
Securities and Exchange Board of India (SEBI) has proposed technology-based measures to enhance the security of trading and demat accounts and prevent unauthorized transactions. Rapid advancements in technology have led to an increase in incidents like SIM spoofing, hacking, and fraud, making it necessary to introduce stronger safeguards. The proposed framework includes SIM binding, biometric authentication, and measures for logging into accounts via multiple devices. Initially, these measures will be optional for investors but will become mandatory in phases. The new system will require clients to link their Unique Client Code (UCC) with a mobile device’s SIM and IMEI number, ensuring secure access. Bio-metric authentication and QR-based verification for logging in from multiple devices will further protect accounts. The framework also introduces the ability for investors to temporarily lock accounts or revoke sessions from other devices. The measures aim to create a secure and controlled trading environment, safeguarding against unauthorized activities. Comments on the consultation paper are invited until March 11, 2025.

Securities and Exchange Board of India

Consultation Paper on Technology based measures to secure trading environment and to prevent unauthorised transactions in trading/demat account of investors

SEBI- Feb 18, 2025 | Reports : Reports for Public Comments


1. Objective

The objective of this consultation paper is to seek comments from the public on the proposed technology based measures to create a secure trading environment and to prevent unauthorized transactions in trading and demat accounts.

2. Background

There have been rapid changes in the uses of technology & technological tools in the trading. Due to innovative technological tools, the instances of gaining unauthorised access to trading accounts, SIM spoofing (to divert OTPs), unauthorised account modifications, erroneous transfer of shares etc., are coming to the notice of the regulator in the recent past. Due to lack of adequate technology based controls, the web based and/or mobile based trading platforms are prone to hacking, identity theft and frauds etc. In order to address this issue, SEBI constituted a working group to recommend suitable measures.

The working group has recommended various measures, including measures to create a robust authentication mechanism for accessing trading accounts. It is proposed to hard bind the SIM with the mobile device and the UCC of the clients, similar to UPI payment applications.

3. Proposed Framework

3.1 It is imperative that the authentication mechanism for accessing the trading account be strengthened in order to ensure that only authorized users can execute trades. Hence it has been proposed to strengthen authentication by way of a SIM binding mechanism, i.e. One UCC-One Device-One SIM, similar to UPI payment applications, where the UPI application recognizes the SIM along with the mobile device and bank account details for carrying out UPI transactions. Similarly, log-in into the trading account can take place only when the trading application recognises the UCC along with the SIM and mobile device.

3.2 The proposed framework includes provisions with respect to SIM binding, bio-metric authentication, log-in from multiple devices, family accounts operations, a facility for temporary lock-in of the trading account etc. Further, access to trade is proposed to be strengthened in cases where investors opt for the call and trade/ walk and trade facility. The framework also proposes other allied technology measures to strengthen the trading ecosystem. The detailed proposal is provided in Annexure A.

4. Applicability of the provisions:

4.1 The proposed provisions will be applicable to all stock brokers in a phased manner. Initially, the top 10 Qualified Stock Brokers would be required to implement these provisions and put in place the technology based requirements to enable them. For the convenience of investors, to begin with, it would be optional for investors to opt for the proposed secure authentication mechanism. Subsequently, in a phased manner, the proposed framework would be made mandatory for accessing trading accounts.

5. Benefits to the Investors

5.1 The proposed framework would create secure and robust authentication for log-in into mobile application for trading. The first log-in can only take place through the registered mobile device. This would ensure that only authorised users/UCC holders can access the trading account through the hard bind parameters of the mobile device, such as biometric authentication or facial recognition, which cannot be tampered with. The registered mobile device would become key for accessing the trading account (either on the desktop or on the mobile device). Further, the proposed framework would mitigate the instances of unauthorised trading or unauthorised access to the trading applications as UCC of the client is linked to registered mobile number (SIM) & the mobile device and thereby create secure trading environment.

5.2 Investors would also be in the position to know all the logged-in sessions of their UCCs on other devices similar to services offered by many social media platforms. In addition, investors will have greater level of control on the trading applications in the form of putting temporary lock on trading account, revoking/invoking sessions running on other devices, keeping restrictions on quantum of trades, types of instrument to be traded etc. Therefore, the proposed framework would bring more robust and secure trading experience for the investors.

6. Summary of the framework:

6.1 Primary SIM bound device: A mobile device possessing the registered mobile number (i.e. SIM) and device IMEI number (mobile device) will be linked to the Unique Client Code (UCC) of the client.

6.2 Bio-metric authentication: A bio-metric authentication would be required on the primary SIM bound device for authorizing the log-in into the trading application provided by stock brokers.

6.3 Log-in from multiple device: A QR code based, proximity sensitive and time sensitive, authentication would be used in the trading application for authorization to log-in into other devices such as desktop and laptops. This is similar to multiple log-in facility provided by many social media platforms.

6.4 A fall back mechanism shall be put in place in case of change/loss of device to ensure continuity of trading to the clients.

6.5 Family accounts operations from primary device: A mobile device/SIM can be linked to multiple UCCs of family members who are using same mobile number. The facility can be provided based on the authorization mandate from the family members.

6.6 A call and trade facility either to stockbroker or to Authorised Person (AP) shall be allowed only through centralized dedicated phone numbers or email address or mobile numbers of the stockbroker.

7. Public Comments

7.1 The comments are invited on the proposals mentioned in the consultation paper. The comments/ suggestions should be submitted latest by March 11, 2025, through the following link:

https://www.sebi.gov.in/sebiweb/publiccommentv2/PublicCommentAction.do?doPublicComments=yes

7.2 In case of any technical issue in submitting your comment through the web based public comments form, you may write to consultationMIRSD@sebi.gov.in with the subject: “Public comments on Technology based measures to secure trading environment and to prevent unauthorised transactions in trading/demat account of investors”.

General Manager
Technology, Process Re-engineering, Data Analytics Division (TPD)
Market Intermediaries Regulations and Supervision Department
Securities and Exchange Board of India
SEBI Bhavan II, Plot No. C-7, “G” Block, Bandra Kurla Complex
Bandra (East), Mumbai – 400 051
Issued on: February 18, 2025

Annexure A

DRAFT CIRCULAR

SEBI/HO/MIRSD/ MIRSD-TPD/P/CIR/2025/

February 18, 2025

To,

All recognised Stock Exchanges

All recognised Depositories

Sub: Technology based measures to secure trading environment and to prevent unauthorised transactions in trading/demat account of investors

1. Background

1.1. SEBI vide circular SMDRP/POLICY/CIR-06/2000 dated January 31, 2000, CIR/MRD/DP/25/2010 dated August 27, 2010, CIR/MRD/DP/8/2011 dated June 30, 2011 read with para 52.2.2(g), 53.2.5, 54.2, 54.3 and 55.1 of Master Circular for Stock Brokers dated August 09, 2024, has laid down norms for online trading through Internet Based Trading (IBT) mode and Securities Trading using Wireless Technology (STWT) mode.

1.2. There have been rapid changes in the uses of technology & technological tools in the trading. Due to innovative technological tools, the instances of gaining unauthorised access to trading accounts, SIM spoofing (to divert OTPs), unauthorised account modifications, erroneous transfer of shares etc., are coming to the notice of the regulator in the recent past. Due to lack of adequate technology based controls, the web based or mobile based trading platforms are prone to hacking, identity theft and frauds etc. In order to address this issue, SEBI constituted a working group to recommend suitable measures.

1.3. Working group inter-alia recommended various measures to create robust authentication mechanism for accessing trading accounts. Based on the recommendations of working group and views obtained from stakeholders and industry experts, it has been decided to put in place the following framework.

2. Authentication mechanism: Hard binding of SIM of the device with mobile and UCC of the clients:

Primary SIM bound device:

2.1 A mobile device possessing the registered mobile number (SIM) and device IMEI number shall be linked to the Unique Client Code (UCC) of the client. The hard bound device (i.e. SIM-Mobile-UCC enabled) would become the primary SIM bound device. Stock exchanges shall issue a detailed procedure for such hard binding (registration) of devices with the UCC of the clients.

2.2 In addition to the primary device, the client will have an option to register one more SIM and device with the UCC, which would become the secondary SIM bound device. Hard binding of the device shall be a one-time activity.

2.3 Both these SIM bound devices (i.e. primary and secondary) will be active provided that both are within 100-meter proximity. However, trading can be done through only one of the devices at any given point in time. Further, if either of the two active devices moves beyond the 100-meter distance, the secondary device will be logged out automatically.

2.4 In case of change or loss of the primary/secondary device, a fall back mechanism for registering a new device shall be put in place to ensure continuity of trading for the clients. The client can revoke the existing SIM/device and re-perform KYC (either through IPV or virtual IPV) to link a new SIM/device.

Bio-metric authentication:

2.5 A log-in into the primary SIM bound device shall take place through a bio-metric authentication for authorizing the login attempt directly without password. Alternate option may be given for log-in such as a pin based authentication.

Web based Log-in from multiple devices:

2.6 The log-in into a web-based trading application from multiple devices such as desktop and laptops shall be authenticated through the primary/secondary SIM bound device. A QR code based, proximity sensitive and time sensitive, authentication shall be done in the trading application for authorizing web based login into other devices including desktop and laptop.

2.7 The access controls shall be implemented in the trading application to prevent scanning QR codes on phone gallery (or) messaging apps to ensure that a shared QR code is not being scanned.

2.8 At any point of time, only a single instance per channel (Desktop application/browser based/Mobile Browser), apart from the SIM bound devices, can be active.
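The broker-side logic implied by 2.6 and 2.8, sketched as an added example that is not part of SEBI's draft circular: a time-limited, single-use QR challenge that only a hard bound device can approve, with one active session per channel. The class and function names, the 30-second validity window and the HMAC device key issued at binding are assumptions; the proximity check and the scanner-side control in 2.7 are left out.

```python
import hashlib
import hmac
import secrets
import time

QR_TTL_SECONDS = 30  # assumed validity window; the circular does not set one


def sign(key: bytes, nonce: str, ucc: str) -> str:
    """Tag the bound device computes over the scanned nonce and its UCC."""
    return hmac.new(key, f"{nonce}|{ucc}".encode(), hashlib.sha256).hexdigest()


class QrLoginBroker:
    """Broker-side state for QR-authorised web logins (hypothetical design)."""

    def __init__(self, now=time.time):
        self._now = now
        self._device_keys = {}  # (ucc, device_id) -> key issued at hard binding
        self._pending = {}      # nonce -> (channel, expiry time)
        self._active = {}       # (ucc, channel) -> current session token

    def bind_device(self, ucc: str, device_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self._device_keys[(ucc, device_id)] = key
        return key

    def new_challenge(self, channel: str) -> str:
        """Nonce the web client renders as a QR code."""
        nonce = secrets.token_urlsafe(16)
        self._pending[nonce] = (channel, self._now() + QR_TTL_SECONDS)
        return nonce

    def approve(self, nonce: str, ucc: str, device_id: str, tag: str):
        """Called by the SIM bound device after scanning; returns a token or None."""
        entry = self._pending.pop(nonce, None)  # single use, even on failure
        key = self._device_keys.get((ucc, device_id))
        if entry is None or key is None:
            return None
        channel, expiry = entry
        if self._now() > expiry:
            return None  # time sensitive: stale or forwarded QR codes fail
        if not hmac.compare_digest(sign(key, nonce, ucc), tag):
            return None
        token = secrets.token_urlsafe(24)
        self._active[(ucc, channel)] = token  # 2.8: replaces older session
        return token

    def is_active(self, ucc: str, channel: str, token: str) -> bool:
        return self._active.get((ucc, channel)) == token
```
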

Family accounts operations from primary device:

2.9 In order to facilitate ease of trading for family members, a mobile device/SIM can be linked to multiple UCCs of family members (including HUF’s UCC). Exchange shall ensure that stock brokers get the specific authorization mandate from the clients to allow their UCCs to link to one device. Exchange shall issue further guidelines on the modalities and the process for this purpose.

3. Trade Authorization and Controls:

In order to put in place an enhanced level of controls in trading applications, stock exchanges shall ensure that the following mechanism is made available in the trading applications provided by stock brokers.

3.1 Primary/secondary SIM bound device shall also have the facility to monitor and revoke any sessions authorized by it including the sessions running on other devices such as desktop or laptop.

3.2 A facility for temporarily placing a lock on the trading account for a certain duration to disable the trades.

3.3 A facility to control the trades based on various parameters such as volume, price band, date/time window etc., shall be implemented in a phased manner starting with turnover based limits.

3.4 In case of a deceased client, if there is no open trade position, the trading account may be frozen until nomination/transmission is completed. In case an open trading position exists in the deceased client’s trading account, the stock broker shall square off the existing open position and then freeze the trading account until nomination/transmission is completed.

4. Mechanism for clients opting for call and trade / walk and trade facility: The framework for call and trade or for walk-in trade clients has been prescribed by SEBI from time to time. This framework is further strengthened with following provisions.

4.1 A call and trade through stock broker’s head office, branch office or through Authorised participants (APs), shall be only through centralised dedicated phone numbers or email address or mobile numbers of the stockbrokers.

4.2 The call recording mechanism shall ensure uniform unchangeable time-stamp for orders received from clients.

4.3 The orders received through call and trade facility shall be authenticated through OTP based mechanism unless call is received from registered mobile number. The OTP shall be sent to the registered mobile number or email id of the investors. Stock broker shall confirm the identity of clients through OTP to place and execute the orders.

4.4 For clients who opt for walk-in trade, stock brokers shall put in place a tamper proof system for recording orders placed by the clients with a uniform unchangeable time-stamp, such as webcam with voice / CCTV with voice etc. Else, such orders shall be executed through the call and trade mechanism.

5. Measures to prevent unauthorised creation of trading / demat accounts:

5.1 Exchange and Depositories shall develop a system to enable investors to ascertain and know the number of trading and demat accounts held with their PAN.

6. Measures to prevent erroneous/unintended transactions in Demat Accounts:

For executing the request of off-market transfer, following steps shall be taken by the intermediaries:

6.1 A facility to verify the beneficiary/target demat account’s name before execution of off-market transactions shall be made available in the trading/demat applications (akin to addition of beneficiary in banking systems). Alternatively, while executing E-DIS, Target Demat account number shall be validated by entering it twice – once in a displayable manner and other instance in a masked environment.

6.2 Transaction authorization shall be performed through a QR code scan / validation of push notification sent to the registered device’s mobile application for transfer of shares.

6.3 In case of investors possessing basic phones, transaction shall be authorized by entering the OTP on keypad in response to an automatic (IVRS) call.

7. Implementation:

7.1 The framework of hard binding of SIM and mobile device with UCC will be applicable initially to the top 10 Qualified Stock Brokers (QSBs), who would be required to implement these provisions and put in place the technology based requirements to enable them. Stock exchanges shall ensure that the top 10 QSBs are mandated to implement the above framework within 6 months from the date of this circular.

7.2 For the convenience of investors, to begin with, it would be optional for investors to opt for the secure authentication mechanism (i.e. hard binding of SIM, mobile and the UCC) stated in this framework. Subsequently, in a phased manner, the framework would be made mandatory for accessing trading accounts.

7.3 Except authentication mechanism, all other provisions shall be applicable to all the stock brokers and depository participants.
