Guidelines on Credit Rating Agencies

GUIDELINES ON CREDIT RATING AGENCIES SC-GL/CRA-2011 (R3-2023) 1st Issued: 30 March 2011 Revised : 10 January 2023

GUIDELINES ON CREDIT RATING AGENCIES Effective Date Upon 1st Issuance 30 Mar 2011 LIST OF REVISIONS Revision Revision Date Effective Date Series Number 1st Revision 14 May 2019 14 May 2019 SC-GL/CRA-2011 (R1-2019) 2nd Revision 16 Apr 2020 16 Apr 20201 SC-GL/CRA-2011 (R2-2020) 3rd Revision 10 Jan 2023 10 Jan 2023 SC-GL/CRA-2011 (R3-2023) 1 Save for the requirement to have policies and procedures on anti-corruption and whistleblowing under paragraph 4.24 of these Guidelines, which took effect on 1 June 2020.

CONTENTS Page Chapter 1 INTRODUCTION Chapter 2 APPLICABILITY Chapter 3 DEFINITIONS Chapter 4 REGISTRATION OF CRA Chapter 5 CONTINUOUS OBLIGATIONS Chapter 6 SUBMISSION PROCEDURE Chapter 7 REFUSAL OF REGISTRATION AND DEREGISTRATION Appendix 1 FIT AND PROPER CRITERIA Appendix 2 RATING CRITERIA AND METHODOLOGIES Appendix 3 RATING POLICIES Appendix 4 LIST OF CORPORATE BONDS AND SUKUK DOWNGRADED TO DEFAULT IN A FINANCIAL YEAR Appendix 5 TIMETABLE FOR RATING REVIEWS Appendix 6 TRAINING PROGRAMMES ATTENDED BY STAFF OF CRA 1 2 3 6 12 22 25 26 30 31 32 33 34

1 Chapter 1 INTRODUCTION 1.01 The Guidelines on Credit Rating Agencies (Guidelines) is issued by the Securities Commission Malaysia (SC) pursuant to section 377 of the Capital Markets and Services Act 2007 (CMSA). 1.02 Credit rating agencies (CRAs) play an important role in the development of corporate bonds and sukuk market in Malaysia. Hence, it serves the best interest of the corporate bonds and sukuk market for CRAs to conduct their credit rating activities in accordance with principles of integrity, transparency, quality and good governance. 1.03 CRAs are regulated as registered persons pursuant to section 76(1)(a) of the CMSA. 1.04 The International Organization of Securities Commissions (IOSCO) has revised its Objectives and Principles of Securities Regulation in June 2010 to include a principle for CRAs. 2 Considering this development, it is important for the SC to ensure that our CRAs continuously adhere to international standards and best practices. 1.05 These Guidelines set out the regulatory and supervisory requirements for CRAs including— (a) requirements for registration of a CRA; and (b) continuous obligations and conduct requirements relating to a CRA. 2 The principle states that ‘credit rating agencies should be subject to adequate levels of oversight. The regulatory system should ensure that credit rating agencies whose ratings are used for regulatory purposes are subject to registration and ongoing supervision.’

2 Chapter 2 APPLICABILITY 2.01 These Guidelines apply to an entity seeking registration as a CRA, a CRA registered with the SC and, where applicable, the rating holding company of the proposed or existing CRA. 2.02 To assist with the interpretation and application of the requirements under these Guidelines, guidance has been provided, where appropriate. Any departure from the guidance will be taken into consideration in the SC’s assessment on whether a breach of these Guidelines had occurred. 2.03 The SC may, upon an application, grant an exemption from or a variation to the requirements of these Guidelines if the SC is satisfied that— (a) such variation is not contrary to the intended purpose of the relevant requirements in these Guidelines; or (b) there are mitigating factors which justify the said exemption or variation. 2.04 These Guidelines are in addition to and not in derogation of any other requirements provided for under securities laws or any other guidelines issued by the SC.

3 Chapter 3 DEFINITIONS 3.01 Unless otherwise defined below, all words used in these Guidelines shall have the same meaning as defined in the CMSA. In these Guidelines, unless the context otherwise requires— board committees in relation to a CRA, means committees of the board of directors established for purposes of audit, nomination, risk management, remuneration or any other committee as may be required by the SC; controller in relation to a CRA, means a holding company of the CRA, or a person who— (a) is entitled to exercise, or control the exercise of, not less than 15% of the votes attached to the voting shares of a CRA; (b) has the power to appoint or cause to be appointed a majority of members of the board of directors of a CRA; or (c) has the power to make or cause to be made, decisions in respect of the business or administration of a CRA, and to give effect or cause them to be given effect to such decisions; corporate bonds means debentures as defined in the CMSA but does not include structured products; credit rating agency or CRA means a registered person under the CMSA which provides credit rating services for issuance or offerings of corporate bonds and sukuk; EASy means Electronic Application System; external member means any independent person who is not related to a CRA, rating holding company or its shareholders;

