CIR/MRD/DP/8/2011 June 30, 2011
Sub: Review of Internet Based Trading (IBT) and Securities trading using Wireless Technology (STWT)
1. Further to the SEBI circular no SMDRP/POLICY/CIR-06/2000 dated January 31, 2000 on Internet Based Trading and SEBI circular no CIR/MRD/DP/25/2010 dated August 27, 2010 on Securities Trading using Wireless Technology, it has been decided that the stock exchange shall ensure that the broker complies with the following –
a. The broker shall capture the IP (Internet Protocol) address (from where the orders are originating), for all IBT/ STWT orders.
b. The broker's system should have built-in high system availability to address any single point failure.
c. There should be secure end-to-end encryption for all data transmission between the client and the broker through a Secure Standardized Protocol. A procedure of mutual authentication between the client and the broker server should be implemented.
d. The broker system should have adequate safety features to ensure it is not susceptible to internal/ external attacks.
e. In case of failure of IBT/ STWT, the alternate channel of communication shall have adequate capabilities for client identification and authentication.
f. Two-factor authentication for login session may be implemented for all orders emanating using Internet Protocol. Public Key Infrastructure (PKI) based implementation using digital signatures, supported by one of the agencies certified by the government of India, is advisable. Further, the two factors in the Two-factor authentication framework should not be the same.
g. In case of no activity by the client, the system should provide for automatic trading session logout.
Further to the above, the following practice is advisable –
h. The back-up and restore systems implemented by the broker should be adequate to deliver sustained performance and high availability. The broker system should have on-site as well as remote site back-up capabilities.
2. The clauses 1(a) to 1(g) shall be implemented within 9 months from the date of this circular.
3. SEBI vide circular no SMDRP/POLICY/CIR-06/2000 dated January 31, 2000 specified that exchanges shall put in place a system for handling of complaints with regard to IBT. In continuation to the above, the exchanges shall put in place a system for monitoring of specific complaints with regard to unauthorized access using IBT.
4. Exchanges are advised to
a) make necessary amendments to the relevant bye-laws, rules and regulations for the implementation of the above decision.
b) bring the provisions of this circular to the notice of the member brokers/clearing members of the Exchange and also to disseminate the same on the website.
c) communicate to SEBI, the status of the implementation of this circular in the Monthly Development Report.
5. This circular is being issued in exercise of powers conferred under Section 11 (1) of the Securities and Exchange Board of India Act, 1992 to protect the interests of investors in securities and to promote the development of, and to regulate the securities market.
Deputy General Manager