I. Introduction

Financial markets should be efficient, and information should be available to all market participants. Rating and research companies play an important information role in these markets. Thomas Murray Network Management Limited and its affiliates (together, “Thomas Murray”) provide opinions in the form of written analysis (“Risk Assessments”) that incorporate a calibrated scale using the “AAA”, “AA”, “A” etc. symbology (“Risk Grades”), data, and related research about post-trade counterparty and market infrastructure risks around the world covering global custodians, sub-custodians, central counterparties, prime brokers, transfer agents, capital market infrastructures, central securities depositories and similar entities (“Assessed Entities”).

The Risk Assessments and Risk Grades are opinions about post-trade counterparty and market infrastructure risks that Thomas Murray provides to help institutions (including banks, brokers, infrastructure entities, fund managers and asset owners), that use post-trade service providers and market infrastructures, analyse the key post-trade risks they face when investing in a given market and the important factors to consider when appointing or using a post-trade service provider. In order to promote greater understanding of the processes supporting Thomas Murray’s Risk Assessments, Thomas Murray has adopted this Analytical Code of Conduct (“TM Code”). Although Thomas Murray is not a credit rating agency, (as defined by the European Securities Markets Authority -the pan-European regulator of credit rating agencies), Thomas Murray has modelled the TM Code on the International Organization of Securities Commissions’ code that acts as a guide and framework for the conduct of credit rating agencies.

Through the TM Code, Thomas Murray seeks to protect the integrity of the process by which Risk Assessments are created and updated (“Risk Assessment Process”), to ensure that Risk Assessments are conducted fairly and objectively, and to safeguard the confidentiality of information provided to Thomas Murray.

To use Thomas Murray’s Risk Assessments effectively, the market should be informed of both their attributes and limitations. In this regard, Thomas Murray seeks to be as transparent as practicable with respect to its Risk Assessment and Risk Grade methodologies, policies and practices.

The TM Code’s four main objectives are:

  • Quality and integrity of the Risk Assessment Process – Thomas Murray will endeavour to issue opinions that are of high quality as a result of a robust analytical process;
  • Independence and conflicts of interest – Thomas Murray’s opinions will be independent and free from political or economic pressures and from conflicts of interest arising due to Thomas Murray’s ownership structure, business or financial activities, or the financial interests of Thomas Murray’s employees. Thomas Murray will, as far as reasonably as possible, avoid activities, procedures or relationships that may compromise or appear to compromise the independence and objectivity of the analytical process;
  • Transparency and timeliness of the disclosure of Risk Assessments – Thomas Murray will make timely disclosure and transparency an objective of its analytical activities; and
  • Confidential information – Thomas Murray will maintain in confidence all non- public information communicated to it by any Assessed Entity, or its agents, under the terms of a confidentiality agreement or otherwise under a mutual understanding that the information is shared confidentially.

II. Definitions

For the purposes of the TM Code:

