“Credit worthiness is like oxygen, you don’t notice it until its gone.”
–Warren Buffet
A credit rating agency is a company which rates the debtors on the basis of their ability to pay back the debt in a timely manner. They rate large scale borrowers, whether companies or governments. This rating analyzes the general creditworthiness of a country or foreign government. Sovereign credit ratings take into account the overall economic conditions of a country including the volume of foreign, public and private investment, capital market transparency and foreign currency reserves. There are three big credit rating agencies in the world which are Standard and Poor’s (S&P), Moody’s and Fitch Ratings. These agencies use letter codes to assess issuers. The highest score is a Triple A (AAA) and the lowest a Single D. The scale runs as follows: AAA, AA, A, BBB, BB, B, CCC, CC, C, and D.
Ratings can be made more specific by using + and – signs. For example, an issuer can be rated AAA+ or B-. Anything BB+ or below is considered high-yield, or “junk” bonds.
Credit rating agencies provide investors with objective analyses and independent assessments of companies and countries that issue such securities. They provide investors with information that helps them whether can repay their debts or not. These credit ratings have real effects upon an issuer and their ability to secure funding. The lower their rating, the better interest rates they have to offer to attract investors.
Indian CRAs
The Indian credit rating industry has evolved over a period of time. Indian credit rating industry mainly comprises of CRISIL, ICRA, CARE, ONICRA, FITCH & SMERA. CRISIL is the largest credit rating agency in India, with a market share of greater than 60%. It is a full-service rating agency offering its services in manufacturing, service, financial and SME sectors.
CRISIL stands for Credit Rating Information Services of India Limited and it was the first credit rating agency set up in India in 1987. Today, CRISIL has become a global analytical company that rates companies, researches the markets and provides risk and policy advisory services to its clients. At the time of incorporation, the agency was promoted by ICICI Limited, UTI and many such financial institutions. The agency started operations in 1988.
Comparative Analysis of Indian and International Credit Rating Agencies
1. Quality of data available
After SEBI 2010 regulations, Indian Rating Agencies disclose the history of ratings outstanding, 5years average default rates, list of defaulted companies in each rating classes, number of ratings upgrade or downgrade in the year. US credit rating agencies in SEC NARSRO Filing, disclose current year’s average default rates in every rating category, rating distribution, speculative & investment grade default rate over years, causes of defaults, default rates in every region, default rate according to different type of issuers.
But there is a very high degree of variations in the information disclosed in default &transition studies of different rating agencies. While US CRAs provide sovereign ratings, Indian agencies do not.
2. Default Rates
In the case of Indian Rating Agencies, though the default rate in the highest two categories is almost nil, overall investment grade default rate was six times than International Credit Rating Agencies. So Indian Credit Rating Agencies need to relearn from their parent companies to reduce investment grade defaults.
3. Accuracy Ratio
Accuracy ratio, which is considered to be the most precise tool of measuring rating accuracy, is disclosed by only Standard & Poor’s Ratings Services and CRISIL. Accuracy Ratio is a measure to find out rating accuracy with the help of cumulative accuracy profile. Indian CRAs need to improve their accuracy as they are more lenient than international CRAs.
CRAs acting as an Oligopoly
Investors can’t rely completely on a single credit rating or ratings. The justification that an investment is safe should be on the decision-makers side i.e. the investor. After all, it was the risk-taking and incompetence of the “big three” credit rating agencies that spawned the subprime mortgage crisis of 2008. While CRAs were not the actual cause of the crisis, their failings have highlighted the need for reform in the credit rating market and of the business models used. Increased due diligence by CRAs is required to ensure the verification of all information used in business models, and a decrease in regulatory reliance on ratings may be advisable.
CRAs have always been under the radar for the lack of oversight and transparency. How is it that these agencies rate? Is it based on fact or an opinion? Whatever the case maybe these CRAs are well reputed in the financial world. They are said to be self-regulating, but this approach can be challenged by the fact these companies earn profit on the basis of gained or lost depending on their ability to lure the business of issuers who will always be seeking the highest rating possible.
Credit ratings are experience goods i.e. the quality of the rating is only revealed after using a large sample. Therefore reputation for quality built on a long track record is the crucial competitive advantage. Ratings from a given CRA provide a common standard to interpret risk. Corporate issuers build a trust relationship with one or two CRAs but are unwilling to be rated by more. However, building this relationship involves valuable executive management time. Corporate issuers will value the ratings most trusted by investors to facilitate placement and provide for the lowest spread. Hence, for all the above reasons, the CRA market is a natural oligopoly.
The market for fundamental credit ratings cannot sustain a large number of agencies. The market will remain an oligopoly where CRAs tend to compete for the market (to become a standard) rather than in the market. Competitive dynamics amongst even a small number of CRAs can be based on building a reputation for rating quality. As the entry into the market is so difficult, competition amongst the rating agencies is distinct from other markets. It is also possible that they compete in a dimension other than quality, so if the situation becomes negative, it becomes negative for all and no single CRA will lose any market share.
