SEBI/HO/MRD/MRD-PoD-1/P/CIR/2024/168

master_circulars · 1992 · State unknown

Download PDF Parent Act Back to Subordinates

Parent: THE SECURITIES AND EXCHANGE BOARD OF INDIA ACT, 1992 (7c4c1f5343adab106c3a94cafc08a5ecf5957ae7)

Text

MASTER CIRCULAR SEBI/HO/MRD/MRD-PoD-1/P/CIR/2024/168 December 03, 2024 To, All Depositories Dear Sir / Madam, Subject: Master Circular for Depositories Securities and Exchange Board of India (SEBI), from time to time, has been issuing various circulars/directions to Depositories . Further, a Master Circular in the form of a compilation of all the relevant circulars was issued on October 06 , 2023 . In order to enable the users to have access to all the applicable circulars/directions pertaining to depositories at one place, this Master Circular for Depositories has been prepared. This Master Circular shall come into force from the date of its issuance . This Master Circular covers the relevant applicable circulars/communications pertaining to depositories issued by SEBI upto September 30, 2024 . References to the Statutes/Regulations which now stand repealed have been suitably updated in the Master Circular . The list of circulars rescinded vide the instant circular is also updated in the Schedule-A to this circular . Notwithstanding such rescission: anything done or any action taken or purported to have been done or taken under the rescinded circulars, including registrations or approvals granted, fees collected, registration or approval suspended or cancelled, any inspection or investigation or enquiry or adjudication commenced or show-cause notice issued, prior to such rescission, shall be deemed to have been done or taken under the corresponding provisions of this Master Circular; any application made to SEBI under the rescinded circulars, prior to such rescission, and pending before it shall be deemed to have been made under the corresponding provisions of this Master Circular; the previous operation of the rescinded circulars or anything duly done or suffered ther

Rule TOC

1 · 1 Opening of BO Account by non-body corporates

1 · 1.1 Proof of Identity (PoI)

1 · 1.1.1 Permanent Account Number (PAN) to be the sole identification number for all transactions in the securities market1

1 · 1.1.2 PAN as the sole identification number for all transactions in the securities market3

1 · 1.1.2.1 It has been decided to discontinue with the requirement of Unique Identification Number (UIN) under the SEBI (Central Database of market Participants Regulations), 2003 (MAPIN regulations)/circulars.

1 · 1.1.3 List of documents admissible as Proof of Identity 4

1 · 1.2 Proof of Address (PoA) 4

1 · 1.2.1 Please refer SEBI Master Circular on Know Your Client(KYC) norms for the securities market dated October 12, 2023.

1 · Reference: SEBI Circular MRD/DoP/Cir-5/2007 dated April 27, 2007

2 · Income Tax Department since changed the link for verification to: https://eportal.incometax.gov.in/iec/foservices/

3 · Reference: SEBI Circular MRD/DoP/Cir-08/2007 dated June 25, 2007

4 · Reference: SEBI Circular SEBI/HO/MIRSD/SECFATF/P/CIR/2023/169 dated October 12, 2023

1 · 1.2.2 DP shall ensure that all documents pertaining to proof of identity and proof of address are collected from all the account holders.5 Submission of the aforesaid documents is the minimum requirement for opening a BO Account. DPs must verify the copy of the aforementioned documents with the original before accepting the same as valid. While opening a BO Account, DPs shall exercise due diligence 6 while establishing the identity of the person to ensure the safety and integrity of the depository system.

1 · 1.3 Clarification on voluntary adaptation of Aadhaar based e-KYC process 7

5 · Reference: SEBI Circular MRD/DoP/Dep/Cir-29/2004 dated August 24, 2004

6 · Reference: SEBI Circular Point 5 of part II on ' no. ISD/AML/CIR-1/2008 dated December 19, 2008

7 · Reference: SEBI Circular SEBI/MIRSD/09/2013 dated October 08, 2013

8 · Reference: SEBI Circular CIR/MIRSD/29/2016 dated January 22, 2016

1 · 1.4 Common and simplified norms for processing investor's service requests by RTAs and norms for furnishing PAN, KYC details and Nomination 9

1 · 1.5 SARAL Account Opening Form for resident individuals 10

1 · 1.5.1 It is gathered that a majority of new investors in the securities market begin with participation in the cash segment without obtaining various other facilities such as internet trading, margin trading, derivative trading and use of power of attorney. The account opening process can be simplified for such individual investors. With a view to encourage their participation, it is, therefore, decided that such individual investors can open a trading account and demat account by filling up a simplified Account Opening Form ('AOF') termed as 'SARAL AOF' given at Annexure 1 .

1 · 1.5.2 This form will be separately available with the intermediaries and can also be downloaded from the Exchanges' and Depositories' website. The investors who open account through SARAL AOF will also have the option to obtain other facilities, whenever they require, on furnishing of additional information as per prescribed regulations/circulars.

1 · 1.5.3 The standard set of documents viz. Rights and Obligations document, Uniform Risk Disclosure Document and Guidance Note and documentary proof related to identity and address as specified under Para 2.14 , Para 1.1.1 and Para 1.1.2 shall

9 · Reference: SEBI Circular SEBI/HO/MIRSD/MIRSD-PoD-1/P/CIR/2023/37 dated March 16, 2023

10 · Reference: SEBI Circular MIRSD/1/2015 dated March 04, 2015

1 · 1.5.4 For these set of individual investors, it has been decided to simplify the requirement of submission of 'proof of address'. The matter has been examined in the light of amendment to the PML Rules, 2005 and accordingly, the requirement of submission of 'proof of address' is as follows:

1 · 1.5.4.1 Henceforth, individual investor may submit only one documentary proof of address (either residence/correspondence or permanent) while opening a trading account and / or demat account or while undergoing updation.

1 · 1.5.4.2 In case the proof of address furnished by the said investor is not the address where the investor is currently residing, the intermediary may take a declaration of the residence/correspondence address on which all correspondence will be made by the intermediary with the investor. No proof is required to be submitted for such correspondence/residence address. In the event of change in this address due to relocation or any other reason, investor may intimate the new address for correspondence to the intermediary within two weeks of such a change. The residence/ correspondence address and any such change thereof may be verified by the intermediary through 'positive confirmation' such as

1 · 1.6 Uniform Know Your Client (KYC) Requirements for the Securities Markets 11

1 · 1.6.1 In case of stock brokers (and also for the stock brokers who are depository participants), the account opening process for investors has been simplified vide Para 2.14, KYC form capturing the basic details about the client has been prescribed as Part I of the account opening form and additional information specific to dealing in the stock exchange(s) are obtained in Part II of the form.

11 · Reference: SEBI Circular MIRSD/SE/Cir-21/2011 dated October 05, 2011

1 · 1.6.2 With a view to bring about uniformity in securities markets, it has also been decided that the same KYC form and supporting documents shall also be used by all captioned SEBI registered intermediaries. The KYC form as given in Annexure 2 shall be filled by an investor at the account opening stage while dealing with any of the above intermediaries. Additional details specific to the area of activity of the intermediary being obtained now but not covered in the KYC form shall also be obtained from the investors in Part II of the account opening form.

1 · 1.6.3 The additional information (Part II) shall be prescribed by depositories for their depository participants and by Association of Mutual Funds in India ( " AMFI " ) for all mutual funds. The portfolio managers, venture capital funds, and collective investment schemes shall capture the additional information specific to their area of activities, as considered appropriate by them. The intermediaries shall also continue to abide by circulars issued by SEBI from time to time for prevention of money laundering.

1 · 1.6.4 Please also refer SEBI Circular Nos. SEBI/HO/MIRSD/SECFATF/P/CIR/2023/169 dated October 12, 2023, SEBI/HO/MIRSD/SECFATF/P/CIR/2024/41 dated May 14, 2024 and SEBI/HO/MIRSD/SECFATF/P/CIR/2024/79 dated June 06, 2024

1 · 1.7 Acceptance of third party address as correspondence address 12

1 · 1.7.1 SEBI has no objection to a BO authorizing the capture of an address of a third party as a correspondence address, provided that the DP ensures that all prescribed KYC norms are fulfilled for the third party also. The DP shall obtain proof of identity and proof of address for the third party. The DP shall also ensure that customer due diligence norms as specified in Rule 9 of PML Rules, 2005 are complied with in respect of the third party.

1 · 1.7.2 The depository participant should further ensure that the statement of transactions and holding are sent to the BO's permanent address at least once in a year.

1 · 1.7.3 However, the above provision shall not apply in case of PMS (Portfolio Management Services) clients.

1 · 2 Exemptions from and clarifications relating to mandatory requirement of PAN

1 · 2.1 Mandatory requirement of Permanent Account Number (PAN)

12 · Reference: SEBI Circular CIR/MRD/DP/37/2010 dated December 14, 2010

13 · Reference: SEBI Circular MRD/DP/22/2010dated July 29, 2010

1 · 2.2 Central and State Government and officials appointed by Courts 14

1 · 2.3 Investors in Sikkim16

1 · 2.4 UN entities and multilateral agencies exempt from paying taxes/ filing tax returns in India18

1 · 2.5 FPIs/Institutional Clients19

1 · 2.6 HUF, Association of Persons (AoP), Partnership Firm, unregistered Trust, Registered Trust, Corporate Bodies, minors, etc . 16

14 · Reference: SEBI Circular MRD/DoP/Cir-20/2008 dated June 30, 2008

15 · Reference: Rule 114C (1)(c) of Income Tax Rules

16 · Reference: SEBI Circular MRD/DoP/Dep/Cir-09/06 dated July 20, 2006

17 · Reference: Hon'ble High Court of Sikkim judgment dated March 31, 2006

18 · Reference: SEBI Circular MRD/DoP/Dep/Cir-09/06 dated July 20, 2006

19 · Reference: SEBI Circular MRD/DoP/Dep/SE/Cir-13/06 dated September 26, 2006

1 · 2.7 Difference in the name of investors . 16

1 · 2.8 NRI/PIOs21

1 · 3 Simplification of demat account opening process 23

1 · 3.1 SEBI has taken a number of steps in the recent past to simplify the account opening and KYC process in the securities markets. In continuation of the efforts in the same direction, it has now been decided in consultation with both the depositories and associations of stock brokers and DPs to further simplify and rationalize the demat account opening process.

1 · 3.2 The existing Beneficial Owner-Depository Participant Agreements shall be replaced with a common document "Rights and Obligations of the Beneficial Owner and Depository Participant" (Annexure 3) . The document annexed herewith shall be mandatory and binding on all the existing and new clients and DPs. This will harmonize the account opening process for trading as well as demat account. This will also rationalize the number of signatures by the investor, which he is required to affix at present on a number of pages.

20 · Reference: SEBI Circular MRD/DoP/Dep/Cir-29/2004 dated August 24, 2004

21 · Reference: SEBI Circular MRD/DoP/Dep/SE/Cir-17/06 dated October 27, 2006

22 · Reference: Income Tax (Systems) PAN SEBI Circular No. 4 dated October 11, 2006

23 · Reference: SEBI Circular SEBI/MIRSD/ 12/2013 dated December 04, 2013

1 · 3.3 The DP shall provide a copy of Rights and Obligations Document to the BO and shall take an acknowledgement of the same. They shall ensure that any clause in any voluntary document neither dilutes the responsibility of the depository participant nor it shall be in conflict with any of the clauses in this document, rules, bye-laws, regulations, notices, guidelines and circulars issued by SEBI and the depositories from time to time. Any such clause introduced in the existing as well as new documents shall stand null and void.

1 · 3.4 In consultation with market participants, with a view to simplify the account opening kit, SEBI has decided that DP shall make available this document "Rights and Obligations of the Beneficial Owner and Depository Participant" to the clients, either in electronic or physical form, depending upon the preference of the client as part of account opening kit. In case the documents are made available in electronic form, DP shall maintain the logs of the same. It is also reiterated that Depositories/DP shall continue to make the aforesaid document available on their website and keep the clients informed about the same.24

1 · 4 Guidelines for online closure of demat accounts 25

1 · 4.1 Depositories are advised to issue guidelines under Para 1.4.4 to their participants offering online account opening, informing them to make available the facility for online closure of demat accounts from August 01, 2021.

1 · 4.2 Deleted .

1 · 4.3 Depositories shall also advise their participants to inform their clients regarding the availability of facility for online closure of demat accounts through emails, SMS, weekly / fortnightly / monthly newsletters etc. The procedure for online closure of demat accounts shall be prescribed in such communications.

1 · 4.4 Client shall be entitled to close the demat account through online mode without mandatorily giving any reasons to the DP. Clients shall not be restricted from requesting, through online mode or offline mode, for the closure of demat account maintained with the DP, subject to the compliance requirements as stipulated by SEBI / Depository from time to time.

1 · 4.4.1 Online closure of demat accounts shall be made available for the clients who have opened their accounts offline or online, by the DPs that provide various Depository related services in online mode. Those DPs which do not provide any services online and do not open accounts online may not be required to offer online closure of demat accounts.

1 · 4.4.2 Account closure for account with balance shall be done only through web portal / app of DP through secured access by way of client specific user ID and

24 · Reference: SEBI Circular CIR/MIRSD/64/2016 dated July 12, 2016

25 · Reference: SEBI MIRSD email dated July 15, 2021

1 · 4.4.3 In case of clients having demat accounts with nil balances can be closed by the DPs on the basis of emails received from the registered email ID of the demat account holder.

1 · 4.4.4 Once the application for closure of demat account is received, the DP shall intimate to the client on registered email id and / or mobile number (on both if available) about the receipt of closure request. A confirmation regarding the request made shall be sought from the client by way of OTP sent on the email id and / or mobile number updated in its source account (to be closed account).

1 · 4.4.5 The request for demat account closure shall include target account details (in case of request for closure of demat account having security balances is made) where the client intends to shift the securities.

1 · 4.4.6 Client would have to upload the scan / photograph of his / her signature alongwith Client Master Report (CMR) of the target account digitally signed by official of the target DP (CMR applicable in case of account having security balances). Filled Account Closure form alongwith uploaded ink-signature of the client and CMR as uploaded, would be displayed in one single file to the client, subsequent to which, client shall then be required to e-sign the form (using Aadhaar based online electronic signature service) alongwith the documents and submit the same for further processing. The requirement of obtaining a CMR will be exempted if the DP is able to verify the target demat account details (i.e. sole holder's name and PAN should match perfectly) directly from the Depository electronically.

1 · 4.4.7 If the DP authorises the request received, the account will get closed in the Depository system. If the DP rejects the client requests received, the DP shall inform the reason for such rejection to the client.

1 · 4.4.8 In case the target account of the client specified in the account closure form is not its own account i.e. not the same PAN both in source and target accounts, as per the extant requirements, it will be necessary for the client to submit an off-market transfer instruction delivery instruction slip for execution of such transfers along with the requirement of entering OTP as provided by the Depository.

1 · 4.4.9 After the closure of demat account by the DP, the same shall be intimated to the client through electronic mode enclosing the CMR & Transaction cum Holding

1 · 4.4.10 DP shall maintain and store system logs of the closure instructions and e-signed electronic requests (uneditable) received in electronic form in a secured manner and the same shall be subject to 100% internal audit .

1 · 4.4.11 Notwithstanding any such closure of demat account, all rights, liabilities and obligations of the parties arising out of or in respect of transactions entered into prior to the closure of demat account shall continue to subsist and vest in / be binding on the respective parties or his / its respective heirs, executors, administrators, legal representatives or successors, as the case may be.

1 · 4.4.12 The above process shall be applicable in case of individual client accounts with single holder (without pledge/freeze/pending demat requests balances) and the closure requests accepted through above mechanism shall be considered as a valid client request and DPs / Depository shall not be held liable for acting on such requests.

1 · 4.4.13 Depositories shall put in place a complaint redressal mechanism for dealing with complaints related to online closure of demat accounts.

1 · 5 Guidelines on Identification of Beneficial Ownership 26

1 · 6 Opening of demat account in case of HUF2 F27

26 · Reference: SEBI Circular CIR/MIRSD/2/2013 dated January 24, 2013

27 · Reference: SEBI Letter SEBI/HO/MRD/DP/OW/2016/25739/1 & 25740/1 dated September 14, 2016 and SEBI Letter MRD/DSA1/OW/4946/2018 and 4947/2018 dated February 14, 2018

1 · 6.1 Opening of HUF Demat Account

1 · 6.2 Death of Karta

1 · 6.3 Partition of HUF

28 · Reference: SEBI Letter SEBI/HO/MRD/DP/OW/2016/25739/1 & 25740/1 dated September 14, 2016

29 · Reference: SEBI Circular SEBI/HO/MRD/MRD-POD-2/P/CIR/2022/114 dated August 26, 2022

1 · 7 Operation of minor's demat account3 t30

1 · 8 Facility for a Basic Services Demat Account (BSDA) 31

1 · 8.1 Facility for a Basic Services Demat Account (BSDA) Please refer SEBI Circular SEBI/HO/MIRSD/MIRSD-PoD1/P/CIR/2024/91 dated June 28, 2024.

1 · 8.2 Eligibility for BSDA Please refer SEBI Circular SEBI/HO/MIRSD/MIRSDPoD1/P/CIR/2024/91 dated June 28, 2024.

1 · 8.3 Option to open BSDA Please refer SEBI Circular SEBI/HO/MIRSD/MIRSDPoD1/P/CIR/2024/91 dated June 28, 2024

1 · 8.4 Charges Please refer SEBI Circular SEBI/HO/MIRSD/MIRSDPoD1/P/CIR/2024/91 dated June 28, 2024

1 · 8.5 Holding Statement 32&33 :

30 · Reference: SEBI Letter SEBI SMDRP/NSDL/4615 /2000 dated March 13, 2000

31 · Reference: SEBI Circular CIR/MRD/DP/22/2012 dated August 27, 2012

32 · Reference: SEBI Circular CIR/MRD/DP/21/2014 dated July 01, 2014

33 · Reference: SEBI Circular SEBI/HO/MRD-Pod2/CIR/P/2024/93 dated July 01, 2024

1 · 8.6 Rationalisation of services with respect to regular accounts. 34

1 · 9 Change of Name in the Beneficial Owner (BO) Account3 t35

1 · 9.1 In order to simplify the procedure of change of name in individual Beneficial Owner's (BO) account, it has been decided that an individual BO may be allowed to change his/ her name, subject to the submission of following documents at the time of change of name of the individual in the BO account.

34 · Reference: SEBI Circular SEBI/HO/MRD-Pod2/CIR/P/2024/93

35 · Reference: SEBI Circular CIR/MRD/DP/27/2012 dated November 01, 2012

36 · Reference: SEBI Circular CIR/MRD/DP/158/2018 dated December 27, 2018

1 · 9.2 The Depository Participants (DPs) shall collect the self-attested copies of above documents and maintain the same in their records after verifying with the original document.

1 · 10 Fees/Charges to be paid by BO

1 · 10.1 Account opening, custody and credit of securities 37

1 · 10.2 Account Closure38

1 · 10.3 Transfer of a BO Account39

1 · 10.4 Account Maintenance Charges collected upfront on annual/ half yearly basis on demat accounts40

37 · Reference: SEBI Circular MRD/DoP /SE/Dep/Cir-4/2005 dated January 28, 2005

38 · Reference: SEBI Circular D&CC/FITTC/CIR - 12/2002 dated October 30, 2002

39 · Reference: SEBI Circular MRD/DoP/Dep/Cir-22 /05 dated November 9, 2005

40 · Reference: SEBI Circular MRD/DP/20/2010 dated July 1, 2010

1 · 10.5 Dissemination of tariff/charge structure of DPs on the website of depositories 41

1 · 11 Framework for automated deactivation of trading and demat accounts in cases of inadequate KYCs 42

1 · 11.1 SEBI has, vide various circulars issued from time to time, mandated that addresses form a critical part of the KYC procedures. Thus, every address recorded for the purpose of compliance with KYC procedure has to be accurate. An intermediary has to update the address from time to time. However, it has been observed that in some cases accurate/updated addresses of clients are not maintained. This is borne out of the fact that when SEBI issues any notices, etc. during the course of any enforcement proceedings on such addresses, the same remain unserved.

1 · 11.2 To ensure that the client furnishes accurate/updated details of address and to ensure that KYC details are correct, the following framework involving stock exchanges (except Commodity Derivatives Exchanges) and depositories (hereinafter collectively referred to as "the MIIs") is proposed

1 · 11.2.1 Where SEBI instructs MIIs to serve any Show Cause Notice ("SCN") or order issued by SEBI, the MIIs shall arrange to physically deliver the same to the

41 · Reference: SEBI Circular MRD/Dep/Cir- 20/06 dated December 11, 2006

42 · Reference: SEBI Circular SEBI/HO/EFD1/EFD1_DRA4/P/CIR/2022/104 dated July 29, 2022

1 · 11.2.2 Pending pay-in and pay-out obligations and open positions may be permitted to be settled, squared off or closed out, as the case may be, while enforcing the deactivation of trading/demat accounts of such entities.

1 · 11.2.3 MIIs shall ensure that they communicate the details of the deactivation along with reasons thereof to the respective registered intermediary. They shall also ensure that the reasons for the deactivation are displayed in a clear and unambiguous manner, when the entity attempts to transact using his trading/demat account.

1 · 11.2.4 Subject to the above, the MIIs shall ensure that the deactivated accounts are not used for dealing in securities market in any manner whatsoever.