4 family means such person who falls within any one of the following categories: (a) Spouse; (b) Parent; (c) Child, including an adopted child and stepchild; (d) Sibling; and (e) Spouse of the persons referred to in paragraphs (c) and (d) above; fit and proper means meeting the fit and proper criteria as set out in Appendix 1 of these Guidelines; independent director has the meaning assigned to it under Main Market Listing Requirements of Bursa Malaysia Securities Berhad. For purposes of these Guidelines, reference to ‘listed issuer’ in the Main Market Listing Requirements of Bursa Malaysia Securities Berhad should apply to the CRA and its rating holding company; rating holding company means a holding company of a CRA and that derives more than 50% of its consolidated revenue or profit from the CRA, or that invests more than 50% of its assets in the CRA over a period of three years consecutively; senior management means a person, other than a director, having authority and responsibility for planning, directing or controlling the activities of a CRA or its rating holding company, including the chief executive, chief rating officer, chief operating officer, chief financial officer, members of decision-making committees and other key persons performing functions such as risk management, compliance, internal audit or other functions as may be specified by the SC; sukuk means certificates of equal value evidencing undivided ownership or investment in the assets using Shariah principles and concepts endorsed by the Shariah Advisory Council of the SC. For avoidance of

5 doubt, sukuk does not include sukuk issued by— (a) the Federal Government; (b) any State Government; or (c) Bank Negara Malaysia. 3.02 References to ‘days’ in these Guidelines will be taken to mean calendar days unless otherwise stated.

6 Chapter 4 REGISTRATION OF CRA 4.01 The SC may register a CRA, subject to the applicant satisfying the requirements set out in this chapter. Financial requirements 4.02 A CRA must have sufficient financial resources to operate independently and to be able to withstand economic and financial pressures. 4.03 A CRA must have a minimum paid-up capital of RM10 million and shareholders’ funds of at least RM10 million, or such amount as may be specified by the SC, at all times. Shareholding structure 4.04 A CRA must maintain a shareholding structure that will enable it to carry out its functions independently and objectively. Fit and proper requirements 4.05 Each of the following persons must be fit and proper: (a) The controller of a CRA; and (b) The person who is to be appointed to or holds the following positions in the CRA and its rating holding company: (i) Director; (ii) Chief executive; (iii) Compliance officer of the CRA; (iv) External members of rating committee of the CRA; and (v) Senior management excluding chief executive.

7 4.06 In addition to the fit and proper criteria set out in Appendix 1 of these Guidelines, the following, among others, must be considered by the CRA and its rating holding company for candidates of the positions listed in paragraph 4.05(b) in a CRA and its rating holding company: (a) His professional skills and qualification, honesty, integrity, diligence, length of service, competence and soundness of judgment in fulfilling the responsibilities and duties of that position; (b) For the chief executive position, his capability to lead the CRA; and (c) Whether the interest of clients, if any, of the CRA is likely to be in any way compromised by his holding that position as well as to the previous conduct and activities in business or financial matters of the person in question. 4.07 A CRA and its rating holding company must not appoint a candidate to any of the positions listed in paragraphs 4.05(b)(i) to (iv) without the prior approval of the SC. 4.08 The SC may refuse the application for registration of a CRA, if the applicant, its rating holding company, controller of the CRA, or any person holding the positions in paragraph 4.05(b) in a CRA and its rating holding company, is not fit and proper. Composition of board of directors and board committees 4.09 The CRA and its rating holding company must ensure that— (a) a majority of its board of directors and the board committees comprise independent directors; and (b) the chairman of the board of directors and all board committees must be an independent director. Appointment of compliance officer 4.10 A CRA must appoint a compliance officer, who has the necessary experience and competency, to be responsible for all compliance matters on a full-time basis as provided in these Guidelines and the CRA’s internal policies, including the CRA’s code of ethical conduct.

8 Establishment of rating committee 4.11 A CRA must establish a rating committee to assign and decide on credit ratings. All rating decisions, including decisions regarding changes in rating, must be made by the rating committee. A CRA must not establish any other committee that would or could potentially affect the finality of decision of the rating committee. 4.12 To ensure objectivity and effectiveness of the CRA’s rating committee, a CRA must comply with the following requirements: (a) The chairman of the rating committee must be an external member; (b) The rating committee must comprise a majority of external members; and (c) All members of the rating committee must be experts who have adequate qualification, knowledge and experience in key industry sectors and financial markets in relation to credit ratings (‘expertise requirement’). 4.13 As a measure to promote the independence, integrity and credibility of the rating committee, a CRA must not appoint an individual who— (a) has or is perceived to have a business development function of the CRA; or (b) initiates or participates in discussions regarding fees or payments with any client of the CRA, to be a member of the rating committee. However, on exceptional basis, a CRA is allowed to appoint not more than one individual of such background to the rating committee, provided that the individual meets the expertise requirement referred to in paragraph 4.12(c). Establishment of nomination committee 4.14 A CRA must establish a nomination committee to make recommendations to the board of directors on matters relating to— (a) the review of succession plans for directors; (b) the appointment and reappointment of directors, including alternate directors, if any; (c) the process and criteria for evaluation of the performance of the board of directors and board committees; and

