Securities and Exchange Board of India
Circular No. SEBI/HO/MIRSD/MIRSD-PoD-1/P/CIR/2023/24 Dated: February 06, 2023
To,
All Recognized Stock Exchanges
All Clearing Corporations
All Depositories
All Registered Stock Brokers through Recognized Stock Exchanges
Madam / Sir,
Sub: Enhanced obligations and responsibilities on Qualified Stock Brokers (QSBs)
1. SEBI, through various circulars issued from time to time, has given necessary directions/guidelines to stock brokers, to ensure orderly functioning of the securities market and to protect the interest of investors in securities market.
2. Over time, there have been significant developments in the securities markets such as advancement in technology, investor penetration and awareness, concentration of activity among few stock brokers and increase in risk including, on account of possibility of cyber-attacks.
3. Certain stock brokers, due to various factors like their size, trading volumes and amount of clients’ funds handled by them, have come to occupy a significant position in the Indian securities market which is leading to concentration of activity among few stock brokers. Such stock brokers cater to the needs of large number of investors and therefore, it is imperative for such stock brokers, inter-alia, to adhere to the regulatory guidelines, provide satisfactory services to investors and resolve investor complaints. The failure of such stock brokers has the potential to cause disruption in the services they provide to large number of investors causing widespread impact in the securities market.
4. Hence, in order to further strengthen the compliance and monitoring requirements relating to stock brokers and to ensure efficient functioning of securities market, SEBI, vide Gazette Notification dated January 17, 2023, amended the SEBI (Stock Broker) Regulations, 1992 for designating certain stock brokers, having regard to their size and scale of operations, likely impact on investors and securities market, as well as governance and service standards, as Qualified Stock Brokers (QSBs), on the basis of certain parameters and appropriate weightages thereon.
5. The stock broker designated as a QSB shall be required to meet enhanced obligations and discharge responsibilities to ensure appropriate governance structure, appropriate risk management policy and processes, scalable infrastructure and appropriate technical capacity, framework for orderly winding down, robust cyber security framework, and investor services including online compliant redressal mechanism.
6. This circular details the parameters which shall be considered for designating a stock broker as QSB, enhanced obligations and responsibilities which shall be cast on such QSBs and guidelines on enhanced monitoring of QSBs which shall be carried out by Market Infrastructure Institutions (MIIs).
7. Parameters for designating a stock broker as QSB:
7.1. Initially, the following parameters shall be considered for designating a stock broker as QSB:
a) the total number of active clients of the stock broker;
b) the available total assets of clients with the stock broker;
c) the trading volumes of the stock broker (excluding the proprietary trading volume of the stock broker); and
d) the end of day margin obligations of all clients of a stock broker (excluding the proprietary margin obligation of the stock broker in all segments)
Procedure for assigning score to a stock broker:
7.2. The following procedure shall be followed to assign score to a stock broker, based on the parameters enumerated at para 7.1 above:
a) For each stock broker, individual score for a particular parameter shall be calculated by dividing the individual parameter by the aggregate of the respective parameter summed across all stock brokers, i.e., a stock broker’s count of active clients will be divided by the aggregate count of active clients of all stock brokers and similarly individual scores shall be calculated for other parameters as well.
b) Then, total score shall be calculated by adding individual score of all the parameters. For calculating the scores for a particular financial year, parameters as on December 31st of such financial year shall be considered.
Identification of QSBs:
7.3. Initially, stock brokers with a total score greater than or equal to five based on the parameters enumerated at para 7.1 above, shall be identified as QSBs. The first such list of QSBs shall be prepared on the basis of parameters as on December 31, 2022.
7.4. The framework may be extended to more stock brokers in due course, if necessary, including, by considering the following additional parameters:
a) compliance score of the stock broker;
b) grievance redressal score of the stock broker; and
c) the proprietary trading volumes of the stock broker.
7.5. The scores shall be calculated on annual basis (financial year) and the revised list of QSBs shall be released jointly by stock exchanges, in consultation with SEBI.
7.6. The QSBs which no longer belong to the revised list, shall continue to comply with the enhanced obligations and responsibilities, for an additional period of 3 financial years or such time, as may be specified by SEBI/stock exchanges.