  • “Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with another entity.
  • “Analyst” means an employee of Thomas Murray who performs analytical functions that are necessary for the issuing or monitoring of a Risk Assessment, Risk Grade or related opinion, including an employee involved in a Risk Committee meeting.
  • “Assessed Entity” means any Post-trade Counterparty or Financial Market Infrastructure on which Thomas Murray issues a Risk Assessment, Risk Grade or opinion.
  • “Chief Risk Officer” and “Deputy Chief Risk Officer” are Thomas Murray’s senior managers with responsibility for Thomas Murray’s, and its Employees’ compliance with the policies and procedures described in the TM Code and contact with market participants in respect of Thomas Murray’s adherence to the TM Code.
  • “Employee” means any individual who works for Thomas Murray on a full-time, part-time, or temporary basis, including any individual working as a contractor, provided that such contractor is involved in the Risk Assessment Process and is contracted on terms that require him/her to adhere to the same standards of integrity and confidentiality as fulltime employees.
  • “Financial Market Infrastructure” or “FMI” is defined as a multilateral system among participating financial institutions, including the operator of the system, used for the purposes of recording, clearing, or settling payments, securities, derivatives, or other financial transactions.
  • “Post-trade Counterparty” is any provider of Post-trade Services to users of those services and includes (but is not limited to) custodians, depositary banks, prime brokers, clearing brokers, fund administrators, transfer agents, securities lending agents and collateral managers.
  • “Post-trade Services” are services provided by Post-trade Counterparties and Financial Market Infrastructures after a trade is complete. This process is where the buyer and the seller compare trade details, approve the transaction, change records of ownership and arrange for the transfer of securities and other related activities including (but not limited to) custody, safekeeping, asset servicing, cash management, collateral management, fund administration, and securities lending.
  • “Product Committee” is the committee by which Thomas Murray’s senior management team assesses the commercial viability and analytical capacity and competence for new Risk Assessments or other related products.
  • “Outlooks” are Thomas Murray’s opinion of the likely direction of a Risk Assessment and Risk Grade over the medium term (six to eighteen months). Outlooks used are “Stable”, “Positive”, “Negative” or “On Watch”.
  • “Risk Assessment” is a written assessment of certain risks that a user of a Post-trade Counterparty or a Financial Market Infrastructure has when using that Post-trade Counterparty or Financial Market Infrastructure, expressed using an established and defined ranking system (“Risk Grade”). The detailed analysis contains the rationale for the opinion.
  • “Risk Grade” is the letter symbology (using “AAA”, “AA”, “A”, “BBB” etc.) that is used to rank an overall assessment of the Assessed Entity and certain sub-categories of risk.
  • “Risk Grade Scoring Guidelines” is the document that contains scoring guidelines and their criteria.
  • “Risk Committee” means the committee that approves the issuance of new and amended Risk Assessments, Risk Grades and Risk Assessment Methodologies (see Appendix I – Risk Committee).
  • “Risk Assessment Action” means to determine an initial Risk Assessment (including Risk Grades), an upgrade of an existing Risk Assessment, a downgrade of an existing Risk Assessment, or an affirmation of an existing Risk Assessment.
  • “Risk Assessment Methodology” means the procedure by which Thomas Murray determines Risk Assessments and Risk Grades, including the information that must be considered or analysed to determine a Risk Assessment and Risk Grade and the analytical framework used to determine the Risk Assessment and Risk Grade, including, as applicable, the models, financial metrics, assumptions, criteria, or other quantitative or qualitative factors to be used to determine the Risk Assessment and Risk Grades.
  • “Risk Assessment Process” means all the steps taken with respect to a Risk Assessment (including Risk Grades), but not limited to, Thomas Murray’s selection and assignment of analysts to work on the matter, application of the Risk Assessment, decision-making activities (e.g., the operation of a Risk Committee), interaction with the Assessed Entity, and as applicable, dissemination of the Risk Assessment (including Risk Grades) publicly or to subscribers to Thomas Murray’s information services.
  • “Thomas Murray” is Thomas Murray Group and each of its subsidiaries, or Affiliates.

III. The Code

1. Quality and Integrity of the Risk Assessment Process

3.1.1. Quality of the Risk Assessment Process

i. Thomas Murray should establish, maintain, document, and enforce a Risk Assessment Methodology for each type of Assessed Entity for which Thomas Murray issues Risk Assessments. Each Risk Assessment Methodology should be rigorous, capable of being applied consistently, and, where possible, result in Risk Assessments that can be subjected to some form of objective validation.

ii. Risk Assessments should reflect all information known, and believed to be relevant, to Thomas Murray, consistent with the applicable Risk Assessment Methodology that is in effect. Thomas Murray should establish, maintain, document, and enforce policies and procedures to ensure that the Risk Assessments and related reports it disseminates are based on a thorough analysis of all such information.

iii. Thomas Murray should adopt reasonable measures designed to ensure that it has the appropriate knowledge and expertise, and that the information it uses in determining Risk Assessments is of sufficient quality and obtained from reliable sources to support a high-quality Risk Assessment.

iv. In assessing the risks associated with the use, by users of Risk Assessments, of Post-trade Counterparties and Financial Market Infrastructures, analysts involved in the Risk Assessment Action should use the relevant Risk Assessment Methodology used by Thomas Murray for the type of Assessed Entity that is subject to the Risk Assessment Action. The Risk Assessment Methodology should be applied in a manner that is consistent across all Assessed Entities for which that particular Risk Assessment Methodology is used.

