Markets regulator Sebi today asked registrars and share transfer agents to comply with enhanced monitoring requirements, through implementation of internal policy framework and periodic reporting on key risk areas, data security measures and governance structures.
Markets regulator Sebi today asked registrars and share transfer agents to comply with enhanced monitoring requirements, through implementation of internal policy framework and periodic reporting on key risk areas, data security measures and governance structures. Apart from data security measures and governance structures, periodic reporting should also be done in areas like business continuity, measures taken for enhanced investor services, grievance redressal and insurance against risks.
In a circular, Sebi has asked qualified registrars to an issue and share transfer agent (QRTAs) to formulate and implement a comprehensive policy framework approved by the board of directors. The comprehensive view of risks to the QRTAs include those emanating from vendors, third parties to whom activities are outsourced and clients.
They need to identify all relevant risks, including operational, fraud risk, technology, cyber security general business risk including credit, market, legal and reputation and put in place systems and procedures “to assess, monitor and manage the risks that arise in or are borne by the QRTAs, including audit and reporting of the same to the board of directors”.
Besides, they need to put in a place guidelines to fix responsibilities and accountability for risk decisions and decision making process in crises and emergencies. QRTAs are required to have written policy, protocols, processes and controls for business continuity plan (BCP) and need to “ensure business continuity and no adverse impact on investor servicing resultant of any data loss”.
“The effectiveness of BCP to be tested periodically, and the gap between two tests (mock drills) shall not be more than 12 months,” Sebi noted. QRTAs will have to maintain accurate up to date records for investor servicing and take all precautions necessary to ensure that the records are not lost or destroyed, and in the event of loss or destruction, ensure that sufficient back up of records is available at all times at a different place.
According to Sebi, registrar and share transfer agents will have to comply with the directive within six months and “the first compliance with these guidelines shall be submitted within 30 days from the end of six months period”.
“The compliance report of the enhanced reporting norms shall be submitted to Sebi duly reviewed by the board of directors of QRTAs, within 60 days of expiry of each calendar quarter,” it added. The registrar and share transfer agents’ board of directors would seek reports on incidents having an impact on investor protection including data security breaches that can affect investor data.