9 (d) the review of training and professional development programmes for the board of directors. 4.15 The nomination committee must have— (a) the written terms of reference dealing with its authority and duties, which must include the selection and assessment of directors; (b) the policy on the board of directors’ composition having regard to the mix of skills, independence and diversity required to meet the needs of a CRA; and (c) the nomination and election process of directors and criteria used by the nomination committee in the selection process. Establishment of audit committee 4.16 A CRA must establish an audit committee to discharge its functions which include, among others, the following: (a) Nominate a person as the external auditor; and (b) Review and report to the board of directors of the CRA in relation to—

(i) the key audit matters and audit report prepared by the external auditor; (ii) the assistance given by the employees of the CRA to the external auditor; (iii) the annual financial statements, before the approval by the board of directors; (iv) any letter of resignation from the external auditor of the CRA; and (v) whether there is reason to believe that the CRA’s external auditor is not suitable for reappointment. 4.17 The audit committee must have the written terms of reference dealing with its authority and duties.

10 Establishment of other board committees 4.18 A CRA must establish a—

(a) risk management committee to oversee the CRA’s risk management framework and policies; and (b) remuneration committee to implement the CRA’s remuneration policies and procedures including reviewing and recommending matters relating to the remuneration of board of directors and senior management. Guidance to paragraphs 4.14, 4.16 and 4.18 For the avoidance of doubt, a board committee can carry out one or more functions. Operational and rating requirements 4.19 A CRA must have adequate infrastructure and information systems to provide reliable corporate bonds and sukuk rating services and maintain its credit rating operations and facilities with adequate security, system capacity and contingency arrangements (including business continuity plan). 4.20 A CRA must use rating criteria, methodologies and policies that are robust, systematic and apply them consistently. 4.21 The CRA must develop and publish on its website a set of rating criteria and methodologies as set out in Appendix 2 of these Guidelines. The criteria and methodologies listed in Appendix 2 are not meant to be exhaustive, and additional criteria and methodologies could be further specified by the SC from time to time. 4.22 A CRA must establish a set of transparent policies, controls and procedures in order to ensure consistency of its rating operation as well as to maintain a fair and robust relationship with its external stakeholders. As a minimum standard, the CRA must develop and publish on its website rating policies as specified in Appendix 3 of these Guidelines. 4.23 A CRA must structure its rating teams and process to promote continuity, consistency and avoid bias in the rating process. Upon considering the adequacy of its staffing strength, the CRA must use its best endeavour to subject its rating analysts to an appropriate rotation mechanism that provides for gradual change in rating teams.

11 Anti-corruption and whistleblowing policies and procedures 4.24 A CRA must have detailed policies and procedures on anti-corruption and whistleblowing that are appropriate to the nature, scale and complexity of its business. These policies and procedures must include provisions encouraging all employees to report (with complete confidentiality) any unethical practice or grave misconduct to a designated authority within the CRA and provisions to prevent discrimination, retaliation, or harassment against any whistle-blower or participant in the investigation process. All reported events must be taken seriously and investigated promptly in accordance with its policies and procedures. The investigation report must be prepared within a stipulated time frame (as specified by the CRA) from the receipt of the complaint. Guidance to paragraph 4.24 The policies and procedures on anti-corruption should be guided by the Guidelines on Adequate Procedures issued pursuant to section 17A(5) of the Malaysian Anti-Corruption Commission Act 2009 (Amendment 2018). Adoption of the IOSCO’s Code of Conduct Fundamentals for Credit Rating Agencies 4.25 Unless already provided in these Guidelines, a CRA must adopt all the requirements in the IOSCO’s Code of Conduct Fundamentals for Credit Rating Agencies (IOSCO CRA Code) into its own code of conduct and disclose it on its website. 4.26 Where the CRA’s code of conduct differs in substance from the provision of the IOSCO CRA Code (other than those provisions required in these Guidelines), the CRA must explain where and why these differences exist, and fully disclose them on its website.

12 Chapter 5 CONTINUOUS OBLIGATIONS General 5.01 A CRA and its rating holding company, where applicable, must at all times comply with the following requirements for the purposes of maintaining its registration as a CRA: (a) All the requirements stated in these Guidelines; and (b) Any additional terms and conditions as may be specified by the SC from time to time. Matters Requiring Prior Approval of the SC 5.02 A CRA and its rating holding company must obtain the SC’s prior approval before effecting any significant change to the shareholding structure of the respective entities, which includes— (a) the creation of a holding company or ultimate holding company of a CRA; or (b) any proposed change in the direct or indirect shareholding of a CRA, which results in a new controller. 5.03 A CRA and its rating holding company must obtain the SC’s prior approval before appointing any person for the positions in paragraphs 4.05(b)(i) to (iv) in a CRA and its rating holding company, where applicable. 5.04 A CRA and its rating holding company must undertake the necessary due diligence to ensure that any candidate for the positions in paragraph 4.05(b) in a CRA and its rating holding company is fit and proper, and suitably qualified to assume the position.