1 · 11.2.5 The concerned entity may place a request to the registered intermediaries with which the entity holds a trading/demat account, seeking re-activation of trading/demat accounts along with –

1 · 11.2.6 The registered intermediary shall update the KYC records as per the extant norms and forward the copy of the signed acknowledgement of receipt of the SCN or order, as the case may be, to the concerned MII for re-activation of the

1 · 11.2.7 The concerned MII shall re -activate all trading accounts/demat accounts of the entity after ensuring that –

1 · 11.2.8 The process of reactivating the accounts by the MIIs shall not exceed more than 5 working days after receipt of request from the entity along with all the documents mentioned in Para 1.11.2.5 .

1 · 11.2.9 The framework would also apply to joint accounts. However, before deactivating the joint accounts, MIIs shall endeavor to contact the entity through the co-holders for delivery of SCN / order simultaneously by following the same process outlined above.

1 · 11.2.10The MIIs may deviate from the above provisions in appropriate cases, where the compliance with the framework is hampered due to factors beyond the control of the entity. In such cases, the MIIs shall record the reasons for deviating from the mandate of the framework and communicate the same to SEBI within 2 working days of such deviation.

1 · 11.2.11MIIs shall have a mechanism for exchange of information and coordination amongst themselves for the purpose of implementing the framework described above. MIIs shall submit a consolidated report indicating status of requests forwarded by SEBI, on a monthly basis.

1 · 11.2.12MIIs shall advise their registered intermediaries to ensure updation of KYC records at regular intervals as per the extant norms. This framework shall be in addition to and not in derogation of any Circular issued by SEBI or the MIIs with respect to KYC requirements or Unique Client Code norms.

1 · 11.2.13An Illustration covering different scenarios is as follows:

1 · 12 Safeguards to address the concerns of the investors on transfer of securities in dematerialized mode43&44

1 · 12.1 The depositories shall give more emphasis on investor education particularly with regard to careful preservation of Delivery Instruction Slip ( " DIS " ) by the BOs. The Depositories may advise the BOs not to leave "blank or signed" DIS with the Depository Participants (DPs) or any other person/entity.

1 · 12.2 The DPs shall not accept pre-signed DIS with blank columns from the BO(s).

1 · 12.3 If the DIS booklet is lost / stolen / not traceable by the BO, the same must be intimated to the DP immediately by the BO in writing. On receipt of such intimation, the DP shall cancel the unused DIS of the said booklet

1 · 12.4 The DP shall also ensure that a new DIS booklet is issued only on the strength of the DIS instruction request slip (contained in the previous booklet) duly complete in all respects, unless the request for fresh booklet is due to loss, etc. .

43 · Reference: SEBI Circular SEBI/MRD/Dep/Cir-03/2007 dated February 13, 2007 and SEBI Circular SEBI/MRD/Dep/Cir-03/2008 dated February 28, 2008

44 · Reference:SEBI Circular SEBI/HO/MRD/MRD -PoD -2/P/CIR/2024/18 dated March 20,2024

1 · 12.5 The DPs shall not issue more than 10 loose DIS to one account holder in a financial year (April to March). The loose DIS can be issued only if the BO(s) come in person and sign the loose DIS in the presence of an authorised DP official.

1 · 12.6 The DPs shall put in place appropriate checks and balances with regard to verification of signatures of the BOs while processing the DIS.

1 · 12.7 The DPs shall cross check with the BOs under exceptional circumstances before acting upon the DIS.

1 · 12.8 The DPs shall mandatorily verify with a BO before acting upon the DIS, in case of an inactive/dormant account, whenever any security in such account is transferred at a time. Such verification by DPs shall require a recorded phone call on registered number of BO by the authorized official of the DP and shall be additionally authorised by the Compliance officer or any other designated senior official of the DP. The authorized official of the DP verifying such transactions with the BO, shall record the details of the process, date, time, etc., of the verification on the instruction slip under his/her signature.

1 · 13 Delivery Instruction Slip (DIS) Issuance and Processing4 g45

45 · Reference: SEBI Circular SEBI/MRD/DOP/01/2014 dated January 07, 2014

46 · Reference: SEBI Circular CIR/MRD/DP/22/2014 dated July 04, 2014

47 · Reference: SEBI Letter MRD2/DDAP/OW/P/2020/19443/1 dated November 13, 2020

48 · Reference: SEBI Letter SEBI/HO/MRD2/DDAP/OW/P/2021/1632/1 dated January 20, 2021

2 · Implementation:

1 · 14 Nomination for Eligible Trading and Demat Accounts 49

1 · 14.1 Section 72 of Companies Act, 2013 provides for nomination by a holder of securities.

1 · 14.2 Investors opening new demat account(s) on or after October 01, 2021, shall have the choice of providing nomination or opting out nomination, as follows;

1 · 14.3 In this regard, DPs shall activate new Demat accounts from October 01, 2021, only upon receipt of above formats.

1 · 14.4 The nomination and Declaration form shall be signed under wet signature of the account holder(s) and witness shall not be required. However, if the account holder(s) affixes thumb impression (instead of wet signature), then witness signature shall be required in the forms.

1 · 14.5 The on -line nomination and Declaration form may also be signed using e-Sign facility and in that case witness will not be required.

1 · 14.6 DPs shall ensure that adequate systems are in place including for providing for eSign facility and also take all necessary steps to maintain confidentiality and safety of client records.

1 · 14.7 Non -submission of 'choice of nomination' shall not result in freezing of Demat Accounts as well as Mutual Fund Folios.

1 · 14.8 Securityholders holding securities in physical form shall be eligible for receipt of any payment including dividend, interest or redemption payment as well as to lodge grievance or avail any service request from the RTA even if 'choice of nomination' is not submitted by these securityholders.

1 · 14.9 Payments including dividend, interest or redemption payment withheld presently by the Listed Companies/RTAs, only for want of 'choice of nomination' shall be processed accordingly.

49 · Reference: SEBI Circular SEBI/HO/MIRSD/RTAMB/CIR/P/2021/601 dated July 23, 2021 and SEBI Circular SEBI/HO/MIRSD/POD-1/P/CIR/2024/81 dated June 10,2024

1 · 14.10 All new investors/unitholders shall continue to be required to mandatorily provide the 'Choice of Nomination' for demat accounts/ MF Folios (except for jointly held Demat Accounts and Mutual Fund Folios).

1 · 14.11Further, to encourage the existing investors to provide 'choice of nomination', a popup shall be provided on web/mobile application/platform to the investors by Depositories and Depository Participants while logging into the Demat Account and by AMCs (including MF RTAs, other platforms providing online execution services) while logging into their MF account. This pop-up may be shown only to those clients whose MF Folios/demat account(s) do not have 'choice of nomination'.

1 · 14.12DPs shall encourage their clients to update 'choice of nomination' by sending a communication on fortnightly basis by way of emails and SMS to all such demat accounts wherein the 'choice of nomination' is not captured. The communication shall provide guidance through which the client can provide his/her 'choice of nomination'.

1 · 14.13On the basis of representations received from various stakeholders, it has been decided that50:

1 · 15 Transmission of shares 51

1 · 16 Simplification of procedure and standardization of formats of documents for transmission of securities52

1 · 17 Mode of Operation and Transmission of Securities in Joint Demat Accounts 53

1 · 17.1 In order to streamline the process of operation and make the transmission of securities more efficient and investor friendly in demat accounts with joint holding,

50 · Reference: SEBI Circular SEBI/HO/MIRSD/MIRSD_RTAMB/P/CIR/2022/23 dated February 24, 2022

51 · Reference: SEBI Letter MRD//DP/OW/23881/2015 dated August 24, 2015 regarding multiple nominations in demat accounts

52 · Reference: SEBI Circular SEBI/HO/MIRSD/MIRSD_RTAMB/P/CIR/2022/65 dated May 18, 2022 and SEBI Master Circular SEBI/HO/MIRSD/PoD1/CIR/2024/37 dated May 07, 2024

53 · Reference: SEBI Letter MRD2/DDAP/OW/P/2021/8568/1 dated April 09, 2021 and letter SEBI/HO/MIRSD/POD-1/OW/P?2024/20944/1 dated June 26, 2024.

1 · 18 Execution of Power of Attorney (PoA) by the Client in favour of the Stock Broker/ Stock Broker and Depository Participant5 t54

1 · 19 Execution of 'Demat Debit and Pledge Instruction' (DDPI) for transfer of securities towards deliveries / settlement obligations and pledging / re-pledging of securities 55

1 · 20 SMS alerts for demat accounts operated by Power of Attorney 56

54 · Reference: SEBI Circular CIR/MRD/DMS/13/2010 dated April 23, 2010 , CIR/MRD/DMS/28/2010 dated August 31, 2010 and SEBI/HO/MIRSD/DOP/CIR/P/2020/158 dated August 27, 2020

55 · Reference: SEBI Circular SEBI/HO/MIRSD/DoP/P/CIR/2022/44 dated April 04, 2022 and SEBI/HO/MIRSD/MIRSD-PoD-1/P/CIR/2022/137 dated October 06, 2022

56 · Reference: SEBI Letter SEBI/MRD/DEP/VM/169784 /09 dated July 15, 2009

1 · 21 Exemption from sending quarterly statements of transactions by depository participants (DPs) to clients in respect of demat accounts with no transactions and no security balances 57

1 · 21.1 SEBI has provided exemption to DPs from sending quarterly transaction statements to the clients in respect of demat accounts with no transactions and no security balances subject to the following conditions:

1 · 21.1.1 Client is informed in advance that it will not be receiving Transaction Statements for such accounts till there are any transactions or security holdings in the demat account.

1 · 21.1.2 KYC and PAN requirement in respect of all such depository accounts are complied.

1 · 21.1.3 No Annual Maintenance Charges are levied for such an account.

1 · 21.1.4 Information which is required to be disseminated by Participants by way of a note in the Transaction Statements will be required to be communicated to such Clients separately.

1 · 21.1.5 The Internal Auditor of the Participant shall comment in its internal audit report on compliance of the aforesaid requirements.

1 · 22 Discontinuation of sending transaction statements by depository participants to clients58

1 · 22.1 Transaction statements were returned undelivered on three consecutive occasions.

1 · 22.2 The DP maintains proof that the transaction statements were returned undelivered.

1 · 22.3 The transaction statements were returned undelivered for the reasons which clearly establish that the client no longer resides at the given address (i.e. party shifted, etc.) and not for other reasons (i.e. residence/office closed, address incorrect, address incomplete, etc.).

1 · 22.4 The DP informs such clients through alternative means (such as outbound call, SMS or email) that their transaction statements are returned undelivered and they need to communicate the proper (new) address.

1 · 22.5 The DP ensures that on receipt of request for address modification from the client as per the stipulated procedure, the dispatch of transaction statements is

57 · Reference: SEBI Letter MRD/CDSL/VM/155773/2009 dated February 27, 2009, MRD/DoP/NSDL/VM/168994 /2009 dated July 07, 2009 and MRD/CDSL/VM/168989 /2009 dated July 07, 2009

58 · Reference: SEBI Letter MRD/NSDL/VM/158886 /2009 dated March 30, 2009

1 · 23 Exemption to Depository Participants (DPs) from providing hard copies of transaction statements to BOs59

1 · 24 Consolidated Account Statement (CAS) for all securities assets 60

1 · 24.1 It has been decided to enable a single consolidated view of all the investments of an investor in Mutual Funds (MF) and securities held in demat form with the Depositories.

1 · 24.2 The Depositories and the Asset Management Companies (AMCs)/ MF-RTAs shall put in place systems to facilitate generation and dispatch of single Consolidated Account Statements (CAS) for investors having MF investments and holding demat accounts. AMCs/ RTAs shall share the requisite information with the Depositories on monthly basis to enable generation of CAS.

1 · 24.3 Consolidation of account statement shall be done on the basis of PAN. In case of multiple holding, it shall be PAN of the first holder and pattern of holding. Based on the PANs provided by the AMCs/MF-RTAs, the Depositories shall match their PAN database to determine the common PANs and allocate the PANs among themselves for the purpose of sending CAS. For PANs which are common between depositories and AMCs, the Depositories shall send the CAS. In other cases (i.e. PANs with no demat account and only MF units holding), the AMCs/ MF-RTAs shall continue to send the CAS to their unit holders as is being done presently in compliance with the Regulation 36(4) of the Securities and Exchange Board of India (Mutual Funds) Regulations, 1996 ("Mutual Fund Regulations") .

1 · 24.4 In case investors have multiple accounts across the two depositories, the depository having the demat account which has been opened earlier shall be the default depository which will consolidate details across depositories and MF investments

59 · Reference: SEBI Circular MRD/DoP/Dep/Cir-27/2004 dated August 16, 2004

60 · Reference: SEBI Circular CIR/MRD/DP/31/2014 dated November 12, 2014

1 · 24.5 The CAS shall be generated on a monthly basis. The AMCs /MF-RTAs shall provide the data with respect to the common PANs to the depositories within three days from the month end. The depositories shall then consolidate and dispatch the CAS within ten days from the month end.

1 · 24.6 The CAS shall be dispatched by email to all the investors whose email addresses are registered with the Depositories and AMCs/MF-RTAs. However, where an investor does not wish to receive CAS through email, option shall be given to the investor to receive the CAS in physical form at the address registered with the Depositories and the AMCs/MF-RTAs. The depositories shall also intimate the investor on quarterly basis through the SMS mode specifying the email id on which the CAS is being sent61 .

1 · 24.7 A proper grievance redressal mechanism shall be put in place by the depositories and the AMCs/MF-RTAs which shall also be communicated to the investors through CAS. AMCs/MF-RTAs would be accountable for the authenticity of the information provided through CAS in respect of MF investments and timely sharing of such information with Depositories. The Depositories would be responsible for the timely dispatch of CAS to the investors serviced by them and the demat account information.

1 · 24.8 The depositories and the AMCs/ MF-RTAs shall ensure data integrity and confidentiality in respect of the shared information. The depositories shall utilise the shared data only for the purpose of providing CAS and shall not share the same with their DPs. Where Depositories are required to share such information with unregulated entities like third party printers, the depositories shall enter into necessary data confidentiality agreements with them.

1 · 24.9 The CAS shall be implemented from the month of March 2015 with respect to the transactions carried out during the month of February 2015.

1 · 24.10 If an investor does not wish to receive CAS, an option shall be given to the investor to indicate negative consent. Depositories shall accordingly inform investors in their statements from the month of January 2015 about the facility of CAS and give them information on how to opt out of the facility if they do not wish to avail it.

1 · 24.11 Where such an option is exercised, the concerned depository shall inform the AMC/MF-RTA accordingly and the data with respect to the said investor shall not be shared by the AMC/MF-RTA with the depository.

1 · 24.12 If there is any transaction in any of the demat accounts of the investor or in any of

61 · Reference: SEBI Circular SEBI/HO/MRD -PoD2/CIR/P/2024/93 dated July 01, 2024

1 · 24.13 Further, the holding statement dispatched by the DPs to their BOs with respect to the dormant demat accounts with balances shall also be dispatched half-yearly .

1 · 24.14 The dispatch of CAS by the depositories to BOs would constitute compliance by the Depository Participants with requirement under Regulation 60 of DP Regulations, to provide statements of account to the BOs as also compliance by the MFs with the requirement under Regulation 36(4) of the Mutual Funds Regulations.

1 · 25 Generation and Dispatch of Consolidated Account Statement 63

1 · 25.1 It is noted that depositories are providing CAS to all investors having a demat account and mutual fund holdings in statement of account (SOA) form only. Further, in scenarios where investor is having mutual fund holdings in demat form or having only demat account with no mutual fund holdings, no consolidation is happening across depositories and depositories are providing separate holding statements for themselves.

1 · 25.2 In this regard, it is felt that extending the requirement of generation and dispatch of CAS to abovementioned scenarios will truly enable a single consolidated view of all the investments of investor in mutual fund and securities held in demat form with the depositories.

1 · 25.3 In view of the above, depositories are advised to coordinate with each other so as to provide for generation and dispatch of CAS for the above mentioned scenarios.

1 · 25.4 Further, all the other provisions and modalities with regards to generation and dispatch of CAS will remain the same as prescribed in Para 1.24 above .

1 · 26 Redressal of investor grievances through SEBI Complaints Redress System (SCORES) platform 64 & Procedure for filing and redressal of investor grievances using SCORES 65

2022 · (Master Circular on the redressal of investor grievances through the SEBI

62 · Reference: SEBI Circular SEBI/HO/MRD -PoD2/CIR/P/2024/93 dated July 01, 2024

63 · Reference: SEBI Letter SEBl/HO/MRD/SEC-2/P/OW/2023/00001730411 dated April 28, 2023

64 · Reference: SEBI Circular CIR/OIAE/1/2014 dated December 18, 2014

65 · Reference: SEBI Circular SEBI/HO/OIAE/IGRD/CIR/P/2018/58 dated March 26, 2018

1 · 27 Framework for the process of accreditation of investors for the purpose of Innovators Growth Platform 66

1 · 28 Common Application Form for Foreign Portfolio Investors 67

66 · Reference: SEBI Circular SEBI/HO/CFD/DIL2/CIR/P/2019/67 dated May 22, 2019

67 · Reference: SEBI Circular IMD/FPI&C/CIR/P/2020/022 dated February 04, 2020

2 · 1 Online Registration Mechanism for Securities Market Intermediaries 68

2 · 2 Supervision of branches of DPs 69

2 · 2.1 To ensure compliance with Regulation 63 of the DP Regulations, and Clause 19 of the Code of Conduct for Participants contained in the Third Schedule to the DP Regulations the DP shall ensure that it has satisfactory internal control procedure in place, inclusive of their branch offices. DPs are therefore required in terms of these provisions to put in place appropriate mechanisms to ensure that their branches are carrying on the operations in compliance with the applicable regulations, bye-laws, etc. DPs are also required to put in place suitable internal control systems to ensure that all branches exercise due diligence in opening accounts, complying with KYC requirements, in ensuring systems safety in complying with client instructions, manner of uploading client instructions, in verifying signatures and maintaining client records, etc. DPs shall also ensure that the branches are suitably integrated.

2 · 2.2 Depositories shall examine the adequacy of the above mechanisms during their inspections of DPs. The Depositories shall also carry out surprise inspections/ checks of the DP branches apart from the regular inspection of the DPs. Depositories shall also put in place appropriate mechanisms for monitoring opening of branches by DPs.

2 · 3 Incentivisation to Depository Participants (DPs) 70

2 · 3.1 In order to compensate the DPs towards the cost of opening and maintaining Basic Services Demat Accounts (BSDA), the depositories shall pay an incentive of Rs. 100/- for every new BSDA opened by their participants in other than the top 15 cities. The name of the top 15 cities is given in following table:

68 · Reference: SEBI Circular SEBI/HO/MIRSD/MIRSD1/CIR/P/2017/38 dated May 02, 2017

69 · Reference: SEBI Circular MIRSD/DPS-III/Cir-9/07 dated July 3, 2007

70 · Reference: SEBI Circular CIR/MRD/DP/18/2015 dated December 09, 2015

2 · 3.2 The incentive shall be provided at the end of the financial year only with respect to the new BSDA opened during the financial year and which displayed at least one credit in the account during the Financial Year.

2 · 3.3 Further to the above, in order to incentivize the DPs to promote holdings in the BSDA, the depositories may pay an amount of Rs. 2 per folio per ISIN to the respective depository participant (DP), in respect of the ISIN positions held in Basic Service Demat Accounts (BSDA). This incentive may be provided with respect to all the BSDA in the depository system.

2 · 3.4 The reimbursement to DPs shall be made on an annual basis at the end of the financial year. The depositories shall set aside 20% of the incremental revenue received from the Issuers to manage the aforementioned incentive schemes. Any surplus after reimbursement of DPs may be utilized by the depositories to incentivize the DPs for promoting financial inclusion, encouraging investors to hold Mutual Fund Units in demat account and familiarizing the investors on the OFS mechanism, etc.

2 · 3.5 The incentive scheme may be reviewed after a period of two years.

2 · 4 Guidelines on Outsourcing of Activities by Intermediaries 71

2 · 4.1 SEBI Regulations for various intermediaries require that they shall render at all times high standards of service and exercise due diligence and ensure proper care in their operations.

2 · 4.2 It has been observed that often the intermediaries resort to outsourcing with a view to reduce costs, and at times, for strategic reasons.

71 · Reference: SEBI Circular CIR/MIRSD/24/2011 dated December 15, 2011 and SEBI Circular SEBI/HO/ MIRSD/POD-1/P/CIR/2024/110 dated August 09,2024

2 · 4.3 Outsourcing may be defined as the use of one or more than one third party – either within or outside the group - by a registered intermediary to perform the activities associated with services which the intermediary offers.

2 · 4.4 Principles for Outsourcing

2 · 4.5 Activities that shall not be Outsourced

2 · 4.6 Other Obligations

2 · 4.7 An intermediary seeking to outsource activities shall have in place a comprehensive policy to guide the assessment of whether and how those activities can be appropriately outsourced. The Board / partners (as the case may be)

2 · 4.7.1 The policy shall cover activities or the nature of activities that can be outsourced, the authorities who can approve outsourcing of such activities, and the selection of third party to whom it can be outsourced. For example, an activity shall not be outsourced if it would impair the supervisory authority's right to assess, or its ability to supervise the business of the intermediary. The policy shall be based on an evaluation of risk concentrations, limits on the acceptable overall level of outsourced activities, risks arising from outsourcing multiple activities to the same entity, etc.