v. Thomas Murray should define the meaning of each category in its Risk Grades and apply those categories consistently across all classes of Assessed Entities to which a given Risk Grade scale applies. vi. Risk Assessments should be approved by Thomas Murray’s Risk Committee (not by an analyst or other employee of Thomas Murray).

vii. Thomas Murray should assign analysts who, individually or collectively, have appropriate knowledge and experience for assessing the risks of the type of Assessed Entity being assessed.

viii. Thomas Murray should maintain internal records that are accurate and sufficiently detailed and comprehensive to reconstruct the Risk Assessment Process for a given Risk Assessment Action.

ix. Thomas Murray should ensure that it has and devotes, to the extent practicable, sufficient resources to carry out and maintain high quality Risk Assessments.

x. Together, Thomas Murray’s Risk Committee and Product Committee should review the feasibility of providing a Risk Assessment for a type of Assessed Entity that is materially different from the Assessed Entities Thomas Murray currently assesses.

xi. Thomas Murray’s Chief Risk Officer and Deputy Chief Risk Officer should be responsible for conducting a periodic review of all aspects of Thomas Murray’s Risk Assessment Methodologies and significant changes to the Risk Assessment Methodologies. This function should be independent of Employees who are principally responsible for determining Risk Assessments.

xii. Thomas Murray, in selecting the analyst or analysts who will participate in determining a Risk Assessment, should seek to promote continuity but also avoid bias in the Risk Assessment Process.

xiii. Thomas Murray should use all reasonable measures to ensure that a sufficient number of Employees and financial resources are allocated to monitoring and updating all its Risk Assessments. Except for a Risk Assessment that clearly indicates it does not entail ongoing surveillance, once a Risk Assessment is published, Thomas Murray should monitor the Risk Assessment on an ongoing basis by:

  • reviewing the risks associated with the Assessed Entity regularly;
  • initiating a review of the status of the Risk Assessment upon becoming aware of any information that might reasonably be expected to result in a Risk Assessment Action (including withdrawal of a Risk Assessment), consistent with the applicable Risk Assessment Methodology; and
  • updating on a timely basis the Risk Assessment, as appropriate, based on the results of such review.

3.1.2. Integrity of the Risk Assessment Process

i. Thomas Murray and its employees should deal fairly and honestly with Assessed Entities (all Assessed Entities should be provided with a copy of the Risk Assessment (and Risk Grades) prior to their dissemination to third parties. Assessed Entities should be given a minimum of 48 hours to comment on any Risk Assessments including upgrades, downgrades etc. This process is not designed to allow Assessed Entities to “negotiate” a higher Risk Assessment and Risk Grading. Instead, it is designed to provide the Assessed Entity to correct any factual inaccuracies or provide additional information that was previously unknown to Thomas Murray.

ii. Employees should be held to the highest standards of integrity and ethical behaviour as described in this TM Code and in the Company Handbook.

iii. Thomas Murray and its employees should not, either implicitly or explicitly, give any assurance or guarantee to an Assessed Entity subject to a Risk Assessment Action or user of Thomas Murray’s Risk Assessments, about the outcome of a particular Risk Assessment Action. This does not preclude Thomas Murray from developing preliminary indications such as “Outlooks”.

iv. Thomas Murray and its employees should not make promises or threats about the potential outcome of Risk Assessment Actions in order to influence Assessed Entities (or users of Thomas Murray’s Risk Assessments) to pay for Risk Assessments or other services.

v. Upon becoming aware that another Employee or an affiliate of Thomas Murray is or has engaged in conduct that is illegal, unethical, or contrary to the TM Code, the Employee should report such information immediately to the Chief Risk Officer, Deputy Chief Risk Officer or another senior officer of Thomas Murray, as appropriate, so proper action may be taken.