13 Disclosure Requirements Notification to the SC 5.05 A CRA and its rating holding company must immediately inform the SC, of any occurrence of the following events: (a) If there is a vacancy, resignation or cessation of any person holding the positions in paragraph 4.05(b) in a CRA and its rating holding company, to immediately inform the Head of Authorisation and Licensing Department via email. The entity concerned is expected to take the necessary steps to fill the positions in paragraphs 4.05(b)(ii) and (iii) within three months from the date of the vacancy; and (b) When the CRA, its rating holding company, any controller of the CRA, or person holding the positions in paragraph 4.05(b) in a CRA or its rating holding company, are no longer fit and proper, to immediately inform the Head of Supervision Department via email. 5.06 A CRA and its rating holding company must notify the SC on the following within 14 days from the occurrence of the event: (a) The appointment and the cessation of any of the positions specified in paragraph 4.05(b) in a CRA or its rating holding company; (b) Change of particulars for person holding the positions in paragraph 4.05(b) and shareholders of a CRA or its rating holding company; (c) Change in the direct or indirect shareholding of a CRA or its rating holding company; (d) Any establishment or acquisition of business, acquisition of shares or interests, disposal of any business, shares or interests, in or outside Malaysia, by a CRA or its rating holding company; (e) Cessation of business or deregistration of a CRA; (f) Change of particulars of a CRA or its rating holding company such as entity name, registered business and correspondence address; and (g) Any other material changes.

14 5.07 The CRA must provide notification to the SC within 14 days where— (a) corporate bonds or sukuk issue becomes unrated from rated or vice versa; and (b) it is appointed to replace another CRA. Reporting to the SC 5.08 Subsequent to its registration, a CRA must submit the following information to the SC in soft copy version: On an annual basis, (a) changes of any information provided in the registration application; (b) its latest audited financial statements, as soon as reasonably possible but not more than six months after the close of each financial year; (c) a timetable on the proposed yearly credit review for the next calendar year, to be submitted to the SC not later than 10 business days before the end of each calendar year (Appendix 5); (d) a list of all ancillary services provided throughout the year, which include relevant information relating to the client, income received or to be received and nature of the services, to be submitted to the SC not later than one month after the end of each calendar year; On a semi-annual basis, (e) a semi-annual report that it has fully complied with the requirements as stipulated by the SC in these Guidelines and if not, a list of events of non￾compliance with the Guidelines, as soon as reasonably possible but not later than one month after the close of the first and second half of each financial year; (f) a semi-annual staff training schedule to be submitted to the SC not later than one month after the close of the first and second half of each financial year (Appendix 6);

15 On a quarterly basis, (g) a quarterly report showing movement of its senior management, and rating analysts, to be submitted to the SC not later than 14 business days after the end of each quarter; (h) a quarterly report on all credit rating reviews published at each quarter to be submitted to the SC not later than 14 business days after the end of each quarter; (i) a quarterly report on list of all entities on rating watch and subsequent rating actions to be submitted to the SC not later than 14 business days after the end of each quarter; On an ongoing basis, (j) a written explanation to the SC, including any remedial actions taken on its rating policies, rating process and rating analysts, within 14 business days after the occurrence of the following events: (i) sharp downgrade which results in a credit rating being lowered by three notches or more in a single rating action; (ii) any rating action within six months after an initial rating has been assigned; or (iii) frequent rating action where credit rating for a particular issue or issuer is changed more than once within a period of six months; (k) where there is an occurrence of any event which would trigger the activation or execution of the business continuity plan, in such form and manner as may be specified by the SC; and (l) any other relevant information or documents as may be required by the SC. 5.09 Besides the CRA, the rating holding company of the CRA is required to comply with the reporting requirements provided in paragraphs 5.08(a), (b), (d), (e), (g), (k) and (l).

16 Other disclosure obligations 5.10 A CRA must ensure that the following information are published on its website within five business days after its submission of the documents to the SC: (a) A timetable on the proposed yearly credit review for the next calendar year (Appendix 5); (b) A quarterly report on credit rating reviews published at each quarter; and (c) A quarterly report on list of all entities on rating watch and subsequent rating actions at each quarter. 5.11 The CRA must disclose the latest shareholding structure (with percentage of shareholding for each shareholder) in its website. 5.12 A CRA must publish all information and documents required in these Guidelines on its website and ensure that the information and documents are freely and easily accessible by the public with exception of rating rationale reports. 5.13 A CRA must ensure timely disclosure of all rating opinions and adequately publish all information to support its rating opinions, which include, but not limited to, assumptions and rationale of its opinion. 5.14 The CRA must ensure that its rating reports for initial ratings are published as soon as the ratings have been finalised,or prior to the issuance of corporate bonds and sukuk that are being rated. 5.15 The rating reports must contain all pertinent information with sufficient analytical depth. The reports must provide current and critical information on the corporate bonds and sukuk issue and issuer as well as critical rating factors considered – both quantitative and qualitative. Where relevant, the rating reports must include disclosure of any benchmark used, any sensitivity analyses performed and the results, comparative analyses made with other industries or companies and disclosure of any credit enhancements. 5.16 In ensuring accountability of its rating opinions and promoting investor activism, a CRA must arrange a robust and effective communication channel, either in the form of briefing or conference call, to explain and discuss its rating actions with the users, subscribers or any stakeholders of its rating services. Such communication must be conducted by the chief rating officer (where applicable), lead analysts and analysts of the CRA as soon as practicable upon request from more than one rating user. The