2 · 4.7.2 The Board shall mandate a regular review of outsourcing policy for such activities in the wake of changing business environment. It shall also have overall responsibility for ensuring that all ongoing outsourcing decisions taken by the intermediary and the activities undertaken by the third-party, are in keeping with its outsourcing policy.

2 · 4.8 The intermediary shall establish a comprehensive outsourcing risk management programme to address the outsourced activities and the relationship with the third party.

2 · 4.8.1 An intermediary shall make an assessment of outsourcing risk which depends on several factors, including the scope and materiality of the outsourced activity, etc. The factors that could help in considering materiality in a risk management programme include-

2 · 4.8.1.1 The impact of failure of a third party to adequately perform the activity on the financial, reputational and operational performance of the intermediary and on the investors / clients;

2 · 4.8.1.2 Ability of the intermediary to cope up with the work, in case of nonperformance or failure by a third party by having suitable back-up arrangements;

2 · 4.8.1.3 Regulatory status of the third party, including its fitness and probity status;

2 · 4.8.1.4 Situations involving conflict of interest between the intermediary and the third party and the measures put in place by the intermediary to address such potential conflicts, etc.

2 · 4.8.2 While there shall not be any prohibition on a group entity / associate of the intermediary to act as the third party, systems shall be put in place to have an arm's length distance between the intermediary and the third party in terms of infrastructure, manpower, decision-making, record keeping, etc. for avoidance of potential conflict of interests. Necessary disclosures in this regard shall be made as part of the contractual agreement. It shall be kept in mind that the risk

2 · 4.8.3 The records relating to all activities outsourced shall be preserved centrally so that the same is readily accessible for review by the Board of the intermediary and / or its senior management, as and when needed. Such records shall be regularly updated and may also form part of the corporate governance review by the management of the intermediary.

2 · 4.8.4 Regular reviews by internal or external auditors of the outsourcing policies, risk management system and requirements of the regulator shall be mandated by the Board wherever felt necessary. The intermediary shall review the financial and operational capabilities of the third party in order to assess its ability to continue to meet its outsourcing obligations.

2 · 4.9 The intermediary shall ensure that outsourcing arrangements neither diminish its ability to fulfil its obligations to customers and regulators, nor impede effective supervision by the regulators.

2 · 4.9.1 The intermediary shall be fully liable and accountable for the activities that are being outsourced to the same extent as if the service were provided in-house.

2 · 4.9.2 Outsourcing arrangements shall not affect the rights of an investor or client against the intermediary in any manner. The intermediary shall be liable to the investors for the loss incurred by them due to the failure of the third party and also be responsible for redressal of the grievances received from investors arising out of activities rendered by the third party.

2 · 4.9.3 The facilities / premises / data that are involved in carrying out the outsourced activity by the service provider shall be deemed to be those of the registered intermediary. The intermediary itself and Regulator or the persons authorized by it shall have the right to access the same at any point of time.

2 · 4.9.4 Outsourcing arrangements shall not impair the ability of SEBI/SRO or auditors to exercise its regulatory responsibilities such as supervision/inspection of the intermediary.

2 · 4.10 The intermediary shall conduct appropriate due diligence in selecting the third party and in monitoring of its performance.

2 · 4.10.1 It is important that the intermediary exercises due care, skill, and diligence in the selection of the third party to ensure that the third party has the ability and capacity to undertake the provision of the service effectively.

2 · 4.10.2 The due diligence undertaken by an intermediary shall include assessment of:

2 · 4.10.2.1 third party's resources and capabilities, including financial soundness, to perform the outsourcing work within the timelines fixed;

2 · 4.10.2.2 compatibility of the practices and systems of the third party with the intermediary's requirements and objectives;

2 · 4.10.2.3 market feedback of the prospective third party's business reputation and track record of their services rendered in the past;

2 · 4.10.2.4 level of concentration of the outsourced arrangements with a single third party; and

2 · 4.10.2.5 the environment of the foreign country where the third party is located.

2 · 4.11 Outsourcing relationships shall be governed by written contracts / agreements / terms and conditions (as deemed appropriate) {hereinafter referred to as "contract"} that clearly describe all material aspects of the outsourcing arrangement, including the rights, responsibilities and expectations of the parties to the contract, client confidentiality issues, termination procedures, etc.

2 · 4.11.1 Outsourcing arrangements shall be governed by a clearly defined and legally binding written contract between the intermediary and each of the third parties, the nature and detail of which shall be appropriate to the materiality of the outsourced activity in relation to the ongoing business of the intermediary.

2 · 4.11.2 Care shall be taken to ensure that the outsourcing contract:

2 · 4.11.2.1 clearly defines what activities are going to be outsourced, including appropriate service and performance levels;

2 · 4.11.2.2 provides for mutual rights, obligations and responsibilities of the intermediary and the third party, including indemnity by the parties;

2 · 4.11.2.3 provides for the liability of the third party to the intermediary for unsatisfactory performance/other breach of the contract

2 · 4.11.2.4 provides for the continuous monitoring and assessment by the intermediary of the third party so that any necessary corrective measures can be taken up immediately, i.e., the contract shall enable the intermediary to retain an appropriate level of control over the outsourcing and the right to intervene with appropriate measures to meet legal and regulatory obligations;

2 · 4.11.2.5 includes, where necessary, conditions of sub-contracting by the thirdparty, i.e. the contract shall enable intermediary to maintain a similar control over the risks when a third party outsources to further third parties as in the original direct outsourcing;

2 · 4.11.2.6 has unambiguous confidentiality clauses to ensure protection of proprietary and customer data during the tenure of the contract and also after the expiry of the contract;

2 · 4.11.2.7 specifies the responsibilities of the third party with respect to the IT security and contingency plans, insurance cover, business continuity and disaster recovery plans, force majeure clause, etc.;

2 · 4.11.2.8 provides for preservation of the documents and data by third party ;

2 · 4.11.2.9 provides for the mechanisms to resolve disputes arising from implementation of the outsourcing contract;

2 · 4.11.2.10 provides for termination of the contract, termination rights, transfer of information and exit strategies;

2 · 4.11.2.11 addresses additional issues arising from country risks and potential obstacles in exercising oversight and management of the arrangements when intermediary outsources its activities to foreign third party. For example, the contract shall include choice-of-law provisions and agreement covenants and jurisdictional covenants that provide for adjudication of disputes between the parties under the laws of a specific jurisdiction;

2 · 4.11.2.12 neither prevents nor impedes the intermediary from meeting its respective regulatory obligations, nor the regulator from exercising its regulatory powers; and

2 · 4.11.2.13 provides for the intermediary and /or the regulator or the persons authorized by it to have the ability to inspect, access all books, records and information relevant to the outsourced activity with the third party.

2 · 4.12 The intermediary and its third parties shall establish and maintain contingency plans, including a plan for disaster recovery and periodic testing of backup facilities.

2 · 4.12.1 Specific contingency plans shall be separately developed for each outsourcing arrangement, as is done in individual business lines.

2 · 4.12.2 An intermediary shall take appropriate steps to assess and address the potential consequence of a business disruption or other problems at the third party level. Notably, it shall consider contingency plans at the third party; co-ordination of contingency plans at both the intermediary and the third party; and contingency plans of the intermediary in the event of non-performance by the third party.

2 · 4.12.3 To ensure business continuity, robust information technology security is a necessity. A breakdown in the IT capacity may impair the ability of the intermediary to fulfil its obligations to other market participants/clients/regulators and could undermine the privacy interests of its customers, harm the intermediary's reputation, and may ultimately impact on its overall operational risk profile. Intermediaries shall, therefore, seek to ensure that third party maintains appropriate IT security and robust disaster recovery capabilities.

2 · 4.12.4 Periodic tests of the critical security procedures and systems and review of the backup facilities shall be undertaken by the intermediary to confirm the adequacy of the third party's systems.

2 · 4.13 The intermediary shall take appropriate steps to require that third parties protect confidential information of both the intermediary and its customers from intentional or inadvertent disclosure to unauthorised persons.

2 · 4.13.1 An intermediary that engages in outsourcing is expected to take appropriate steps to protect its proprietary and confidential customer information and ensure that it is not misused or misappropriated.

2 · 4.13.2 The intermediary shall prevail upon the third party to ensure that the employees of the third party have limited access to the data handled and only on a "need to know" basis and the third party shall have adequate checks and balances to ensure the same.

2 · 4.13.3 In cases where the third party is providing similar services to multiple entities, the intermediary shall ensure that adequate care is taken by the third party to build safeguards for data security and confidentiality.

2 · 4.14 Potential risks posed where the outsourced activities of multiple intermediaries are concentrated with a limited number of third parties.

2 · 4.14.1 In instances, where the third party acts as an outsourcing agent for multiple intermediaries, it is the duty of the third party and the intermediary to ensure that strong safeguards are put in place so that there is no co-mingling of information /documents, records and assets.

2 · 5 Implementation of the Multilateral Competent Authority Agreement and Foreign Account Tax Compliance Act 72&73

2 · 6 Interest and Dividend information reporting in case of Custodial Accounts Rule 114G(1)(e) of the Income Tax Rules, 1962 74

2 · 6.1 In terms of Rule 114G(1)(e)(i) of Income Tax Rules, 1962 issued under Section 285BA of Income Tax Act, 1961 following information is required to be reported by reporting financial institution in the case of reportable custodial account: -

72 · Reference: SEBI Circular CIR/MIRSD/2/2015 dated August 26, 2015

73 · Reference: SEBI Circular SEBI/HO/ MIRSD/POD-1/P/CIR/2024/110 dated August 09,2024

74 · Reference: SEBI Circular CIR/HO/MIRSD/MIRSD2/CIR/P/2017/59 dated June 15, 2017

2 · 6.2 In respect of the above it has been decided in consultation with Central Board of Direct Taxes, Department of Revenue, Ministry of Finance that:-

2 · 6.2.1 Depositories shall provide additional field in the depository system to the RTAs whereby the RTAs can incorporate the details of corporate action viz. dividend/interest in rupee terms per unit of the security at the time of setting up of corporate action. Depositories shall make available such information to DPs to enable them to do necessary reporting .

2 · 6.2.2 The reporting with respect to dividend/interest is to be done by DPs on 'entitlement' basis and not on the basis of actual payment received by the demat account holder.

2 · 6.2.3 If a demat account is identified as a 'reportable account' during a calendar year by the DP, the reporting under Rule 114G (1) (e) is to be done for the dividend /interest entitlements during the entire calendar year i.e. including the period of the calendar year before identification of such account as a 'reportable account' by the DP.

2 · 7 Printing of Grievances Redressal Mechanism on Delivery Instruction Form Book 75

75 · Reference: SEBI Circular CIR/MRD/DP/DA/25/2012 dated September 21, 2012

2 · 8 Central KYC Records Registry (CKYCR) 76

2 · 9 Rollout of Legal Entity Template 76

2 · 10 e -KYC Authentication facility under section 11A of the Prevention of Money Laundering Act, 2002 by Entities in the securities market for Resident Investors77 and Entities permitted to undertake e-KYC Aadhaar Authentication service of UIDAI in Securities Market78

2 · 11 The Securities and Exchange Board of India (KYC Registration Agency) Regulations, 201179

76 · Reference: SEBI Circular CIR/MIRSD/ 66/2016 dated July 21, 2016;Central KYC Registry Circular CKYC/2020/01 dated January 10, 2020 and SEBI/HO/MIRSD/SECFATF/P/CIR/2023/169 October 12, 2023

76 · Reference: SEBI Circular SEBI/HO/MIRSD/DOP/CIR/P/2021/31 dated March 10, 2021 and SEBI/HO/MIRSD/SECFATF/P/CIR/2023/169 October 12, 2023

77 · Reference: SEBI Circular SEBI/HO/MIRSD/DOP/CIR/P/2019/123 dated November 05, 2019 78 Reference: SEBI Circular SEBI/HO/MIRSD/DOP/CIR/P/2020/80 dated May 12, 2020; SEBI Circular SEBI/HO/MIRSD/DOP/CIR/P/2020/167 dated September 08, 2020; SEBI Circular SEBI/HO/MIRSD/SEC-5/P/CIR/2022/99 dated July 20, 2022; SEBI Circular SEBI/HO/MIRSD/SEC-5/P/CIR/2023/0026 dated February 08, 2023

79 · Reference: SEBI Circular MIRSD/Cir-23/2011 dated December 02, 2011

2 · 12 Guidelines in pursuance of the SEBI KYC Registration Agency (KRA) Regulations, 2011 and for In-Person Verification (IPV) 80

2 · 12.1 Guidelines for Intermediaries:

2 · 12.1.1 Please refer SEBI Master Circular on Know Your client norms for Securities Market i.e. SEBI/HO/MIRSD/SECFATF/P/CIR/2023/169 dated October 12, 2023 . 81

2 · 12.2 Guidelines for KRAs:

2 · 12.2.1 Please refer SEBI Master Circular on Know Your client norms for Securities Market i.e. SEBI/HO/MIRSD/SECFATF/P/CIR/2023/169 dated October 12, 2023 .

2 · 12.3 In -Person Verification (IPV): 82

2 · 13 Clarification on Know Your Client (KYC) Process and Use of Technology for KYC 83

80 · Reference: SEBI Circular MIRSD/Cir- 26 /2011 dated December 23, 2011

81 · Reference: KYC Registration Agency (Amendment) Regulations, 2013 vide Notification No. LAD -NRO/GN/2012-13/35/6998 dated March 22, 2013

82 · Reference: SEBI Circular SEBI/HO/MIRSD/DOP/CIR/P/2020/73 dated April 24, 2020

83 · Reference: SEBI Circular SEBI/HO/MIRSD/DOP/CIR/P/2020/73 dated April 24, 2020

2 · 14 Simplification and Rationalization of Trading Account Opening Process 84

2 · 15 Recording of Non Disposal Undertaking (NDU) in the Depository System 85

2 · 15.1 Depositories shall develop a separate module/ transaction type in their system for recording NDUs.

2 · 15.2 Both parties to the NDU shall have a demat account with the same depository and be KYC compliant.

2 · 15.3 Pursuant to entering the NDU, the Beneficial Owner (BO) along with the other party shall make an application through the participant (where the BO holds his securities) to the depository, for the purpose of recording the NDU transaction.

2 · 15.4 The application shall necessarily include details of BO ID, PAN, email-id, signature(s), name of the entity in whose favor such NDU is entered and the quantity of securities. Such entity in whose favor NDU is entered shall also authorize the participant of the BO holding the shares, to access the signatures as recorded in that entity's demat account.

2 · 15.5 The participant after being satisfied that the securities are available for NDU shall record the NDU and freeze for debit the requisite quantity of securities under NDU in the depository system.

84 · Reference: SEBI Circular CIR/MIRSD/16/2011 dated August 22, 2011

85 · Reference: SEBI Circular CIR/MRD/DP/56/2017 dated June14, 2017

2 · 15.6 The depositories shall make suitable provisions for capturing the details of BO ID and PAN of the entity in whose favor such NDU is entered by the participant. The depositories shall also make available to the said participant, the details of authorized signatories as recorded in the demat account of the entity in whose favor such NDU is entered.

2 · 15.7 On creation of freeze in the depository system, the depository/ participant of the BO holding shares, shall inform both parties of the NDU regarding creation of freeze under NDU.

2 · 15.8 The depositories shall make suitable provisions for capturing the details of company/ promoters if they are part of the NDU.

2 · 15.9 In case if the participant does not create the NDU, it shall intimate the same to the parties of the NDU along with the reasons thereof .

2 · 15.10 Once the freeze for debits is created under the NDU for a particular quantity of shares, the depository shall not facilitate or effect any transfer, pledge, hypothecation, lending, rematerialisation or in any manner alienate or otherwise allow dealing in the shares held under NDU till receipt of instructions from both parties for the cancellation of NDU.

2 · 15.11 The entry of NDU made as per Para 2.15 . 5 above may be cancelled by the depository/participant of the BO through unfreeze of specified quantity if parties to the NDU jointly make such application to the depository through the participant of the BO.

2 · 15.12 On unfreeze of shares upon termination/cancellation of NDU, the depository shall inform both parties of the NDU in the form and manner agreed upon at the time of creating the freeze. The unfreeze shall be effected in the depository system after a cooling period of 2 clear business days but no later than 4 clear business days.

2 · 15.13 The freeze and unfreeze instructions executed by the Participant for recording NDUs will be subject to 100% concurrent audit.

2 · 15.14 The DPs shall not facilitate or be a party to any NDU outside the depository system as outlined herein.

2 · 16 Recording of all types of Encumbrances in Depository system 86

2 · 16.1 The SAST Regulations requires promoters of a company to disclose details of their encumbered shares. Apart from pledge, hypothecation and non-disposal undertakings(NDUs), there is no framework to capture the details of other types of encumbrances in the depository system.

2 · 16.2 In this regard, Depositories shall put in place a system for capturing and recording all types of encumbrances, which are specified under Regulation 28(3) of the SAST

86 · Reference: SEBI Circular SEBI/HO/MRD2/DDAP/CIR/P/2020/137 dated July 24, 2020

2 · 16.2.1 All types of encumbrances as defined under Regulation 28(3) of SAST Regulations shall necessarily be recorded in the depository system . 87

2 · 16.2.2 The depositories shall capture details of the ultimate lender along with name of the trustee acting on behalf of such ultimate lender such as banks, NBFCs, etc. In case of issuance of debentures, name of the debenture issuer shall be captured in the depository system.

2 · 16.2.3 The depositories shall now capture the reasons for encumbrances in the depository system.

2 · 16.3 The freeze and unfreeze instructions executed by the Participant for recording all encumbrances will be subject to 100% concurrent audit.

2 · 16.4 The Depository Participant shall not facilitate or be party to any type of encumbrance outside the Depository system as outlined herein.

2 · 17 Cyber Security & Cyber Resilience framework for Depository Participant 88 1/ITD_CSC_EXT/P/CIR/2024/113 dated August 20, 2024 on Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs) for necessary

2 · 18 Standard Operating Procedure (SOP) for handling cyber security incidents of intermediaries and Categorisation of Intermediaries 89

2 · 18.1 DPs to have their own cyber security incident handling process document, SOP in place.

87 · Reference: SEBI Circular SEBI/HO/CFD/DCR-3/P/CIR/2022/27 dated March 07, 2022

88 · Reference: SEBI Circular SEBI/HO/MIRSD/CIR/PB/2018/147 dated December 03, 2018 & SEBI Circular SEBI/HO/MIRSD/TPD/P/CIR/2022/80 dated June 07, 2022

2 · 18.2 DPs to examine the incident and classify the incident High / Medium / Low as per their cyber security incident handling document. Decide Action / Response for the incident based on severity.

2 · 18.3 Report incident to Indian Computer Emergency Response Team (CERTIn).

2 · 18.4 DPs to provide the reference details of the reported incident to the respective depository and SEBI. They also need to provide details regarding whether CERT-In team is in touch with the DP for any assistance. If not reported to CERT-In, they should submit the reasons for the same to the depository and SEBI. DPs to communicate with CERT-In / MHA / Cybercrime police for further assistance.

2 · 18.5 DPs to submit details whether they have registered complaint with law enforcement agencies such as Police or cyber security cell. If yes, details need to be provided to MIIs and SEBI. If not, reason for not registering complaint should also be provided to MIIs and SEBI.

2 · 19 CERTTIn Advisory "Preventing Data Breaches / Data Leaks" 90

2 · 19.1 Common causes of data breach / data leak,

2 · 19.2 Best practices to prevent data breaches,

2 · 19.3 Steps to be taken when organisation/entity is affected by a data breach/data leak,

2 · 19.4 Best practices for individual users to safeguard against data breaches All Depositories are hereby advised to issue this advisory to their participants to prevent data breaches / data leaks in future.

2 · 20 Reporting for Artificial Intelligence (AI) and Machine Learning (ML) applications and systems offered and used by market intermediaries 91

2 · 20.1 There is increasing usage of AI (Artificial Intelligence) and ML (Machine Learning) as product offerings by market intermediaries and participants

90 · Reference: SEBI MIRSD email dated March 02, 2022

91 · Reference: SEBI Circular SEBI/HO/MIRSD/DOS2/CIR/P/2019/10 dated January 04, 2019

2 · 20.2 As most AI / ML systems are black boxes and their behaviour cannot be easily quantified, it is imperative to ensure that any advertised financial benefit owing to these technologies in investor facing financial products offered by intermediaries should not constitute to misrepresentation .

2 · 20.3 Any set of applications/software/programs/executable/systems (computer systems) –cumulatively called application and systems,

2 · 20.3.1 that are offered to investors (individuals and institutions) by market intermediaries to facilitate investing and trading,

2 · 20.3.2 to disseminate investments strategies and advice,

2 · 20.3.3 to carry out compliance operations / activities, where AI / ML is portrayed as a part of the public product offering or under usage for compliance or management purposes, is included in the scope of this section. Here, "AI" / "ML" refers to the terms "Artificial Intelligence" and" Machine Learning" used as a part of the product offerings. In order to make the scope of this section inclusive of various AI and ML technologies in use, the scope also covers Fin-Tech and Reg-Tech initiatives undertaken by market participants that involves AI and ML

2 · 20.4 Technologies that are considered to be categorized as AI and ML technologies in the scope of this section, are explained below:

2 · 20.4.1 Natural Language Processing (NLP), sentiment analysis or text mining systems that gather intelligence from unstructured data –In this case, Voice to text, text to intelligence systems in any natural language will be considered in scope. Eg: robo chat bots, big data intelligence gathering systems.