III. The Code

2. Independence and Management of Conflict of Interests

3.2.1. General

i. Thomas Murray should not delay or refrain from taking a Risk Assessment Action based on the potential effect (economic, political, or otherwise) of the action on Thomas Murray, an Assessed Entity, investor, user of Thomas Murray’s Risk Assessments or other market participant.

ii. Thomas Murray and Employees should use care and professional judgment to maintain both the substance and appearance of Thomas Murray’s employees’ independence and objectivity.

iii. Thomas Murray’s determination of a Risk Assessment should be influenced only by factors relevant to assessing the risks of the Assessed Entity.

v. The Risk Assessment (and Risk Grades) that Thomas Murray assigns to an Assessed Entity should not be affected by whether there is an existing or potential business relationship between Thomas Murray (or its affiliates) and the Assessed Entity (or any of its affiliates), or any other party. Thomas Murray should establish, maintain, document, and enforce a Risk Assessment Methodology for each type of Assessed Entity for which Thomas Murray issues Risk Assessments. Each Risk Assessment Methodology should be rigorous, capable of being applied consistently, and, where possible, result in Risk Assessments that can be subjected to some form of objective validation.

3.2.2. Policies, Procedures, Controls and Disclosures

i. Thomas Murray should identify and eliminate, or manage and disclose, as appropriate, any actual or potential conflicts of interest that may influence the Risk Assessment Methodologies, Risk Assessment Actions, or analyses by Thomas Murray or the judgment and analyses of Employees.

3.2.3. Employee Independence

i. Reporting lines for Employees and their compensation arrangements should be structured where practicable to eliminate or effectively manage actual and potential conflicts of interest.

ii. An Employee who participates in or who might otherwise have an effect on a Risk Assessment Action with respect to an entity or obligation should not be compensated or evaluated on the basis of the amount of revenue that Thomas Murray derives from that Assessed Entity.

iii. Thomas Murray should conduct formal and periodic reviews of its compensation policies, procedures, and practices for Employees who participate in or who might otherwise have an effect on a Risk Assessment Action to ensure that these policies, procedures, and practices have not compromised and do not compromise the objectivity of Thomas Murray’s Risk Assessment Process.

iv. An Employee should not participate in or otherwise influence a Risk Assessment Action with respect to an Assessed Entity if the employee, an immediate family member of the employee e.g., spouse, domestic partner, or dependent), or an entity managed by the employee (e.g., a trust):

  • a. Unless approved by the Chief Risk Officer, is currently employed by, or had a recent employment or other significant business relationship with the Assessed Entity that may cause or may be perceived as causing a conflict of interest; Is a director of the Assessed Entity; or
  • b. Has, or had, another relationship with or interest in the Assessed Entity (or any of their affiliates) that may cause or may be perceived as causing a conflict of interest.

v. An Employee should be prohibited from soliciting money, gifts, or favours from anyone with whom Thomas Murray does business and should be prohibited from accepting gifts offered in the form of cash or cash equivalents or any gifts, including entertainment, exceeding a minimal monetary value of £30.

vi. An Employee who becomes involved in a personal relationship (including, for example, a personal relationship with an employee) of an Assessed Entity that creates an actual or potential conflict of interest should be required under the TM Code to disclose the relationship to the Chief Risk Officer, Deputy Chief Risk Officer or another senior officer of Thomas Murray e.g., CEO or CFO as appropriate.

III. The Code

3. Transparency and Timeliness of Risk Assessment Disclosure

i. Thomas Murray should assist users of Risk Assessments in developing a greater understanding of Risk Assessments by disclosing in plain language, among other things, the nature and limitations of Risk Assessments.

ii. Thomas Murray should disclose sufficient information about its Risk Assessment Process and its Risk Assessment Methodologies, so that users of Risk Assessments can understand how a Risk Assessment was determined by Thomas Murray.

iii. Thomas Murray should disclose a material modification to a Risk Assessment Methodology prior to the modification taking effect unless doing so would negatively impact the integrity of a Risk Assessment by unduly delaying the taking of a Risk Assessment Action. In either case, Thomas Murray should disclose the material modification in a non-selective manner.

iv. Thomas Murray should disclose definitions of the meaning of each category in its Risk Grade scales.

v. Thomas Murray should be transparent with users of Risk Assessment and Assessed Entities about how the Assessed Entity is assessed.