17 subscribers of the CRA and the corporate bonds and sukuk investors must be duly informed of the communication. Otherwise, the communication should be conducted either on a regular basis or on an immediate basis which is deemed proper by the CRA. 5.17 A CRA must clearly disclose its definition of ‘default’ in a public domain. It must be made clear whether a particular rating only measures timely payment of debt obligations or includes recovery values expected after a default. In addition, a list of corporate bonds and sukuk downgraded to default should be disclosed and published by the CRA on its website on an annual basis based on the format prescribed in Appendix 4 of these Guidelines. A historical record of the default list (at least for the past five years) must also be made available on the website. 5.18 To ensure completeness of the default probability statistics, corporate bonds and sukuk rating must be withdrawn by a CRA only after it has assigned the latest rating action which includes downgrading the rating to default and such criteria must be disclosed in the CRA’s withdrawal and suspension policy. The criteria for any other withdrawal or suspension of rating must also be disclosed in the CRA’s withdrawal and suspension policy. 5.19 In order to promote transparency and to enable the market to best judge the average annual performance of the ratings, a CRA must publish sufficient information about the historical default rates of the CRA rating categories and whether the default rates of these categories have changed over time, so that interested parties can understand the historical performance of each category and if and how rating categories have changed, and be able to draw quality comparisons among ratings given by different CRAs. The definitions and computation methods for the default rates used in the default study must be provided in the report. The meaning of these default rates must be clearly explained to the interested parties. Conduct Requirements 5.20 A CRA and its rating holding company must have a sound governance structure to maintain its independence, objectivity and professionalism. In addition to complying with these Guidelines, a CRA is strongly encouraged to adopt the recommended corporate governance best practices in the Malaysian Code on Corporate Governance. Governance of CRA 5.21 To ensure proper governance of the CRA, the CRA must ensure that all its dealings and transactions with its rating holding company or holding company, commercial in

18 nature or otherwise, are periodically reviewed by the board of directors of the CRA, which should ensure that such dealings and transactions are undertaken in a fair and justifiable manner, on an arm’s length basis and are made in the best interest of the CRA. 5.22 With regards to the length of service as provided in paragraph 4.06(a), a CRA and its rating holding company must ensure that none of their independent directors and the external members of the CRA’s rating committee exceeds a cumulative term of nine years from the date of his first appointment in such capacity. Conduct of meetings 5.23 The CRA and its rating holding company must ensure that to form a quorum for a meeting of— (a) the board of directors and board committees, the majority of the directors present must be independent directors; and (b) the rating committee, the majority of members present must be external members.

Compliance officer 5.24 The compliance officer must continuously monitor for violations of the CRA’s code of conduct by any employee and is required to prepare and submit all regulatory reports to the SC on compliance with the CRA registration and the code of conduct. 5.25 In order to enable the compliance officer to discharge his duties properly and independently, a CRA must ensure the following requirements are met: (a) The compliance officer has the necessary authority, resources, expertise and access to all relevant information; (b) The compliance officer must not be placed in a position where there are possible conflicts of interest between the compliance responsibilities and any other responsibilities; and (c) The compliance officer must have a direct line of reporting to the CRA’s board of directors and/or relevant board committees, in addition to his regular reporting on the carrying out of duties to senior management.

19 Conflict of Interest 5.26 A CRA must ensure that its rating teams are able to perform its duties free of undue intervention or influence from its shareholders and its board of directors. 5.27 Where an analyst, or any of his family member, has any interest in the corporate bonds and sukuk pre and post-issuance (including annual rating review), the analyst must not be involved in the rating and monitoring process nor be involved in deciding on ratings. 5.28 A CRA must establish appropriate policies and procedures governing investments in and trading of securities by its employees. 5.29 A CRA and its rating holding company must have adequate procedures and mechanisms in place to ensure that its ancillary business (if any) does not lead to a conflict of interest situation with its credit rating activities. The CRA and its rating holding company, where applicable, must ensure that none of the ancillary services relating to advisory, origination and structuring of securities are offered to any of its rating clients by its employees or by its related corporation at all times. 5.30 A CRA must, to the best of its knowledge, include a specific statement in its rating reports if rating fees for corporate bonds and sukuk issue or from a group of related issuers comprise five percent or more of its rating revenue from the preceding year. 5.31 Analysts and members of the rating committee of a CRA must disclose all conflicts of interest, including those of his family members, to the public in its rating report for all corporate bonds and sukuk issues. Even though there is no conflict of interest to be disclosed, the CRA must include a statement in its rating report that the CRA, the analysts involved in the corporate bonds and sukuk rating and members of its rating committee have not encountered nor are aware of any conflict of interest relating to the corporate bonds and sukuk issue. However, this paragraph does not apply to a rating committee member in relation to his role under paragraphs 4.13(a) and (b). Confidentiality of information 5.32 A CRA and its staff must maintain the confidentiality of the information obtained from its clients in accordance with the confidentiality provisions or agreements entered into with its clients and must not disclose the same to any other person, except where such disclosure is permitted by or under any law for the time being in force and the disclosure is made to the SC.

