Regulating ESG ratings: What the UK’s new regime means for compliance teams

ESG ratings have become one of the most influential drivers of capital flows in modern finance. Investors use them to assess how exposed a company is to long-term risks that don’t show up neatly in financial statements: carbon transition liability, workplace discrimination claims, cyber breaches, sanctions failures or corruption issues. Ratings aim to quantify how resilient organisations are to these events — and how well they manage, govern and disclose the risks.


Despite this influence, ESG ratings have developed in a largely unregulated space. Methodologies differ, data quality is inconsistent, and conflicts of interest are not always well-controlled. Compliance professionals have had to rely on trust and vendor statements rather than regulatory assurance. That is now changing.


The UK Government has laid the Financial Services and Markets Act 2000 (Regulated Activities) (ESG Ratings) Order 2025 before Parliament, introducing a new regulated activity covering the provision of ESG ratings that are reasonably expected to influence investment decisions. Once made, the Order amends the Regulated Activities Order (RAO) so that ESG ratings providers operating in, or commercially targeting, the UK must obtain FCA authorisation unless a specific exclusion applies. The Order itself takes legal effect in 2025 once made, but the regime applies in full only from 29 June 2028; a transitional period lets existing providers continue limited operations while the FCA processes their authorisation applications.


What ESG ratings actually measure

ESG ratings assess a firm’s exposure to environmental, social and governance risks and how effectively they are mitigated. Environmental scoring typically focuses on emissions, waste, climate resilience and responsible resource use. Social assessments examine worker safety, inclusion, data protection and supply-chain integrity. Governance analysis tests board oversight, whistleblowing systems, anti-bribery controls, and accountability structures.


There is no single universal scoring model. Some providers use 1–100 scales, others AAA to CCC, and all make different assumptions about materiality. This inconsistency creates comparability challenges and leaves room for greenwashing risks. Still, when used carefully, ratings help firms understand where to improve, help investors screen high-risk business models, and provide a powerful incentive for better disclosure and behaviour.


The UK has now drawn a regulatory perimeter

The Government has introduced legislation that formally brings ESG ratings providers under FCA oversight. If a company produces an ESG rating using a structured methodology and scale, and makes that rating available in a way that is reasonably expected to influence an investment decision, it will need authorisation to operate in the UK.


The scope includes both opinion-led assessments and algorithm-driven scores. It applies to UK entities and overseas firms that commercially target UK investors or users. Unsolicited ratings are captured if they influence investment decisions.


This change effectively treats ESG ratings as investment research with systemic impact, and therefore subject to regulatory scrutiny.


What is out of scope 

The regime isn’t designed to catch everything with “ESG” in the title. Ratings embedded within an existing authorised activity remain within that activity’s permissions. Private, bespoke ratings created for a single client and not intended to be shared externally remain outside the perimeter. Journalists, academics, charities, and public authorities are carved out where the work is non-commercial.


Overseas providers who make ratings freely available into the UK may also remain out of scope, but only so long as there is no commercial relationship or targeted promotion. The moment UK investors start paying, the firm is in regulated territory.


Compliance officers will need to map these distinctions carefully when assessing vendor exposure.


FCA expectations: Transparency, governance, controls and conflicts

The FCA has confirmed its regime will focus on four pillars: transparency of methodologies and data sources; robust governance; effective systems and controls; and credible management of conflicts of interest.


What this means in practice is that ESG ratings will no longer operate in a ‘black box.’ Providers will be expected to document how ratings are built, justify data inputs, control changes to models, and demonstrate independence between commercial relationships and scoring decisions.


This directly addresses long-standing concerns about inconsistent ratings, hidden assumptions, and ratings agencies consulting the very firms they assess.


Expect requirements that track IOSCO's 2021 recommendations for ESG ratings and data product providers, and the industry codes of conduct built on them, such as:


  • Methodology transparency. Clear model descriptions, data sources, treatment of estimates, and how controversies are handled.

