SOP for handling of technical glitches by MIIs

Last updated: 09 July 2021

 Notice Date : 05 July 2021

Securities and Exchange Board of India

CIRCULAR

SEBI/HO/MRD1/DTCS/CIR/P/2021/590

July 05, 2021

To,
All Stock Exchanges
All Clearing Corporations
All Depositories,

Dear Sir/ Madam,

Sub.: Standard Operating Procedure for handling of technical glitches by Market Infrastructure Institutions (MIIs) and payment of “Financial Disincentives” thereof

1. MIIs (i.e. Stock Exchanges, Clearing Corporations and Depositories) are systemically important institutions as they, inter-alia, provide infrastructure necessary for the smooth and uninterrupted functioning of the securities market.

2. With increasing dependence on technology, as the operations and functioning of MIIs are fully automated right from order entry to order matching to trade confirmation leading up to clearing and settlement of trades, the instances of technical glitches at MIIs, leading to business disruption/unavailability of services provided by MIIs, have been occurring, despite various mechanisms stipulated by SEBI such as Business Continuity Planning, Disaster Recovery policies, System Audit etc.

3. The general practice in the computing/technology industry to deal with business disruption/unavailability of services, is to work with specified downtime and for downtimes beyond such specified time, a pre-defined penalty structure is included in Service Level Agreement.

4. Considering the criticality of smooth functioning of systems of MIIs (as any disruption adversely impacts all classes of investors / market participants as well as the credibility of the securities market), specifying a pre-defined threshold for downtime of systems of MIIs becomes desirable. For any downtime or unavailability of services, beyond such pre-defined time, there is a need to ensure that “Financial Disincentive” is paid by the MIIs as well as Managing Director (being the executive head in-charge of all the day to day operations) and Chief Technology Officer (being the executive head in-charge of technology) of the MII. This will encourage MIIs to constantly monitor the performance and efficiency of their systems and upgrade/ enhance their systems etc. to avoid any possibility of technical glitches/disruption/disaster and restart their operations expeditiously in the event of glitch/disruption/disaster.

5. Accordingly, after extensive discussion with various stakeholders, it has been decided that, MIIs shall :

a. Follow the Standard Operating Procedure (SOP) for handling technical glitches as detailed at Annexure - I of this Circular, and,

b. Comply with the “Financial Disincentive” structure as detailed at Annexure - II of this Circular.

6. The aforesaid “Financial Disincentives”, when triggered automatically under predefined conditions, as detailed in Annexure-II of this Circular, shall be credited to the Investor Protection Fund / Core Settlement Guarantee Fund maintained by the MII.

7. This circular is being issued in exercise of powers conferred under Section 11 (1) of the Securities and Exchange Board of India Act, 1992 to protect the interests of investors in securities and to promote the development of, and to regulate the securities market.

8. This circular is available on SEBI website at www.sebi.gov.in under the categories “Legal Framework” and “Circulars”.

9. This circular shall come into effect from August 16, 2021 and shall supersede the SEBI directions dated August 06, 2019 to the MIIs having reference no. SEBI/HO/MRD/DOP1/OW/P/20062/7/2019 with regard to handling of technical glitches.

Yours faithfully,

Ansuman Dev Pradhan
Deputy General Manager
Division of Technology & Cyber Security
Market Regulation Department
+91-22-26449622
Email: ansumanp@sebi.gov.in

ANNEXURE- I
Standard Operating Procedure (SOP) for handling of technical glitches

Definition of “Technical Glitch”

1. Technical glitch shall mean any malfunction in the systems of an MII. Malfunction in the systems of the MII shall include malfunction in its (a) hardware, or; (b) software, or; (c) any products/ services provided by the MII, whether on account of inadequate infrastructure/ systems or otherwise, which may lead to either stoppage or variance in the normal functions/ operations of systems of the MII.