2 · 20.4.2 Neural Networks or a modified form of it – In this case, any systems that uses a number of nodes (physical or software simulated nodes) mimicking natural neural networks of any scale, so as to carry out

2 · 20.4.3 Machine learning through supervised, unsupervised learning or a combination of both. In this case, any application or systems that carry out knowledge representation to form a knowledge base of domain, by learning and creating its outputs with real world input data and deciding future outputs based upon the knowledge base. Eg: System based on Decision tree, random forest, K mean, Markov decision process, Gradient boosting Algorithms.

2 · 20.4.4 A system that uses statistical heuristics method instead of procedural algorithms or the system/application applies clustering or categorization algorithms to categorize data without a predefined set of categories

2 · 20.4.5 A system that uses a feedback mechanism to improve its parameters and bases it subsequent execution steps on these parameters.

2 · 20.4.6 A system that does knowledge representation and maintains a knowledge base

2 · 20.5 All registered Depository Participants offering or using applications or systems as defined in Para 2.20.4 , should participate in the reporting process by completing the AI/ML reporting form (See Annexure 15).

2 · 20.6 With effect from quarter ending March 2019, registered Depository Participants using AI/ML based application or system as defined in Para 2.20.4, are required to fill in the form (Annexure 15) and make submissions on yearly basis before June 30th ever year .

2 · 20.7 Depositories have to consolidate and compile a report, on AI/ML applications and systems reported by registered Depository Participants in the reporting format (Annexure 16) on yearly basis. The said report (Annexure 16) shall be submitted in soft copy only at AI_DEP@sebi.gov.in (for Depositories) to SEBI within 30 calendar days of the expiry of the due date for Depository Participants. .

2 · 21 Flashing a link to SCORES on the dashboard of Demat Accounts 92

2 · 21.1 A study was conducted under aegis of Quality Council of India (QCI) to understand some of the root causes of grievances / complaints on securities market related issues lodged on Centralised Public Grievance Redressal and Monitoring System (CPGRAMS) portal and the measures suggested to address the issues included providing a link to SCORES portal within Demat/Trading Account Dashboard of the Clients/ investors to make it easier to lodge grievances.

92 · Reference: SEBI Letter MIRSD2/DB/AEA/OW/2018/7292 dated March 07, 2018

2 · 21.2 The suggestion has been examined and it has been decided to implement the same. Accordingly, depositories are advised to issue necessary directions to depository participants to ensure that the Demat Account Dashboard of clients/investors provides a link to SCORES portal.

2 · 22 Displaying of information regarding SEBI Complaint Redress System (SCORES) in the website93

2 · 22.1 SEBI has commenced processing of complaints through SCORES since June, 2011.

2 · 22.2 With a view to make the complaint redressal mechanism through SCORES more efficient, all Depository Participants are directed to display the following information on their websites:

2 · 22.3 Further, all the Depository Participants to include procedure for filing of complaints on SCORES and benefits for the same in the welcome kit to be given to the investors at the time of their registration with them.

2 · 22.4 The Depositories are advised to bring the contents to the notice of Depository Participants for necessary action.

2 · 23 Block Mechanism in demat account of clients undertaking sale transactions 94

2 · 24 Validation of Instructions for Pay-In of Securities from Client demat account to Trading Member (TM) Pool Account against obligations received from the Clearing Corporations 95

93 · Reference: SEBI Letter SEBI/MIRSD/16742/2019 dated July 03, 2019

94 · Reference: SEBI Circular SEBI/HO/MIRSD/DOP/P/CIR/2021/595 dated July 16, 2021, SEBI Circular SEBI/HO/MIRSD/DoP/P/CIR/2022/109 dated August 18, 2022 & SEBI Circular SEBI/HO/MIRSD/DoP/P/CIR/2022/143 dated October 27, 2022

95 · Reference: SEBI Circular SEBI/HO/MIRSD/DoP/P/CIR/2022/119 dated September 19, 2022

2 · 25 MONITORING AND PERIODICAL REPORTING OF THE COMPLIANCE WITH THE REQUIREMENTS PERTAINING TO 'SECURITY AND COVENANT MONITORING ' SYSTEM HOSTED BY DEPOSITORIES96

2 · 25.1 Depositories shall ensure periodic monitoring regarding compliance with the requirements of various provisions pertaining to 'Security & Covenant Monitoring System' issued by SEBI from time to time, including circular https://www.sebi.gov.in/legal/master-circulars/may-2024/mastercircular -for -debenture -trustees -dts -_83419.html dated May 16, 2024, and shall also bring to the notice of SEBI, any instances of noncompliance, on a quarterly basis, not later than one month from the end of the quarter, in the format specified as under:

2 · 26 MAINTENANCE of a website by depository participants 97

2 · 26.1 Considering the advancement in technology and need to provide better services to the investors, all DPs are mandated to maintain a designated website.

2 · 26.2 Such website shall mandatorily display the following information, in addition to all such information, which have been mandated by SEBI/depositories from time to time.

2 · 26.2.1 Basic details of the DP such as registration number, registered address of Head Office and branches, if any.

2 · 26.2.2 Names and contact details such as email ids etc. of all key managerial personnel (KMPs) including compliance officer.

96 · Reference: SEBI Circular SEBI/HO/DDHS/RACPOD1/CIR/P/2023/0002 dated January 05, 2023

97 · Reference: SEBI Circular SEBI/HO/MIRSD/MIRSD-PoD-1/P/CIR/2023/30 dated February 15, 2023

2 · 26.2.3 Step-by-step procedures for opening an account, filing a complaint on a designated email id, and finding out the status of the complaint, etc.

2 · 26.2.4 Details of Authorized Persons.

2 · 26.3 Any modification in the URL to the website of a DP shall be reported to the depositories within 3 days of such change .

2 · 27 Advisory for SEBI Regulated Entities (REs) regarding Cybersecurity best practices 98 Kindly refer SEBI Circular Number SEBI/HO/ITD1/ITD_CSC_EXT/P/CIR/2024/113 dated August 20, 2024 on Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs) for necessary compliance in respect of Depository Participants. Kindly refer https://www.sebi.gov.in/legal/circulars/aug-2024/cybersecurity-and-cyberresilience -framework -cscrf -for -sebi -regulated-entities-res-_85964.html dated August 20, 2024.

2 · 28 Combating Financing Of Terrorism (CFT) under Unlawful Activities (Prevention) Act, 1967 – Directions to Stock Exchanges, Depositories and all Registered Intermediaries Kindly refer SEBI Circular SEBI/HO/MIRSD/MIRSD-SEC-5/P/CIR/2023/022 dated February 03, 2023 (Guidelines on Anti-Money Laundering (AML) Standards and Combating the Financing g of f Terrorism m (CFT) /Obligations of f Securities Market Intermediaries under the Prevention of Money Laundering Act, 2002 and Rules framed thereunder)

2 · 29 Framework for Adoption of Cloud Services by SEBI Regulated Entities (REs) 99 Kindly refer SEBI Circular SEBI/HO/ITD/ITD_VAPT/P/CIR/2023/033 dated March 06, 2023 on Adoption Of Cloud Services by SEBI Regulated Entities for necessary compliance in respect of Depository Participants .

2 · 30 Cyber Security Operations Center for SEBI registered intermediaries 100 Kindly refer SEBI Circular Number SEBI/HO/ITD1/ITD_CSC_EXT/P/CIR/2024/113 dated August 20, 2024 on Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs) for necessary compliance in respect of Depository Participants. Kindly refer https://www.sebi.gov.in/legal/circulars/aug-2024/cybersecurity-and-cyberresilience -framework -cscrf -for -sebi -regulated-entities-res-_85964.html dated August 20, 2024.

98 · Reference: SEBI Circular SEBI/HO/ITD/ITD_VAPT/P/CIR/2023/032 dated February 22, 2023

99 · Reference: SEBI Circular SEBI/HO/ITD/ITD_VAPT/P/CIR/2023/033 dated March 06, 2023

100 · Reference: SEBI Circular CIR/MRD/CSC/151/2018 dated December 14, 2018

3 · 1 Charges to be paid by Issuers 101

3 · 1.1 Depositories may levy and collect the charges towards custody from the issuers, on the basis of average no. of folios (ISIN position) during the previous financial year, as per the details given below:

3 · 1.1.1 Issuers to pay @ Rs.11.00 (*) per folio (ISIN position) in the respective depositories, subject to a minimum as mentioned below:

3 · 1.2 The average no. of folios (ISIN positions) for an Issuer may be arrived at by dividing the total number of folios for the entire financial year by the total number of working days in the said financial year.

3 · 1.3 Temporary ISIN shall not be considered for the purpose of computing the annual issuer charges.

3 · 2 Activation of ISIN in case of IPO and additional issue of shares/ securities

3 · 2.1 Depositories shall activate the ISINs only on the date of commencement of trading on the stock exchanges in case of IPOs for both the equity and debt securities. 102

3 · 2.2 Further, in order to curtail the transfer of additional issue of shares/ securities including by way of further public offerings, rights issue, preferential allotment, bonus issue etc of the listed company, prior to receipt of final listing / trading

101 · Reference: SEBI Circular SEBI/MRD/SE/DEP/Cir-4/2005 dated January 28, 2005, SEBI Circular MRD/DoP/SE/Dep/Cir-2/2009 dated February 10, 2009, SEBI Circular CIR/MRD/ DP/05/2011 dated April 27, 2011 and SEBI Circular CIR/MRD/DP/18/2015 dated December 09, 2015

102 · Reference: SEBI Circular SEBI/MRD/DEP/Cir-2/06 dated January 19, 2006 and SEBI Circular CIR/MRD/DP/ 21 /2012 dated August 02, 2012 and DDHS email dated February 20, 2020

3 · 2.3 In order to achieve the above, the Depositories are advised to allot such additional shares/securities under a new temporary ISIN which shall be kept frozen. Upon receipt of the final listing/ trading permission from the exchange for such additional shares/ securities, the shares/securities credited in the new temporary ISIN shall be debited and the same would get credited in the pre existing ISIN for the said security. Thereafter, the additional securities shall be available for trading.

3 · 2.4 The stock exchanges are advised to provide the details to the depositories whenever final listing / trading permission is given to securities. Further, in case of issuance of equity shares by a company, listed on multiple stock exchanges, the concerned stock exchanges shall synchronize their effective dates of listing / trading approvals and intimate the same to depositories in advance.

3 · 2.5 In similar lines, depositories are advised to follow similar process as provided above even in case of units of REITs/InvITs as securities of a listed company.

3 · 3 Streamlining the Process of Rights Issue 104

3 · 4 Registrar and Share Transfer Agent

3 · 4.1 Appointment of a single agency for share registry work 105

3 · 4.2 Inter -Depository transfers 106

103 · Reference: SEBI Circular CIR/MRD/DP/24/2012 dated September 11, 2012

104 · Reference: SEBI Circular SEBI/HO/CFD/DIL2/CIR/P/2020/13 dated January 22, 2020

105 · Reference: SEBI Circular D&CC/FITTC/Cir-15/2002 dated December 27, 2002

106 · Reference: SEBI Circular SMDRP/Policy/Cir-28/99 dated August 23, 1999

3 · 4.3 Common Registrars and Share Transfer agents 107

3 · 4.4 Dematerialisation requests 108

3 · 4.4.1 Registrars and Share Transfer agents shall accept partial dematerialisation requests and will not reject or return the entire dematerialization request where only a part of the request had to be rejected. In cases where a DP has already sent information about dematerialisation electronically to a Registrar but physical shares have not yet been delivered, the Registrar shall accept the demat request and carry out dematerialization on an indemnity given by the DP and proof of dispatch of document given by DP.

3 · 4.4.2 The above provision shall be applicable to all the securities like scrips, bonds, debentures, debenture stock or other marketable securities eligible to be held in dematerialised form in a depository as defined in Regulation 42 of the DP Regulations .

3 · 5 American Depository Receipts (ADRs)/Global Depository Receipts (GDRs)

3 · 5.1 Delivery of underlying shares of GDRs/ADRs in dematerialised form109

3 · 5.2 Tracking of underlying shares of GDRs/ADRs 110

107 · Reference: SEBI Circular SMDRP/Policy/Cir-28/99 dated August 23, 1999

108 · Reference: SEBI Letter D&CC/ 1099 / 2002 dated November 01, 2002

109 · Reference: SEBI Circular SMDRP/Policy/Cir-9/99 dated May 6, 1999

110 · Reference: SEBI Circular D&CC/FITTC/Cir-09/2002 dated July 4, 2002 and SEBI Circular D&CC/FITTC/Cir-10/2002 dated September 25, 2002

3 · 6 Framework for issue of Depository Receipts (DRs) 111

3 · 6.1 Reference is drawn to Section 41 of the Companies Act, 2013, Companies (Issue of Global Depository Receipts) Rules, 2014 ('GDR Rules'), the Depository Receipts Scheme, 2014 ('DR Scheme'), Reserve Bank of India ('RBI') notification dated December 15, 2014, Central Government notification dated September 18, 2019 and Central Government notification dated October 07, 2019.

3 · 6.2 Only 'a company incorporated in India and listed on a Recognized Stock Exchange in India' ('Listed Company') may issue Permissible Securities or their holders may transfer Permissible Securities, for the purpose of issue of DR, subject to compliance with the following requirements:

3 · 6.2.1 Listed Company is in compliance with the requirements prescribed under LODR Regulations and any amendments thereof.

3 · 6.2.2 Listed company shall be eligible to issue Permissible Securities, for the purpose of issue of DRs, if:

3 · 6.2.2.1 the Listed Company, any of its promoters, promoter group or directors or selling shareholders are not debarred from accessing the capital market by SEBI;

3 · 6.2.2.2 any of the promoters or directors of the Listed Company is a promoter or director of any other company which is not debarred from accessing the capital market by SEBI;

3 · 6.2.2.3 the listed company or any of its promoters or directors is not a wilful defaulter;

3 · 6.2.2.4 any of its promoters or directors is not a fugitive economic offender.

3 · 6.2.3 Existing holders shall be eligible to transfer Permissible Securities, for the purpose of issue of DRs, if:

3 · 6.2.3.1 the Listed Company or the holder transferring Permissible Securities are not debarred from accessing the capital market by SEBI;

3 · 6.2.3.2 the Listed Company or the holder transferring Permissible Securities is not a wilful defaulter;

3 · 6.2.3.3 the holder transferring Permissible Securities or any of the promoters or directors of the Listed Company are not a fugitive economic offender.

111 · Reference: SEBI Circular SEBI/HO/MRD/DOP1/CIR/P/2019/106 dated October 10, 2019, and SEBI Circular SEBI/HO/MRD/DCAP/CIR/P/2020/190 dated October 01, 2020

3 · 6.2.4 For the purpose of an initial issue and listing of DRs, pursuant to 'transfer by existing holders', the Listed Company shall provide an opportunity to its equity shareholders to tender their shares for participation in such listing of DRs.

3 · 6.2.5 Subsequent issue and listing of DRs, pursuant to 'transfer by existing shareholders' may take place subject to the limits approved pursuant to a special resolution in terms of GDR Rules.

3 · 6.2.6 A company proposing to make a public offer and list on a Recognized Stock Exchange, and also simultaneously proposing to issue Permissible Securities or transfer Permissible Securities of existing holders, for the purpose of issue of DRs and listing such DRs on an International Exchange, may seek in-principle and final approval from Recognized Stock Exchange as well as International Exchange. However, such issue or transfer of Permissible Securities for the purpose of issue of DRs shall be subsequent to, the receipt of trading approval from the Recognized Stock Exchange for the public offer.

3 · 6.2.7 Listed Company shall be permitted to issue Permissible Securities or transfer Permissible Securities of existing holders, for the purpose of issue of DRs, only in Permissible Jurisdictions and said DRs shall be listed on any of the specified International Exchange(s) of the Permissible Jurisdiction.

3 · 6.2.8 Listing of DRs on specified International Exchange shall meet the highest applicable level / standards for such listing by foreign issuers.

112 · Reference: SEBI Circular SEBI/HO/MRD2/DCAP/CIR/P/2019/146 dated November 28, 2019

3 · 6.2.9 Listed Company shall ensure compliance with extant laws relating to issuance of DRs, including, requirements prescribed here, the Companies Act, 2013, the Foreign Exchange Management Act, 1999 ('FEMA'), Prevention of MoneyLaundering Act, 2002, and rules and regulations made thereunder. For this purpose, Listed Company may also enter into necessary arrangements with Custodian, Indian Depository and Foreign Depository.

3 · 6.2.10 Listed Company shall ensure that DRs are issued only with Permissible Securities as the underlying.

3 · 6.2.11 Listed Company shall ensure that the aggregate of Permissible Securities which may be issued or transferred for the purpose of issue of DRs, along with Permissible Securities already held by persons resident outside India, shall not exceed the limit on foreign holding of such Permissible Securities under the applicable regulations of FEMA:

3 · 6.2.12 Listed Company shall ensure that the agreement entered with the Foreign Depository, for the purpose of issue of DRs, provides that the Permissible holder, including its Beneficial Owner(s), shall ensure compliance with holding limits prescribed under Para 3.6.2.19

3 · 6.2.13 Listed Company shall, through an intermediary, file with SEBI and the Recognized Stock Exchange(s), a copy of the initial document, by whatever name called, for initial issue of DRs issued on the back of Permissible Securities.

3 · 6.2.13.1 SEBI shall endeavor to forward its comments, if any, to the Recognized Stock Exchange(s) within a period of 7 working days from the receipt of the

113 · Reference: SEBI Circular SEBI/HO/MRD2/DCAP/CIR/P/2020/243 dated December 18, 2020

3 · 6.2.13.2 Recognized Stock Exchange(s) shall take into consideration the comments of SEBI while granting in-principle approval to the Listed Company and decide on the approval within 15 working days of receipt of application and required documents.

3 · 6.2.14 Listed Company shall ensure that any public disclosures made by the Listed Company on International Exchange(s) in compliance with the requirements of the Permissible Jurisdiction where the DRs are listed or of the International Exchange(s), are also filed with the Recognized Stock Exchange as soon as reasonably possible but not later than twenty-four hours from the date of filing.

3 · 6.2.15 Permissible holder means a holder of DR, including its Beneficial Owner(s), satisfying the following conditions:

114 · Reference: SEBI Circular SEBI/HO/MRD2/DCAP/CIR/P/2020/243 dated December 18, 2020

3 · 6.2.16 Listed Company shall ensure that the agreement entered between the holder of DRs, the Listed Company and the Depository provides that the voting rights on Permissible Securities, if any, shall be exercised by the DR holder through the Foreign Depository pursuant to voting instruction only from such DR holder.

3 · 6.2.17 In case of a simultaneous listing of, Permissible Securities on Recognised Stock Exchange(s) pursuant to a public offer / preferential allotment / qualified institutions placement under ICDR Regulations, and DRs on the International Exchange, the price of issue or transfer of Permissible Securities, for the purpose of issue of DRs by Foreign Depository, shall not be less than the price for the public offer / preferential allotment / qualified institutions placement to domestic investors under the applicable laws.

3 · 6.2.18 Where Permissible Securities are issued by a Listed Company or 'transferred by the existing holders', for the purpose of issue of DRs by the Foreign Depository, the same shall be issued at a price, not less than the price applicable to a corresponding mode of issue of such Permissible Securities to domestic investors under the applicable laws.

3 · 6.2.19 Indian Depositories, in consultation with each other, shall develop a system to ensure that aggregate holding of DR holders along with their holding, if any, through offshore derivative instruments and holding as a Foreign Portfolio Investor belonging to same investor group shall not exceed the limit on foreign holding under the FEMA and applicable SEBI Regulations. For this purpose, Indian Depositories shall have necessary arrangement with the Domestic Custodian and / or Foreign Depository.

3 · 6.2.19.1 Listed Company shall appoint one of the Indian Depository as the Designated Depository for the purpose of monitoring of limits in respect of Depository Receipts.

3 · 6.2.19.2 The Designated Depository in co-ordination with Domestic Custodian, other Depository and Foreign Depository (if required) shall compute, mon itor and disseminate the Depository Receipts (DRs) information as prescribed in the framework. The said information shall be disseminated on website of both the Indian Depositories. For this purpose, the Designated Depository shall act as a Lead Depository and the other depository shall act as a Feed Depository .

3 · 6.2.19.3 Domestic Custodian shall:

3 · 6.2.19.3.1 Provide one -time details of DRs in the format and manner as may be prescribed by the Indian Depositories.

3 · 6.2.19.3.2 Provide the requisite information as may be prescribed by Designated Depository for the purpose of computation of information in respect of Depository Receipts as and when requested.

3 · 6.2.19.3.3 Ensure that the underlying permissible securities, pertaining to a listed company, against which DRs are issued in the Permissible Jurisdiction, are held in a demat account, under a separate Type & Sub -Type as prescribed by the Indian Depositories for the purpose of issue of DRs.

3 · 6.2.19.3.4 Provide certificate / declaration / information, to the Designated Depository in the prescribed format upon termination/cancellation of DR program. For this, the issuer or Foreign Depository shall be required to report such termination / cancellation to the Domestic Custodian .

3 · 6.2.19.4 Procedure for the purpose of monitoring of limits

3 · 6.2.19.4.1 The Designated Depository shall forward the list of such companies (ISINs) for which it will be monitoring the DR issuance to Feed Depository. For any addition or deletion of ISINs, the Designated Depository shall communicate to the Feed Depository regarding the same through Incremental information sent on a periodic basis.