20 5.33 A CRA must establish, maintain and implement written policies, controls and procedures to prevent the misuse of non-public information and to take steps to monitor if these procedures are followed. Other Continuous Obligations Rating criteria, methodologies and policies 5.34 Rating criteria and methodologies must be developed for each type of corporate bonds and sukuk and the industry to which they are applied. These rating criteria and methodologies must be published before any rating is assigned to a corporate bond and sukuk issue, an issuer or an institution. The CRA must include the rating philosophy or approach adopted, the parameters or thresholds which will be considered for different rating categories and benchmarks used, where applicable. 5.35 A CRA must, where relevant, incorporate corporate governance analysis and the relevant benchmark of corporate governance practices into its rating framework to assess any impact on credit risks of a corporate bond and sukuk issue. Monitoring of corporate bonds and sukuk rated by CRAs 5.36 A CRA must conduct timely and regular rating reviews of outstanding corporate bonds and sukuk and publish its rating reviews and reports in a timely and consistent manner. In this regard, the CRA must ensure its annual rating review of a corporate bond and sukuk issue is conducted and rating report is published within a period not later than 15 months after the last annual rating review. 5.37 Notwithstanding paragraph 5.36, ratings must be monitored such that any change in the issuer/issues’ situation is reflected in the assigned rating on a timely and effective manner. Hence, a CRA must initiate immediate review of rating status upon becoming aware of any information that may reasonably be expected to result in a rating action. The CRA must also engage with corporate bonds and sukuk issuer and trustee, where applicable on a timely basis to ensure that it has the most current information on the corporate bonds and sukuk issue. 5.38 A CRA must implement rating outlook and rating watch into their ratings monitoring framework with the necessary parameters. An indicative timeframe must be set out by the CRA in finalising a rating action and the relevant rating reports after a corporate bond and sukuk issue is put on rating watch.

21 Human resources and expertise 5.39 A CRA must have analysts who are competent and qualified to carry out rating assignments and subsequent monitoring of the corporate bonds and sukuk. In assessing the competence of its analysts, a CRA must consider, among others, their level of education; experience within sectors, industries and geographic regions; experience with particular transactions and asset classes; and other specialty areas. 5.40 A CRA must ensure that its analysts maintain sufficient high level of analytical and monitoring standards. In this regard, the CRA must consider the number of corporate bonds and sukuk that can be effectively covered by a particular analyst, taking into account a broad spectrum of variables, including the size and complexity of the particular corporate bond and sukuk, and the experience and expertise of the analyst. 5.41 A CRA must ensure that all staff involved in the rating and monitoring process are and remain qualified through adequate training. In this regard, it must adopt policies and procedures designed to ensure that its analysts receive sufficient training and support to facilitate the generation of independent, objective and credible rating opinions. 5.42 A CRA must ensure that its chief executive is primarily responsible for all key functions relating to rating operations as well as human resources and expertise. The CRA must put in place appropriate policies and procedures, including proper review and oversight by a resource committee on all matters relating to its human resource and expertise requirements. Rating agreement 5.43 A CRA must ensure that its rating agreement with corporate bonds and sukuk issuer or originator contains sufficient provisions for it to obtain adequate information and to conduct effective and timely assessment on the corporate bonds and sukuk issuer or originator throughout the tenure of the corporate bonds and sukuk issue or programme. Records and data management 5.44 A CRA must keep records properly and in line with all applicable statutory requirements. Accounting records and other books must be retained for a period of not less than seven years. Proper record keeping includes maintaining records to support credit ratings prepared by the CRA.

22 Chapter 6 SUBMISSION PROCEDURE General 6.01 Submissions under these Guidelines must be made to the SC via—

(a) EASy, in accordance with the forms and accompanied by the supporting documentation as specified on the SC website. Further information on EASy can also be found on the SC website; or (b) email addressed to CRAsubmission@seccom.com.my and accompanied by supporting documentation, if any. 6.02 A submitting party must ensure that the relevant persons as indicated in the forms have authorised the submission of information and particulars stated in the forms, and the supporting documentation. 6.03 Any person who furnishes to the SC, directly or indirectly, any statement, information or document (collectively referred to as ‘representation’), by whatever means or in any form, must ensure that the representation is not false or misleading, and does not contain any omission. Breach of this requirement can result in enforcement action under the securities laws. For the avoidance of doubt, this requirement includes any clarification or additional representation submitted to the SC. 6.04 The SC must be immediately informed of any change or development in circumstances and information— (a) that may impact the application subsequent to the submission of the application; and (b) relating to an application occurring subsequent to the SC giving its approval. 6.05 The SC may at any time impose any additional terms and conditions deemed appropriate on the CRA or its rating holding company. 6.06 The SC may vary any requirement set out in these Guidelines on an applicant intending to or permitted by the SC to carry on limited activities of rating corporate bonds and sukuk issues in Malaysia.

