Enhanced Obligations & Responsibilities on QSBs: SEBI
23 May, 2024
On 6th February 2023, SEBI, vide circular SEBI/HO/MIRSD/MIRSD-PoD-1/P/CIR/2023/24, provided the Enhanced Obligations & Responsibilities on QSBs, i.e. Qualified Stock Brokers. This circular enumerates the parameters which would be considered for designating a stock broker as a QSB, their enhanced obligations and responsibilities, and guidelines on the enhanced monitoring of them by Market Infrastructure Institutions (MIIs). The present article discusses all such aspects in detail to provide a better understanding of the same.
Parameters which shall be considered for designating a stock broker as QSB:
Initially, the below-mentioned parameters shall be considered for designating a stock broker as QSB:
- The total number of active clients of the stock broker;
- The clients’ total assets available with the stock broker;
- The trading volumes of the stock broker, not including their proprietary trading volume; and
- The end-of-day margin obligations of the stock broker’s clients (not including the proprietary margin obligation of the stock broker in all segments).
Procedure for Assignment of a score to a stock broker
The procedure for assigning a score to a stock broker is enumerated below –
The individual score of each stock broker for a particular parameter shall be calculated as the stock broker’s value for that parameter ÷ the aggregate of that parameter across all stock brokers, i.e., a stock broker’s count of active clients ÷ the aggregate count of active clients of all stock brokers. Individual scores shall be calculated for the other parameters in a similar manner.
The total score shall be derived by adding the individual scores of every parameter, and for the purpose of calculating the score for every financial year, the score as of the 31st day of December of every FY shall be taken into consideration.
Identification of QSBs
- The stock brokers whose total score is ≥ 5 based on the above-mentioned parameters shall be identified as Qualified Stock Brokers, and the first list with regard to the same shall be prepared based on the parameters as of 31.12.22. There might be an extension of such framework to more stock brokers if deemed necessary, and the additional parameters such as the stock broker’s compliance and grievance redressal score as well as their proprietary trading volumes
- The calculation of such scores shall be done on an annual basis, and the release of the revised list of QSBs shall be done jointly by the stock exchanges after consulting with SEBI.
- The QSBs no longer belonging to the revised list would continue the compliance with the enhanced obligations & responsibilities for an additional period of 3 FYs or such time as may be specified by SEBI/stock exchanges[1].
Enhanced obligations and responsibilities for QSBs:
The QSBs shall have the below-mentioned obligations and responsibilities
Governance Structure and Processes
- The Board of Directors (BoD) or analogous body of the qualified stock brokers would exercise oversight over the vulnerabilities/incidents impacting their functioning in the securities market and investor protection, inclusive of data security breaches that can affect investor data.
- Further, the qualified stock brokers shall have committees of the BoD or analogous body such as the Nomination and Remuneration Committee, Audit Committee (for listed QSBs), Information Technology (IT) Committee, Cyber Security Committee, Risk Management Committee, or any other committee as mandated by SEBI from time to time.
- The CFO or an analogous person of such brokers shall submit to the audit committee the details in respect of the financial status of the entity, internal financial controls and risk management systems, disclosure of any related party transactions, inter-corporate loans and investments, compliance with listing and other legal requirements in relation to financial statements, compliance with regulatory provisions etc.
- QSBs shall consult with the nomination and remuneration committee regarding appointment, tenure and remuneration prior to appointing directors, Key Managerial Personnel (KMP) and other employees.
- Inputs shall be sought from various committees, such as the risk management committee and cyber security committee, at the time of framing policies for the respective areas, such as risk management of the organization and establishment of a robust cyber security framework and IT infrastructure and scalability of operations.
- An annual report must be submitted by the Qualified Stock Brokers to the stock exchanges with respect to observations with regard to the committees of BOD or analogous body and the corrective action taken by the QSB in respect of the same as well as measures taken to prevent the reoccurrence of such incidents.
