AI Compliance for Credit Rating Agencies (NRSROs)

How the SEC 17g rules, information barriers, and recordkeeping rules shape AI use at a registered credit rating agency.

AI compliance for credit rating agencies is a high-stakes topic. Nationally recognized statistical rating organizations (NRSROs) face some of the strictest confidentiality rules in finance. Section 15E and the SEC 17g rules govern material nonpublic information (MNPI) and information barriers.

AI can do useful work at a rating agency. It can summarize filings, draft analysis, and compare covenants. But each task can touch MNPI, and the rules there are strict.

This guide shows how the 17g framework shapes AI use. It also lays out a clear AI governance program for an NRSRO.


The 17g framework and where AI fits

The 17g rules set the NRSRO oversight regime. They come from the Credit Rating Agency Reform Act of 2006, which added Section 15E. Dodd-Frank then expanded them.

Three rules matter most for AI. Rule 17g-5 covers conflicts of interest. Rule 17g-4 covers misuse of MNPI. Rule 17g-2 covers records.

AI does not change what these rules require. They are technology-neutral. But AI creates new places where the rules bite.

  • Rule 17g-5: conflicts, plus the 17g-5(a)(3) deal-disclosure regime with a confidentiality pledge.
  • Rule 17g-4: policies to prevent misuse of MNPI.
  • Rule 17g-2: books and records, including work papers used to form a rating.
  • Section 15E(g)(1): the law that requires MNPI-misuse and conflict policies.

MNPI, draft ratings, and information barriers

Draft ratings are very market-sensitive. So is the deal data you get under 17g-5(a)(3). That data comes with a pledge to keep it confidential and treat it as MNPI.

Rule 17g-4 requires steps to stop misuse of that information. It must not leak across the wall between analysts and the commercial side.

For AI, the rule is clear. Any AI that sees this data must sit inside the wall. Use a no-training endpoint, a controlled workspace, and logs that only analytical staff can read.

  • Treat draft ratings and 17g-5(a)(3) deal data as confidential MNPI.
  • Limit AI that sees this data to analytical staff inside the wall.
  • Use no-training, access-controlled AI — never consumer tools.
  • Scope AI logs and outputs so commercial staff cannot read them.

AI compliance for credit rating agencies under Rule 17g-2

Rule 17g-2 requires NRSROs to keep certain records. This includes work papers used to form a rating. AI work can fall into this group.

So if AI helps draft analysis or compare terms, its prompts and outputs may be records. They may need to be kept.

The fix is to plan ahead. Build retention into AI-assisted rating work from day one. Adding it after an exam request is much harder.

  • AI work papers used to form a rating may be records under 17g-2.
  • Capture rating-relevant prompts and outputs in a form you can produce.
  • Keep AI records access-controlled and inside the wall.
  • Design retention in before exams, not after.

AI in the rating process: conflicts and model governance

Some AI does more than summarize. It can shape analytical judgment. When that happens, more rules come into play.

Rule 17g-5 governs conflicts. Methodologies face disclosure and governance duties. So govern any AI that affects a rating like a model. Document it, validate it, and oversee it.

Watch your public claims, too. The SEC has fined firms for "AI washing," meaning false claims about AI use. In March 2024, it settled cases against two advisers for $225,000 and $175,000. Describe your AI use accurately.

  • Govern outcome-affecting AI like a model: documented, validated, overseen.
  • Keep AI use in line with 17g-5 conflict rules.
  • Use SR 11-7-style model-risk practice for AI in the rating process.
  • Describe AI use accurately to avoid "AI washing" exposure.

A note on Regulation SCI

People often link Reg SCI to rating agencies. That is a mistake. Reg SCI applies to a set list of "SCI entities."

That list includes SROs, certain clearing agencies, large ATSs, and plan processors. NRSROs are not on it. The SEC's 2023 plan to expand it was withdrawn in June 2025 and never added rating agencies.

Strong systems still matter, though. Good security and continuity support the 17g internal-controls duties. But Reg SCI is not the legal hook for an NRSRO.

  • Reg SCI does not apply to NRSROs — and the withdrawn 2023 expansion would not have either.
  • Systems resilience still matters under the 17g internal-controls duties.
  • Cite the 17g rules and Section 15E for NRSRO duties, not Reg SCI.

Build an NRSRO AI governance program

A strong program ties the 17g rules to real controls. Start with an AI inventory. Then classify which workflows can touch MNPI or draft ratings.

Send those workflows to no-training, access-controlled AI inside the wall. Build retention for rating work papers. Govern outcome-affecting AI like a model. Then supervise it all.

Map this to a known framework for exam support. Good options are the NIST AI Risk Management Framework, ISO/IEC 42001, and the US Treasury Financial Services AI Risk Management Framework from February 2026. But the binding rules are still the 17g rules and Section 15E.

  • Inventory and classify AI workflows by MNPI exposure.
  • Wall off MNPI-touching AI with no-training, access-controlled endpoints.
  • Retain rating-relevant AI work papers under 17g-2.
  • Govern outcome-affecting AI as a validated model, and supervise all AI use.

Updated June 9, 2026. NRSRO rules and AI policy both keep changing. Verify the current rule text and SEC posture, and involve counsel, before you finalize a program.

Conclusion: AI compliance for credit rating agencies

AI compliance for credit rating agencies starts with the 17g rules. Keep MNPI-touching AI inside the wall. Retain rating work papers. Govern AI that affects ratings like a model.

Do not confuse the rules. Reg SCI does not apply to you. Section 15E and the 17g rules do.

Get this right, and analysts gain AI's leverage without harming the information barrier.

Frequently Asked Questions

  • Yes, with governance. AI can summarize filings, draft analysis, and compare deal terms. It can even inform judgment if you govern it like a model. The limits are the 17g rules: keep MNPI-touching AI inside the wall, retain work papers under 17g-2, and follow 17g-5 conflict rules.
  • No. Reg SCI applies to a set list of "SCI entities," such as SROs, certain clearing agencies, large ATSs, and plan processors. NRSROs are not on it. The SEC's 2023 plan to expand it was withdrawn in June 2025 and never included rating agencies. Cite the 17g rules and Section 15E for NRSRO duties.
  • They can be. Rule 17g-2 requires you to keep internal records and work papers used to form a rating. If AI prompts and outputs feed a rating decision, they may be records. Build capture and retention into AI-assisted rating work from the start.
  • Any AI that can see draft ratings, committee materials, or 17g-5(a)(3) deal data must sit inside the wall. That means a no-training endpoint, a controlled workspace for analysts only, and logs commercial staff cannot read. A firm-wide or consumer AI tool would breach the barrier.
  • Data you access under 17g-5(a)(3) comes with a pledge to keep it confidential and treat it as MNPI. So it can only go into AI inside the wall, with no training on inputs. Access must be limited to the analysts entitled to see it.
  • Yes. The SEC has fined firms for false or misleading claims about AI use. Describe AI in your methodologies, disclosures, and marketing accurately. What you claim about AI is itself subject to the antifraud rules.
  • The binding rules are the SEC 17g rules and Section 15E. For structure, use the NIST AI Risk Management Framework and its Generative AI profile. Add ISO/IEC 42001 and the US Treasury Financial Services AI RMF from February 2026. Use SR 11-7-style model-risk practice for AI that affects ratings.

Stand up AI governance built for an NRSRO

Layer3 Labs helps credit rating agencies adopt AI inside the 17g framework. We set up walled, no-training deployments, MNPI controls, 17g-2 recordkeeping, and model governance. Analysts get AI's leverage without harming the information barrier.
