If you tell enough stories, perhaps the moral will show up.

2009-02-28

Trusting Strangers -- Why Certificate Authorities are like Credit Rating Agencies

My list of causes of the banking crisis isn't quite the same as everyone else's. For me it generally boils down to moral courage. Because I have none myself, I can recognise that it was missing in plenty of different places.

  • "Spineless non-Execs" rather than "Wicked Banker" and
  • Fannie and Freddie for not making it plainer that they were lending on this stuff in response to government fiat rather than thinking it was any good, and
  • Rating agencies for closing down credit discussion on the grounds that if it was good enough for Fannie and Freddie it must be A+ at least, and
  • Bankers (aha) for closing down credit discussion on the grounds that the securities were rated A+ by an independent rating agency, and
  • Bankers (yes!) for saying that as everyone else was making fortunes:

    • writing liar's mortgages at tempting rates, and securitising them on
    • lending to doomed ventures, and securitising them on
    • buying A+ securities that somehow pay three points over base, and securitising THEM on
    they had better do the same, or the shareholders would kick their arses, and
  • Shareholders for kicking the arses of anyone who missed these amazing opportunities
  • and you know who else? Lying or self-deluding borrowers. That's us.

Oh. I'm ranting. Let me get this back on track. Check out the credit rating agencies. They're right in the crux of this. Their business is to turn more or less synthetic securities (anything from a strip or a mortgage bundle right down to a plain bond -- anything that's denominated in money rather than equity) into a capital "I" Investment. The fairy dust they sprinkle to do this is their rating. They form an opinion on the ability of the borrower to pay as advertised. That's not whether it's a good investment or the right investment for you, or whether the issuer will craftily exploit the early redemption terms or whatever. The rating is just Moody's or S&P's opinion on whether the coupons and face will be redeemed on the published dates. Ratings go from AAA which is supposed to be a dead cert down to ccc -- and you'll never get an agency to agree a correlation between the rating and a percentage probability.

Because of a long history of grade inflation, pretty much anything that can't make at least an A is called junk and a lot of investors aren't allowed to touch it.

Sometimes the agencies rate because they want media attention or because their franchise demands that they have an opinion on some popular issue. More often, they rate because the issuer pays to get a rating needed to get the issue away. You can't buy a particular grade, but the agencies will advise on how to get it, and if you're an investment bank there's such a thing as being a good customer of the rating agency... I don't really need to spell this out. Suffice to say that the investor (the technical term is "victim", these days) has no contract with the agency. If Moody's were to rate a bundle of Motown mortgages as A -- and some agencies were doing that -- and it defaults, then the owner of the bond, who trusted the rating, has no comeback against Moody's. It was the agency's published opinion, no more and no less. You relied on it at your own risk.

Now I expect that at some point you could say it was negligence, and of course rating agencies are controlled by financial regulators, but my point is a little different. Because there's a very fine parallel to this in the world of Internet security. The whole technical paraphernalia of X.509 has one purpose: to tell you, reliably, that the certificate authority has certified that the far end is the correct user of a name. You are trusting the certificate authority to do the necessary diligence, to refrain from certifying incorrect users, to guard their private key. (You are also, in effect, trusting them to do things they definitely do not do, like ensuring that the sites they certify can keep track of their private keys -- that's why the system is mad.) For ordinary users, this trust is a matter of default -- it's installed with the browser. Sites pay CAs for certificates because CAs pay browser authors to install their keys. The free-rider is the user, and that's a bad thing. No payment == no contract == no rights. As the rating agencies have shown us.