8. Enhanced obligations and responsibilities for QSBs:
8.1. Governance structure and processes:
8.1.1. The Board of Directors (BoD) or analogous body of QSBs shall exercise oversight over incidents/vulnerabilities having an impact on functioning of the QSB in the securities market and investor protection including data security breaches that can affect investor data.
8.1.2. Further, QSBs shall have committees of the Board of Directors (BoD) or analogous body such as Audit Committee (for listed QSBs), Nomination and Remuneration Committee, Risk Management Committee, Information Technology (IT) Committee, Cybersecurity Committee and any other committee as mandated by SEBI from time to time.
a) The Chief Financial Officer (CFO) or analogous person of the QSB shall submit to the audit committee, details in respect of financial status of the entity, disclosure of any related party transactions, inter-corporate loans and investments, internal financial controls and risk management systems, compliance with listing and other legal requirements relating to financial statements, adherence to regulatory provisions etc.
b) QSBs shall, before appointing directors, Key Managerial Personnel (KMP) and other employees, consult the nomination and remuneration committee with regard to their appointment, tenure and remuneration.
c) QSBs shall seek inputs from various committees such as risk management committee and cybersecurity committee while framing policies relating to respective areas such as risk management of the organization and, establishing a robust cyber security framework and augmenting IT infrastructure and scalability of operations.
8.1.3. QSBs shall submit an annual report to the stock exchanges regarding the observations of the committees of BOD or analogous body, corrective action taken by the QSB and measures taken to prevent recurrence of such incidents.
8.2. Risk Management Policy and Processes:
8.2.1. QSBs shall devise a clear and a well-documented risk management policy which encompasses the following:
a) List of all relevant risks which may have to be borne by the QSBs such as:
i. risks which can arise during KYC and account opening process such as submission of incomplete KYC forms by the clients, submission of fake information with an intention to commit frauds and non-updation of information submitted as and when there is any change in the information submitted during KYC;
ii. operational risks such as faulty systems which can cause erroneous execution of orders from clients’ account and/or unauthorized trading on behalf of the client and misutilization of client’s sensitive information by any employee of the QSBs;
iii. technology risks which include technical glitches and cyber-attacks; and
iv. general risks such as fraud risk, credit risk, market risk, legal risk, reputation risk and risk due to outsourcing of activities to third parties.
8.2.2. Such risk management policy shall:
a) strive to address the root cause of the risks and try to prevent recurrence of such risks;
b) enable early identification and prevention of risk;
c) assess the likely impact of a probable risk event on various aspects of the functioning of the QSB such as impact on investors, financial loss to the QSB, impact on other stakeholders in the market, reputational loss etc. and lay down measures to minimize the impact of such event and
d) assign accountability and responsibility of Key Managerial Personnel (KMP) in the organization.
Surveillance of client behaviour:
8.2.3. The risk management framework shall have measures for carrying out surveillance of client behaviour through analyzing the pattern of trading done by clients, detection of any unusual activity being done by such clients, reporting the same to stock exchanges and taking necessary measures to prevent any kind of fraudulent activity in the market in terms of the regulatory requirements prescribed by SEBI and MIIs.
Ensuring Integrity of Operations:
8.2.4. QSBs shall maintain adequate human resources, systems, processes and procedures for seamless running of operations and protection of investor data.
8.2.5. The staff of the QSBs shall be given the necessary resources and support to carry out their duties effectively and efficiently. The QSBs shall train their employees at regular intervals in matters relating to the activities being handled by them.
8.2.6. A CXO level officer shall be designated as responsible for managing key risks, i.e., Chief Compliance Officer (responsible for all regulatory compliance related activities), Chief Information Security Officer (responsible for all cyber security related activities), Chief Risk Officer (responsible for overall risk management associated with functioning of the QSB).
8.2.7. QSBs shall employ adequate tools to automate process of risk management, reporting and compliance.
8.2.8. The risk management policy shall be reviewed on half yearly basis by the QSB and a report in this regard shall be submitted by the risk management committee of the QSB to the stock exchange.