23 Submission for Registration 6.07 Upon satisfying the relevant requirements as set out in these Guidelines, an applicant seeking registration and, if applicable, the applicant’s rating holding company must submit the relevant forms and documents, via EASy, as specified on the SC website. 6.08 Where necessary, the SC may request for other relevant or additional information and materials to be submitted. 6.09 In the case where a CRA or its rating holding company is appointing its director, chief executive, compliance officer, or external member of rating committee (where applicable), the CRA or its rating holding company is responsible for verifying the good character, reputation and competency of the respective individual. 6.10 Application results may be released through the system or via any other method deemed appropriate by the SC. Withdrawal of application 6.11 A submission made to the SC may be withdrawn prior to communication of decision by the SC. Any withdrawal must be accompanied by an explanation. Other submissions 6.12 Other submissions to the SC in relation to the registration, continuous compliance, reporting requirements and any other matter specified in these Guidelines must be made in the manner set out below— Subject Matter Mode of Submission EASy Email3 Application for registration pursuant to paragraph 6.07 √ Application of the SC’s prior approval on any significant change to the shareholding structure of a CRA or its rating holding company, pursuant to paragraph 5.02 √ 3 This refers to the submission under paragraph 6.01(b) of these Guidelines.

24 Subject Matter Mode of Submission EASy Email3 Application of the SC’s prior approval on appointment of person for the positions in paragraphs 4.05(b)(i) to (iv), pursuant to paragraph 5.03 √ Notification when any of the relevant person is not fit and proper, pursuant to paragraph 5.05(b) √ All notifications required pursuant to paragraph 5.06 √ All notifications required pursuant to paragraph 5.07 √ Reporting to the SC pursuant to paragraphs 5.08 and 5.09 √ Application for extension of time 6.13 A CRA seeking an extension of time to comply with any registration requirements and conditions must submit an application with accompanying justifications and relevant supporting materials to the Head of Authorisation and Licensing Department at least 14 days prior to the expiry of the stipulated time frame for the SC's consideration.

25 Chapter 7 REFUSAL OF REGISTRATION AND DEREGISTRATION Refusal of registration 7.01 The SC may refuse an application for registration or approval if – (a) any of the criteria or requirements specified in these Guidelines is not met; or (b) the SC has any reason to believe that the registration or approval would be contrary to the interests of the public. Suspension and deregistration 7.02 The SC may suspend or withdraw the registration of a CRA under these Guidelines if it is necessary for the protection of investors or in the public interest. 7.03 For purposes of paragraph 7.02, events or circumstances involving a CRA that may jeopardise the protection of investors or which is not in the public interest includes, but is not limited to, the following: (a) When the CRA, the CRA’s rating holding company, any controller of the CRA, or the person holding the positions in paragraph 4.05(b) in a CRA and its rating holding company are no longer fit and proper; (b) The CRA or its rating holding company contravenes any term or condition imposed by the SC; or (c) The CRA or its rating holding company does not comply with the directives issued by the SC.

26 Appendix 1 FIT AND PROPER CRITERIA - ENTITY An applicant, the CRA, their respective rating holding company or controller of the CRA is considered to be fit and proper if— (1) the entity— (a) is not in the course of being wound up or otherwise dissolved; (b) has no execution against it in respect of a judgment debt has been returned unsatisfied in whole or in part; (c) has not had any receiver, receiver and manager or an equivalent person appointed within or outside Malaysia, in respect of any of its property; (d) has not, whether within or outside Malaysia, entered into a compromise or scheme of arrangement with its creditors, being a compromise or scheme of arrangement that is still in operation; (e) has not been convicted, whether within or outside Malaysia, of an offence involving fraud or other dishonesty or violence or the conviction of which involved a finding that it acted fraudulently or dishonestly; (f) has not been convicted of an offence under the securities laws or any law outside Malaysia relating to capital market; (g) has not been subjected to any action taken by the SC under sections 354, 355 or 356 of the CMSA; (i) has not been charged for any offence or had any civil action initiated against it, in any court of law; (j) has not contravened any provision made by or under any written law whether within or outside Malaysia appearing to the SC to be enacted for protecting members of the public against financial loss due to dishonesty, incompetence or malpractice by persons concerned in the provision of financial services or the management of companies; (k) has not engaged in any business practices appearing to the SC to be deceitful or oppressive or otherwise improper (whether unlawful or not) or which otherwise reflect discredit on its method of conducting business; or

27 (l) has not engaged in or has been associated with any other business practices or otherwise conducted itself in such a way as to cast doubt on its competence and soundness of judgment; and (2) the SC is satisfied— (a) that the entity is able to act in the best interest of the investors having regard to its reputation, character, financial integrity and reliability; (b) as to the financial standing of the entity or the manner in which its business is to be conducted; (c) as to the record of past performance or expertise of the entity having regard to the nature of the business which it may carry on in connection with the registration; (d) that there are no other circumstances which are likely to— (i) lead to the improper conduct of business by the entity; or (ii) reflect discredit on the manner of conducting the business of the entity; and (e) that the entity will carry on the capital market service activity efficiently, honestly and fairly.

