News & Insights

Client Alert

March 16, 2021

SEC Brings Action Against Morningstar Alleging Undisclosed CMBS Rating Adjustments

On February 16, 2021, the SEC filed a litigated civil complaint in the Southern District of New York against Morningstar Credit Ratings LLC, a former Nationally Recognized Statistical Rating Organization (“NRSRO”)  alleging violations of disclosure and internal control provisions.[i]  The allegations state that Morningstar allowed its analysts to make undisclosed stress adjustments that resulted in higher credit ratings assigned to certain classes of “conduit/fusion” CMBS certificates in 2015 and 2016. According to the SEC, the stress adjustments were not disclosed in Morningstar’s credit rating methodologies and the agency did not have controls in place that governed how analysts were supposed to make such adjustments.  The SEC’s action against Morningstar takes an aggressive position regarding the level of granularity with which NRSROs must describe their procedures and methodologies.

According to the complaint, Morningstar’s rating process involved determining key cash flow and valuation amounts for commercial properties and associated loans backing each CMBS transaction, and their model then stressed those amounts to project expected loan losses in different economic environments. The complaint alleged that Morningstar’s rating methodologies did describe how its model stressed net cash flow and capitalization rates, for example applying different stresses for different property types and applying different capitalization stresses at each rating category. However, the methodologies did not disclose that analysts were permitted to make “loan-specific” adjustments to the disclosed cash flow and capitalization rate stresses.  

The complaint alleges that while the adjustments were used both to increase and decrease property cash flow and valuation stresses, the adjustments were “overwhelmingly” used to decrease those stresses, resulting in lower than expected loan losses and materially higher ratings for many classes of the CMBS certificates. Morningstar allegedly used these “loan specific” stress adjustments in 30 conduit/fusion CMBS transactions during 2015-2016. 

In addition to its failure to disclose the discretionary “loan specific” adjustments, the complaint alleged that Morningstar also failed to implement internal controls governing the adjustments. According to the complaint, Morningstar had no criteria or guidelines for analysts to follow and did not require analysts to document their determinations. As a result, Morningstar allegedly lacked effective internal controls to ensure that its analysts appropriately made the “loan-specific” adjustments for loan-specific reasons. The complaint alleges that the lack of internal controls allowed analysts to apply “loan-specific” adjustments for reasons unrelated to the specific loans or individual properties securing those loans.  In addition, in some cases the adjustments, which were supposed to be “loan-specific”, were applied across all of the loans in the CMBS transaction portfolio.

The complaint alleges that these actions violated Sections 15E(b)(2)(A), 15E(c)(3)(A), and Rules 17g-1(f) and 17g-7(a)(1)(ii)(B) of the Exchange Act, which are disclosure and internal control provisions applicable to NRSROs, and seeks injunctive relief, disgorgement with prejudgment interest, and civil penalties.

The SEC’s action represents an apparent departure from the type of conduct that the staff typically has scrutinized in its NRSRO examinations or the SEC has sanctioned in most prior enforcement actions against NRSROs. In its annual exam reports, the SEC’s Office of Credit Ratings (“OCR”) has typically looked at whether ratings agencies acted in accordance with their policies, procedures, and methodologies with an emphasis on overt inconsistencies between the credit rating agency’s published criteria and the procedures followed in practice. For example, one smaller agency’s published methodology stated it reviewed various qualitative factors relating to certain issuers.[ii]  However, OCR found that the rating files for these issuers contained little or no information about any such factors, and the analysts assigned to those ratings could not answer basic questions regarding the factors. In another example, a smaller agency determined ratings using an approach that was neither documented nor approved, and which did not take into account factors that its methodology stated would be considered in the rating process.[iii]

Likewise, most of the SEC’s enforcement actions against NRSROs have historically focused on conduct involving clear deviations from published criteria. For example, in a January 2015 settlement with a large rating agency, the SEC’s order found that the agency did not use the loss severity assumptions clearly laid out in its criteria, rendering its criteria objectively inaccurate.[iv]  In another large agency’s October 2015 settlement with the SEC, the agency was found to have failed to undertake the surveillance process described in their methodology.[v]  Specifically, the SEC’s order found that the agency did not execute several specific steps described in its surveillance criteria. The SEC’s very first settled enforcement action against an NRSRO in 2010 provides perhaps the closest analog to the allegation against Morningstar. In that 2010 case, the rating agency was charged with failing to disclose in its Form NRSRO that it performed an extra layer of review for credit ratings of issuers whose securities made up the pools for asset-backed securities managed by the firm’s largest customer, and failing to document the process for performing this extra layer of review in its written policies and procedures.[vi]

The SEC’s position in the Morningstar action raises the important question of how much detail publicly published methodologies must contain to comply with the law. Credit rating agencies must provide a “general description” of the procedures, and methodologies used to determine credit ratings, and the description must be “sufficiently detailed to provide users of credit ratings with an understanding of the processes the applicant or NRSRO employs to determine credit ratings including . . . the quantitative and qualitative models and metrics used to determine credit ratings . . . . ”[vii]  However, the “general description” requirement does not require that published criteria  outline with specificity how a rating agency approaches every step in its rating determinations and in fact, the Commission expressly rejected such an approach. 