8.2.9. The BoD/senior management shall view any recurrence of a particular incident seriously and take prompt and appropriate action including fixation of accountability.
8.3. Scalable infrastructure and appropriate technical capacity:
8.3.1. The QSBs shall put in place a policy framework, approved by its IT committee, for upgradation of infrastructure and technology from time to time to ensure smooth functioning and scalability for delivering services to investors at all times. Such framework should be reviewed on half-yearly basis.
8.3.2. QSBs shall, at all times, maintain adequate technical capacity to
process 2 times the peak transaction load encountered during the preceding half year and shall also fulfill all other requirements as specified by SEBI/MIIs from time to time, in this regard.
8.4. Framework for orderly winding down:
8.4.1. QSB shall put in place, a framework for orderly wind down of its business to ensure continuity of services to its clients in case of closure of business by the QSB due to its inability to provide services to its clients or meet the prescribed regulatory requirements or any other reason. Such wind-down framework shall encompass the following:
a) Seamless portability of its clients to other SEBI registered stock brokers while protecting the funds and securities of such clients;
b) Providing all necessary support to the clients to ensure a smooth and secure transfer process;
c) Providing adequate notice to the clients before winding down of the operations after taking approval of the stock exchanges; and
d) Preventing any significant impact on the market and inconvenience to the investors.
8.4.2. In case of wind down which may happen due to regulatory action, erosion of networth of the QSB etc., such wind down of operations of the QSB will be implemented under the supervision of the stock exchange.
8.5. Robust cyber security framework and processes:
8.5.1. Digitalization and online platforms have given rise to need for effective mitigation of information and cyber risks. SEBI, has specified the framework on cybersecurity and cyber resilience to be followed by all stock brokers.
8.5.2. However, QSBs handle sensitive data of a large number of the investors in the securities market and any cyber-attack on the systems of a QSB can compromise the confidentiality and integrity of such data.
8.5.3. Hence, QSBs shall have additional features in their cyber security framework which would be commensurate with the amount of data handled by them. The cyber security committee of the QSB shall review the framework on half-yearly basis and review the instances of cyber-attacks, if any, and take steps to strengthen the cyber security framework of the QSB.
8.5.4. The QSBs shall have a dedicated team of security analysts, which may include domain experts in the field of cyber security and resilience, network security and data security which shall carry out the following activities:
a) Prevention of cyber security incidents through continuous threat analysis, network and host scanning for vulnerabilities and breaches, deploying adequate and appropriate technology to prevent attacks originating from external environment and internal controls to manage insider threats etc.
b) Monitoring, detection and analysis of potential intrusions/security incidents in real time and through historical trending on security-relevant data sources.
c) Operating network defence technologies such as Intrusion Detection Systems (IDSes) and data collection/analysis systems.
d) Conducting cyber-attack simulation on quarterly basis to aid in developing cyber resiliency measures and test the adequacy and effectiveness of the framework adopted.
e) Conducting awareness and training programs for its employees with regard to cyber security and situational awareness on quarterly basis.
f) Prevention of attacks similar to those already faced.
8.5.5. Such dedicated team shall submit a quarterly report to the BoD of QSB, on above mentioned activities carried out by them along with details of cybersecurity incidents which occurred and details of incidents which were prevented from occurring.
8.5.6. The dedicated team of security analysts shall report to Chief Information Security Officer (CISO) of the QSB and such CISO shall be designated as a Key Managerial Personnel (KMP) and shall directly report to the MD &CEO of the QSB.
8.5.7. The QSB should have well-defined and documented processes for monitoring of its systems and networks, analysis of cyber security threats and potential intrusions / security incidents, usage of appropriate technology tools, classification of threats and attacks, escalation hierarchy of incidents, response to threats and breaches, and reporting of the incidents.
Vulnerability Assessment and Penetration Testing (VAPT)
8.5.8. QSBs shall carry out continuous assessment of the threat landscape faced by them and on half yearly basis, conduct vulnerability assessment to detect security vulnerabilities in their IT environments exposed to internet.
8.5.9. QSB shall also carry out penetration tests on half-yearly basis, in order to conduct an in-depth evaluation of the security posture of the system through simulations of actual attacks on its systems and networks that are exposed to the internet.