28 FIT AND PROPER CRITERIA - INDIVIDUAL A controller of an applicant or the CRA, or any of the person holding the positions in paragraph 4.05(b) in an applicant, its rating holding company, the CRA or its rating holding company, is considered to be fit and proper if— (1) the person— (a) is not an undischarged bankrupt whether within or outside Malaysia; (b) has no execution against him in respect of a judgment debt has been returned unsatisfied in whole or in part; (c) has not, whether within or outside Malaysia, entered into a compromise or scheme of arrangement with his creditors, being a compromise or scheme of arrangement that is still in operation; (d) has not been convicted, whether within or outside Malaysia, of an offence involving fraud or other dishonesty or violence or the conviction of which involved a finding that he acted fraudulently or dishonestly; (e) has not been convicted of an offence under the securities laws or any law outside Malaysia relating to capital market; (f) has not been subjected to any action taken by the SC under sections 354, 355 or 356 of the CMSA; (g) has not been charged for any offence or had any civil action initiated against him, in any court of law; (h) has not contravened any provision made by or under any written law whether within or outside Malaysia appearing to the SC to be enacted for protecting members of the public against financial loss due to dishonesty, incompetence or malpractice by persons concerned in the provision of financial services or the management of companies or against financial loss due to the conduct of discharged or undischarged bankrupts; (i) has not engaged in any business practices appearing to the SC to be deceitful or oppressive or otherwise improper (whether unlawful or not) or which otherwise reflect discredit on his method of conducting business; or

29 (j) has not engaged in or has been associated with any other business practices or otherwise conducted himself in such a way as to cast doubt on his competence and soundness of judgment; and (2) the SC is satisfied— (a) as to the educational or other qualification or experience of him having regard to the nature of the duties he is to perform in connection with the registration; (b) that the person is able to act in the best interests of the investors having regard to his reputation, character, financial integrity and reliability; (c) as to the record of past performance or expertise of the person having regard to the nature of the duties which he may perform in connection with the registration of the entity; (d) that there are no other circumstances which are likely to lead to the improper conduct of business by, or reflect discredit on the manner of conducting the business of, the person or any person employed by or associated with him for the purpose of his business; and (e) that the person will carry on the capital market service activity efficiently, honestly or fairly.

30 Appendix 2 [Paragraph 4.21] CRITERIA AND METHODOLOGIES

1. Rating watch and rating outlook – its meanings, usage, timeline before final rating actions
2. Rating monitoring – process and timeline for rating reviews
3. Use of corporate governance in rating decisions
4. Treatment of letter of support and letter of comfort
5. State Government guarantees
6. Federal Government guarantees
7. Methodology for bank-guaranteed issues
8. Rating of Government related entities
9. Methodology governing linkages between parent and subsidiary companies
10. Equity weight for hybrid capital of rated issuer
11. Methodology for Danajamin guaranteed papers
12. Correlation between short- and long-term rating scale
13. Approach to rating sukuk
14. Methodology for foreign entities raising ringgit-denominated corporate bonds
15. Treatment of guarantees from foreign parent
16. Criteria on subordinated loans and preferred debt by corporate and financial institutions
17. Business and financial risk matrix – relationship between financial ratios and business outlook for each rating category
18. Definition of default and how default rates are calculated

31 Appendix 3 [Paragraph 4.22] POLICIES AND PROCEDURES

1. Rating withdrawal and suspension policy
2. Unsolicited rating policy
3. Rating fee guide for all products
4. Analyst rotation policy, if any
5. Rating appeal process
6. Rating announcement policy
7. Policy on treatment of confidential information
8. Policy on comments by issuer on press release and rationale
9. Anti-corruption and whistle blower policies and procedures
10. Business continuity planning
11. Personal investment and trading policy

32 Appendix 4 [Paragraph 5.17] LIST OF CORPORATE BONDS AND SUKUK DOWNGRADED TO DEFAULT IN A FINANCIAL YEAR I. Long Term Scale No. Name ofIssuer Initial Rating Date ofInitial Rating Rating Prior to Default Date of Default Recognition Instruments Type * Where initial rating is AAA, 1. 2. 3. Where initial rating is AA, 1. 2. 3. Where initial rating is A, 1. 2. 3. Where initial rating is BBB, 1. 2. 3. Where initial rating is BB, 1. 2. 3. Where initial rating is B, 1. 2. 3. Where initial rating is C, 1. 2. 3.

• To indicate sukuk, asset-backed securities or plain vanilla corporate bonds, where applicable

33 Appendix 5 [Paragraphs 5.08(c), 5.10(a)] TIMETABLE FOR RATING REVIEWS Credit Rating Agency: For Calendar Year: Date of Submission: No. Name of Issuer Issue Details/Description Expected Time for Rating Review Announcement Remarks

1. [Month, Year] Note: The input provided in this table is for illustration purposes only.

34 Appendix 6 [Paragraph 5.08(f)] TRAINING PROGRAMMES ATTENDED BY STAFF OF CRA Credit Rating Agency: Yearly Training Budget: Date of Submission: YTD Budget Utilisation: No. Name of Staff Designation and Department Training Attended Type of Training Organiser Date

1. [Day(s), Month, Year] Note: The input provided in this table is for illustration purposes only.