In its proposing release for rules implementing provisions of the Credit Rating Agency Reform Act of 2006,[viii] the Commission had proposed that agencies submit its procedures and methodologies in Exhibit 2 to Form NRSRO.  In response, commentators suggested that the Exhibit should require a description rather than requiring agencies to submit and disclose “each actual procedure and methodology. These commentators pointed out that large credit rating agencies that issue multiple types of credit ratings generally have volumes of detailed procedures that credit analysts must follow in the course of determining a rating . . . . Disclosing all this information would be burdensome and could be difficult for users of credit ratings to parse. They also noted that some of the procedures and methodologies may involve the use of proprietary models.”[ix]  In agreeing with the commentators, the Commission’s final rule required only a description of the procedures and methodologies and “not the submission and disclosure of each actual procedure and methodology” in Exhibit 2.   

In addition, qualitative inputs that are based on the judgment and experience of analysts are important to the rating process and aren’t easily subjected to policies and procedures, at least not without potentially compromising their value. As the SEC stated in the adopting release for Exchange Act Rule 17g-8, which relates to policies, procedures, and internal controls, “[t]he Commission acknowledges that rating procedures and methodologies commonly incorporate qualitative analysis that introduces a degree of subjectivity to the rating process.”[x]  Such subjectivity is important for credit rating agencies to perform accurate assessments that provide value to investors. 

In 2012, the SEC released a report in which it considered the feasibility and desirability of credit rating standardization, including standardizing market stress conditions or credit rating terminology.[xi]  The Commission considered whether it made sense to adopt a quantitative correspondence (i.e. conformity) between credit ratings and a range of default probabilities and loss expectations under standardized conditions of economic stress.[xii]  It concluded that this approach did not make sense, stating that it “could interfere with the methodologies NRSROs use to determine credit ratings by requiring them to give less affect to qualitative factors.”[xiii]  The report cited to comments from different rating agencies, all of which underscored the importance of qualitative analysis in the rating process. Comments stressed that “analysts may consider qualitative factors because quantitative factors may not capture all risks”[xiv] and also that a “single-dimensioned” approach would likely “result in greater ratings volatility, which could adversely affect the stability of the financial system.”[xv]  Formulaic approaches compromise professional judgment, a key component in the rating process, and could discourage competition in the credit rating industry, which would undermine a clearly expressed goal of the Dodd-Frank Act. 

It remains to be seen how the litigation will unfold, but as this action has demonstrated, rating agencies should evaluate to what extent, if any, their rating process does not align in a material way with their published policies, procedures, and methodologies given the SEC’s current posture. This is particularly important where the process involves a discretionary step like the one taken in Morningstar’s process. In addition, the Morningstar action highlights the importance the SEC places on internal controls around qualitative inputs. Rating agencies would be well advised to consider whether a control and review process over any discretionary factors is needed. The SEC has clearly begun to scrutinize rating methodologies for perceived inadequacies in their content and is willing to take enforcement action against rating agencies that, in its view, fail to disclose important steps in the rating process.


[i] Complaint, U.S. Securities and Exchange Commission v. Morningstar Credit Ratings LLC, 21-CV-1359 (S.D.N.Y. January 16, 2021), available at

After Morningstar Inc acquired DBRS, it combined the operations of its credit rating agency, Morningstar Credit Ratings with that of DBRS, and the combined business operates under the name DBRS Morningstar. 

[ii] SEC, 2019 Summary Report of Commission Staff’s Examinations of Each Nationally Recognized Statistical Rating Organization, available at

[iii] Id. at p. 26.

[iv] In the Matter of Standard & Poor's Ratings Services, Release No. 34-74103 (Jan. 21, 2015), available at

[v] In the Matter of DBRS, Inc., Release No. 34-76261 (October 26, 2015), available at

[vi] In the Matter of LACE Financial Corp., et al., Release No. 34-62834 (September 2, 2010), available at

[vii]Application for Registration as a Nationally Recognized Statistical Rating Organization (NRSRO), Exhibit 2 Instructions.  The SEC acknowledges, however, that rating agencies should not be compelled to disclose any proprietary information.  See SEC, Final Rule, ‘Oversight of Credit Rating Agencies Registered as Nationally Recognized Statistical Rating Organizations’, Release No 34-55857 at p. 91 (June 18, 2008), available at (stating the Form NRSRO’s Exhibit 2 requirements are “designed to avoid the public disclosure of proprietary information.”)

[viii] SEC, Proposed Rule, ‘Oversight of Credit Rating Agencies Registered as Nationally Recognized Statistical

Rating Organizations’ pp. 42-45, 179 (Feb. 2, 2007) available at

[ix] SEC, Final Rule, ‘Oversight of Credit Rating Agencies Registered as Nationally Recognized Statistical Rating Organizations’, Release No 34-55857 at p. 50 (June 18, 2008)

[x] SEC, Final Rule, ‘Nationally Recognized Statistical Rating Organizations’, Release No 34-72936 (August 27, 2014), available at

[xi] SEC, ‘Report to Congress Credit Rating Standardization Study,’ September 2012, available at

[xii] Id. at 29.

[xiii] Id. at 34.

[xiv] Id. at 31.

[xv] Id. at 33.