
Governance Briefing — October 20, 2023

Brazil’s CVM Guidance Opinion 41/2023 sets out the supervisory expectation that ESG rating providers and listed companies institute independent oversight, implementation roadmaps, and LGPD-aligned DSAR protocols covering scoring data, methodologies, and conflict-of-interest disclosures.

Executive briefing: Brazil’s Comissão de Valores Mobiliários (CVM) released Guidance Opinion 41/2023 and Circular Letter SIN 02/23 to clarify supervisory expectations for environmental, social, and governance (ESG) rating providers operating in the Brazilian capital markets. The guidance responds to the rapid expansion of sustainability ratings, urging transparent governance, rigorous methodology oversight, and robust handling of personal data and confidential business information. Issuers and rating firms must align their internal control frameworks with Brazil’s General Data Protection Law (Lei Geral de Proteção de Dados, LGPD), because the information they process often identifies board members, executives, suppliers, and affected community members. Building governance structures that integrate ESG analytics with DSAR-ready privacy operations is now a regulatory imperative for anyone marketing ESG scores to Brazilian investors.

Governance and accountability expectations

CVM requires ESG rating agencies to formalize governance arrangements equivalent to those expected of credit rating agencies under CVM Resolution 9 and International Organization of Securities Commissions (IOSCO) principles. Boards must designate accountable executives for methodological integrity, conflict of interest management, and LGPD compliance. Rating committees should include independent members with expertise in sustainability, data ethics, and Brazilian regulatory law. CVM emphasizes separation between commercial and analytical functions to mitigate undue influence on ratings, requiring a documented conflict of interest policy, board approval, and periodic training.

Issuers using ESG ratings in securities offerings or sustainability-linked instruments must ensure their audit committees understand how external ratings are produced, whether the underlying data includes personal information, and how DSAR obligations from investors, employees, or community stakeholders will be honored. Governance documentation should map ESG data ingestion, validation, scoring, and publication steps to named control owners across sustainability, investor relations, legal, and privacy teams. CVM expects controllers to retain minutes of rating committee decisions, disclose methodology updates to the market, and maintain oversight of outsourced data providers through contractual clauses that require LGPD compliance and timely DSAR cooperation.

Implementation roadmap for issuers and rating providers

Organizations should treat Guidance Opinion 41/2023 as a catalyst for a structured implementation program spanning people, processes, and technology. Recommended phases include:

  1. Gap assessment (0–60 days): Inventory all ESG rating relationships, including unsolicited ratings, to determine whether methodologies rely on personal data such as executive compensation, workforce demographics, human rights complaints, or whistleblower reports. Benchmark existing governance artifacts against CVM’s expectations for transparency and independence. Document DSAR capabilities for these datasets, including verification steps, data localization considerations, and retention rules.
  2. Control design (60–150 days): Establish or refresh ESG data governance councils that include privacy counsel and data protection officers (DPOs). Develop procedures to review rating methodologies for bias, data quality, and LGPD lawful basis. Implement vendor due diligence covering international data transfers, anonymization techniques, and complaint handling. Create standardized disclosure templates summarizing methodology changes, use of artificial intelligence, and governance structures to be included in reference forms (Formulário de Referência) and sustainability reports.
  3. Operationalization (150–300 days): Deploy tooling to track data lineage from ESG data ingestion to publication. Integrate consent management and DSAR tracking systems so that individuals whose information feeds ESG indicators can exercise rights to confirmation of processing, access, correction, anonymization, or deletion under LGPD Articles 18 and 19. Embed automated alerts when ESG ratings rely on sensitive personal data (dados sensíveis) that require explicit consent or legal justification. Train sustainability analysts on privacy-by-design checklists and escalate high-risk processing to the DPO for impact assessments.
  4. Continuous improvement (300–540 days): Monitor regulatory developments, including CVM’s ongoing rulemaking on ESG funds (Resolution 175) and Brazil’s National Monetary Council guidance. Conduct annual independent reviews of ESG rating governance, methodology robustness, and DSAR response performance. Report remediation progress to the board and include KPIs—such as average DSAR completion time for ESG-related requests, number of methodology changes communicated to investors, and volume of third-party data source audits—in sustainability disclosures.

LGPD compliance and DSAR handling for ESG data

ESG ratings frequently rely on structured and unstructured personal data: board composition, workforce health and safety incidents, diversity metrics, union grievances, and community impact surveys. CVM reminds firms that LGPD applies whenever identifiable individuals are referenced, even within aggregated scoring. Controllers must identify the lawful basis for processing—often legitimate interest or compliance with legal obligations—and document balancing tests demonstrating that processing is necessary and proportionate. When sensitive personal data is involved (e.g., health or biometric information in workplace safety programs), explicit consent or legal safeguards must be in place.

DSAR processes need to map to each ESG data store. Establish dedicated request categories for ESG-related personal data, ensuring DSAR portals explain how individuals can inquire about rating inputs, challenge inaccuracies, or request deletion where appropriate. Privacy teams should partner with sustainability analysts to produce intelligible explanations of ESG metrics without revealing proprietary methodologies. Maintain evidence logs showing when data was sourced, how it was validated, and whether anonymization or pseudonymization techniques were applied. For cross-border data transfers—common when global ESG providers operate from Europe or the United States—ensure standard contractual clauses or adequate safeguards are documented, and communicate transfer mechanisms in privacy notices.

When DSARs allege adverse impacts from ESG scoring, controllers must coordinate with investor relations and legal teams to avoid selective disclosure. LGPD Article 19 allows confirmation of processing or access to be given immediately in simplified form, with the complete declaration (origin of the data, data categories, processing criteria and purposes, and sharing partners) due within 15 days of the request, so the DSAR workflow should make both clocks visible to the handler. If a deletion request conflicts with securities law recordkeeping obligations, document the legal basis for retention and explain it to the requester. Maintain a register of DSAR outcomes to inform board reporting and demonstrate accountability to CVM inspectors.

Transparency and market disclosure obligations

CVM expects ESG rating providers to publish comprehensive methodology summaries covering qualitative and quantitative indicators, data sources, weightings, and limitations. Firms should disclose whether machine learning or natural language processing tools are used, the extent of human judgment, and how controversies or event-driven updates are incorporated. Issuers must ensure that prospectuses, sustainability-linked bond frameworks, and periodic reports clearly describe reliance on external ESG ratings, highlight governance controls in place, and outline DSAR contact points for affected stakeholders.

Transparency extends to conflicts of interest. Rating providers must publish policies describing how they manage situations where rated entities are also paying clients for consulting or assurance services. They should log gifts, entertainment, and fee arrangements, disclosing aggregated statistics annually. Issuers must scrutinize such relationships and include them in related-party transaction disclosures when material.

Risk management and assurance

Internal audit functions should develop testing plans covering ESG rating governance and LGPD compliance. Auditors should verify that role-based access controls restrict who can view personal data used in scoring, assess whether data minimization principles are respected, and confirm that DSAR tracking systems keep append-only, tamper-evident logs (hash-chained or written to WORM storage) rather than records that analysts or administrators can silently edit. Conduct sample testing of ratings to ensure methodology documentation matches actual practice and that any adjustments are approved by independent oversight committees. Where third-party data brokers supply ESG inputs, request assurance reports (e.g., ISAE 3000, SOC 2) or perform onsite reviews.
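The data lineage tooling and sensitive-data alerts from the operationalization phase, the pseudonymized evidence logs and confirmation-of-processing responses from the LGPD section, and the tamper-evident DSAR log that internal audit is asked to confirm here can be sketched together. The Python below is an added example written for this briefing; it is not tooling from CVM, the ANPD, or any rating provider. The list of sensitive categories, the set of lawful bases under which sensitive data is allowed through without DPO review, the indicator and source names, the subject identifiers, and the demo key are all constructed assumptions (the two legal lists are simplified readings of LGPD Articles 5 and 11, not complete encodings).

```python
"""Added example: tamper-evident ESG lineage log with LGPD sensitive-data alerts and DSAR lookup."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumption: simplified list of dados sensíveis (LGPD Art. 5, II); not exhaustive.
SENSITIVE_CATEGORIES = {
    "health", "biometric", "genetic", "union_membership", "racial_or_ethnic_origin",
    "religious_belief", "political_opinion", "sexual_orientation",
}
# Assumption: bases on which this demo lets sensitive data through without DPO review
# (a simplified reading of LGPD Art. 11; a real system would encode the full list).
SENSITIVE_OK_BASES = {"explicit_consent", "legal_obligation"}
# Constructed demo key. In production it comes from a KMS/HSM, never from source code.
PSEUDONYM_KEY = b"demo-only-rotate-me"


def pseudonymize(subject_id: str) -> str:
    """Keyed hash: raw identifiers never enter the log, but the DSAR handler,
    which holds the key, can still find one subject's records."""
    return hmac.new(PSEUDONYM_KEY, subject_id.encode(), hashlib.sha256).hexdigest()[:24]


class LineageLog:
    """Append-only, hash-chained evidence log. Each record commits to the hash of
    the previous one, so editing or deleting any earlier record breaks verify()."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(record):
        body = {k: v for k, v in record.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        record = {"seq": len(self.entries), "prev": prev, **event}
        record["hash"] = self._digest(record)
        self.entries.append(record)
        return record

    def verify(self):
        prev = self.GENESIS
        for i, rec in enumerate(self.entries):
            if rec.get("seq") != i or rec.get("prev") != prev or self._digest(rec) != rec.get("hash"):
                return False
            prev = rec["hash"]
        return True


def record_ingestion(log, indicator, source, subjects, categories, lawful_basis, validated_by, when):
    """Log one ESG input and return the alerts the privacy team should act on."""
    alerts = []
    sensitive = sorted(set(categories) & SENSITIVE_CATEGORIES)
    if sensitive and lawful_basis not in SENSITIVE_OK_BASES:
        alerts.append(f"{indicator}: sensitive data {sensitive} on basis '{lawful_basis}' needs DPO review")
    if subjects and not validated_by:
        alerts.append(f"{indicator}: personal data from {source} has no validation owner")
    log.append({
        "type": "ingestion", "indicator": indicator, "source": source,
        "subjects": sorted(pseudonymize(s) for s in subjects),
        "categories": sorted(categories), "lawful_basis": lawful_basis,
        "validated_by": validated_by, "sensitive": bool(sensitive), "timestamp": when.isoformat(),
    })
    return alerts


def dsar_lookup(log, subject_id):
    """Confirmation-of-processing view for one subject (LGPD Art. 18/19): which
    indicators used their data, from which source, on which lawful basis."""
    token = pseudonymize(subject_id)
    return [{"indicator": r["indicator"], "source": r["source"], "categories": r["categories"],
             "lawful_basis": r["lawful_basis"], "timestamp": r["timestamp"]}
            for r in log.entries if r.get("type") == "ingestion" and token in r["subjects"]]


def build_demo_log():
    """Constructed sample run: three ESG inputs, two of which should raise alerts."""
    log, alerts = LineageLog(), []
    t = datetime(2023, 10, 20, 12, 0, tzinfo=timezone.utc)
    alerts += record_ingestion(log, "board_independence", "reference_form_2023",
                               ["dir-0001", "dir-0002"], ["name", "role"], "legal_obligation", "ir-team", t)
    alerts += record_ingestion(log, "workplace_safety_score", "hse_incident_db",
                               ["emp-1001"], ["name", "health"], "legitimate_interest", "sustainability-analyst", t)
    alerts += record_ingestion(log, "labour_relations_score", "grievance_tracker",
                               ["emp-1001", "emp-2002"], ["union_membership"], "explicit_consent", "", t)
    return log, alerts


if __name__ == "__main__":
    log, alerts = build_demo_log()
    print("chain valid:", log.verify())
    for a in alerts:
        print("ALERT:", a)
    print("DSAR emp-1001:", json.dumps(dsar_lookup(log, "emp-1001"), indent=1))
    log.entries[1]["lawful_basis"] = "explicit_consent"  # simulated back-dated edit of a record
    print("chain valid after tampering:", log.verify())
```

Running the script shows the chain verifying, two alerts (health data scored on a legitimate-interest basis, and union-membership data ingested with no validation owner), the confirmation-of-processing view for one employee, and a failed verification after the second record is edited in place. Two caveats an auditor would raise: a hash chain makes tampering detectable, not impossible, so the head hash still has to be anchored somewhere the application cannot rewrite (WORM storage, an external timestamping service, or a signed daily digest); and the pseudonymization key re-identifies every subject in the log, so it is personal-data infrastructure in its own right, to be kept out of source control and restricted to the DSAR handler.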

Risk teams must integrate ESG rating exposure into enterprise risk assessments, considering reputational, legal, and operational implications. Key risk indicators can include the number of unresolved DSAR complaints related to ESG data, volume of ratings withdrawn due to data quality issues, and percentage of data sources with completed privacy impact assessments. Establish escalation protocols for significant controversies, ensuring the board receives timely briefings and approves remediation plans.

Stakeholder engagement and training

Guidance Opinion 41/2023 emphasizes stakeholder engagement. Firms should engage civil society, investors, and rated entities to explain methodologies, gather feedback, and refine data collection practices. Training programs must cover LGPD principles, DSAR handling, conflict of interest scenarios, and how sustainability narratives intersect with securities law. Provide specialized sessions for frontline teams collecting data from suppliers or community organizations, reinforcing secure data transfer, consent documentation, and escalation of sensitive personal data.

Communicate updates through sustainability reports, investor days, and dedicated ESG portals, highlighting how governance enhancements improve rating credibility and protect individual rights. Demonstrating responsiveness to DSARs and community concerns can strengthen investor confidence and mitigate activism risk.

Next steps

Within 30 days, catalog all ESG rating relationships, data sources, and associated personal data categories. Within 90 days, submit updated governance charters and conflict of interest policies to the board, launch privacy impact assessments on ESG datasets, and integrate DSAR tracking with ESG workflows. Over the next year, pursue independent assurance over ESG rating methodologies, publish transparent disclosures, and maintain ongoing dialogue with CVM as rulemaking evolves. Treat Guidance Opinion 41/2023 as the baseline for a living ESG data governance program that blends sustainability ambition with verifiable privacy and investor protection controls.