Reporting Requirements

2. The following reporting structure for technical glitches shall be adopted by the MIIs:

Sl. No. | Disruption | Reporting
1. | No business disruption | Standing Committee on Technology (SCOT) of MII; Governing Board of MII
2. | Business disruption | SCOT of MII; Governing Board of MII; SEBI

Business disruption shall mean either stoppage or variance in the normal functions/operations of systems of the MII thereby impacting normal/regular service delivery of the MII.

2.1. With regard to incidents resulting in business disruption, the following shall be submitted by the MIIs to SEBI:

(i) Information of technical glitch on immediate basis but not later than 2 hours from the time of occurrence of the glitch; provided that glitches of the nature of a disaster- as defined in SEBI Circular dated March 22, 2021 having reference number SEBI/HO/MRD1/DTCS/CIR/P/2021/33 - shall be reported immediately upon declaration of disaster.

(ii) Preliminary report within 24 hours of the occurrence of the glitch.

(iii) Comprehensive Root Cause Analysis (RCA) report and corrective action taken to address the technical glitch within 21 days of the incident. Such report shall be submitted to SEBI, after placing the same before the Standing Committee on Technology and the Governing Board of the MII and confirming compliance with their observations.

(iv) RCA submitted by the MIIs should inter-alia include exact cause of the technical glitch (including root cause from vendor(s), if applicable), exact duration of the technical glitch, chronology of events, list of business processes/systems and time for which they were impacted, recommendations of SCOT / Governing Board of MII, details of corrective/ preventive measures taken (or to be taken) by MII along with timelines and any other aspect relevant to the technical glitch. As part of the RCA, MIIs are required to demonstrate compliance with various requirements of this SOP. The RCA shall include details regarding time of incident, time when operations were restored and in the event of a disaster, time when disaster was declared.

2.2. All communication and information with regard to technical glitch shall be shared by the MII with SEBI through a dedicated e-mail id viz. techglitch@sebi.gov.in

Placing before Technical Advisory Committee (TAC)

3. With regard to the incidents wherein business is disrupted, the RCA and corrective action taken, as submitted by the MII, shall be placed before TAC of SEBI. TAC/ SEBI, if it so desires, may seek additional information/ clarification from the MII regarding the technical glitch.

4. In case TAC finds the actions taken by the MII as inadequate, then, based on the recommendations of TAC, the MII shall be required to address the technical glitch by taking appropriate corrective actions, within the timeline specified by TAC/SEBI. While deciding such timeline, criticality of the malfunction and/or the services/ applications affected by the same shall also be taken into consideration.

ANNEXURE- II

“Financial Disincentive” structure with regard to handling of technical glitches

Failure to timely submit RCA

1. In case of delay in submission or submission of incomplete/ inadequate RCA by an MII, a “financial disincentive” of Rs.1,00,000 per working day shall be paid by the MII for each working day of delay from the timeline specified at Para 2.1(iii) of Annexure-I of this Circular or any revised timeline specified by TAC/SEBI for submission of exact RCA.

Failure to timely address technical glitch

2. In order to ensure that MIIs address technical glitch within the timeline specified by TAC/SEBI, the following progressive slab-wise “financial disincentive” shall be paid from the expiry of the timeline specified by TAC/ SEBI:

S No. | No. of working days during which failure continues (i.e. after expiry of the timeline specified by TAC/ SEBI) | Financial disincentive to be paid by the MII (Rs.)
i. | First 15 working days | 2 lakh per working day
ii. | Subsequent 15 working days | 3 lakh per working day in addition to S No. (i) above
iii. | Beyond 30 working days | 25 lakh in addition to S No (i) and (ii) above

Failure to declare disaster within stipulated timelines

3. Vide SEBI Circular dated March 22, 2021 having reference number SEBI/HO/MRD1/DTCS/CIR/P/2021/33, it has been mandated that, in the event of disruption of any one or more of the ‘Critical Systems’, the MII shall, within 30 minutes of the incident, declare that incident as ‘Disaster’. In case of delay in declaration of disaster beyond the timeline specified by SEBI, the following “financial disincentive” shall be paid:

S No. | Delay in declaration of disaster beyond abovementioned timeline specified by SEBI | Financial disincentive Equivalent (Rs.)
i. | Financial disincentive on MII | 10% of average of standalone net profit for previous two financial years or Rs. 2 cr., whichever is higher.
ii. | Financial disincentive on Managing Director (MD) and Chief Technology Officer (CTO) of MII separately | 10% each of their annual pay (both fixed and variable components) for the financial year when the disaster occurred

Failure to restore operations within Recovery Time Objective (RTO)

4. In the event of a disaster, if an MII fails to restore its operations within the RTO prescribed by SEBI, i.e. to restore operations of ‘Critical Systems’ including from Disaster Recovery Site within 45 minutes of declaration of Disaster, the following “financial disincentive” shall be paid:

S No. | Failure to restore operations within the RTO prescribed by SEBI | Financial disincentive Equivalent (Rs.)
i. | Financial disincentive on MII | 10% of average of standalone net profit for previous two financial years or Rs. 2 cr., whichever is higher.
ii. | Financial disincentive on MD and CTO of MII separately | 10% each of their annual pay (both fixed and variable components) for the financial year when the disaster occurred

“Financial disincentive” under Clause 3 and Clause 4 above, in relation to the same disaster, shall be paid only once either under Clause 3 or Clause 4.

5. Further, if an MII fails to restore operations of Critical Systems including from Disaster Recovery Site within three hours from the occurrence of the disaster, the following additional “financial disincentive” (over and above S No 3 or 4 above) shall be paid:

S No. | Failure to Restore operations of Critical systems beyond abovementioned timeline | Financial disincentive Equivalent (Rs.)
i. | Financial disincentive on MII | 10% of average of standalone net profit for previous two financial years or Rs. 2 cr., whichever is higher.
ii. | Financial disincentive on MD and CTO of MII separately | 10% each of their annual pay (both fixed and variable components) for the financial year when the disaster occurred

Failure to restore normalcy in cases of business disruption, not being in the nature of a Disaster

6. In the event of any business disruption, which is not required to be declared as “Disaster” as per SEBI circular dated March 22, 2021 having reference number SEBI/HO/MRD1/DTCS/CIR/P/2021/33, if an MII fails to restore normalcy of operations within 75 minutes of the incident, the following slab wise “financial disincentive” shall be paid by the MII:

S No. | Failure to Restore normalcy within | Financial disincentive (Rs.)
i. | 75 minutes to 3 hours of the incident | Rs. 50 lacs
ii. | Beyond 3 hours of the incident | Rs.1 crore

7. The amount of “financial disincentive” paid as per the above structure shall be credited by MII to the following funds maintained by it :

S No. | Financial Disincentive on MIIs, MD and CTO | Credited to Funds
i. | Stock Exchange | Investor Protection Fund (IPF)
ii. | Clearing Corporation | Core Settlement Guarantee Fund (Core SGF)
iii. | Depositories | Investor Protection Fund (IPF)

8. Further, the MII shall submit a compliance report within 90 days of occurrence of disaster/ business disruption to SEBI providing details of payment of “financial disincentives” including computation of “financial disincentives” as per the SOP and the date when the amount was credited to the aforementioned funds. With regard to “financial disincentive” on the MD/CTO of the MII arising out of the variable pay component, the compliance report shall be submitted within 30 days of determination of variable pay of the concerned officials for the financial year when the disaster occurred.

9. With regard to the requirement of payment of “financial disincentive” on the aforesaid officials of the MII (i.e. MD and CTO), the MII shall insert a suitable clause in the terms of appointment of these officials and/ or in the Internal Code of Conduct of the MII to comply with the “financial disincentive” requirements.

10. The financial disincentives automatically triggered under predefined circumstances as stated in clauses 1,2,3,4,5,6 above shall be paid by the MIIs. However, these financial disincentives shall be without prejudice to any action as may be initiated by SEBI.

 