EQUIFAX DATA BREACH
American credit rating agency Equifax disclosed on September 8 2017, that a vulnerability in one of its web applications has led to the leak of around 143 million Americans’ social security numbers being compromised. The leak comprises millions of Americans’ Social Security Numbers (SSNs), driving license numbers, and a couple hundred thousand credit card numbers, among other documents. The breach occurred from May to July, the company said.
The company said that aside from some British and Canadian consumers’ data, it has found no evidence that personal information of consumers in any other country has been impacted. It has also set up a website explaining the breach, and has set up a portal for Americans to check if they have been affected.
Why SSN leaks are dangerous
143 million Americans, which is almost half of the US’s population, now risk their SSNs ending up in the hands of identity thieves and, perhaps, the dark web. The Social Security Number system was first devised in the 1930s to audit American employees’ deposits and withdrawals from a mandatory pension-esque fund. Eventually, it was appropriated by other parts of the government and by financial institutions as a way of verifying citizens’ identities, and due to legal frameworks that later followed, it is now basically mandatory for US citizens to get a Social Security Number.
Unlike Aadhaar though, SSNs have little to no in-built security, and it’s incumbent on the cardholder themselves to make sure that nobody gets their hands on their social security number — there is no biometric or OTP-based authentication for SSNs that acts as a second factor of authentication. Compromised SSNs are a very common factor in a major portion of cases of identity theft in the US. In fact, the average financial losses US citizens whose SSNs were breached faced was almost twice as much as those who had lost their credit card; this is even more significant considering that there are few authentication safeguards on credit and debit cards in the US.
How this matters for India
Privacy has been a fundamental right under the US constitution for decades, while India’s Supreme Court just recently declared it one. Even with the relatively robust legal regime around data protection that the US has, breaches like Equifax’s are not unprecedented. As an NYT report pointed, a breach of Yahoo’s servers, which led to over a billion users’ personal information being compromised, was much larger.
In India, a data protection law couldn’t come at a better time. Right now, companies that maintain data of Indian citizens for various purposes operate in a legal vacuum, and their own internal security standards are the only thing standing in the way of this data being breached. Two bills may soon be floated before the Lok Sabha to legislate data protection, one by Jay Panda, and the other by Shashi Tharoor. While a legal framework isn’t going to ensure total data security, it is an essential foundation on which India’s public and private sector need to work to secure the data of citizens whose data they possess.
Government organisations alone have passively leaked over 130–135 million Aadhaar numbers, simply by not masking that information on their websites. A data protection law would require both companies and government organizations to better secure citizens’ data. Personal information like Aadhaar numbers and contact details are often stored by a large number of players, both in the private and the public sector and a single breach can leave millions of citizens exposed to identity theft and the Pandora’s Box that opens up with having their personal information in the public domain.
Equifax in India
In India, Equifax operates as a joint venture with four public sector banks — SBI, Bank of Baroda, Bank of India, and the Union Bank of India — and three private banks, according to the company’s website. The company offers credit ratings reports for free to consumers in India and requires users to submit their Aadhaar number to authenticate their identity for these reports. In the last few months, they have been expanding their microfinance offerings and partnered with the International Finance Corporation to “deepen coverage” of credit reports of Self-Help Groups in India. The company has been involved in microfinancing in India since 2011, according to its website.
Conclusion
Since the CRAs are playing a part in the regulatory framework, they should no longer remain completely private, profit-making enterprises. Rather, they should be brought under the aegis of the government without compromising on their autonomy.
There are several regulatory disclosures laid down by SEBI, RBI and IOSCO which apply to CRAs in India, it is imperative that there is transparency in their working. Credit rating agencies may be in for a tough ride as the Securities and Exchange Board of India continues to tighten the screws on them. The market regulator has released a consultation paper seeking feedback on a new set of rules drafted to improve “market efficiency” and enhance “the governance, accountability and functioning of credit rating agencies”. Although there is no simple method to regulate and sanction informal judgement.
However, it does not seem possible that these regulations will eliminate the conflicts of interest completely, increase the competition in the credit rating market and decrease the rating shopping in the short run. So further regulations are needed for efficient functioning of the credit rating market or alternatively, a public CRA may be established as an alternative to the private CRAs. Prudential regulation is thus justified to tackle this problem. This criticism, however, ignores the reputational damage these agencies suffer after each corporate default. Repeated failures have not affected the business of rating agencies, primarily due to the lack of alternative service providers who can help out investors.
Data breaches in these agencies also have alarming consequences. A question that arises is whether it makes sense for three large, private CRAs to aggregate so much information when they are vulnerable to such incidents.
The debate is indeed never ending, but for now, there is no solid alternative for CRAs or their functioning.
By Ghazal Abdullah