3 · 6.2.19.4.2 Feed Depository shall provide the ISIN wise demat holdings of investors tagged with separate sub-type to the Designated Depository on a daily basis.

3 · 6.2.19.4.3 The Designated Depository shall ascertain the details of holdings pertaining to Foreign Depository lying under demat account(s) tagged under such separate Type & Sub-Type as well as other

3 · 6.2.19.4.4 Calculation of headroom i.e. 'the limit up to which Permissible Securities can be converted to DRs', may be undertaken in the following manner:

3 · 6.2.19.4.5 The Indian Depositories shall exchange with each other their respective list of companies, for dissemination of DR headroom related information, which shall be consolidated by both depositories and thereafter published on their respective websites.

3 · 6.2.19.5 Re -issuance mechanism

3 · 6.2.19.5.1 For the purpose of re-issuance of permissible securities, a Foreign Investor shall request SEBI registered Broker with requisite quantity of securities (based on available headroom) required for re-issuance of depository receipts which shall be forwarded to the Domestic Custodian.

3 · 6.2.19.5.2 Based on last available headroom disseminated by Designated Depository, the Domestic Custodian shall grant approval (T- day where T is date of approval granted by Domestic Custodian) to such request received from SEBI registered Broker for re-issuance purpose which shall be valid for a period of 3 trading days (T+3) from the date of approval of request granted by Domestic Custodian.

3 · 6.2.19.5.3 The Domestic Custodian shall report such request approvals along with requisite quantity granted to Designated Depository on same day (i.e. T day) and based on which the Designated Depository shall block the quantity for the purpose of calculation of Headroom.

3 · 6.2.19.5.4 The Domestic Custodian shall report the status of utilisation of such approved request to the Designated Depository upon receipt of securities in the demat account of Foreign Depository for the purpose of calculation of Headroom. The domestic custodian shall report the

3 · 6.2.19.6 Monitoring of Investor group limits

3 · 6.2.19.6.1 FPI shall report the details of all such FPIs forming part of the same investor group as well as Offshore Derivative Instruments (ODI) subscribers and/or DR holders having common ownership, directly or indirectly, of more than fifty percent or on the basis of common control, to its Designated Depository Participant (DDP). The investor group may appoint one such FPI to act as a Nodal entity for reporting the aforesaid grouping information to its DDP in the format enclosed at Annexure 17. Further, such Nodal FPI shall report the investment holding in the underlying Indian security as held by ODI subscriber and / or as DR holder, including securities held in the Depository Receipt account upon conversion ('DR conversion' account), to its Domestic Custodian on a monthly basis (by the 10th of every month) in the format enclosed at Annexure 18. Similarly, the FPIs who do not belong to the same investor group shall report such investment holding details in the underlying Indian security as ODI subscriber and / or as DR holder, including securities held in the 'DR conversion' account, to its Custodian in the aforesaid format on a monthly basis (by 10th of the month) .

3 · 6.2.19.6.2 The DDP shall report FPI grouping information as reported by Nodal FPI to such Indian Depository (by 17th of the month) where FPI group demat accounts are held in the manner and format as specified by such Indian Depository. Similarly, the Custodian of Nodal entity (who also happen to be the DDP) shall report the investment holdings in the underlying Indian security as held by the ODI subscriber and / or DR holder in respect of the aforesaid FPI group on monthly basis to such Indian Depository (by 17th of the month) where FPI group demat accounts are held in the manner and format as specified by such Indian Depository.

3 · 6.2.19.6.3 The Depository which monitors the FPI group limits shall club the investment pertaining to DR holding, ODI holding and FPI holding of same investor group and monitor the investment limits as

3 · 6.2.20 Domestic Custodian shall maintain records in respect of, and report to, Indian depositories all transactions in the nature of issue and cancellation of depository receipts, for the purpose of monitoring limits.

3 · 6.2.21 Indian Depositories shall coordinate among themselves and with Domestic Custodian to disseminate:

3 · 6.2.22 The Foreign Depository shall not issue or pre-release the DRs unless the Domestic Custodian has confirmed the receipt of underlying Permissible Securities.

3 · 6.3 Words and expressions used and not defined here but defined in the DR Scheme, Securities Contracts (Regulation) Act, 1956 or the Securities and Exchange Board of India Act, 1992 or the Depositories Act, 1996 or the Companies Act, 2013 or the Reserve Bank of India Act, 1934 or the Foreign Exchange Management Act, 1999 or Prevention of Money-Laundering Act, 2002, and rules and regulations made thereunder shall have the meanings respectively assigned to them, as the case may be, in those Acts, unless the context requires otherwise.

3 · 6.4 In case of any difficulties in the application or interpretation or to relax strict enforcement of the aforesaid requirements, the Board may issue clarifications through guidance notes or circulars after receipt of request from the issuer.

3 · 6.5 The above provisions shall be applicable only to DR issuance by a Listed Company after the effective date i.e. October 10, 2019.

3 · 7 Redemption of Indian Depository Receipts (IDRs) into Underlying Equity Shares 115

3 · 8 Electronic Clearing System (ECS) facility

3 · 8.1 Use of ECS for refund in public/rights issues. 116

3 · 8.2 Updation of bank accounts details, MICR code and IFSC of bank branches by Depository Participants (DPs) 117

3 · 8.2.1 It has been informed by RBI that they have been receiving complaints from managers to the issues that the funds routed through the electronic mode are getting returned by destination banks because of incorrect or old account numbers provided by beneficiary account holders.

3 · 8.2.2 RBI has stated that Investors will have to ensure through their DPs that bank account particulars are updated in master record periodically, to ensure that their refunds, dividend payments etc. reach the correct account, without loss of time. RBI has also suggested incorporation of Indian Financial System Code (IFSC) of customer's bank branches apart from 9 digit MICR code; since IFSC of bank's branches is used for remittance through National Electronic Funds Transfer (NEFT).

3 · 8.2.3 It is advised that necessary action be taken in this matter to ensure that correct account particulars of investors are available in the database of depositories.

115 · Reference: SEBI Circular CIR/CFD/DIL/10/2012 dated August 28, 2012 & SEBI Circular CIR/CFD/DIL/6/2013 dated March 01, 2013

116 · Reference: SEBI Circular SEBI/MRD/DEP/Cir-3/06 dated February 21, 2006 & SEBI Circular SEBI/CFD/DIL/DIP/29/2008/01/02 dated February 1, 2008

117 · Reference: SEBI Letter MRD/DEP/PP/123624 /2008 dated April 23, 2008

3 · 9 Withdrawal by issuers from the depository 118

3 · 9.1 As regards voluntary withdrawal by issuers from the depository, it is informed that listed companies may not be allowed to withdraw from the depository system unless they delist their securities from the stock exchanges.

3 · 9.2 As regards companies under liquidation are concerned, it is informed that deactivation of the ISIN may be only done in cases where companies have been liquidated. In other cases , where companies are being liquidated, deactivation of ISIN resulting in total freezing may not be desirable as it will disallow investors to hold shares in dematerialized form

3 · 10 Further issue of shares under Section 43 of Companies Act and the Companies (Share Capital and Debentures) Rules, 2014 119

3 · 11 Redressal of investor grievances through SCORES platform 120

3 · 12 Streamlining issuance of SCORES Authentication for SEBI registered intermediaries121

3 · 13 Clarification on applicability of regulation 40(1) of SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015 to open offers, buybacks and delisting of securities of listed entities 122

118 · Reference: SEBI Letter MRD/DoP/NSDL/VM/ 162378 /2009 dated May 06, 2009

119 · Reference: SEBI Letter MRD/DoP/MC/141442 /2008 dated October 17, 2008

120 · Reference: SEBI Circular CIR/OIAE/1/2014 dated December 18, 2014

121 · Reference: SEBI Circular SEBI/HO/OIAE/IGRD/CIR/P/2019/86 dated August 02, 2019

122 · Reference: SEBI Circular SEBI/HO/CFD/CMD1/CIR/P/2020/144 dated July 31, 2020

3 · 14 Streamlining the Process for Acquisition of Shares pursuant to Tender-Offers made for Takeovers, Buy Back and Delisting of Securities 123

3 · 15 Non -compliance with the Minimum Public Shareholding (MPS) requirements 124

3 · 16 Non -compliance with certain provisions of the SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015 and the Standard Operating Procedure for suspension and revocation of trading of specified securities 125

3 · 17 Investor grievances redressal mechanism – Handling of SCORES complaints by stock exchanges and Standard Operating Procedure for non-redressal of grievances by listed companies 126

123 · Reference: SEBI Circular CFD/DCR2/CIR/P/2016/131 dated December 09, 2016

124 · Reference: SEBI Circular CFD/CMD/CIR/P/2017/115 dated October 10, 2017

125 · Reference: SEBI Circular SEBI/HO/CFD/CMD/CIR/P/2020/12 dated January 22, 2020

126 · Reference: SEBI Circular SEBI/HO/OIAE/IGRD/CIR/P/2020/152 dated August 13, 2020

3 · 18 Automation of Continual Disclosures under Regulation 7(2) of SEBI (Prohibition of Insider Trading) Regulations, 2015 - System driven disclosures127

3 · 19 A Trading Window closure period under Clause 4 of Schedule B read with Regulation 9 of SEBI (Prohibition of Insider Trading) Regulations, 2015 ("PIT Regulations") – Framework for restricting trading by Designated Persons ("DPs") by freezing PAN at security level 128

3 · 20 Reconciliation of Share Capital Audit1 t129

3 · 20.1 All the issuer companies shall subject themselves to a reconciliation of share capital audit to be undertaken by a qualified Chartered Accountant or a Company Secretary, for the purposes of reconciliation of the total admitted capital with both the depositories and the total issued and listed capital. The audit shall cover the following aspects and certify among others:

3 · 20.1.1That the total of the shares held in NSDL, CDSL and in the physical form tally with the issued / paid-up capital.

3 · 20.1.2That the Register of Members (RoM) is updated.

3 · 20.1.3That the dematerialisation requests have been confirmed within 21 days and state the shares pending confirmation for more than 21 days from the date of requests and reasons for delay.

3 · 20.1.4The details of changes in share capital (due to rights, bonus, preferential issue, IPO, buyback, capital reduction, amalgamation, de-merger etc) during the

127 · Reference: SEBI Circular SEBI/HO/ISD/ISD/CIR/P/2020/168 dated September 09, 2020 & SEBI Circular SEBI/HO/ISD/ISD/CIR/P/2021/578 dated June 16, 2021

128 · Reference: SEBI Circular SEBI/HO/ISD/ISD-SEC-4/P/CIR/2022/107 dated August 05, 2022

3 · 20.2 The issuer companies shall submit the audit report on a quarterly basis within 30 days of the end of each quarter to the stock exchange/s where they are listed. Any difference observed in the admitted, issued and listed capital shall be immediately brought to the notice of SEBI and both the Depositories by the stock exchanges. This report shall also be placed before the Board of Directors of the issuer company.

3 · 20.3 Any non-compliance by the issuer company shall be viewed seriously and suitable action shall be initiated under the Depositories Act, 1996 against the issuer company and its Directors.

3 · 21 Streamlining the Process of Public Issue of Equity Shares and convertibles 130

3 · 21.1 Kindly refer SEBI Circular SEBI/HO/CFD/PoD-2/P/CIR/2023/00094 dated June 21, 2023 (Master Circular for Issue of Capital and Disclosure Requirements)

3 · 21.2 Further the role of depositories in respect to the Process of Public Issue of Equity Shares and convertibles is as follows:

3 · 21.2.1 Validation by Depositories

3 · 21.2.1.1 The details of investor viz. PAN, DP ID / Client ID, entered in the Stock Exchange platform at the time of bidding, shall be validated by the Stock Exchange/s with the Depositories on real time basis.

3 · 21.2.1.2 Stock Exchanges and Depositories shall put in place necessary infrastructure for this purpose.

4 · 1 Online Registration Mechanism and Filing system for Depositories 131

4 · 1.1 In order to ease the process of application for recognition / renewal, reporting and other filings in terms of Securities and Exchange Board of India (Depositories and Participants) Regulations, 2018 and other circulars issued from time to time, SEBI has introduced a digital platform for online filings related to Depositories.

4 · 1.2 All applicants desirous of seeking registration as a Depository in terms of Regulation 3 of the Securities and Exchange Board of India (Depositories and Participants) Regulations, 2018, shall now submit their applications online, through SEBI Intermediary Portal at https://siportal.sebi.gov.in .

4 · 1.3 The applicants would be required to upload scanned copy of relevant documents such as any declaration or undertaking or notarised copy of documents as may be prescribed in Securities and Exchange Board of India (Depositories and Participants) Regulations 2018, and keep hard copy of the same to be furnished to SEBI whenever required.

4 · 1.4 Further, all other filings including Annual Financial Statements and Returns, Rules, Bye-laws, etc., shall also be submitted online.

4 · 1.5 The aforesaid online registration and filing system for Depositories is operational. Recognised Depositories are advised to note the same for immediate compliance.

4 · 1.6 Link for SEBI Intermediary Portal is also available on SEBI website – www.sebi.gov.in. In case of any queries and clarifications, users may refer to the manual provided in the portal or contact the SEBI Portal helpline on 022-26449364 or may write at portalhelp@sebi.gov.in .

4 · 2 Activity schedule for depositories for T+2 rolling Settlement1 t132 -As on date, the activity schedule for settlement is as per SEBI circular SEBI Circular SEBI/HO/MRD2/DCAP/P/CIR/2021/628 dated September 07, 2021 (i.e. T+1) . The activity schedule for T+2 settlement is mentioned under Para 4.83 .

4 · 3 Introduction of T+1 rolling settlement on an optional basis 133

4 · 3.1 SEBI, vide circular no. SMD/POLICY/Cir - /03 dated February 6, 2003, shortened the settlement cycle from T+3 rolling settlement to T+2 w.e.f. April 01, 2003.

4 · 3.2 SEBI has been receiving request from various stakeholders to further shorten the settlement cycle. Based on discussions with Market Infrastructure Institutions (Stock Exchanges, Clearing Corporations and Depositories), it has been decided to provide flexibility to Stock Exchanges to offer either T+1 or T+2 settlement cycle.

131 · Reference: SEBI Circular SEBI/HO/MRD/DSA/CIR/P/2018/1 dated January 29, 2018

132 · Reference: SEBI Circular DCC/FITTC/Cir-19/2003 dated March 4, 2003 and SEBI Circular MRD/DoP/SE/Dep/Cir-18/2005 dated September 2, 2005

133 · Reference: SEBI Circular SEBI/HO/MRD2/DCAP/P/CIR/2021/628 dated September 07, 2021

4 · 3.3 Accordingly, a Stock Exchange may choose to offer T+1 settlement cycle on any of the scrips, after giving an advance notice of at least one month, regarding change in the settlement cycle, to all stakeholders, including the public at large, and also disseminating the same on its website.

4 · 3.4 After opting for T+1 settlement cycle for a scrip, the Stock Exchange shall have to mandatorily continue with the same for a minimum period of 6 months. Thereafter, in case, the Stock Exchange intends to switch back to T+2 settlement cycle, it shall do so by giving 1-month advance notice to the market.

4 · 3.5 Any subsequent switch (from T+1 to T+2 or vice versa) shall be subject to minimum period and notice period as mentioned in Para 4.3.4 above.

4 · 3.6 There shall be no netting between T+1 and T+2 settlements.

4 · 3.7 The settlement option for security shall be applicable to all types of transactions in the security on that Stock Exchange. For example, if a security is placed under T+1 settlement on a Stock Exchange, the regular market deals as well as block deals will follow the T+1 settlement cycle on that Stock Exchange.

4 · 3.8 The provisions of this circular shall come into force with effect from January 01, 2022 .

4 · 4 Settlement of transactions in case of holidays 134

4 · 4.1 Due to lack of uniformity of holidays and force majeure conditions which necessitate sudden closure of one or more Stock Exchanges and banks in a particular state, result in situations where multiple settlements have to be completed by the Stock Exchanges on the working day immediately following the day(s) of the closure of the banks. Accordingly , the Stock Exchanges/Depositories are advised to follow the guidelines and adhere to the time line.

4 · 4.1.1 The Stock Exchanges shall clear and settle the trades on a sequential basis i.e., the pay -in and the pay-out of the first settlement shall be completed before the commencement of the pay-in and pay-out of the subsequent settlement/s.

4 · 4.1.2 The cash/securities pay out from the first settlement shall be made available to the member for meeting his pay-in obligations for the subsequent settlement/s.

4 · 4.1.3 Further, in -order to meet his pay-in obligations for the subsequent settlement, the member may need to move securities from one depository to another. The Depositories shall, therefore, facilitate the inter-depository transfers within one hour and before pay-in for the subsequent settlement begins.

4 · 4.1.4 The Stock Exchanges/Depositories shall follow a strict time schedule to ensure that the settlements are completed on the same day.

4 · 4.1.5 The Clearing Corporation/Clearing House of the Stock Exchanges shall execute Auto DO facility for all the settlements together, so as to make the funds and the

4 · 5 Deadline time for accepting non pay-in related instructions 135

4 · 5.1 The depositories are advised that any overrun of the time specified for 'spot delivery contract' in the SCRA would result in the contract becoming illegal under section 16 of the SCRA (unless it is put through the stock exchange). The Rights and Obligations of the BO and DP cannot add anything to or subtract anything from this position. However, it should be the responsibility of the DP to ensure that the client's contract is not rendered illegal on account of delayed execution of the delivery instruction.

4 · 5.2 Keeping the hardships to change all the existing Rights and Obligations of the BO and DP to enforce the above into consideration, it is advised that suitable bye laws can be made under section 26(2)(e) and (d) of Depositories Act, 1996 for imposing such obligation on the DPs. Therefore, it is advised to amend/insert bye laws which should expressly provide that the DPs shall execute the non pay-in related instructions on the same day or on the next day of the instruction. Further, pending such amendment, suitable instructions may be issued to DPs to adhere to such time limit.

4 · 5.3 The above clause may be suitably incorporated in the Rights and Obligations of the BO and DP while opening new accounts.

4 · 6 Approval of amendments to Bye Laws / Rules of Stock Exchanges and Depositories 136

4 · 6.1 Depositories and exchanges shall submit the following information while seeking SEBI approval for amendment to Bye Laws/ Rules/ Regulations and amendments thereto:

4 · 6.1.1 The objective/purpose of amendments.

4 · 6.1.2 Whether the amendment is consequential to any directive/circulars/ guidelines from SEBI/ Government and the details thereof.

4 · 6.1.3 Whether such amendments necessitate any consequential amendments to any other Bye Laws/ Rules/ Regulations.

4 · 6.1.4 The proceedings of the Governing Board or Governing Council, as the case may be, wherein these proposed amendments were approved by the Exchanges/ Depositories.

4 · 6.1.5 If documents other than Bye Laws/ Rules/ Regulations are sent for approval, the justification and need for forwarding the same to SEBI, indicating whether it forms a part of any Bye Law/ Rule/ Regulation.

135 · Reference: SEBI Letter MRD/VSS/ARR/ 12255/2004 dated June 10, 2004

136 · Reference: SEBI Circular LGL/Cir-2/2003 dated February 19, 2003

4 · 6.2 Further, all Exchanges shall ensure that requests for dispensation of the requirement of pre-publication shall be accompanied with proper justification and indicate how the public interest or interest of trade shall be served by such dispensation of pre-publication.

4 · 7 Periodical Report – Grant of prior approval to Depository Participants 137

4 · 7.1 The Depositories shall submit a periodical report to SEBI regarding the following changes, as per the format (Annexure 19) and in accordance with the guidelines given below:

4 · 7.1.1 Amalgamation, demerger, consolidation or any other kind of corporate restructuring falling within the scope of Chapter XV of the Companies Act, 2013 or the corresponding provision of any other law for the time being in force;

4 · 7.1.2 Change in Director, including managing director/ whole-time director;

4 · 7.1.3 Change in shareholding not resulting in change in control;

4 · 7.1.4 Any other purpose as may be considered appropriate by the Depositories.

4 · 7.2 Guidelines to fill up the Annexure and sending the same to SEBI

4 · 7.2.1 A separate annexure shall be submitted for each "Type of change" as specified in the format.

4 · 7.2.2 The report shall be signed by an authorized representative of the Depository and the same shall be stamped.

4 · 7.2.3 The Depositories shall furnish the report to SEBI by 7th day of month following the end of each quarter, starting with report for the quarter ending June 2011.

4 · 7.2.4 The report shall be submitted by e-mail at dp@sebi.gov.in. A hard copy of the report shall also be submitted to SEBI.

4 · 8 Preservation of Records 138

4 · 8.1 Depositories and Depository Participants (DPs) are required to preserve the records and documents for a minimum period of 8 years .

4 · 8.2 Depositories and DPs shall preserve respective original forms of documents either in physical form or an electronic record, copies of which have been taken by CBI, Police or any other enforcement agency during the course of their investigation till the trial is completed.