Risk Management Policy and Processes
A clear and well-documented risk management policy encompassing the following must be devised by every QSB.
a) List of all relevant risks that might be borne by them, such as:
i. Risks arising during KYC and the process of opening an account, like submission of incomplete KYC forms by the clients, submission of fake information with the intention of committing fraud, and failure to update information earlier submitted during KYC in case of any change;
ii. Operational risks such as faulty systems that might cause erroneous execution of orders from clients’ accounts and/or unauthorized trading on client’s behalf and misuse of client’s sensitive information by any employee of the qualified stock brokers
iii. Technology risks like technical glitches and cyber-attacks; and
iv. General risks such as credit risk, fraud risk, legal risk, market risk, risk due to outsourcing of activities to third parties and reputation risk
The risk management policy shall –
a) Strive towards addressing the root cause of the risks and preventing the recurrence of such risks;
b) Enable early identification and prevention of risk;
c) Assess the likely impact of a probable risk event on several aspects of the functioning of the QSB, such as the impact on investors, impact on other stakeholders in the market, financial loss to them etc., and provide measures for minimizing the impact of such event; and
d) Assign accountability and responsibility (KMP) in the organization.
Surveillance of client behaviour:
The risk management framework must consist of measures for conducting surveillance of client behaviour through analysis of the pattern of trading done by clients, detecting any unusual activity being carried out by the clients, reporting the same to stock exchanges, and taking necessary measures for preventing any kind of fraudulent activity in the market, with regard to the regulatory requirements prescribed by SEBI and MIIs.
Ensuring Integrity of Operations
- Maintenance of adequate human resources, systems, processes and procedures is essential for qualified stock brokers for the seamless running of operations and protection of investor data.
- The staff of the QSBs would be provided with the necessary resources and support for carrying out their duties in an effective and efficient manner, along with training the employees at regular intervals with respect to the matters relating to the activities being handled by them.
- A CXO level officer shall have the responsibility of managing key risks, i.e., Chief Compliance Officer (responsible for all regulatory compliance-related activities), Chief Information Security Officer (responsible for all cybersecurity-related activities), CRO (responsible for overall risk management associated with the functioning of the QSB).
- Employing adequate tools for automating the process of risk management, reporting and compliance.
- The risk management policy must be reviewed on a half-yearly basis by the Qualified Stock Brokers, followed by the submission of a report in respect of the same by their risk management committee to the stock exchange.
- The BoD/senior management shall check for any recurrence of a particular incident, followed by taking prompt and appropriate action, including fixing accountability.
Framework for orderly winding down:
It is the responsibility of the QSB to devise a framework for the orderly wind-down of business for ensuring the continuity of services to its clients in the event of the closure of business by them owing to their lack of ability towards providing services to its clients or meeting the prescribed regulatory requirements or any other reason. This type of wind-down framework shall have the following:
- Seamless portability of its clients to other stock brokers registered with while protecting the funds and securities of such clients;
- Providing all necessary support to the clients for ensuring a smooth and secure transfer process;
- Supplying adequate notice to the clients prior to winding down of the operations, not before taking approval from the stock exchanges; and
- Preventing any prominent impact on the market and inconvenience to the investors.
In case the wind-down takes place due to regulatory action, erosion of the net worth of the QSB etc., this type of wind-down of their operations will be implemented under the stock exchange’s supervision.
Robust cyber security framework and processes
- Digitalization and online platforms have increased the need for effective mitigation of information and cyber risks. SEBI has specified the framework for cyber security and cyber resilience that must be followed by all stock brokers.
- However, QSBs handle the sensitive data of a large number of investors in the securities market, and any cyber-attack on their systems can compromise the integrity and confidentiality of such data.
- Therefore, the qualified stock brokers shall have additional features in their cyber security framework commensurate with the amount of data they handle.
- The QSB’s cyber security committee shall review the framework on a half-yearly basis and review the cases of cyber-attacks, if any, and take steps for strengthening their cyber security framework.
- The qualified stock brokers shall have a dedicated team of security analysts, including domain experts in the field of network security, cyber security and resilience and data security, for carrying out the following activities:
  - Preventing cyber security incidents by way of continuous threat analysis, deploying adequate and appropriate technology to prevent attacks originating from the external environment, network and host scanning for vulnerabilities and breaches, and internal controls to manage insider threats etc.
  - Monitoring, detection and analysis of potential intrusions/security incidents in real-time and through historical trending on security-relevant data sources.
  - Operating network defence technologies such as IDSes and data collection/analysis systems.
  - Conducting cyber-attack simulations on a quarterly basis to aid in developing cyber resiliency measures and to test the adequacy and effectiveness of the framework so adopted.
  - Conducting training and awareness programs for its employees regarding cyber security and situational awareness on a quarterly basis.
  - Prevention of attacks similar to those already faced.
- A quarterly report must be submitted by such a dedicated team to the QSB’s BoD on the above-mentioned activities carried out by them, along with details of cyber security incidents which took place and details of incidents so prevented from occurring.
