In the movie adaptation of the Michael Lewis book The Big Short, Mark Baum and Vinny Daniels from the investment firm FrontPoint Partners visit the offices of S&P Global Ratings. FrontPoint has noticed that the credit rating agencies (CRAs) haven’t downgraded subprime bonds, even though millions of Americans are defaulting on their home loans and the underlying securities are essentially junk. They want answers, but analyst Georgia Hale tells them she doesn’t have to share any of S&P’s data with them.

Hale suffers from an eye condition and wears a thick black eyeshade. “I can’t see a damn thing,” she says, ominously.

The movie’s symbolism here is obvious, perhaps even ham-handed—the rating agencies couldn’t see the junk bonds that were making up these complex structured products; they turned a blind eye to the malfeasance of the issuers, their paying customers.

As Georgia tells FrontPoint’s Daniels and Baum, “If we don’t give them the ratings, they will go to Moody’s right down the block.”

While sifting through the wreckage of the financial system after 2008, regulators found that the “issuer pays” model under which the CRAs operate dis-incentivized them from downgrading bonds. That there were only a few broker-dealers operating in these complex structured products magnified this effect: Pissing off an issuer by slapping their swap with a BBB rating could significantly hurt a CRA’s bottom line. And then there was the fact that the rating industry itself was dominated by three players—S&P, Moody’s, and Fitch Ratings.

Global post-crisis regulation of the CRAs has focused on transparency of ratings, assigning liability for losses, and reducing conflicts of interest. This is a well-worn problem. But the rise of environmental, social, and governance information has presented regulators with a new one that recalls the post-crisis reckoning that came to the CRAs and yet differs from it—that is, whether and how to regulate the providers of ratings and data products for ESG investing.

Regulators around the world are starting to ask similar questions about ESG providers as they did about CRAs: Do we need to start requiring these data vendors to be more transparent about their methodologies? Are there conflicts of interest between these providers and the corporates to which they are assigning ratings? Is the slew of M&A deals in the ESG data space driving too much consolidation?

These questions are arising because the ESG data industry is flourishing. For example, while it’s not a new idea to screen a portfolio for sin stocks, the investor interest managers are seeing now in specialized ESG products is unprecedented. The problem is that while investee companies are well used to being scrutinized on their financials—and there exist established standards and laws around financial disclosure—they generally don’t know how—or aren’t willing—to make comparable disclosures on their ESG impacts and risks. Many corporates (quite naturally) carefully select information that makes them look good, and have their marketing departments create glossy brochures around it—great PR, not so great for a true understanding of risks and impacts.

Since there is no equivalent of a 10K filing for ESG, investment firms turn to a diverse array of ratings and data products from benchmark and index providers like FTSE Russell and MSCI; data vendors like Sustainalytics and Bloomberg; the CRAs, which have themselves branched out into ESG-related products; and start-ups, which are being busily snapped up by the big companies. These particular activities aren’t regulated, however, and governments seem to be worried that increasing reliance on ratings and data products poses risks to investor protection, as well as fears of greenwashing, creating market inefficiencies, and convoluting the risk pricing and capital allocation process.

The UK’s Financial Conduct Authority (FCA), for one, said in its Greening Finance report, published in mid-October, that it is considering bringing rating and data providers into the scope of its regulation, and will set out further detail next year. The European Securities and Markets Authority (Esma) has written about the low levels of correlation among ESG rating providers and the lack of transparency in some quarters—companies in highly polluting industries can obtain environmental scores from some rating providers, it says. Securities and Exchange Commission (SEC) chairman Gary Gensler expressed concerns in the summer about the data underpinning ratings.

Perhaps the most significant development toward regulating data providers came last week, when the International Organization of Securities Commissions (Iosco) published its final report on ESG ratings and data product providers, the result of a consultation period that began in July. These companies don’t come under the dominion of securities regulators, Iosco said, and it wanted to know more about this industry. 

Iosco doesn’t produce regulation per se, but rather sets standards and makes recommendations that guide local regulators in how they want to go about implementing regulation in their individual jurisdictions. In the final report it makes some recommendations to regulators, corporates, investors, and of course the rating providers themselves, which, the recommendations say, might consider providing transparency around the sources of the data and the methodologies they use in building their products.

These are not dissimilar measures to those that informed regulation and guidelines around the CRAs. And it’s true that, on the surface at least, these are similar products.

Conflicts of interest, for example, can also appear in the ESG space. “Some vendors have consulting services for corporates to advise them on ESG issues that they should be aware of and how they can look to improve. These services may lead to conflicts of interest as they are not firewalled from the main rating business,” Paul Sinthunont, a strategic advisor at Aite-Novarica who specializes in buy-side research, tells WatersTechnology.

But there are major differences between credit and ESG ratings, and this should give regulators pause before they apply too many prescriptive rules on a still-nascent industry. ESG ratings are more qualitative and more varied products than credit ratings, in a wider and more varied industry. Credit ratings are defined in law, as certain types of asset managers are only allowed to invest in products that are investment grade; ESG ratings are not defined, and so it’s not always clear who ESG rating providers even are.

And possibly most importantly, ESG providers have more variety in the models they use for making money.

“With the credit rating agencies, there was a conflict of interest, because they were actually paid by the banks, whereas at the moment, ESG ratings are done one step removed. There are some boutiques that corporates can go to and they’ll rate them for ESG, but it’s not the whole industry,” says Steve Cheng, who was global head of data management at Rimes Technologies and is now an independent consultant currently advising Australian software provider Brilliance Technology.

The problem in ESG is the lack of transparency stemming from the “patchy and spotty” data released by corporates, Cheng adds—a very different problem from the one the CRAs exemplified. Investment firms don’t like that ESG ratings are uncorrelated, but Cheng says even that wouldn’t be too much of an issue if one could query how a rating provider arrived at its decisions and what data it input.

“So it wouldn’t matter if MSCI and Sustainalytics had different opinions, different ratings on a company, as long as you can trace back and actually find out how they came to that conclusion,” he says.

Investment firms seem to broadly support the idea of more regulation in this space. For a research report, Sinthunont canvassed the opinions of about 55 individuals at a range of buy-side firms—67% of his respondents said that lawmakers and regulators should place at least a high level of prioritization around overseeing third-party ESG rating agencies.

The data providers themselves, however, are less enthusiastic. MSCI, in its consultation filing with Iosco, says “interference” with ratings, whether from issuers, investors or governments, could compromise the independence of those ratings. 

“In a nascent, rapidly developing market, global principles of conduct for ESG ratings would be more effective than overly prescriptive and point-in-time rules,” the letter says.

I think they have a point. ESG as a whole industry is still in its infancy, and there are still many aspects of it that regulators don’t entirely understand. Moving too quickly on strict rules could backfire, perhaps inadvertently creating less reliability in ESG ratings and data products.