Digital database under ‘Insider Trading’ laws and evolving chain of responsibility
Updated: Oct 27, 2020 11:30 AM
A key cause for concern will be data security and integrity of sensitive data like PAN details or equivalent identifiers in case of foreign nationals, which are required to be maintained as part of the digital database.
A price-sensitive development within a company is a complex and often iterative exercise, where the ambit of persons involved is a constant variable
On October 8, 2020, SEBI issued a revised set of FAQs on the Insider Trading Regulations, 2015. At first blush, these appear to be somewhat routine clarifications, issued in the form of Q&A to augment the internal processes of listed companies, intermediaries, and fiduciaries when they set out to collate data of persons with access to price-sensitive information. A closer look though points us to a wide assortment of complexities.
Before we proceed, some background to this regulatory stipulation itself. An amendment in 2018, pursuant to the TK Viswanathan Committee recommendations, introduced a provision in the Insider Trading Regulations, which directed all companies (and their boards) to mandatorily create a “structured digital database” (fortified with adequate internal controls, audit trails, time stamps) that would contain the names of those who received price sensitive information, along with their PAN numbers or equivalent identifiers. This was intended to operate as a tool of strategic importance to SEBI and aid in the efficiency of regulatory investigations by casting a wider net.
Over the past couple of years, however, this requirement has evolved and steadily intensified in scale due to several amendments, guidance notes, and FAQs issued by SEBI. An important sequitur to any directive to maintain such a database is to understand its scope and applicability. Was this limited to listed companies only, as originators of price-sensitive information?
SEBI responded with a clarification in a Guidance Note in July 2019 (subsequently sanctified through an amendment in 2020), clarifying that not only listed companies but SEBI registered intermediaries and fiduciaries such as audit firms, law firms, consultants, etc who handled UPSI of listed companies also needed to create and tend to their own digital catalogues.
In fact, the July 2020 amendment also clarified that this database must delineate the nature of the UPSI involved and details of persons with whom such information has been shared by original recipients. All data so collated must be preserved for 8 years and interestingly, in the event of receipt of any information from SEBI regarding an ongoing investigation or proceedings, the relevant information in the structured digital database must be “preserved till the completion of such proceedings”.
The second critical question revolved around the granularity of such data. For instance, in any listed company restructuring/acquisition, where the key actors are the principals to the transaction itself, the investment bank(s), law firms and auditors, the company itself populates a list of its own employees/insiders who are privy to the deal. But in so far as the external advisors are concerned, would the company need to pierce the veil and maintain a detailed list of each of those coverage teams as well? FAQs issued by SEBI in November 2019 adopted a practical approach and clarified that each entity must identify its own deal team only and rely upon the others (given their own legal status as intermediaries and fiduciaries), to in turn follow through within the chain of responsibility and create a detailed list of their respective employees working on the same project.
Whilst still a substantial compliance exercise, such a method ensured that each organization was a master of its own data and monitored/updated information regarding individuals within its own organization. Most importantly, this also meant that entities and their boards were cast with the regulatory responsibility of a dataset that they were in control of. To better coordinate across multiple lines of businesses and different office locations, many market participants also commissioned bespoke digital solutions specifically for this purpose, which ensured seamless and timely data updation.
The October 8th amendments have entirely altered that approach. The FAQs now state that each entity must maintain details of other advisers and firms as well as their natural persons involved in the price-sensitive event. Using an example, the FAQ clarifies that where individuals within a listed company share information with their external consultants, the listed company’s database must contain details of all recipients (both corporate and individual) and such details must be separately replicated on the systems of the advisers as well.
A price-sensitive development within a company is a complex and often iterative exercise, where the ambit of persons involved is a constant variable, growing or shrinking based on how the project itself evolves. Although most entities keep track of their own “wall-crossed” employees, the task of remaining authentic bookkeepers of each other’s coverage teams as well as a complex task. Not only will such expectations spawn avoidable maker-checker relationships between parties, but will effectively turn what was a linear chain of responsibility into an unwieldy web of overlapping information.
Also, a natural consequence of such a regulatory directive will be for all parties to build contractual protection through information rights, with specific indemnity clauses also likely finding their way into engagement letters and mandates. It will be interesting to see how this arrangement plays out inter-se the advisers themselves, who otherwise do not have a contractual relationship but based on these amendments, may now need to keep track and store data of the other’s deal teams.
Another key cause for concern will be data security and integrity of sensitive data like PAN details (or equivalent identifiers in case of foreign nationals) which are also required to be maintained as part of the database. This will be accompanied by its own ramifications and risk for corporate entities that must now securely obtain and maintain such data of natural persons that they otherwise have no employment or business relationship with, especially when read with the 8-year retention requirement (or longer if there are ongoing proceedings).
Even if one were to look beyond questions on why such far-reaching directives are introduced through FAQs (and not formal amendments), there is little doubt that SEBI needs better access to information from the market today for its enforcement powers to yield their intended impact. Data collation of this nature rightfully allows SEBI somewhat of a foundation and a ready reckoner to commence its investigation with, rather than build the dramatis personae from the ground up. That said, the implementation of these requirements is going to be a challenge across industry participants and should ideally have been preceded by an industry impact assessment, that would allow for a cost-benefit analysis and help arrive at optimal outcomes.
The present approach of keeping parties on the hook, especially within the strict liability regime of the Insider Trading Regulations, for data that is beyond their control is daunting and will impede meaningful compliance. SEBI must design an appropriate regulatory solution for such concerns, which acknowledges the inherent gaps and risks that will inevitably arise and in doing so, as has often been said in the context of the Data Rush age, should consider if our processes will generate more data or more vulnerabilities.
Shruti Rajan is Partner at Trilegal and specialises in areas of financial regulatory advisory and enforcement. Views expressed are the author’s personal.