vi. Where feasible and appropriate, Thomas Murray should inform the Assessed Entity about the critical information and principal considerations upon which a Risk Assessment will be based prior to disseminating a Risk Assessment that is the result or subject of the Risk Assessment Action and afford such Assessed Entity an adequate opportunity to clarify any factual errors, factual omissions, or factual misperceptions that would have a material effect on the Risk Assessment. Thomas Murray should duly evaluate any response from such Assessed Entity. Where in particular circumstances Thomas Murray has not informed such Assessed Entity prior to disseminating a Risk Assessment Action, Thomas Murray should inform such Assessed Entity as soon as practical thereafter and, generally, should explain why Thomas Murray did not inform such Assessed Entity prior to disseminating the Risk Assessment Action.

vii. When Thomas Murray publicly discloses or distributes to users of Risk Assessments a Risk Assessment that is the result or subject of the Risk Assessment Action, it should do so as soon as practicable after taking such action.

viii. Thomas Murray should indicate in the announcement of a Risk Assessment that is the result or the subject of a Risk Assessment Action when the Risk Assessment was last updated or reviewed. ix. When issuing or revising a Risk Assessment, Thomas Murray should explain in its announcement and/or report the key assumptions and data underlying the Risk Assessment, including financial statement adjustments that deviate materially from those contained in the published financial statements of the relevant Assessed Entity

III. The Code

4. Treatment of Confidential Information

i. Thomas Murray should ensure that it protects confidential and/or material non-public information, including confidential information received from an Assessed Entity and non-public information about a Risk Assessment Action (e.g., information about a Risk Assessment Action before the Risk Assessment is publicly disclosed or disseminated to subscribers).

a. Thomas Murray and Employees should not use or disclose confidential and/or material nonpublic information for any purpose unrelated to Thomas Murray’s Risk Assessment activities, including disclosing such information to other employees where the disclosure is not necessary in connection with Thomas Murray’s Risk Assessment activities, unless disclosure is required by applicable law or regulation.

b. Thomas Murray and Employees should take reasonable steps to protect confidential and/or material non-public information from fraud, theft, misuse, or inadvertent disclosure.

c. With respect to confidential information received from an Assessed Entity, Thomas Murray and Employees should not use or disclose such information in violation of the terms of any applicable agreement or mutual understanding that Thomas Murray will keep the information confidential, unless disclosure is required by applicable law or regulation.

d. With respect to a pending Risk Assessment Action, Thomas Murray and Employees should not selectively disclose information about the pending Risk Assessment Action, except to the Assessed Entity, or as required by applicable law or regulation.

ii. Thomas Murray should take all reasonable steps to prevent violations of applicable laws and regulations governing the treatment and use of confidential and/or material non-public information.

iii. Employees that possess confidential and/or material non-public information concerning a trading instrument should not engage in a transaction in the trading instrument or use the information to advise or otherwise advantage another person in transacting in the trading instrument.

VI. Governance, Risk Management and Employee Training

i. Thomas Murray’s Chief Risk Officer, Deputy Chief Risk Officer and the Risk Committee should have ultimate responsibility for ensuring that Thomas Murray maintains, documents, and enforces a code of conduct that has a similar effect to that of the IOSCO Code of Conduct Fundamentals for Credit Rating Agencies.

ii. Thomas Murray should establish the office of Chief Risk Officer made up of one or more senior managers or employees with the appropriate level of experience responsible for identifying, assessing, monitoring, and reporting the risks arising from its activities, including, but not limited to legal risk, reputational risk, operational risk, and strategic risk. The Chief Risk Officer should make periodic reports to the board (or similar body) and senior management to assist them in assessing the adequacy of the policies, procedures, and controls Thomas Murray establishes to manage risk.

iii. Thomas Murray should require Employees to undergo formal ongoing training at reasonably regular time intervals. The subject matter covered by the training should be relevant to the Employee’s responsibilities and should cover, as applicable, the TM Code, Thomas Murray’s Risk Assessment Methodologies, the laws (if any) governing Thomas Murray’s activities, any policies and procedures for managing conflicts of interest and governing the holding and transacting in trading instruments, and Thomas Murray’s policies and procedures for handling confidential and/or material non-public information. The policies, procedures, and controls should include measures designed to verify that employees undergo required training.