EU legislator’s choice has raised some criticisms because the procedural nature of the infringements listed in Annex III may function as a limit of the cases where CRAs can be held liable. Contrariwise, a CRA could escape liability by merely complying with the set of rules of conduct listed in Annex III [35]. The infringement list is supposed to be exhaustive and serve as a foundation for a liability claim. The duties included are of three kinds: those related to conflicts of interest, organizational or operational requirements; those related to obstacles to the supervisory activities; and those related to disclosure provisions [36]. For accountability to exist, the CRA’s infringements must have impacted the rating, resulting in a patrimonial loss for the claimant [37]. Regarding the standard of care for civil enforcement, Art. 35(a) states that the infringement shall be committed «intentionally or with gross negligence» [38]. Therefore, it excludes cases of slight negligence. However, CRA III allows for «further liability claims in accordance with national law», which allows investors and countries victims of breaches of extra-contractual liability to sue CRAs in any European national court [39]. Furthermore, the investor who wants to establish a claim under Art. 35(a) must show that «in accordance with Art. 5a(1) or otherwise with due care», reasonably relied on the credit rating for the decision to invest in, hold, or divest from the asset and that the infringement has caused damage [40]. This condition has been labelled as misleading [41]. If obeyed to the letter, the provision would appear excessively burdensome for the claimant. If the investors, after exercising their credit risk assessment, nevertheless rely on the disputed credit rating for economic [...]

3.2. Art. 36(a) of the CRA II.

Together with a civil liability regime, the EU legislator also established an articulated system of responsibility of an administrative nature. ESMA is in charge of the day-to-day supervision of CRAs and has the power to request information, conduct necessary investigations and on-site inspections, and even take supervisory measures or impose fines for administrative infringements. In particular, article 36a of EC Regulation n. 513/2011 (CRA II) delegated the European Security and Markets Authority (ESMA) the power to impose monetary fines to a CRA violating, intentionally or negligently, one of the administrative infringements listed in Annex III. Thus, the same violations that can sustain a civil liability claim can also be used as the basis for administrative liability, given that Articles 35a and 36a refer to the misconducts described in Annex III. In truth, the administrative liability regime comes before civil liability. The legislator first introduced the list of the infringements included in Annex III to allow ESMA to impose administrative sanctions and, only later, adopted the list for CRAs’ civil liability regime. The fact that the EU legislators introduced the list for the administrative liability regime can be inferred by looking at the infringements listed and noting that not all of them trigger civil liability because not all of them impact the rating (i.e., disclosure obligations). However, all give rise to administrative liability [51]. Interestingly, while civil liability requires a CRA to act intentionally or with gross negligence to be held liable, slight negligence is enough for ESMA to apply a monetary fine. Minimum and maximum amounts are applicable for each type of infringement, and a list of coefficients is linked to aggravating or mitigating factors that can reduce or increase a sanction. The different intensity of a fine reflects the behaviour of a CRA committing, intentionally or negligently, one of the infringements listed in Annex III [52]. When the financial authority decides to impose a fine, which can also be periodic in specific cases [53], it determines its amount by looking at the applicable ranges included in Art. 36a(2) of CRA II for each type of infringement. ESMA’s board of supervisors must give the persons subject to the proceedings the opportunity to be heard, comment on ESMA’s findings, and access ESMA’s file within limits set forth by Art. 36c. ESMA’s decisions on [...]

4. The rise of administrative enforcement and the interplay with private law remedies.

Over the years, the EU law has witnessed a progressive change in the traditional image of enforcement in private law. On the one side, the EU legislator has promoted the public enforcement of European private law by prescribing the establishment of European administrative agencies; on the other, the Court of Justice of the European Union (CJEU) has become more and more influential in shaping the judicial private enforcement landscape in a way that the meaning itself of the principle of procedural autonomy no longer implies a net separation of EU and national spheres in enforcement issues. In other words, private enforcement is no longer the exclusive competence of the Member States [67].

4.1. The case of MiFID II.

For instance, in the field of investment services, the EU legislator envisaged a strong interconnection between private law and public enforcement by making the private law rules part of the EU-harmonized public supervision framework, leaving the Member States little room for manoeuvre in determining the modes of implementation and enforcement [68]. Unfortunately, in other areas, such as CRAs’ creditworthiness assessment, no firm link between private and public enforcement has yet been established at the EU level. To make ESMA’s ex-post enforcement powers more effective and its sanctions more deterrent, EU legislators could significantly increase the upper limit of the penalties and the budget allocated to ESMA. At the same time, it could expand ESMA’s powers to render the procedural framework in which it operates more flexible, making ESMA as close as possible to its US counterparty. The ESMA could provide an efficient form of transnational regulation and administration, developing transnational governance functions and networks of cooperation. In this logic, the MiFID II Directive [69] harmonizes supervisory and public enforcement powers for any breach of the conduct of business rules [70] and strengthens the private enforcement of conduct of business rules where it requires Member States to set up alternative dispute resolution mechanisms for consumer complaints. In particular, the Directive obliges the Member States to set up remedies for compensation by national law for any economic loss or damage suffered due to an infringement of the MiFID II Directive or Regulation (EU) No 600/2014 [71]. These powers should offer sufficiently effective enforcement of provisions to protect the individual investor [72]. However, as it was argued, if, on the one hand, MiFID I and II measures achieve the goal of protecting specific categories of market participants, such as the investors, on the other, they still need to provide a minimum European level of individual protection under private law [73]. At the same time, to facilitate investors’ redress in the great civil procedure hurdles, the EU courts could rely on the decision of ESMA to establish the infringement of the CRA Regulation in civil proceedings. In such a circumstance, investors bringing a claim against a CRA could establish causation based on factors other than the investor’s reliance on a credit rating. For instance, demonstrate that the [...]