- The dedicated team of security analysts would report to the qualified stock broker’s CISO, who shall be designated as a Key Managerial Personnel (KMP) and would directly report to their MD & CEO.
- There must be well-defined and documented processes for monitoring the qualified stock broker’s systems and networks, usage of appropriate technology tools, classifying the threats and attacks, analysis of cyber security threats and potential intrusions/security incidents, escalating the hierarchy of incidents, responding to threats and breaches, and reporting of the incidents.
Vulnerability Assessment and Penetration Testing (VAPT)
- QSBs shall conduct continuous assessments of the threat landscape faced by them, and conduct vulnerability assessments on a half-yearly basis for detection of the security vulnerabilities in their IT environments exposed to the internet.
- Along with this, carrying out penetration tests on a half-yearly basis is also necessary for conducting an in-depth assessment of the system’s security posture through simulations of actual attacks on its systems and networks exposed to the internet.
Business Continuity Plan
- QSBs shall have a comprehensive Business Continuity Plan (BCP), which shall be reviewed on a half-yearly basis for the purpose of minimizing the incidents affecting the continuity of business.
- They shall develop and document the mechanisms and SOPs for recovering from the cyber-attacks within the stipulated Recovery Time Objective (RTO) of qualified stock brokers, various scenarios and standard operating procedures for resuming operations from the Disaster Recovery (DR) site of qualified stock brokers.
- The QSB’s CISO shall review the implementation of the BCP and SOP on DR on a monthly basis, followed by the submission of a report to their board of directors.
- All the provisions that apply to specified stock brokers (as stated in the SEBI circular dated November 25, 2022) would be applied to such brokers.
Periodic Audit
The systems of the QSB should be audited on a half-yearly basis by an auditor empanelled with CERT-In for checking compliance with the above-mentioned requirements regarding cyber security and other circulars of SEBI on cyber security and technical glitches, to the extent relevant to them. The report shall be submitted to stock exchanges together with the comments of the cyber security committee within a month of completion of the half year.
Investor Services, including online complaint redressal mechanism:
- QSBs must have investor service centres in all cities where they have branches.
- They must possess online capabilities for engaging with clients, responding to investor queries and a seamless facility for complaint filing by investors and clearly defined escalation procedures.
- Investor-friendly and convenient complaints redressal mechanism
- The same should have the capability of being retrieved easily by the complainant online through a complaint.
Enhanced Monitoring of QSBs
- There shall be enhanced monitoring and surveillance of the QSBs, along with additional submissions, which shall be made to MIIs/SEBI when asked for.
- The respective stock exchanges shall carry out the annual inspection of such stock brokers in consultation with SEBI, communicate the findings of such inspection along with the action taken, and report to SEBI.
- Stock Exchanges shall come up with a comprehensive framework for conducting enhanced monitoring of such qualified stock brokers. An illustrative list of areas is as follows:
  - Handling of clients’ funds and securities by the QSB;
  - Significant changes in the net worth of the Qualified Stock Brokers;
  - Prominent changes in profits/losses, as compared to the previous financial year;
  - Adverse findings in audit reports;
  - Compliance with the prescribed timelines in the event of various periodic submissions made by qualified stock brokers;
  - Timely submission of any information asked by SEBI/MIIs;
  - Compliance with the enhanced obligations and responsibilities stated in this circular; and
  - Quality of services being provided to investors.
In the event of any deviation/violation, Stock Exchanges shall take necessary steps for ensuring that the same is corrected by qualified stock brokers, including the initiation of disciplinary action, wherever deemed necessary, according to the relevant regulatory provisions/by-laws.
Stock Exchanges and qualified stock brokers shall have appropriate systems and procedures for ensuring compliance with this circular’s provisions.
The circular directs all the stock exchanges to –
- Notify the provisions of this circular to its members/participants along with disseminating the same on their websites;
- Amend the relevant Bye-laws, Rules and Regulations for implementing the above-mentioned provisions.
- Issue the first list of QSBs within a span of 15 days from the date of issuance of this circular;
- Take confirmation from such brokers that the necessary systems required for compliance with the enhanced obligations and responsibilities for Qualified Stock Brokers, as provided in the circular, are in place, followed by submitting a compliance report to SEBI within 7 days of implementing the same.
Conclusion
The board has issued this circular in the exercise of powers provided u/s 11(1) of the SEBI Act 1992 and Section 19 of the Depositories Act 1996 for protecting the investor’s interest in securities and promoting the development of and regulation of the securities markets.