4 · 9 Participation as Financial Information Providers in Account Aggregator framework 139

137 · Reference: SEBI Circular CIR/MIRSD/9/2011 dated June 17, 2011

138 · Reference: SEBI Circular: MRD/DoP/DEP/Cir 20/2009 dated December 9, 2009 and SEBI/HO/MRD2/DDAP/CIR/P/2020/153 dated August 18, 2020

139 · Reference: SEBI Circular SEBI/HO/MRD/DCAP/P/CIR/2022/110 dated August 19, 2022

4 · 9.1 An Account Aggregator (AA), is a Reserve Bank of India (RBI) regulated NonBanking Finance Company (NBFC) that facilitates retrieval or collection of financial information, pertaining to a customer, from Financial Information Providers ("FIP") on the basis of explicit consent of the customer. The financial information shared through the Account Aggregator is not stored by the AA and it shall not be the property of the AA. This information is not to be used in any other manner except for the purpose of providing it to the customer or consented Financial Information User (FIU). Thus, Account Aggregator facilitates consolidation, organization, presentation of the financial information to the customer or FIU based on the explicit consent of the customer.

4 · 9.2 RBI has issued Non -Banking Financial Company –Account Aggregator Master Directions DNBR.PD.009/03.10.119/2016-17 dated September 02, 2016 for compliance by every Non-Banking Financial Company (NBFC-Account Aggregator) undertaking the business of AA.

4 · 9.3 Out of the list of entities mentioned as Financial Information Providers (FIPs) under the Clause 3 (xi) of the Master Directions, the Asset Management Companies (AMCs) through their Registrar and Transfer Agents (RTAs) and the Depositories are inter -alia specified as Financial Information Providers (FIPs) for the purpose of sharing of information. Thus, hereinafter the Depositories and AMCs (through their RTAs) are referred as FIPs in the securities markets.

4 · 9.4 The FIPs in the securities market will provide the "Financial Information", as specified in Clause 3(ix) of the RBI Master Directions, to the customers and FIUs who furnish the consent artefact (electronic consent as defined in RBI Master Guidelines) through any of the Account Aggregators registered with RBI. Further, FIPs in securities market shall enter into a contractual framework with the AAs, and the same shall distinctly specify the following:

4 · 9.5 The FIPs in the securities markets shall share the "Financial Information" pertaining to securities markets, through the AA only on receipt of a valid consent artefact from the customer through the Account Aggregator. The consent architecture is detailed under Clause 6 of the RBI Master Directions. Further, the FIPs in the securities markets shall also verify, through appropriate means, the following in the consent artefact:

4 · 9.6 Upon due verification of the consent artefact, the FIPs in the securities markets shall digitally sign the financial information and securely transmit the same to the AA in accordance with the terms contained in the consent artefact.

4 · 9.7 All responses of the FIPs in the securities markets shall be in real time.

4 · 9.8 To enable these data flows, the FIPs in the securities markets shall:

4 · 9.9 The FIPs in the securities markets are expected to adopt the technical specifications published by ReBIT, as updated from time to time and adopt required Information Technology (IT) framework and interfaces to ensure secure data flows to AA. The technology should also be scalable to cover any other AA as may be specified by Reserve Bank of India in future.

4 · 9.10 There shall be adequate safeguards built in IT systems of FIPs in the securities markets to ensure that it is protected against unauthorized access, alteration, destruction, disclosure or dissemination of records and data.

4 · 9.11 The FIPs in the securities markets shall also abide by the code of conduct as specified in the SEBI regulations applicable to them, including redressal of grievances of the customers.

4 · 9.12 The FIPs in the securities markets shall continue to comply with all the regulatory provisions under the SEBI Act, 1992, Depositories Act, 1996 and the regulations framed thereunder.

4 · 9.13 The provisions of this circular shall come into force with effect from August 19, 2022 .

4 · 9.14 The participation of depositories as FIPs in the AA ecosystem shall not impact the existing mechanism as per circular CIR/MRD/DP31/2014 dated November 12, 2014 of issuances of Consolidated Account Statement to the investors by depositories or AMCs/MF-RTAs providing consolidated information of the mutual fund investments and holdings of investors in demat accounts.

4 · 9.15 The Financial Information Providers (FIPs) in securities market must disclose prominently on their websites the names of the Account Aggregators through which the FIP shares the information about assets held with respect to securities markets with the customers and Financial Information Users (FIUs).

4 · 10 Facilitating transaction in Mutual Fund schemes through the Stock Exchange Infrastructure 140

4 · 11 Discontinuation of usage of pool accounts for transactions in units of Mutual Funds on the Stock Exchange Platforms 141

4 · 12 RTA interroperable Platform for enhancing investors' experience in Mutual Fund transactions / service requests 142

4 · 13 Pledge of Shares through depository system 143

4 · 13.1 Section 12 of the Depositories Act, 1996 and Regulation 79 of the Securities and Exchange Board of India (Depositories and Participants) Regulations, 2018 ("DP Regulations") along with the relevant Bye Laws of the Depositories clearly enumerate the manner of creating pledge. It is felt that there is a need to communicate to the BOs that any procedure followed other than as specified under the aforesaid provisions of law shall not be treated as pledge.

4 · 13.2 In order to clarify the same, the depositories are advised to issue a communiqué to the DPs advising them to inform BOs about the procedure for pledging of shares held in demat form as enumerated in the relevant sections of the Depositories Act ,

140 · Reference: SEBI Circular CIR/MRD/DSA/32/2013 dated October 04, 2013, SEBI Circular CIR/MRD/DSA/33/2014 dated December 09, 2014, SEBI Circular SEBI/HO/MRD/DSA/CIR/P/2016/113 dated October 19, 2016 , SEBI Circular SEBI/HO/MRD1/DSAP/CIR/P/2020/29 dated February 26, 2020 , SEBI Circular SEBI/IMD/CIR No. 11/183204/2009 dated November 13, 2009 and SEBI Circular CIR/IMD/DF/17/2010 dated November 09, 2010

141 · Reference: SEBI Circular SEBI/HO/IMD/IMD-IDOF5/P/CIR/2021/635 dated October 4, 2021

142 · Reference: SEBI Circular SEBI/HO/IMD/IMD-II DOF3/P/CIR/2021/604 dated July 26, 2021

143 · Reference: SEBI Letter MRD/DoP/MAS – OW/16723/2010 dated August 17, 2010

1996 · and DP Regulations. Depositories may also advise DPs that an off-market transfer of shares leads to change in ownership and cannot be treated as pledge. Further, this issue may also be taken up in the investor awareness programs wherein the manner of creation of pledge can be effectively communicated to the BOs directly.

4 · 14 Margin obligations to be given by way of Pledge/ Re-pledge in the Depository System 144

4 · 15 Foreign investments in infrastructure companies in securities markets 145

4 · 15.1 Pursuant to Government of India Policy, foreign investments in infrastructure companies in the securities markets, namely Stock Exchanges, Depositories and Clearing Corporations shall be as under:

4 · 15.1.1 Foreign investment shall be allowed in such companies with a separate FDI and FPI cap as per the prevailing policy of GoI;

4 · 15.1.2 FDI shall be allowed subject to specific prior approval (if any) as per the FDI policy of GoI;

4 · 15.1.3 FPI shall be allowed only through purchases in the secondary market; Clarification 146 -In respect of exchanges that are not listed, FPIs purchase of shares of such exchanges can be through transactions outside of the exchange provided it is not an initial allotment. However, if the exchange is listed, transactions by FPIs should be done through the exchange.

4 · 15.1.4 FPI shall not seek and will not get representation on the Board of Directors;

4 · 15.1.5 Foreign investors, including persons acting in concert, may hold equity shares in a depository as per the limits specified under Regulation 21 (2)

144 · Reference: SEBI Circular SEBI/HO/MIRSD/DOP/CIR/P/2020/28 dated February 25, 2020, SEBI/HO/MIRSD/DOP/CIR/P/2020/88 dated May 25, 2020, SEBI/HO/MIRSD/DOP/CIR/P/2020/90 dated May 29, 2020 , SEBI/HO/MIRSD/DOP/CIR/P/2020/143 dated July 29, 2020 and SEBI/HO/MIRSD/DoP/P/CIR/2022/44 dated April 04, 2022

145 · Reference: SEBI Circular MRD/DSA/SE/Dep/Cust/Cir-23/06 dated December 22, 2006

146 · Reference: SEBI Circular MRD/DSA/SE/Dep/Cust/CIR-30/08 dated October 23, 2008

4 · 15.2 The aforesaid limits for foreign investment in respect of recognised Stock Exchanges shall be subject to 5% shareholding limit as prescribed under the Securities Contracts (Regulation) (Stock Exchanges And Clearing Corporations) Regulations, 2018 .

4 · 16 Designated e-mail ID for regulatory communication with SEBI1 I147

4 · 17 Designated e-mail ID for redressal of investor complaints 148

4 · 17.1 Depositories and registered DPs shall designate an exclusive e-mail ID for the grievance redressal division/compliance officer exclusively for registering investor complaints.

4 · 17.2 The designated email ID and other relevant details shall be prominently displayed on the websites and in the various materials/pamphlets/advertisement campaigns initiated by the Depositories and DPs for creating investor awareness.

4 · 18 Redressal of complaints against Depositories through SEBI Complaints Redress System (SCORES) 149

4 · 18.1 The complaints received by SEBI against Depositories shall be electronically sent through SCORES. Depositories are advised to view the pending complaints at http://scores.gov.in/admin and submit the Action Taken Report (ATR) along with supporting documents electronically in SCORES. Updation of action taken shall not be possible with physical ATRs. Hence, submission of physical ATR shall not be accepted for complaints lodged in SCORES.

4 · 18.2 The Depositories shall do the following:

4 · 18.2.1 Indicate a contact person in case of SCORES, who is an employee heading the complaint services division/cell/department. Contact detail (i.e. phone no., email id, postal address) of the said contact person be made widely available for e.g. on the websites of Depositories.

4 · 18.2.2 Address/redress the complaints within a period of 21 calendar days upon receipt of complaint and keep the Board informed about the number and the nature of redressal

147 · Reference: SEBI Circular MIRSD/DPS- III/Cir-23/08 dated July 25, 2008

148 · Reference: SEBI Circular MRD/DoP/Dep/SE/Cir-22/06 dated December 18, 2006

149 · Reference: SEBI Circular CIR/MRD/ICC/16/2012 dated June 15, 2012

4 · 18.2.3 Maintain a monthly record of the complaints which are not addressed/redressed within 21 calendar days from the date of receipt of the complaint/information, alongwith the reason for such pendency.

4 · 18.2.4 Upload/update the ATR on the SCORES. Failure to do so shall be considered as non -redressal of the complaint and the complaint shall be shown as pending.

4 · 19 Limitation period for filing an arbitration reference 150

4 · 20 Disclosure of investor complaints and arbitration details on Depository website 151

4 · 20.1 Depositories shall disclose the details of complaints lodged by Beneficiary Owners (BO's)/investors against Depository Participants (DPs) on their website. The aforesaid disclosure shall also include details pertaining to penal action against the DPs.

4 · 20.2 The format for the reports for the aforesaid disclosure consists of the following reports:

4 · 20.2.1 Report 1A: Complaints received against DPs during current year

4 · 20.2.2 Report 1B: Redressal of Complaints received against DPs during previous year

4 · 20.2.3 Report 1C: Redressal of Complaints received against DPs during current year

4 · 20.2.4 Report 2A 152

4 · 20.2.5 Report 2B 153

4 · 20.2.6 Report 3A: Penal Actions against DPs during previous year

4 · 20.2.7 Report 3B: Penal Actions against DPs during current year

4 · 20.2.8 Report 4A: Redressal of Complaints lodged by investors against Listed Companies during previous year

150 · Reference: SEBI Circular CIR/MRD/DP/4/2011 dated April 7, 2011

151 · Reference: SEBI Circular SEBI/MRD/ OIAE/ Dep/ Cir- 4/2010 dated January 29, 2010

152 · Repealed by SEBI Circular SEBI/HO/OIAE/OIAE_IAD-1/P/CIR/2023/145 dated July 31, 2023 in respect of Master SEBI Circular for Online Resolution of Disputes in the Indian Securities Market.

153 · Repealed by SEBI Circular SEBI/HO/OIAE/OIAE_IAD-1/P/CIR/2023/145 dated July 31, 2023 in respect of Master SEBI Circular for Online Resolution of Disputes in the Indian Securities Market.

4 · 20.2.9 Report 4B: Redressal of Complaints lodged by investors against Listed Companies during current year

4 · 20.3 Depositories are accordingly advised to

4 · 20.3.1 disclose details as per the aforesaid reports in their website on a continuous basis

4 · 20.3.2 update the aforesaid reports on a quarterly basis, except the Report 1A, which shall be updated on a weekly basis

4 · 21 Disclosure of Complaints against the Depositories 154

4 · 21.1 In order to bring about transparency in the Investor Grievance Redressal Mechanism, it has been decided that all the Depositories shall disclose on their websites, the data on complaints received against them and redressal thereof, latest by 7th of succeeding month, as per the format enclosed at Annexure 20

4 · 21.2 These disclosure requirements are in addition to those already mandated by SEBI

4 · 22 Disclosure of regulatory orders and arbitration awards on Depository website 155 The provisions dealing with mediation, conciliation and arbitration have been superseded with the introduction of Online Dispute Resolution (ODR) Mechanism. Kindly refer https://www.sebi.gov.in/legal/master-circulars/dec-2023/mastercircular -for -online -resolution -of -disputes-in-the-indian-securities-market_80236.html dated December 28, 2023 (Master circular for Online Resolution of Disputes in the Indian Securities Market)

4 · 23 Disclosure of Investor Charter for Depositories and Depositor Participants 156&157

4 · 23.1 In order to facilitate investor awareness about various activities such as dematerialization/rematerialization of securities, transmission of securities, settlement instruction, consolidated account statement, grievance redressal mechanism etc., SEBI in November 2021 has formulated the Investor Charter for Depositories and Depository Participants (DPs) containing the information for investors on aforesaid issues and advised Depositories to disclose the same on their respective websites.

4 · 23.2 In view of the recent developments in the securities market including introduction of Online Dispute Resolution (ODR) platform and SCORES 2.0, it is felt necessary to modify the Investor Charter for Depositories and DPs, interalia, detailing the services provided to Investors, Rights of Investors, various activities of Depository through DPs with timelines, Dos and DON'T's for Investors, Responsibilities of Investors, Code of Conduct for Depositories and DPs and Grievance Redressal Mechanism which is placed at Annexure 21 .

4 · 23.3 In this regard, Depositories are advised to publish Investor Charter on their websites. Further, Depositories should ask DPs to bring to the notice of their clients (existing as well as new clients) through disclosing the Investor Charter

154 · Reference: SEBI Circular SEBI/HO/MRD1/MRD1_ICC1/P/CIR/2021/664 dated November 23, 2021

155 · Reference: SEBI Circular SEBI/MRD/ DP/ 19/2010 dated June 10, 2010

156 · Reference: SEBI Letter SEBl/HO/MlRSD/DOP/OW/P/2021/37347/1 dated December 15, 2021 157 Reference: SEBI Circular SEBI/HO/MRD/MRD -PoD -1/P/CIR/2024/66 dated May 29, 2024

4 · 23.4 Additionally, in order to bring about transparency in the Investor Grievance Redressal Mechanism, it has been decided that all the DPs shall disclose on their respective websites, the data on complaints received against them or against issues dealt by them and redressal thereof, latest by 7th of succeeding month, as per the format enclosed at Annexure 22 to this letter.

4 · 23.5 These disclosure requirements are in addition to those already mandated by SEBI.

4 · 24 Guideline for websites of depositories 158

4 · 24.1 This is with reference to the policy of website management of depositories.

4 · 24.2 As a good practice, the guidelines issued by National Informatics Centre for Indian Government website, which is available at https://guidelines.india.gov.in/ may be adopted by depositories.

4 · 24.3 Depositories are advised to comply with the aforesaid guidelines for their website and mobile app.

4 · 25 Arbitration / Appellate Arbitration fees on the remanded back matter for fresh arbitration proceedings 159

4 · 26 Establishment of connectivity by Clearing House / Clearing Corporation (CH/CC) with the Depository – Clarification 160

4 · 26.1 On examination of the provisions of Regulations 35(a) and 45 of the Securities and Exchange Board of India (Depositories and Participants) Regulations, it is advised that registration of a CC/CH of a stock exchange as a DP with SEBI is not mandatory and a pre-requisite for it to obtain connectivity with the depositories. However, if the CC/CH of a stock exchange desires to function as any other "Depository Participant", i.e. to open BO accounts for investors or clearing member account, registration as DP with SEBI is mandatory.

158 · Reference: SEBI Letter MRD/DSA/OW/11447/2/2019 dated May 8, 2019

159 · Reference: SEBI Letter SEBI/MRD/ICC/OW/P/2018/27066/1 dated September 25, 2018

160 · Reference: SEBI Letter MRD/DoP/ Dep/82334 /2006 dated December 14, 2006

4 · 26.2 In view of the above, Depositories are advised to provide continuous electronic means of communication / connectivity to the CH/CC of the Exchanges without insisting for a mandatory registration as DP with SEBI with a condition that such entities would not be permitted to open BO ac counts for investors or clearing member account.

4 · 27 Issue of Master Circular by Stock Exchanges, Clearing Corporations and Depositories 161

4 · 27.1 Stock Exchanges, Clearing Corporations and Depositories (hereinafter collectively referred to as 'Market Infrastructure Institutions (MIIs)') communicate with market participants including investors on a regular basis by way of circulars, directions, operating instructions, communiques or any other mode of communication (hereinafter collectively referred to as 'guidelines') for necessary compliance. This has led to a plethora of guidelines by the MIIs on various subjects.

4 · 27.2 Due to the issuance of such guidelines of varied nature and based on the feedback received from the market participants, to ensure that all market participants, including investors, find all applicable provisions on a specific subject at a place, the MIIs shall ensure the following:

4 · 27.2.1 Issue the respective Master Circulars consolidating all guidelines issued and applicable as on March 31 of every year, segregated subject-wise.

4 · 27.2.2 Take due care to include only the relevant guidelines into the respective Master Circular while reviewing all the existing guidelines on a particular subject.

4 · 27.2.3 Such Master Circular shall not include the following:

4 · 27.2.3.1 Bye-laws, Rules and Regulations issued by MIIs.

4 · 27.2.3.2 Status of any compliance by the market participant

4 · 27.2.3.3 Actions taken against any entity.

4 · 27.2.4 Each Master Circular shall contain a list of all guidelines incorporated therein as well as a provision rescinding all such guidelines with effect from the date of implementation of the Master Circular. All such rescinded guidelines shall be archived on the respective websites of the MIIs.

4 · 27.2.5 The Master Circulars shall contain a savings clause as under:

161 · Reference: SEBI Circular SEBI/HO/MRD/POD 3/CIR/P/2023/58 dated April 20, 2023

4 · 27.3 MIIs shall update the Master Circular incorporating all guidelines issued during the financial year, and issue the same on or before April 30 of each year.

4 · 28 Principles of Financial Market Infrastructures (PFMIs) 162

4 · 28.1 To promote and sustain an efficient and robust global financial infrastructure, the Committee on Payments and Settlement Systems (CPSS) and the International Organization of Securities Commissions (IOSCO) published the Principles for financial market infrastructures 1 (PFMIs) on April 2012. They replace the three existing sets of international standards set out in the Core Principles for Systemically Important Payment Systems (CPSIPS); the Recommendations for Securities Settlement Systems (RSSS); and the Recommendations for Central Counterparties (RCCP). CPSS and IOSCO have strengthened and harmonised these three sets of standards by raising minimum requirements, providing more detailed guidance and broadening the scope of the standards to cover new riskmana gement areas and new types of FMIs.

4 · 28.2 The PFMIs comprise 24 principles (Annexure 23) for Financial Market Infrastructure to provide for effective regulation, supervision and oversight of FMIs. They are designed to ensure that the infrastructure supporting global financial markets is robust and well placed to withstand financial shocks.

4 · 28.3 Full, timely and consistent implementation of the PFMIs is fundamental to ensuring the safety, soundness and efficiency of key FMIs and for supporting the resilience of the global financial system. In addition, the PFMIs play an important

162 · Reference: SEBI Circular SEBI/MRD/DRMNP/26/2013 dated September 04, 2013

4 · 28.4 The Principles apply to systematically important FMI entities such as Central Counterparty (CCP), Central Securities Depository (CSD)/ Securities Settlement System (SSS), Payment and Settlement Systems (PSS) and Trade Repository (TR) which are responsible for providing clearing, settlement and recording of monetary and other financial transactions. The principles are international standards set forth to –

4 · 28.4.1 Enhance safety and efficiency in payment, clearing, settlement, and recording arrangements,

4 · 28.4.2 Reduce systemic risk.

4 · 28.4.3 Foster transparency and financial stability and

4 · 28.4.4 Promote protection of participants and investors.

4 · 28.5 The different categories of FMIs, as identified under PFMIs, are listed below -

4 · 28.5.1 Central Counterparties (CCP)

4 · 28.5.2 Central Securities Depositories (CSD)

163 · Reference: SEBI Circular SEBI/HO/MRD-PoD-3/P/CIR/2023/190 dated December 19, 2023

4 · 28.5.3 Securities Settlement Systems (SSS)

4 · 28.5.4 Payment Systems (PSS)

4 · 28.5.5 Trade Repositories (TR)

4 · 28.6 SEBI regulated Depositories and Clearing Corporations are FMIs. These systemically important FMIs provide essential facilities and perform systemically critical functions in the market and shall be required to comply with the PFMIs specified by CPSS-IOSCO as applicable to them.