  • Model risk management. Version control, back-testing where meaningful, sensitivity analysis, change logs and audit trails.

  • Conflicts controls. Separation between sales and analytical teams, rules on rated-entity engagement, and restrictions on consulting.

  • Operational resilience. Robust IT and cyber controls, data lineage, incident handling and recordkeeping. In practice, the audit trail and lineage records are what let a provider show that a published score was produced by the documented model, from the stated inputs, and was not altered outside the controlled change process.

  • Fair presentation. Consistent use of scales and categories, and prominent disclosure of scope, limitations and uncertainty.

Expect alignment with the UK’s anti-greenwashing rule on claims that must be fair, clear and substantiated. Even though that rule targets firms making sustainability claims, the expectation of evidence-based labelling will echo through the ratings ecosystem that firms rely on. 


A regulated supply chain for ESG inputs

Bringing ESG ratings into the regulatory perimeter has a direct downstream effect on firms that use them. If financial products, disclosures or investment strategies rely on ESG ratings, compliance teams must now be confident those ratings come from an authorised, well-controlled provider.


This links directly with the FCA’s anti-greenwashing expectations. Claims about sustainability performance need substantiation. Poor-quality or opaque ratings will no longer be a defensible basis for product messaging, due diligence or portfolio construction.


In short, compliance cannot treat ESG ratings as a procurement convenience. They are part of regulated risk intelligence.


Timeline and transition: What happens when

The full regime takes effect on 29 June 2028. The FCA will open an authorisation window ahead of that date, and providers with existing contractual obligations or public ratings may operate during a transitional period, but only if they notify clients and accept supervisory conditions.


By mid-2029, transitional relief ends. Any provider without approval at that point will not be permitted to continue business that influences investment decisions in the UK.


This gives compliance teams two-and-a-half years to confirm their supply chain will remain lawful.


A more accountable ESG market

The purpose of this shift is not to slow sustainable finance or add unnecessary friction. It is to ensure that when markets rely on ESG information, they are relying on something credible. Transparent methodologies, regulated governance and enforceable standards reduce greenwashing risk and strengthen the connection between ESG assessments and real-world risk.


For compliance professionals, this change is structural. ESG ratings are no longer a voluntary add-on to support corporate messaging. They are evolving into regulated inputs that sit directly under the FCA’s oversight and within the organisation’s compliance risk footprint.


Between now and the end of the transition period, the firms that succeed will be the ones that replace blind trust in ratings with evidence-based validation — and that treat ESG ratings as what they have become: critical risk data in a regulated marketplace.


What compliance teams must do now

Firms should already be assessing which ratings they rely on, how they are used, and whether vendors intend to seek authorisation. Contracts will need updating to require transparency on methodologies, notification of changes, and confirmation of regulatory status during and after transition.


Internal product governance and disclosure processes must also adapt. Where ESG ratings inform investment decisions, risk committees must be able to challenge the inputs and demonstrate that the organisation knows their limitations.


Overseas vendors pose the highest strategic uncertainty. Firms using them should prepare contingency plans for replacement, renegotiation, or proof of their chosen provider’s UK compliance.


What to do now:


Inventory the ESG flow. List every rating and data product you rely on. Tag what is standalone, paid and used for decision-making. That is your in-scope universe.


Ask smarter questions. Push providers for methodology decks, controversy treatment, data lineage, re-scoring frequency, change logs and conflict policies. Use IOSCO’s headings as your RFP checklist.


Prepare for resilience. Update contracts to require notice of methodology changes, audit trails, model risk controls, outage SLAs, and an explicit obligation to maintain UK authorisation once required. Include transitional representations through 2029.

Tidy your own claims. If your marketing leans on ratings, make sure your statements are fair, clear and substantiated and that you can evidence how you selected and validated those inputs.


Mind the overseas edge cases. If you buy from a non-UK house, assume it will need a UK permission unless it publishes freely into the UK with no commercial relationship and no UK-targeted promotion. Plan for potential re-papering or provider consolidation.