
SEBI/HO/MIRSD/SECFATF/P/CIR/2023/169


Parent Act: THE SECURITIES AND EXCHANGE BOARD OF INDIA ACT, 1992

Text

MASTER CIRCULAR SEBI/HO/MIRSD/SECFATF/P/CIR/2023/169

October 12, 2023

To,
All Intermediaries registered with SEBI under Section 12 of the Securities and Exchange Board of India Act, 1992
Recognised Stock Exchanges
Association of Mutual Funds in India (AMFI)
Association of Portfolio Managers in India (APMI)
BSE Administration & Supervision Limited (BASL)

Dear Sir / Madam,

Subject: Master Circular on Know Your Client (KYC) norms for the securities market

The Securities and Exchange Board of India (SEBI) has been issuing various circulars/directions from time to time on Know Your Client (KYC) norms to be followed by intermediaries in the securities market. In order to enable the users to have access to all the applicable circulars/directions at one place, this Master Circular on the captioned subject is being issued.

This Master Circular is a compilation of the circulars/directions issued by SEBI up to September 30, 2023 on the captioned subject and includes certain modifications to align such circulars/directions with the provisions of the Prevention of Money Laundering (Maintenance of Records) Rules, 2005 [1] and the Securities and Exchange Board of India [KYC (Know Your Client) Registration Agency] Regulations, 2011 [2].

The provisions of this Master Circular shall come into force from the date of its issue. Any modifications/updation in existing KYC records shall be effected in line with the provisions of this Circular by December 31, 2023.

On and from the date of issue of this Circular, all circulars for the purpose of KYC as listed in Appendix shall stand rescinded/modified as indicated therein. Notwithstanding such rescission, A

[1] Prevention of Money Laundering (Maintenance of Records) Rules, 2005
[2] SEBI {KYC (Know Your Client) Registration Agency} Regulations, 2011

Rule TOC

1 · Prevention of Money Laundering (Maintenance of Records) Rules, 2005
2 · SEBI {KYC (Know Your Client) Registration Agency} Regulations, 2011
3 · SEBI Circular No.CIR/MIRSD/16/2011 dated August 22, 2011 and No.MIRSD/SE/Cir-21/2011 dated October 05, 2011
11 · The following are exempted from the mandatory requirement of PAN:
4 · SEBI Circular No.CIR/MIRSD/16/2011 dated August 22, 2011 and No.MIRSD/SE/Cir-21/2011 dated October 05, 2011
5 · SEBI Circular No.CIR/MIRSD/16/2011 dated August 22, 2011 and No.MIRSD/SE/Cir-21/2011 dated October 05, 2011
6 · SEBI Circular No.CIR/MIRSD/16/2011 dated August 22, 2011 and No.MIRSD/SE/Cir-21/2011 dated October 05, 2011
22 · If any proof of address is in a foreign language, then translation into English shall be required.
23 · If correspondence and permanent address is different, then proof for both shall be submitted.
24 · A client can authorize to capture address of a third party as a correspondence address, provided that all prescribed 'Know Your Client' norms are also fulfilled for the third party. The intermediary shall obtain proof of identity and proof of address for the third party. The intermediary shall
25 · Registered intermediaries at the time of commencement of an account-based relationship shall determine whether the client purports to act on behalf of juridical person or individual or trust and the registered intermediary shall verify that any person purporting to act on behalf of such client is so authorized and verify the identity of that person.
7 · SEBI Circular No.CIR/MIRSD/16/2011 dated August 22, 2011 and No.MIRSD/SE/Cir-21/2011 dated October 05, 2011
35 · SEBI registered intermediaries shall obtain the express consent of the client before undertaking online KYC.
38 · The mobile number of client accepted as part of KYC should preferably be the one seeded with Aadhaar.
39 · Mobile and email shall be verified through One Time Password (OTP) or other verifiable mechanism.
42 · The usage of Aadhaar shall be optional and purely on a voluntary basis by the client.
43 · Any document, except for the documents mentioned in the First Schedule of the Information Technology Act, 2000, shall be authenticated by a client by way of electronic/digital signature including Aadhaar e-Sign. Accordingly, the process of performing KYC shall be completed by using electronic/digital signature including Aadhaar e-Sign.
44 · A client can use the electronic/digital signature, including Aadhaar e-Sign service to submit the document to the registered intermediary.
45 · In case of non-individual clients, intermediaries shall exercise caution and satisfy themselves regarding the genuineness of the authorization and identity of the authorized signatories.
46 · The electronic/digital signature, including Aadhaar e-Sign shall be accepted in lieu of wet signature on the documents provided by the client. The cropped signature affixed on the online KYC form under electronic/digital signature, including Aadhaar e-Sign shall also be accepted as valid signature.
47 · Bank details of the client shall be captured online and signed cancelled cheque shall be provided as a photo / scan of the original under electronic/digital signature including Aadhaar e-Sign. Bank account details shall be verified by Penny Drop mechanism or any other mechanism using API of the Bank. The name and bank details as obtained shall be verified with the information provided by client.
48 · Once all the required information as per the online KYC form is filled up by the investor, KYC process shall be completed as under:
100 · The records of those clients in respect of which all attributes mentioned in para 96/97 above are verified by KRAs with official databases (such as Income Tax Department database on PAN, Aadhaar XML/DigiLocker/mAadhaar) shall be considered as Validated Records.
101 · The validated records shall be allowed portability i.e. the client need not undergo the KYC process again when the client approaches different intermediary in securities market and the intermediary shall fetch the validated records from the KRA database.
102 · The KRAs shall follow uniform internal guidelines/standards detailing aspects of identification of attributes and procedures for verification/ validation, in consultation with SEBI .
103 · The systems of intermediaries and the KRAs shall be integrated to facilitate seamless movement of documents/information to and from the intermediary to the KRAs for verification/validation of attributes under risk management framework.
104 · The records of all existing clients whose KYC has been completed based on OVDs other than Aadhaar, shall be verified by December 31, 2023.
105 · All complaints pertaining to KRAs will be electronically sent through SCORES at http://scores.gov.in/Admin. KRAs are directed to view the pending complaints and submit the ATR along with supporting documents electronically in SCORES. Updation of action taken would not be possible with physical ATRs. Hence, submission of physical ATR will not be accepted for complaints lodged in SCORES.
106 · KRAs shall take adequate steps for redressal of grievances within one month from the date of receipt of the complaint and keep the investor and SEBI duly informed on the action taken thereon. Failure to comply with the said requirement will render the KRA liable for penal action.
107 · KRAs are advised to:
108 · Rapid technological developments in securities market have highlighted the need for maintaining robust Cyber Security and Cyber Resilience framework to protect the integrity of data and guard against breaches of privacy.
109 · A robust Cyber Security and Cyber Resilience framework should identify the plausible sources of operational risk, both internal and external, and mitigate the impact through the use of appropriate systems, policies, procedures, and controls. Systems should be designed to ensure a high degree of security and operational reliability and should have adequate, scalable capacity. Business continuity management should aim for timely recovery of operations and fulfilment of its obligation in the event of cyber-attack.
110 · Since KRAs perform important function of maintaining KYC records of the clients in the securities market, the KRAs shall have robust Cyber Security and Cyber Resilience framework in order to provide essential facilities and perform systemically critical functions relating to securities market.
111 · The framework placed at Annexure A shall be complied by the KRAs with regard to Cyber Security and Cyber Resilience.
112 · The KRAs shall conduct comprehensive cyber audit at least twice in a financial year. All KRAs shall submit a declaration from the MD/ CEO certifying compliance by the KRAs with all SEBI Circulars and advisories related to Cyber security from time to time, along with the cyber audit report.
113 · Government of India has authorized the Central Registry of Securitization Asset Reconstruction and Security interest of India (CERSAI), set up under sub-section (1) of Section 20 of Securitization and Reconstruction of Financial Assets and Enforcement of Security Interest Act, 2002, to act as, and to perform the functions of, the Central KYC Records Registry under the PML Rules, 2005, including receiving, storing, safeguarding and retrieving the KYC records in digital form of a "client", as defined in clause (ha) sub-section (1) of Section 2 of the PMLA, 2002.
114 · As required under the PML Rules, registered intermediaries shall capture the KYC information for sharing with the Central KYC Records Registry in the manner mentioned in the PML Rules, as per the KYC template finalised by CERSAI.
115 · Registered intermediaries shall within ten days after the commencement of an account-based relationship with a client, file the electronic copy of the client's KYC records with the CKYCR.
116 · Registered intermediaries shall ensure that all existing KYC records of legal entities and of individual clients are uploaded on to CKYCR when the updated information is obtained/received from the client.
117 · The Central KYC Records Registry User Manual for uploading KYC records on CKYCR finalised by CERSAI is available at https://www.ckycindia.in/ckyc/assets/doc/User_Manual_1.12.1.pdf .
118 · Registered intermediaries shall ensure compliance with requirements contained in the PML Rules in this regard.
119 · For addressing any difficulty in uploading KYC records to CKYCR, CERSAI has operationalised a help desk. Contact details of the CKYCR Helpdesk: Phone: 022-61102592 / 022-50623300, Email: helpdesk@ckycindia.in
3 · 1. 'Identify' critical IT assets and risks associated with such assets,
3 · 2. 'Protect' assets by deploying suitable controls, tools and measures,
3 · 3. 'Detect' incidents, anomalies and attacks through appropriate monitoring tools/processes,
3 · 4. 'Respond' by taking immediate steps after identification of the incident, anomaly or attack,
3 · 5. 'Recover' from incident through incident management, disaster recovery and business continuity framework.
10 · KRAs shall define responsibilities of its employees, outsourced staff, and employees of vendors, members or participants and other entities, who may have access or use KRA's systems / networks, towards ensuring the goal of cyber security.
11 · KRAs shall identify and classify critical assets based on their sensitivity and criticality for business operations, services and data management. The critical assets shall include business critical systems, internet facing applications /systems, systems that contain sensitive data, sensitive personal data, sensitive financial data, Personally Identifiable Information (PII) data, etc. All the ancillary systems used for accessing/communicating with critical systems either for operations or maintenance shall also be classified.
12 · KRAs shall accordingly identify cyber risks (threats and vulnerabilities) that it may face, along with the likelihood of such threats and impact on the business and thereby, deploy controls commensurate to the criticality.
13 · KRAs shall also encourage its third-party providers, if any, to have similar standards of Information Security.
14 · No person by virtue of rank or position shall have any intrinsic right to access confidential data, applications, system resources or facilities.
15 · Any access to KRA's systems, applications, networks, databases, etc., shall be for a defined purpose and for a defined period. KRAs shall grant access to IT systems, applications, databases and networks on a need-to-use basis and based on the principle of least privilege. Such access shall be for the period when the access is required and shall be authorized using strong authentication mechanisms.
16 · KRAs shall implement strong password controls for users' access to systems, applications, networks and databases. Password controls shall include a change of password upon first log-on, minimum password length and history, password complexity as well as maximum validity period. The user credential data shall be stored using strong and latest hashing algorithms.
17 · KRAs shall ensure that records of user access are uniquely identified and logged for audit and review purposes. Such logs shall be maintained and stored in encrypted form for a time period not less than two (2) years.
18 · KRAs shall deploy additional controls and security measures to supervise staff with elevated system access entitlements (such as admin or privileged users). Such controls and measures shall inter alia include restricting the number of privileged users, periodic review of privileged users' activities, disallow privileged users from accessing systems logs in which their activities are being captured, strong controls over remote access by privileged users, etc.
19 · Account access lock policies after failure attempts shall be implemented for all accounts.
20 · Employees and outsourced staff such as employees of vendors or service providers, who may be given authorised access to the KRA's critical systems, networks and other computer resources, shall be subject to stringent supervision, monitoring and access restrictions.
21 · Two-factor authentication at log-in shall be implemented for all users that connect using online/internet facility.
22 · KRAs shall formulate an Internet access policy to monitor and regulate the use of internet and internet based services such as social media sites, cloud-based internet storage sites, etc.
23 · Proper 'end of life' mechanism shall be adopted to deactivate access privileges of users who are leaving the organization or whose access privileges have been withdrawn.
24 · Physical access to the critical systems shall be restricted to minimum. Physical access of outsourced staff/visitors shall be properly supervised by ensuring at the minimum that outsourced staff/visitors are accompanied at all times by authorised employees.
25 · Physical access to the critical systems shall be revoked immediately if the same is no longer required.
26 · KRAs shall ensure that the perimeter of the critical equipment room are physically secured and monitored by employing physical, human and procedural controls such as the use of security guards, CCTVs, card access systems, mantraps, bollards, etc. where appropriate.
27 · KRAs shall establish baseline standards to facilitate consistent application of security configurations to operating systems, databases, network devices and enterprise mobile devices within the IT environment. The KRAs shall conduct regular enforcement checks to ensure that the baseline standards are applied uniformly.
28 · KRAs shall install network security devices, such as firewalls as well as intrusion detection and prevention systems, to protect their IT infrastructure from security exposures originating from internal and external sources.
29 · Anti-virus software shall be installed on servers and other computer systems. Updation of anti-virus definition files and automatic anti-virus scanning shall be done on a regular basis.
30 · Data-in-motion and Data-at-rest shall be in encrypted form by using strong encryption methods such as Advanced Encryption Standard (AES), RSA, SHA2, etc.
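Para 30 lists AES, RSA and SHA2 together as "strong encryption methods", and a practitioner should read that list with care: RSA is a public-key primitive used for key transport and signatures, not for encrypting bulk records, and SHA-2 is a hash, which gives integrity but no confidentiality at all. What is actually deployed for data at rest and in motion is an authenticated symmetric cipher such as AES-256-GCM, with SHA-2 used for digests and inside signatures. The Go program below is an added example for this page, not code from SEBI or any KRA; it covers para 30 and the encrypted log retention of para 17. The record contents, context strings and log lines are constructed for the demonstration, and key management (wrapping the key in a KMS or HSM, rotation) is assumed to exist outside it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Sealed is one encrypted record: a random 96-bit nonce followed by the AES-256-GCM output
// (ciphertext plus 16-byte tag). Context is authenticated but not encrypted, so it travels in
// the clear and must be presented unchanged at decryption time.
type Sealed struct {
	Context string
	Blob    []byte
}

// NewKey returns a random 256-bit data-encryption key. In production the key would itself be
// wrapped by a KMS or HSM and rotated: with random nonces, one key should seal no more than
// about 2^32 messages.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under key and binds it to context (a record identifier, a log sequence
// number) so that a valid ciphertext cannot be silently attached to a different record.
func Seal(key []byte, context string, plaintext []byte) (Sealed, error) {
	aead, err := gcm(key)
	if err != nil {
		return Sealed{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Sealed{}, err
	}
	// Seal appends to its first argument, so the stored blob is nonce || ciphertext || tag.
	return Sealed{Context: context, Blob: aead.Seal(nonce, nonce, plaintext, []byte(context))}, nil
}

// Open verifies the tag over ciphertext and context before returning any plaintext; a flipped bit,
// a wrong key or a swapped context all fail here instead of yielding garbage.
func Open(key []byte, s Sealed) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(s.Blob) < n+aead.Overhead() {
		return nil, errors.New("sealed blob too short")
	}
	pt, err := aead.Open(nil, s.Blob[:n], s.Blob[n:], []byte(s.Context))
	if err != nil {
		return nil, fmt.Errorf("integrity check failed: %w", err)
	}
	return pt, nil
}

// SealLogLine protects one audit-log entry (para 17) with its sequence number as context, so that
// encrypted entries that are dropped or reordered are detected when the log is read back.
func SealLogLine(key []byte, seq uint64, line string) (Sealed, error) {
	return Seal(key, fmt.Sprintf("audit-log:%d", seq), []byte(line))
}

// Fingerprint shows where SHA-2 fits: it is an integrity digest, not a confidentiality control.
// Anyone can recompute it, and a low-entropy input such as a PAN can be recovered from it by
// brute force, so a hash is no substitute for Seal.
func Fingerprint(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	record := []byte(`{"name":"Test Client","pan":"XXXXX0000X"}`) // constructed sample record
	sealed, _ := Seal(key, "kyc-record:42", record)
	pt, err := Open(key, sealed)
	fmt.Printf("%s %v\n", pt, err)
	sealed.Context = "kyc-record:43" // try to attach the ciphertext to another record
	_, err = Open(key, sealed)
	fmt.Println(err)
}
```

The context binding is the part most often skipped. Without it, an attacker who can write to the record store can swap one client's encrypted bank details into another client's record without knowing the key, and decryption succeeds; with the record identifier authenticated, the swap fails the tag check. For the audit log the same trick with the sequence number turns a silent deletion of entries into a detectable gap.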
31 · KRAs shall implement measures to prevent unauthorised access or copying or transmission of data / information held in contractual or fiduciary capacity. It shall be ensured that confidentiality of information is not compromised during the process of exchanging and transferring information with external parties.
32 · The information security policy shall also cover use of devices such as mobile phone, faxes, photocopiers, scanners, etc. that can be used for capturing and transmission of data.
33 · KRAs shall allow only authorized data storage devices through appropriate validation processes.
34 · Only a hardened and vetted hardware / software shall be deployed by the KRAs. During the hardening process, KRAs shall inter-alia ensure that default passwords are replaced with strong passwords and all unnecessary services are removed or disabled in equipment / software.
35 · All open ports which are not in use or can potentially be used for exploitation of data shall be blocked. Other open ports shall be monitored and appropriate measures shall be taken to secure the ports.
36 · KRAs shall ensure that regression testing is undertaken before new or modified system is implemented. The scope of tests shall cover business logic, security controls and system performance under various stress-load scenarios and recovery conditions.
37 · KRAs shall establish and ensure that the patch management procedures include the identification, categorisation and prioritisation of security patches. An implementation timeframe for each category of security patches shall be established to implement security patches in a timely manner.
38 · KRAs shall perform rigorous testing of security patches before deployment into the production environment so as to ensure that the application of patches do not impact other systems.
39 · KRAs shall frame suitable policy for disposals of the storage media and systems. The data / information on such devices and systems shall be removed by using methods viz. wiping / cleaning / overwrite, degauss and physical destruction, as applicable.
40 · KRAs shall carry out periodic vulnerability assessment and penetration tests (VAPT) which inter alia include critical assets and infrastructure components like Servers, Networking systems, Security devices, load balancers, other IT systems pertaining to the activities done as KRAs etc., in order to detect security vulnerabilities in the IT environment and in-depth evaluation of the security posture of the system through simulations of actual attacks on its systems and networks.
41 · Any gaps/vulnerabilities detected shall be remedied on immediate basis and compliance of closure of findings identified during VAPT shall be submitted to SEBI within 3 months post the submission of final VAPT report.
42 · In addition, KRAs shall perform vulnerability scanning and conduct penetration testing prior to the commissioning of a new system which is a critical system or part of an existing critical system.
43 · KRAs shall establish appropriate security monitoring systems and processes to facilitate continuous monitoring of security events and timely detection of unauthorised or malicious activities, unauthorised changes, unauthorised access and unauthorized copying or transmission of data / information held in contractual or fiduciary capacity, by internal and external parties. The security logs of systems, applications and network devices shall also be monitored for anomalies.
44 · Further, to ensure high resilience, high availability and timely detection of attacks on systems and networks, KRAs shall implement suitable mechanism to monitor capacity utilization of its critical systems and networks.
45 · Suitable alerts shall be generated in the event of detection of unauthorized or abnormal system activities, transmission errors or unusual online transactions.
46 · Alerts generated from monitoring and detection systems shall be suitably investigated, including impact and forensic analysis of such alerts, in order to determine activities that are to be performed to prevent expansion of such incident of cyber attack or breach, mitigate its effect and eradicate the incident.
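Paras 43 to 46 require monitoring, alerting and investigation but describe no mechanism. The Go program below is an added example for this page, not code from SEBI or any KRA: it parses a constructed audit log in an assumed "timestamp key=value ..." layout and runs three detections drawn from the framework's own text, a privileged user reading the audit-log store that records their own actions (para 18), repeated failed log-ons (para 19), and bulk export of KYC records as a proxy for the unauthorised copying of para 43. The thresholds, user names, paths and the log format are all assumptions.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Event is one parsed audit-log line in the assumed "RFC3339-timestamp key=value ..." layout.
type Event struct {
	At     time.Time
	Fields map[string]string
}

type Alert struct{ Rule, User, Detail string }

// Thresholds are illustrative assumptions, not values from the circular.
const failWindow, failThreshold = 10 * time.Minute, 5
const exportWindow, exportThreshold = 5 * time.Minute, 50
const auditLogPrefix = "/var/log/audit/"

// ParseLine rejects malformed input loudly: a parser that silently drops lines is itself a detection gap.
func ParseLine(line string) (Event, error) {
	stamp, rest, _ := strings.Cut(line, " ")
	at, err := time.Parse(time.RFC3339, stamp)
	if err != nil {
		return Event{}, fmt.Errorf("bad timestamp in %q: %w", line, err)
	}
	ev := Event{At: at, Fields: map[string]string{}}
	for _, kv := range strings.Fields(rest) {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			return Event{}, fmt.Errorf("%q is not key=value", kv)
		}
		ev.Fields[k] = v
	}
	return ev, nil
}

// hits records one event in the user's sliding window and returns how many events lie within span of it.
func hits(w map[string][]time.Time, user string, at time.Time, span time.Duration) int {
	ts := append(w[user], at)
	for len(ts) > 0 && ts[0].Before(at.Add(-span)) {
		ts = ts[1:]
	}
	w[user] = ts
	return len(ts)
}

// Analyze runs three detections over events in time order: a privileged account touching the audit-log
// store that records its own actions (para 18), failThreshold failed log-ons within failWindow (para 19),
// and exportThreshold KYC record exports within exportWindow as a proxy for unauthorised copying (para 43).
// The windowed rules fire on the event that reaches the threshold, not on every event after it.
func Analyze(events []Event) []Alert {
	var alerts []Alert
	fails, exports := map[string][]time.Time{}, map[string][]time.Time{}
	for _, ev := range events {
		f, user := ev.Fields, ev.Fields["user"]
		if f["role"] == "admin" && strings.HasPrefix(f["target"], auditLogPrefix) {
			alerts = append(alerts, Alert{"privileged-log-access", user, f["action"] + " " + f["target"]})
		}
		if f["action"] == "login" && f["result"] == "fail" && hits(fails, user, ev.At, failWindow) == failThreshold {
			alerts = append(alerts, Alert{"auth-brute-force", user, fmt.Sprintf("%d failed log-ons within %s", failThreshold, failWindow)})
		}
		if f["action"] == "export" && strings.HasPrefix(f["target"], "kyc:") && hits(exports, user, ev.At, exportWindow) == exportThreshold {
			alerts = append(alerts, Alert{"bulk-export", user, fmt.Sprintf("%d record exports within %s", exportThreshold, exportWindow)})
		}
	}
	return alerts
}

// sampleLog is a constructed audit log for this demonstration, not data from any KRA.
func sampleLog() []string {
	base := time.Date(2023, 10, 12, 10, 0, 0, 0, time.UTC)
	at := func(d time.Duration) string { return base.Add(d).Format(time.RFC3339) }
	lines := []string{at(0) + " user=carol role=operator action=login result=ok", "not a log line"}
	for i := 0; i < 6; i++ { // mallory: six failed log-ons, one minute apart
		lines = append(lines, at(time.Duration(i)*time.Minute)+" user=mallory role=operator action=login result=fail")
	}
	lines = append(lines, at(7*time.Minute)+" user=alice role=admin action=read target="+auditLogPrefix+"alice.log result=ok")
	for i := 0; i < 60; i++ { // bob: sixty record exports, three seconds apart
		lines = append(lines, fmt.Sprintf("%s user=bob role=operator action=export target=kyc:%06d result=ok", at(8*time.Minute+time.Duration(3*i)*time.Second), i))
	}
	return lines
}

func main() {
	var events []Event
	for _, l := range sampleLog() {
		ev, err := ParseLine(l)
		if err != nil {
			fmt.Println("PARSE ERROR:", err)
			continue
		}
		events = append(events, ev)
	}
	for _, a := range Analyze(events) {
		fmt.Printf("ALERT %-22s user=%-8s %s\n", a.Rule, a.User, a.Detail)
	}
}
```

Run against the constructed log this produces one alert per attacker (mallory on her fifth failure, alice on the log read, bob on his fiftieth export) and one parse error for the malformed line. Firing on the threshold-crossing event rather than on every later one is what keeps a sustained attack from becoming an alert storm; the impact and forensic analysis that para 46 asks for starts from these Alert records, with the raw log kept as the evidence behind them.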
47 · The response and recovery plan of the KRAs shall aim at timely restoration of systems affected by incidents of cyber attacks or breaches. KRAs shall have the same Recovery Time Objective (RTO) and Recovery Point Objective (RPO) as specified by SEBI for Market Infrastructure Institutions vide SEBI circular CIR/MRD/DMS/17/20 dated June 22, 2012 as amended from time to time.
48 · The response plan shall define responsibilities and actions to be performed by its employees and support / outsourced staff in the event of cyber attacks or breach of cyber security mechanism.
49 · Any incident of loss or destruction of data or systems shall be thoroughly analysed and lessons learned from such incidents shall be incorporated to strengthen the security mechanism and improve recovery planning and processes.
50 · KRAs shall also conduct suitable periodic drills to test the adequacy and effectiveness of response and recovery plan.
51 · All Cyber-attacks, threats, cyber-incidents and breaches experienced by KRAs shall be reported to SEBI within 6 hours of noticing / detecting such incidents or being brought to notice about such incidents.
52 · Such details as are felt useful for sharing with other KRAs in masked and anonymous manner shall be shared using mechanism to be specified by SEBI from time to time.
53 · KRAs shall conduct periodic training programs to enhance awareness level among the employees and outsourced staff, vendors, etc. on IT / Cyber security policy and standards. Special focus shall be given to build awareness levels and skills of staff from non-technical disciplines.
54 · The training program shall be reviewed and updated to ensure that the contents of the program remain current and relevant.
55 · KRAs shall arrange to have its systems audited on an annual basis by a CERT-In empanelled auditor, an independent DISA (ICAI) Qualification, CISA (Certified Information System Auditor) from ISACA, CISM (Certified Information Securities Manager) from ISACA, CISSP (Certified Information
56 · Further, the KRAs shall conduct comprehensive cyber audit at least twice a financial year. All KRAs shall submit a declaration from the MD/ CEO certifying compliance by the KRAs with all SEBI Circulars and advisories related to Cyber security from time to time, along with the cyber audit report.
57 · KRAs shall take necessary steps to put in place systems for implementation of this framework.