4 · 28.7 The issue of assessment of PFMI by SEBI regulated FMIs was deliberated in Secondary Market Advisory Committee of SEBI (SMAC). Based on the recommendations of SMAC, it has been decided that FMIs shall carry out selfassessment on a periodic basis against the PFMIs and disclose the same on their websites. For this purpose, the 24 principles for FMIs have been classified as "quantitative" and "qualitative" and their applicability for respective FMIs is as follows:

4 · 29 System and Network Audit of Market Infrastructure Institutions (MIIs) 164

4 · 29.1 Based on discussions with Stock Exchanges, Clearing Corporations, Depositories (hereinafter referred as 'Market Infrastructure Institutions – MIIs), and recommendations of the Technical Advisory Committee (TAC) of SEBI, the existing System Audit Framework has been reviewed.

4 · 29.2 MIIs are required to conduct System and Network Audit as per the framework and Terms of Reference (TOR) laid under Para 4.29.6 & 4.29.7 respectively . MIIs are also required to maintain a list of all the relevant SEBI circulars/ directions/ advices, etc. pertaining to technology and compliance thereof, as per format enclosed as Annexure 24 and the same shall be included under the scope of System and Network Audit.

4 · 29.3 MIIs are also required to submit information with regard to exceptional major Non -Compliances (NCs)/ minor NCs observed in the System and Network audit as per format enclosed as Annexure 25 and are required to categorically highlight those observations/NCs/suggestions pointed out in the System and Network audit (current and previous) which remain open.

4 · 29.4 The Systems and Network audit Report including compliance with SEBI circulars/ guidelines and exceptional observation format along with compliance status of previous year observations shall be placed before the Governing Board of the MII and then the report along with the comments of the Management of the MII shall be communicated to SEBI within a month of completion of audit.

164 · Reference: SEBI Circular SEBI/HO/MRD1/MRD1_DTCS/P/CIR/2022/58 dated May 02, 2022

4 · 29.5 Further, along with the audit report, MIIs are required to submit a Joint declaration from the Managing Director(MD)/Chief Executive Officer(CEO) and Chief Technology Officer (CTO) certifying:

4 · 29.5.1 the security and integrity of their IT Systems.

4 · 29.5.2 correctness and completeness of data provided to the Auditor

4 · 29.5.3 entire network architecture, connectivity (including co-lo facility) and its linkage to the trading infrastructure are in conformity with SEBI's regulatory framework to provide fair equitable, transparent and nondiscriminatory treatment to all the market participants

4 · 29.5.4 internal review of Critical Systems as defined under Para 4.31 was carried out during the Audit period, including the Failure Modes and Effects Analysis (FMEA).

4 · 29.6 Framework for System and Network Audit

4 · 29.6.1 For the System and Network Audit, the following broad areas shall be considered in order to ensure that the audit is comprehensive and effective:

4 · 29.6.1.1 The Audit shall be conducted according to the Norms, Terms of Reference (TOR) and Guidelines issued by SEBI.

4 · 29.6.1.2 The Governing Board of the Market Infrastructure Institution (MII) shall appoint the Auditors based on the prescribed Auditor Selection Norms and TOR.

4 · 29.6.1.3 An Auditor can perform a maximum of 3 successive audits. However, such auditor shall be eligible for re-appointment after a cooling-off period of two years.

4 · 29.6.1.4 Further, during the cooling-off period, the incoming auditor may not include:

4 · 29.6.1.5 The number of years an auditor has performed an audit prior to this circular shall also be considered in order to determine its eligibility in terms of Para 4.29.6.1.3 above.

4 · 29.6.1.6 The scope of the Audit may be broadened by the Auditor to inter-alia incorporate any new developments that may arise due to issuance of circulars/ directions/ advice by SEBI from time to time.

4 · 29.6.1.7 The audit shall be conducted once in a financial year and period of audit shall be 12 months. However, for the MIIs, whose systems have been identified as "protected system" by National Critical Information Infrastructure Protection Centre (NCIIPC), the audit shall be conducted on a half yearly basis and audit period shall be of 6 months. Further, the audit shall be completed within 2 months from the end of the audit period.

4 · 29.6.1.8 In the Audit report, the Auditor shall include its comments on whether the areas covered in the Audit are in compliance with the norms/directions/ advices issued by SEBI, internal policy of the MII, etc. Further, the audit report shall also include specific noncompliances (NCs), observations for minor deviations and suggestions for improvement. The audit report shall take previous audit reports into consideration and cover any open items therein. The auditor should indicate if a follow -on audit is required to review the status of NCs.

4 · 29.6.1.9 For each of the NCs/ observations and suggestions made by the Auditor, specific corrective action as deemed fit may be taken by the MII. The management of the MII shall provide its comments on the NCs, observations and suggestions made by the Auditor, corrective actions taken or proposed to be taken along with time-line for such corrective actions.

4 · 29.6.1.10 The Audit report along with the comments of management shall be placed before the Governing Board of the MII. The Audit report along with comments of the Governing Board shall be submitted to SEBI, within 1 month of completion of audit.

4 · 29.6.1.11 The follow -on audit should be completed within one month of the corrective actions taken by the MII. After the follow-on audit, the MII shall submit a report to SEBI within 1 month from the date of completion of the follow-on audit. The report shall include updated Issue -Log to indicate the corrective actions taken and specific comments of the Auditor on the NCs and the corrective actions.

4 · 29.6.1.12 In cases wherein follow -on audit is not required, the MII shall submit an Action Taken Report (ATR) to the Auditor. After verification of the

4 · 29.6.1.13 The overall timeline from the last date of the audit period till completion of final compliance by MII, including follow-on audit, if any, should not exceed one year/6 months(as applicable).In exceptional cases, if MII is of the view that compliance with certain observations may extend beyond said period, then the concerned MII shall seek specific approval from the Governing Board.

4 · 29.6.2 MII shall ensure compliance with the following norms while appointing Auditor:

4 · 29.6.2.1 The Auditor must have minimum 3 years of demonstrable experience in IT audit of securities market participants e.g. stock exchanges, clearing corporations, depositories, intermediaries, etc. and/ or financial services sector i.e. banking, insurance, Fin-tech etc.

4 · 29.6.2.2 The team performing system and network audit must have experience in / direct access to experienced resources in the areas covered under TOR. It is recommended that resources deployed by the Auditor for the purpose of system and network audit shall have relevant industry recognized certifications e.g. CISA (Certified Information Systems Auditor) from ISACA, CISM (Certified Information Securities Manager) from ISACA, GSNA (GIAC Systems and Network Auditor), CISSP (Certified Information Systems Security Professional) from International Information Systems Security Certification Consortium, commonly known as (ISC).

4 · 29.6.2.3 The Auditor shall have experience in working on Network audit/IT audit/governance/IT service management frameworks and processes conforming to industry leading practices like CobiT/ ISO 27001 and beyond.

4 · 29.6.2.4 The Auditor should have the capability to undertake forensic audit and undertake such audit as part of system and network audit, if required.

4 · 29.6.2.5 The Auditor must not have any conflict of interest in conducting fair, objective and independent audit of the exchange / depository/ clearing corporation. It should not have been engaged over the last

4 · 29.6.2.6 The Auditor should not have any cases pending against it, which point to its incompetence and/or unsuitability to perform the audit task.

4 · 29.6.2.7 The proposed audit agency must be empanelled with CERT-In.

4 · 29.6.2.8 Any criteria, in addition to the aforesaid criteria, that the MII may deem fit for the purpose of selection of Auditor.

4 · 29.6.3 The Audit report should cover each of the major areas mentioned in the TOR and compliance with SEBI circulars/directions/advices, etc. related to technology. The Auditor in the Audit Report shall give its views indicating the NCs to the standards or observations or suggestions. For each section, auditors should also provide qualitative inputs/suggestions about ways to improve the processes, based upon the best industry practices.

4 · 29.6.4 The auditor shall certify that entire network architecture, connectivity (including co-lo facility) and its linkage to the trading infrastructure are in conformity with SEBI's regulatory framework to provide fair equitable, transparent and non-discriminatory treatment to all the market participants.

4 · 29.6.5 The report should also include tabulated data to show NCs / observations for each of the major areas in the TOR.

4 · 29.6.6 The audit report to include point-wise compliance of areas prescribed in Terms of Reference (TOR) and areas emanating from relevant SEBI circulars/directions/advices along with any accompanying evidence.

4 · 29.6.7 Evidences should be specified in the audit report while reporting/ closing an issue.

4 · 29.6.8 A detailed report with regard to the system and network audit shall be submitted to SEBI. The report shall include an Executive Summary as per the following format:

4 · 29.7 Terms of Reference (TOR) for System and Network audit Program

4 · 29.7.1 The scope of audit shall encompass all the IT resources including hardware, software, network, policies, procedures etc. of MIIs (Primary Data Centre (PDC), Disaster Recovery Site (DRS) and Near Site (NS))

4 · 29.7.2 IT environment

4 · 29.7.2.1 Organization details

4 · 29.7.2.2 IT and network set up and usage

4 · 29.7.3 IT Governance

4 · 29.7.3.1 Whether IT Governance framework exists to include the following:

4 · 29.7.3.2 IT policies and procedures

4 · 29.7.3.3 Whether the above mentioned SOPs is reviewed at periodic intervals or upon the occurrence of any major event? In this regard, whether any organization policy has been formulated by the MII?

4 · 29.7.4 Business Controls

4 · 29.7.4.1 General Controls for Data Centre Facilities

4 · 29.7.4.2 Software change control

4 · 29.7.4.3 Data Communication/ Network Controls

4 · 29.7.4.4 Security Controls

4 · 29.7.4.5 Access Policy and Controls

4 · 29.7.4.6 Electronic Document Controls

4 · 29.7.4.7 General Access Controls

4 · 29.7.4.8 Performance Audit

4 · 29.7.4.9 Business Continuity / Disaster Recovery Facilities

4 · 29.7.4.10 IT/Network Support & IT Asset Management

4 · 29.7.5 Entity Specific Software used for or in support of trading/clearing systems / peripheral systems and critical processes

4 · 29.7.6 Human Resources Management

4 · 29.7.6.1 Screening of Employee, Third party vendors / contractors

4 · 29.7.6.2 Onboarding

4 · 29.7.6.3 Off boarding

4 · 29.7.6.4 Consequence Management (Incident / Breach of policies)

4 · 29.7.6.5 Awareness and Trainings

4 · 29.7.6.6 Non -Disclosure Agreements (NDAs) and confidentiality agreement

4 · 29.7.7 Network audit

4 · 29.7.7.1 The audit shall cover entire network infrastructure which shall inter -alia includes physical verification and tracing of the connectivity

4 · 29.7.7.2 The audit shall require tracing of the connectivity and network diagram based on the physical audit.

4 · 29.7.7.3 The audit shall cover the link, the path, device-level redundancy, no single-point failures, high availability, and fault tolerance aspects in the network.

4 · 29.7.7.4 The audit shall cover entire network that is used to connect members to the MIIs (POP, MPLS, VSAT, COLO, etc.)

4 · 29.7.7.5 The audit shall cover applications, internal networks, servers, etc. of the MIIs/offered by the MIIs to its members that are used for trading, risk management, clearing and settlement etc.

4 · 29.7.7.6 Network performance and design

4 · 29.7.7.7 Network Security implementation

4 · 29.7.7.8 Network health monitoring and alert system

4 · 29.7.7.9 Log management process

4 · 29.7.7.10 Service level definition for vendors/Service level management

4 · 29.7.7.11 Governance process for network service delivery by vendors

4 · 29.7.8 The results of all testing that was conducted before deployment of any IT system/application in production environment, shall be checked by auditor during system audit.

4 · 29.7.9 IT Vendor Selection and Management

4 · 29.7.9.1 Identification of eligible vendors

4 · 29.7.9.2 Dissemination process of Request for Proposal (RFP)

4 · 29.7.9.3 Definition of criteria of evaluation

4 · 29.7.9.4 Process of competitive analysis

4 · 29.7.9.5 Approach for selection

4 · 29.7.9.6 Escrow arrangement for keeping source code

4 · 29.7.10 E -Mail system

4 · 29.7.10.1 Existence of policy for the acceptable use of electronic mail

4 · 29.7.10.2 Regulations governing file transfer and exchange of messages with external parties

4 · 29.7.10.3 Rules based on which e -mail addresses are assigned

4 · 29.7.10.4 Storage, backup and retrieval

4 · 29.7.11 Redressal of Technological Complaints

4 · 29.7.11.1 Ageing analysis of technology complaints

4 · 29.7.11.2 Whether all complaints received are brought to their logical conclusion?

4 · 29.7.12 Any other Item(s)

4 · 29.7.12.1 Electronic Waste Disposal

4 · 29.7.12.2 Observation(s) based on previous Audit Report (s)

4 · 29.7.12.3 Any other specific area(s) that may be informed by SEBI.

4 · 29A Advisory on System and Network of MIIs 165

4 · 29A.1 MIIs should update the scope of system and network audit as and when any circular/letter/advisory etc. pertaining to technology is issued by SEBI.

4 · 29A.2 MIIs should include all IT resources, which shall inter -alia includes applications, underlying hardware, and other IT infrastructure components such as load balancers, network devices, security devices etc. in the system and network audit.

4 · 29A.3 In the system and network audit report, details such as physical locations/sites covered, engagement period of auditor, period during which audit was carried out and list of IT infrastructure/applications covered shall be specified.

4 · 29A.4 MIIs shall cover all "Critical Systems" in system and network audit. For noncritical systems, auditors may adopt sampling methodology.

4 · 29A.5 Sample size taken by auditor in order to ascertain the various compliances prescribed by SEBI shall be specified in the system and network audit report.

4 · 29A.6 Technical assessments such as review of network architecture and configuration review shall be included in the system and network audit.

4 · 29A.7 During system and network audit, evidence should be collected by inspecting physical assets, records/documents, testing of relevant systems, relevant system generated reports etc. in order to ascertain the compliance of various controls defined by SEBI.

4 · 29A.8 System and network audit report shall include the point-wise compliance of areas emanating from relevant SEBI circulars/directions/advices along with any accompanying evidence.

165 · SEBI email dated February 05, 2024

4 · 29A.9 Auditor shall certify that entire network architecture, connectivity (including co-lo facility) and its linkage to the trading infrastructure are in conformity with SEBI's regulatory framework to provide fair equitable, transparent and non-discriminatory treatment to all the market participants.

4 · 29A.10 Evidence verified/checked by auditor to ascertain the compliance of particular control shall be in line with the intent/requirement of the said control mentioned in the SEBI circular pertaining to system and network audit.

4 · 29A.11 All MIIs are advised to ensure the strict compliance of the said advisory and shall also bring the same to the notice of the concerned system and network auditors. The compliance of the aforesaid advisory shall be provided by MIIs along with their system and network audit report(conducted as per the applicable SEBI circular on system and network audit).

4 · 30 Testing Framework for the Information Technology (IT) systems of the Market Infrastructure Institutions (MIIs)166

4 · 30.1 MIIs (i.e. Stock Exchanges, Clearing Corporations and Depositories) are systemically important institutions as they, inter-alia, provide infrastructure necessary for the smooth and uninterrupted functioning of the securities market. Therefore, it is imperative to devise a comprehensive testing framework to manage the IT systems/applications of MIIs throughout their lifecycle, which can assist the MIIs in performing thorough risk assessment before deploying any IT systems in production/ live environment.

4 · 30.2 Based on the recommendations of the TAC, MIIs are hereby directed to ensure the following requirements while establishing the testing framework of their IT systems/applications:-

4 · 30.2.1 All MIIs should do extensive testing, validation and documentation whenever new systems/ applications or changes to existing systems/applications are introduced before the deployment in production/live environment.

4 · 30.2.2 A comprehensive methodology for system testing, functional testing, application security testing should be established and the same shall be approved by Standing Committee on Technology (SCOT) of respective MIIs. The scope of testing shall, inter-alia, cover business logic, system

166 · Reference: SEBI Circular SEBI/HO/MRD/TPD/P/CIR/2023/65 dated May 05, 2023

4 · 30.2.3 Testing should be carried out in a separate environment that replicates/mirrors the production environment in order to minimize any disruption.

4 · 30.2.4 All MIIs shall have the practice of traceability matrix to ensure that the test plan covers all intended functionality of the IT system and application.

4 · 30.2.5 All MIIs shall adopt the practice of using automated testing techniques to run the test cases automatically, which may increase the depth and scope of tests and ultimately help to improve the software quality.

4 · 30.2.6 All MIIs shall establish policy/procedures on the use of third party systems/applications/software codes to ensure these systems are subject to review and testing before they are integrated with the systems of the MIIs.

4 · 30.2.7 All MIIs shall ensure that core code components operate as intended and do not produce unintended consequences. Further, any new code shall not have any impact on the existing functionality. All MIIs shall also ensure that Application Programming Interface Testing is done so that the concerned application can interact with other applications without causing disruptions of any kind.

4 · 30.2.8 All MIIs should perform regression testing for changes (e.g. enhancement, rectification, etc.) to an existing IT system to validate that it continues to function properly after the changes have been implemented. After fixing the defects found during the testing, all MIIs shall perform regression testing again to ensure that other existing functionalities are not affected during fixing the defects. All MIIs shall explore to capture the automated test cases so that regression testing can be performed multiple times with much wider coverage test cases in a short time.

4 · 30.2.9 All MIIs may institute tools to measure test/code coverage to assess comprehensiveness of the test.

4 · 30.2.10 All Issues identified from testing, including system defects or software bugs, should be properly tracked and remediated immediately. Major issues that could have an adverse impact on the MII should be reported to their SCOT and addressed prior to deployment to the production environment.

4 · 30.2.11 All MIIs should ensure that the results of all testing, including results of User Acceptance Testing (UAT), that was conducted, are documented in the test report. The same shall be checked by the auditor during System and Network Audit.

4 · 30.2.12 All MIIs shall periodically conduct non-functional testing such as volume testing, resilience testing, scalability testing, performance testing, stress testing, application security testing, BCP testing, negative/destructive testing etc. for all IT systems/applications throughout their lifecycle (preimplementation, post implementation, after changes).

4 · 30.2.13 All MIIs shall perform white box testing or structural testing, which shall inter -alia include analyzing data flow, control flow, information flow, coding practices, exception and error handling within the system.

4 · 31 Guidelines for Business Continuity Plan (BCP) and Disaster Recovery (DR) 167

4 · 31.1 Upon examination and based on consultation with MIIs and TAC of SEBI, the modified framework for BCP and DR shall be as under:

4 · 31.1.1 Stock Exchanges, Clearing Corporations and Depositories (collectively referred as Market Infrastructure Institutions – MIIs) shall have in place BCP and DRS so as to maintain data and transaction integrity.

4 · 31.1.2 For Stock Exchanges : Apart from DRS, all Stock Exchanges shall also have a Near Site (NS) to ensure near zero data loss. For Clearing Corporations and Depositories: Apart from DRS, all Clearing Corporations and Depositories shall also have a Near Site (NS) to ensure zero data loss.

4 · 31.1.3 The DRS should preferably be set up in different seismic zones and in case due to certain reasons such as operational constraints, change of seismic zones, etc., minimum distance of 500 kilometer shall be ensured between PDC and DRS so that both DRS and PDC are not affected by the same disaster.

4 · 31.1.4 The manpower deployed at DRS shall have the same expertise as available at PDC in terms of knowledge/ awareness of various technological and procedural systems and processes relating to all operations such that DRS can function at short notice, independently.

167 · Reference: SEBI Circular SEBI/HO/MRD1/DTCS/CIR/P/2021/33 dated March 22, 2021 and SEBI Circular SEBI/HO/MRD/TPD-1/P/CIR/2024/119 dated September 12, 2024

4 · 31.1.5 All MIIs shall constitute an Incident and Response team (IRT)/ Crisis Management Team (CMT), which shall be chaired by the Managing Director (MD) of the MII or by the Chief Technology Officer (CTO), in case of non -availability of MD. IRT/ CMT shall be responsible for the actual declaration of disaster, invoking the BCP and shifting of operations from PDC to DRS whenever required. Details of roles, responsibilities and actions to be performed by employees, IRT/ CMT and support/outsourced staff in the event of any Disaster shall be defined and documented by the MII as part of BCP-DR Policy Document.

4 · 31.1.6 The Technology Committee of the MIIs shall review the implementation of BCP -DR policy approved by the Governing board of the MII on a quarterly basis.

4 · 31.1.7 MIIs shall conduct periodic training programs to enhance the preparedness and awareness level among its employees and outsourced staff, vendors, etc. to perform as per BCP policy.

4 · 31.2 Configuration of DRS / NS with PDC

4 · 31.2.1 Hardware, system software, application environment, network and security devices and associated application environments of DRS / NS and PDC shall have one to one correspondence between them.

4 · 31.2.2 MIIs should develop systems that do not require configuration changes at the end of trading members/ clearing members/ depository participants for switchover from the PDC to DRS. Further, MIIs should test such switchover functionality by conducting unannounced live trading from its DRS for at least 1 day in every six months. Unannounced live trading from DRS of MIIs shall be done at a short notice of 45 minutes a fter 90 days from the date of this circular.