4.2. The case of the Regulation on European Standardization.

Another tool that has been adopted at the EU level as a mechanism of co-regulation that brings together private and public parties at different decision-making stages to balance different interests is standardization [79]. A decade ago, EU legislators introduced the Standardisation Regulation as a new regulatory strategy to foster trade within the EU market, consisting of the interaction between legislative instruments and European standards [80]. The idea behind this approach is to complement top-down legislation with bottom-up regulation. The harmonized standards are not binding on individuals. However, since normative and economic incentives push businesses toward compliance, they can be considered soft law. The Standardization Regulation establishes European standards and standardization deliverables for products and services. Standards have become so significant that market access in certain industries is contingent on compliance with the related standards. It would be so expensive and time-consuming for a professional to provide any other evidence of compliance with EU law [81]. In the European approach to standardization, the idea is to make a specific activity procedural profiting from the dialectical relation established between private autonomy and public rules [82]. An example is the Italian Law No 24/2017, regulating the liability of healthcare professionals and allowing doctors to avoid liability by invoking their compliance with guidelines and best practices or otherwise explaining the circumstances of the case that justified a deviation from that behaviour (the so-called ‘comply or explain’ approach). Other examples come from the introduction of the AI (Artificial Intelligence) liability framework and the standardization of the ICT and Telecommunications sectors. In extra-contractual liability litigation for AI-related damages, the role of standards can mitigate the uncertainty that characterizes the judicial assessment of the elements of fault-based liability, namely damage, negligence and causation [83]. Theoretically, the standardization approach could also harmonize CRAs’ liability regimes in Europe. Extra-contractual liability or tort requires the assessment of fault on behalf of the alleged tortfeasor in addition to causation and damage. Determining whether the rating agency acted maliciously, recklessly or slightly negligently is essential but extremely challenging. Not all misconducts [...]

5. The problem of harmonizing private enforcement of tort law in Europe.

There are several good reasons for the cautious approach of many EU legal systems to limit compensation of tort damages for pure economic loss strongly. 1. These claims are potentially indeterminate, characterized by unreliable evidence and collusive actions. Therefore, there would be no reasonable limit to a defendant’s liability. The risk is that the courts would become overwhelmed with claims, as in floodgate litigation, a phenomenon widespread in the USA[85]. 2. In a free market economy such as the one of the European Union, the most important interest to protect is the individual freedom to determine one’s investment choices and not to prevent profits from being made at the expense of others if the gaining person has not intentionally caused wrongs to anybody[86]. 3. Any suggestion to deal with these cases of tort damages for pure economic loss with loss insurance generally favours a rule of no liability (i.e. an exclusionary rule)[87]. The problem of harmonizing private enforcement of tort law also involves the United Kingdom, which was among the Member States at the entry into force of the Regulation, although later, following the Brexit process, the UK withdrew from the EU Community and, therefore, from its Regulations. However, while from the perspective of public law, the Financial Conduct Authority (FCA) has replaced the ESMA in its task of supervision of the UK financial markets [88], from a private enforcement perspective, it is still meaningful to include the UK in the process of harmonization of private law in Europe to avoid a potential regulatory arbitrage effect [89]. In England, the situations in which the law recognizes a duty of care about pure economic loss are strictly limited and mainly included in the area concerning negligent misstatements and negligence in the performance of a service [90]. The case that introduced liability for negligent misstatements was Hedley Byrne v Heller in 1964 [91]. The House of Lords ruled that, even without fraud or a contractual relationship, damage for pure economic loss could arise in certain situations under specific conditions. These are the existence of a fiduciary relationship (“special relationship”) between the parties, the party preparing the advice/information has voluntarily assumed the risk, there has been reliance on the advice/info by the other party, and such reliance was reasonable. Therefore, to incur tort liability, a CRA must be in a [...]

6. Conclusive considerations.

Public policymakers rely on CRAs to perform a function of private governance over the financial markets. CRAs assess the solvability of entities and their issues by evaluating their risk, and they contribute to prudential regulation by periodically monitoring their performance and indirectly promoting specific organization procedures. Assuming no alternative is available, this article has commented on the EU legal liability regimes implemented for CRAs, emphasizing their main criticalities. A sound accountability model should provide deterrence and compensation without incurring under or over-deterrence. The two functions of sanctioning any infringement committed and compensating those who suffer damages due to the infringement attain the goals of serving as a deterrent and ensuring justice between the private individuals. Three models envisaged for the interplay of public (administrative) and private (civil) enforcement reflect models already adopted in the EU. The first is the separation model, in which the ESMA develops its role of supervisor by sanctioning CRAs in case of the infringement of a procedure, while in parallel, the national private courts are in charge of the provision of redress to private parties who suffered damages for pure economic loss due to the infringement. From the study conducted, it could be argued that such an accountability model would most likely bring an under-deterrence – because it would be tough to hold a CRA liable for extra-contractual liability – which could, in turn, become over-deterrence in the remote case of harmonization of EU private law or facilitation in the procedural law applicable to the cases of CRA civil liability. In fact, this would create a risk of floodgate litigation. At the same time, the original intent of the regulator was not much to compensate but mainly to improve the regulatory governance of the financial markets as a whole. The second is the complementarity model, in which the ESMA could have a role to play in facilitating private redress for victims of breaches of EU private law. The EU legislator has promoted such a model in other areas of EU private law, such as unfair trading, unfair contract terms, consumer sales of goods, and antitrust. The article discusses two examples: the MiFID II framework for investment services and the Standardization Regulation for specific sectors like AI liability or ICT and Telecommunication. The ESMA could be empowered with specific [...]

NOTE