Business Continuity Plan:
8.5.10. QSB shall put in place a comprehensive Business Continuity Plan (BCP) and such policy shall be reviewed on half-yearly basis to minimize the incidents affecting the business continuity.
8.5.11. QSB shall develop and document mechanisms and standard operating procedures to recover from the cyber-attacks within the stipulated Recovery Time Objective (RTO) of the QSB, various scenarios and standard operating procedures for resuming operations from Disaster Recovery (DR) site of QSB.
8.5.12. The CISO of the QSB shall review the implementation of the BCP and SOP on DR on monthly basis and submit a report to the board of QSBs.
8.5.13. All the provisions applicable to specified stock brokers (as stated in SEBI circular SEBI/HO/MIRSD/TPD-1/P/CIR/2022/160 dated November 25, 2022 regarding Framework to address the ‘technical glitches’ in Stock Brokers’ Electronic Trading Systems) shall also be applicable to the QSBs.
Periodic Audit
8.5.14. QSBs shall arrange to have their systems audited on half-yearly basis by a CERT-IN empanelled auditor to check compliance with the above mentioned requirements related to cyber security and other circulars of SEBI on cybersecurity and technical glitches, to the extent they are relevant to them and shall submit the report to stock exchanges along with the comments of the cybersecurity committee within one month of completion of the half year.
8.6. Investor Services including online complaint redressal mechanism:
8.6.1. QSBs must have investor service centers in all cities where they have branches.
8.6.2. QSBs shall have online capabilities for engaging with clients, responding to investor queries and seamless facility for filing complaints by investors and clearly defined escalation procedures.
8.6.3. The complaints redressal mechanism should be investor friendly and convenient. The same should have capabilities of being retrieved easily by the complainant online through complaint reference number, e-mail id, mobile no. etc.
9. Enhanced Monitoring of QSBs:
9.1. QSBs shall be subjected to enhanced monitoring and surveillance including additional submissions to be made to MIIs/SEBI, as and when sought.
9.2. Stock Exchanges, in consultation with SEBI, shall carry out annual inspection of QSBs and communicate the findings of such inspection along with action taken report to SEBI.
9.3. Stock Exchanges shall devise a comprehensive framework to carry out enhanced monitoring of such QSBs. An illustrative list of areas is as follows:
i. Funds and securities of clients which are handled by the QSB;
ii. Significant changes in net-worth of the QSB;
iii. Significant changes in profits/losses, as compared to previous financial year;
iv. Adverse findings in audit reports;
v. Adherence to prescribed timelines in case of various periodic submissions to be made by QSB;
vi. Timely submission of any information sought by SEBI/MIIs;
vii. Adherence to enhanced obligations and responsibilities stated in this circular; and
viii. Quality of services being provided to investors.
9.4. In case of any deviation/violation observed, Stock Exchanges shall take necessary steps to ensure that the same is corrected by QSBs including initiating disciplinary action, wherever found necessary, in accordance with the relevant regulatory provisions/bye-laws.
10. The provisions of this circular (excluding para 7.4) shall come into effect from July 01, 2023.
11. Stock Exchanges and QSBs shall put in place appropriate systems and procedures to ensure compliance of the provisions of this circular.
12. Stock Exchanges are directed to:
12.1. bring the provisions of this circular to the notice of their members / participants and also disseminate the same on their websites;
12.2. make necessary amendments to the relevant Bye-laws, Rules and Regulations for the implementation of the above provisions;
12.3. issue the first list of QSBs within 15 days from the date of issuance of this circular; and
12.4. seek confirmation from QSBs that necessary systems required to comply with the enhanced obligations and responsibilities for QSBs, stated in this circular, are in place and shall submit a compliance report to SEBI within 7 days of implementation.
13. This circular is issued in exercise of powers conferred under Section 11(1) of the Securities and Exchange Board of India Act, 1992, and Section 19 of the Depositories Act, 1996 to protect the interests of investors in securities and to promote the development of, and to regulate the securities markets.
Yours faithfully
Aradhana Verma
Deputy General Manager
Tel. No: 022 26449633
aradhanad@sebi.gov.in