4 · 31.2.3 In the event of disruption of any one or more of the 'Critical Systems' (as defined below), the MII shall, within 30 minutes of the incident, declare that incident as 'Disaster' and take measures to restore operations including from DRS within 45 minutes of the declaration of 'Disaster'. Accordingly, the Recovery Time Objective(RTO)the maximum time taken to restore operations of 'Critical Systems' from DRS after declaration of Disaster -shall be 45 minutes, to be implemented within 90 days from the date of the circular. 'Critical Systems' for an Exchange/

4 · 31.2.4 MIIs shall ensure that the Recovery Point Objective (RPO) - the maximum tolerable period for which data might be lost due to a major incident- shall be near zero. Further, MIIs shall have a documented methodology for data reconciliation when resuming operations from DRS or any other site as applicable .

4 · 31.2.5 For Stock Exchanges: Solution architecture of PDC and DRS / NS shall ensure high availability, fault tolerance, no single point of failure, near zero data loss, and data and transaction integrity For Clearing Corporations and Depositories: Solution architecture of PDC and DRS / NS shall ensure high availability, fault tolerance, no single

4 · 31.2.6 Any updates made at the PDC should be reflected at DRS/ NS immediately (before end of day) with head room flexibility without compromising any of the performance metrics.

4 · 31.2.7 Replication architecture, bandwidth and load consideration between the DRS / NS and PDC should be within stipulated RTO and ensure high availability, right sizing, and no single point of failure.

4 · 31.2.8 For Stock Exchanges: Synchronous replication or appropriate replication between PDC and NS shall be implemented to ensure near zero data loss. Asynchronous replication may be implemented between PDC and DRS and between NS and DRS.

4 · 31.2.9 Adequate resources (with appropriate training and experience) should be available at all times to handle operations at PDC, NS or DRS, as the case may be, on a regular basis as well as during disasters.

4 · 31.3 DR Drills / Testing

4 · 31.3.1 DR drills should be conducted on a quarterly basis. In case of Exchanges and Clearing Corporations, these drills should be closer to real life scenario (trading days) with minimal notice to DRS staff involved.

4 · 31.3.2 During the drills, the staff based at PDC should not be involved in

4 · 31.3.3 The drill should include running all operations from DRS for at least 1 full trading day.

4 · 31.3.4 Before DR drills, the timing diagrams clearly identifying resources at both ends (DRS as well as PDC) should be in place.

4 · 31.3.5 The results and observations of these drills should be documented and placed before the Governing Board of Stock Exchanges /Clearing Corporations/ Depositories. Subsequently, the same along with the comments of the Governing Board should be forwarded to SEBI within a month of the DR drill.

4 · 31.3.6 The System Auditor while covering the BCP – DR as a part of mandated annual System Audit should check the preparedness of the MII to shift its operations from PDC to DRS unannounced and also comment on documented results and observations of DR drills.

4 · 31.3.7 'Live' trading sessions from DR site shall be scheduled for at least two consecutive days in every six months. Such live trading sessions from the DRS shall be organized on normal working days (i.e. not on weekends / trading holidays). The Stock Exchange/ Clearing Corporation/ Depository shall ensure that staff members working at DRS have the abilities and skills to run live trading session independent of the PDC staff.

4 · 31.3.8 Stock Exchanges, Clearing Corporations and Depositories shall include a scenario of intraday shifting from PDC to DRS during the mock trading sessions in order to demonstrate its preparedness to meet RTO/RPO as stipulated above.

4 · 31.3.9 MII should undertake and document Root Cause Analysis (RCA) of their technical/ system related problems in order to identify the causes and to prevent reoccurrence of similar problems.

4 · 31.4 BCP -DR Policy Document

4 · 31.4.1 MIIs shall put in place a comprehensive BCP-DR policy document outlining the following:

4 · 31.4.2 The BCP -DR policy document of MII should be approved by Governing Board of the MIIs after being vetted by Technology Committee and thereafter communicated to SEBI. The BCP -DR policy document should be periodically reviewed at least once in six months and after every occurrence of disaster.

4 · 31.4.3 In case an MII desires to lease its premise at the DRS to other entities including to its subsidiaries or entities in which it has stake, the MII should ensure that such arrangements do not compromise confidentiality, integrity, availability, targeted performance and service levels of the MII's systems at the DRS. The right of first use of all the resources at DRS including network resources should be with the MII. Further, MII should deploy necessary access controls to restrict access (including physical access) of such entities to its critical systems and networks.

4 · 31.5 Stock Exchanges, Clearing Corporations and Depositories should ensure that Para 4.31.3.6 and 4.31.4.1(v) mentioned above are also included in the scope of System Audit .

4 · 32 IT (Information Technology) Governance For Depositories 168

4 · 32.1 SEBI constituted the Depository System Review Committee (DSRC) to undertake a comprehensive review of the Indian depository system. Based on the recommendations of DSRC, following guidelines are issued to strengthen the information Technology (IT) governance framework of depositories.

4 · 32.2 The Depositories shall formulate an IT strategy document and an Information

168 · Reference: SEBI Circular MRD/DMS/03/2014 dated January 21, 2014

4 · 32.3 The Depositories shall create an Office of Information Security and designate a senior official as Chief Information Security Officer (CISO) whose work would be to assess, identify and reduce information technology (IT) risks, respond to incidents, establish appropriate standards and controls, and direct the establishment and implementation of policies and procedures.

4 · 32.4 SEBI has laid down Guidelines for Business Continuity Plan (BCP) and Disaster Recovery (DR) for MIIs under Para 4.31. In addition to the requirements under Para 4.31, depositories shall designate a senior official as the head of BCP function.

4 · 33 Guidelines for inspection of Depository Participants (DPs) by Depositories 169

4 · 33.1 Depository System Review Committee (DSRC) was constituted by SEBI to undertake a comprehensive review of the depository system of Indian Securities market.

4 · 33.2 As a first measure, DSRC has reviewed framework adopted by the depositories with regard to the inspection of depository participants (DPs). Considering the recommendations of the committee, it has been decided that depositories shall ensure the following while inspecting their DPs.

4 · 33.3 For conducting inspection of DPs, depositories shall inspect the following areas as mentioned below:

4 · 33.3.1 Depositories shall inspect the areas mentioned at Para 4.33.3.2 below during inspection of DPs with regards to any

4 · 33.3.1.1 Circulars / Guidelines issued by SEBI on the areas mentioned below

4 · 33.3.1.2 Guidelines / Operating Instructions / Directions from depositories on the areas mentioned below.

4 · 33.3.2 In case there are built in system checks at the depository that ensure compliance of any of the inspection areas/sub –areas with regard to Para 4.33.3.1.1 and Para 4.33.3.1.2 above, the depository may decide on the including the same during the inspection of DPs

169 · Reference: SEBI Circular SEBI/MRD/DMS/05/2014 dated February 07, 2014

4 · 33.4 For the purpose of determining the size of sample, depositories shall be guided by 'Adaptive Sample Size determination methodology' as mentioned below:

4 · 33.4.1 Sample Size for inspection area of ' Account Opening'

4 · 33.4.2 Sample Size for inspection area relating to DIS

4 · 33.4.3 Sample Sizes for inspection areas of ' Demat / Remat request' and 'Pledge/Unpledge'

4 · 33.4.4 Sample Size for inspection area of ' Client Data Modification', 'Miscellaneous areas' and 'Other depository specific requirements'

4 · 33.4.5 Other Aspects

4 · 33.5 For the purpose of computing total risk score of DPs, depositories shall be guided by "DP Rating Model / Categorization" as mentioned below:

4 · 33.5.1 Quantitative Score Calculation: Specific weights shall be assigned to each area as decided by each depository. The Total Quantitative Score shall be the summation of all individual inspection scores.

4 · 33.5.2 Qualitative Score Calculation: Specific weights shall be assigned to each area as decided by depository. The Total Qualitative Score shall be the summation of all area scores.

4 · 33.5.3 Total Score = Qualitative Score + Quantitative Score

4 · 33.6 Depositories should periodically undertake risk - impact analysis for each of the inspection areas, assign appropriate risk weightage, calculate risk scores for each DPs in the lines mentioned below.

4 · 33.7 Depositories shall categorize their DPs as 'High Risk', 'Medium to High Risk', ' Medium Risk', and 'Low Risk' DPs based on the percentile of risk score.

4 · 33.8 After arriving at the risk rating / categorization as mentioned above, for subsequent inspections, depositories shall use the DP risk rating/ categorization to decide on the frequency of inspection of DPs

4 · 33.9 Apart from the above, depositories may undertake specific purpose inspections for DPs which score high in the specific inspection areas as Para 4.33.3

4 · 33.10 Depositories shall jointly inspect DPs which are registered with both depositories to have better control over DPs, avoid duplicity of manpower, time and cost and also to reduce the possibility of regulatory arbitrage, if any. Depositories shall share the risk rating / categorization of common DPs with each other. For the purpose of determining sample size and frequency of the joint inspection of such common DPs, the higher risk categorization assigned by

4 · 34 Dissemination of information on action taken against Depository Participants on the website of Depositories 170

4 · 34.1 The following directions have been approved by SEBI:

4 · 34.1.1 Wherever powers are conferred upon Depositories to take actions in case of default/non-compliance by DPs, the data of such actions/noncompliance should be made available in public domain by the depository

4 · 34.1.2 A link may be provided in the SEBI website leading to the Depository website as detailed in Para 4.34.1.1 above.

4 · 34.2 Depositories are advised to make available on its website, the information pertaining to action taken against DP pursuant to joint inspection/suo-moto independent inspection carried out. For prospective cases, the same shall be uploaded within 10 days of concluding the matter.

4 · 35 Activity of Demat of warehouse receipts 171

4 · 36 Voting rights in respect of securities held in pool account1 t172

4 · 37 e -Voting Facility Provided by Listed Entities 173

170 · Reference: SEBI Letter SEBI/HO/MlRSD/DPlEA/OW/2021/10188/3 dated May 11, 2021

171 · Reference: SEBI Letter MRD/DP/SG-OW/202/2012 and MRD/DP/SG-OW/203/2012 dated January 4, 2012

172 · Reference: SEBI Letter SMDRP/NSDL/26563/2001 dated April 10, 2001

173 · Reference: SEBI Circular SEBI/HO/CFD/CMD/CIR/P/2020/242 dated December 09, 2020

4 · 38 Risk Management Policy at the Depositories 174

4 · 38.1 The depositories are advised to establish a clear, comprehensive and well documented risk management framework which shall include the following:

4 · 38.1.1 an integrated and comprehensive view of risks to the depository including those emanating from participants, participants' clients and third parties to whom activities are outsourced etc.;

4 · 38.1.2 list out all relevant risks, including technological, legal, operational, custody and general business risks and the ways and means to address the same;

4 · 38.1.3 the systems, policies and procedures to identify, assess, monitor and manage the risks that arise in or are borne by the depository;

4 · 38.1.4 the depository's risk-tolerance policy;

4 · 38.1.5 responsibilities and accountability for risk decisions and decision making process in crises and emergencies.

4 · 38.2 The Depositories shall put in place mechanism to implement the Risk Management Framework through a Risk Management Committee which shall be headed by a Public Interest Director 175 .The responsibilities of the said Committee shall include the following:

4 · 38.2.1 It shall meet periodically in order to continuously identify, evaluate and assess applicable risks in depository system through various sources such as investors complaints, inspections, system audit etc.;

4 · 38.2.2 It shall suggest measures to mitigate risk wherever applicable;

4 · 38.2.3 It shall monitor and assess the adequacy and effectiveness of the risk management framework and the system of internal control;

4 · 38.2.4 It shall review and update the risk management framework periodically.

4 · 38.3 The Board of the depository shall approve the Risk Management Framework and the Chief Risk Officer shall have access to the Board. The CRO shall be responsible, accountable and answerable to the board on overall risk management issues.

4 · 39 Code of Conduct & Institutional mechanism for prevention of Fraud or Market Abuse176

4 · 39.1 Pursuant to the report of the Committee on Fair Market Conduct ('Committee'), set up inter-alia to recommend appropriate Institutional

174 · Reference: SEBI Circular CIR/MRD/DP/1/2015 dated January 12, 2015

175 · Reference: SEBI Circular SEBI/HO/MRD/DOP2DSA2/CIR/P/2019/13 dated January 10, 2019

176 · Reference: SEBI Circular SEBI/HO/MRD/DCAP/CIR/P/2021/23 dated March 03, 2021

4 · 39.2 Based on the above, it has been decided that the Code of Conduct and Institutional Mechanism for prevention of fraud or market abuse shall be applicable to Stock Exchanges, Clearing Corporations and Depositories (herein after collectively referred as 'MIIs') also, on the lines of Regulation 9(1) to 9(4) of PIT Regulations.

4 · 39.3 Accordingly, depositories shall do the following:

4 · 39.3.1 Formulate a Code of Conduct to regulate, monitor and report trading by their designated persons and immediate relative of designated persons towards achieving compliance with the PIT Regulations, by adopting the minimum standards set out in Schedule C to the PIT Regulations.

4 · 39.3.2 Managing Director (MD) / Chief Executive Officer (CEO) of the depository shall be obligated to frame the referred code of conduct. The Board of Directors may ensure the compliance by MD/CEO in this regard.

4 · 39.3.3 Depository shall identify and designate a compliance officer to administer the aforesaid code of conduct.

4 · 39.3.4 The Board of Directors of the depository , in consultation with the aforesaid compliance officer, shall specify the designated persons to be covered by the code of conduct on the basis of their role and function in the organisation and the access that such role and function would provide to unpublished price sensitive information in addition to seniority and professional designation and shall include the position/designation as specified in the Regulation 9(4) of the PIT Regulations.

4 · 39.4 Depositories shall put in place an Institutional Mechanism for prevention of fraud or market abuse covering the following:

4 · 39.4.1 MD / CEO of the depository shall put in place adequate and effective system of internal controls to ensure compliance with the regulations and circulars issued by the Board from time to time, to prevent fraud or market abuse by depository or its designated persons and immediate relatives of designated persons.

4 · 39.4.2 The Board of Directors of the depository shall ensure that the MD/CEO ensures compliance with Para 4.39.3 and Para 4.39.4.1 above. The compliance officer of the depository shall administer the internal controls to prevent fraud or market abuse by designated persons and immediate relatives of designated persons of the depository .

4 · 39.4.3 The Regulatory Oversight Committee of the depository shall review compliance with the provisions of this Circular at least once in a financial year and shall also verify that the systems for internal control are adequate and are operating effectively.

4 · 39.4.4 Depository shall formulate written policies and procedures for inquiry in case of suspected fraud or market abuse by its designated persons and immediate relatives of designated persons, which shall be approved by its Board of Directors. Any enquiry / investigation against the designated persons and immediate relatives of designated persons of the depository may be undertaken under the supervision of Regulatory Oversight Committee comprising of PIDs and independent external expert with consideration of avoidance of conflict of interest, if any, so as to ensure maximum fairness and transparency.

4 · 39.4.5 Depository shall initiate appropriate inquiry upon becoming aware of any illegal or unethical practices or transactions of suspected fraud or market abuse by its designated persons and immediate relatives of designated persons and promptly inform its Board of Directors of such suspected fraud or market abuse and results of the inquiry.

4 · 39.4.6 Depository shall have an effective whistler-blower policy to enable stakeholders, including employees to freely communicate their concerns about illegal or unethical practices and report instances of fraud or market abuse or any suspicion of fraud or market abuse.

4 · 39.4.7 Depository shall ensure that the policy framed under Para 4.39.4.6 provides for suitable protection against any discharge, termination,

4 · 40 Outsourcing by Depositories 177

4 · 40.1 Depositories shall formulate and document an outsourcing policy duly approved by their Board based on the guidelines given below and the principles outlined at Para 2.4.4 .

4 · 40.2 Core and critical activities of depositories shall not be outsourced. The core activities of the depositories shall include but not limited to the following:

4 · 40.2.1 Processing of the applications for admission of Depository Participants (DPs), Issuers and Registrar & Transfer Agents (RTAs).

4 · 40.2.2 Facilitating Issuers/RTAs to execute Corporate Actions.

4 · 40.2.3 Allotting ISINs for securities.

4 · 40.2.4 Maintenance and safekeeping of Beneficial Owner's data.

4 · 40.2.5 Execution of settlement and other incidental activities for pay-in/ pay -out of securities.

4 · 40.2.6 Execution of transfer of securities and other transactions like pledge, freeze, etc.

4 · 40.2.7 Provision of internet based facilities for access to demat accounts and submitting delivery instructions.

4 · 40.2.8 Ensuring continuous connectivity to DPs, RTAs, Clearing Corporations and other Depository.

4 · 40.2.9 Monitoring and redressal of investor grievances.

4 · 40.2.10 Inspection of DPs and RTAs.

4 · 40.2.11 Surveillance Functions.

4 · 40.2.12 Compliance Functions.

4 · 40.3 Core IT (Information Technology) support infrastructure / activities for running the core activities of depositories shall not be outsourced to the extent possible.

177 · Reference: SEBI Circular CIR/MRD/DP/19/2015 dated December 09, 2015

4 · 40.4 The depositories shall conduct appropriate due diligence in selecting the third party to whom activity is proposed to be outsourced and ensure that only reputed entities having proven high delivery standards are selected.

4 · 40.5 Depositories shall ensure that outsourced activities are further outsourced downstream only with the prior consent of the depository and with appropriate safeguards including proper legal documentation/ agreement.

4 · 40.6 Depositories shall ensure that risk impact analysis is undertaken before outsourcing any activity and appropriate risk mitigation measures like back up/ restoration system are in place.

4 · 40.7 An effective monitoring of the entities selected for outsourcing shall be done to ensure that there is check on the activities of outsourced entity. Depositories shall strive to automate their processes and workflows to the extent possible which shall enable real time monitoring of outsourced activities.

4 · 40.8 The outsourcing policy document shall act as a reference for audit of the outsourced activities. Audit of implementation of risk assessment and mitigation measures listed in the outsourcing policy document and outsourcing agreement/ service level agreements pertaining to IT systems shall be part of System Audit of Depositories .

4 · 41 Cyber Security and Cyber Resilience framework of Depositories 178

4 · 41.1 Guidelines for MIIs regarding Cyber security and Cyber resilience 179

178 · Reference: SEBI Circular CIR/MRD/DP/13/2015 dated July 06, 2015 , Circular SEBI/HO/MRD1/MRD1_DTCS/P/CIR/2022/68 dated May 20, 2022 and Circular SEBI/HO/MRD/TPD/P/CIR/2023/147 dated August 24, 2023

179 · SEBI Circular SEBI/HO/MRD/ TPD/P/CIR/2023/146 dated August 29, 2023

4 · 41.2 Advisory on Encryption of Data at Rest and Data in Motion 180

4 · 41.3 Advisory on Cyber security and Cyber resilience 181

4 · 41.3.1 MIIs shall ensure real -time monitoring of their IT environment with the capability of generation of real-time alerts. Logs from all servers/networks and other infrastructure shall be aggregated into SOC/SIEM and team at SOC shall proactively monitor/take actions on the alerts generated from the ingested data.

4 · 41.3.2 MIIs shall proactively monitor both inbound and outbound traffic.

4 · 41.3.3 MIIs shall build appropriate defense strategies to deal with DDoS, Insider Threat, Phishing and Ransomware-as-a-Service ("RaaS") attacks.

4 · 41.3.4 MIIs should carry out employee awareness campaigns, psychometric tests, continuous face to face engagement with employees, simulation exercises etc. for employees handing critical activities/tasks to deal with any social engineering/phishing attacks.

4 · 41.3.5 MIIs shall physically segregate the network implemented for doing various kind of automation for physical security of building vis-à-vis networks implemented for core activities.

4 · 41.3.6 MIIs shall identify the vulnerabilities in their IT environment through regular scans and all critical high-impact vulnerabilities shall be closed on an urgent basis.

4 · 41.3.7 MIIs shall follow proper change management policy to ensure adequate testing and closure of vulnerabilities before deploying into production environment. Further, appropriate monitoring shall be done with respect to any change management implemented by MIIs.

4 · 41.3.8 MIIs shall ensure that they maintain online as well as offline backups of their data and appropriate testing shall be conducted on these backups to ensure confidentiality, integrity and availability.

180 · SEBI email dated September 28, 2023

181 · SEBI email dated January 16, 2024

4 · 41.3.9 MIIs shall ensure continuous security monitoring of third-party involvement, such as access of systems to vendors, to mitigate any cyber security risks.

4 · 41.3.10 MIIs shall follow the principle of zero trust architecture while providing access to IT systems. Further, MIIs shall monitor privilege access to any IT systems proactively.

4 · 41.3.11 MIIs should also beef up physical security of their premises.

4 · 41.4 Measures taken to strengthen the cyber resilience of MIIs 182

4 · 41.5 Patch Management policy of MIIs 183

4 · 41.6 Cyber Security Operation Center (C-SOC) 185

4 · 41.6.1 Recognizing the need for a robust Cyber Security and Cyber Resilience framework at Market Infrastructure Institutions (MIIs), i.e., Stock Exchanges, Clearing Corporations and Depositories, a detailed regulatory framework on cyber security and cyber resilience has been prescribed.

4 · 41.6.2 With the view to further strengthening the aforesaid framework, particularly in respect of monitoring of cyber threats and cyber resiliency, the matter was discussed with SEBI's TAC, SEBI's High Powered Committee on Cyber Security (HPSC-CS) and the MIIs.

4 · 41.6.3 Accordingly, it has been decided that MIIs shall have a Cyber Security Operation Center (C-SOC) that would be a 24x7x365 set-up manned by

182 · SEBI letter dated December 26,2023

183 · SEBI letter dated January 12, 2024

184 · https://www.sebi.gov.in/legal/circulars/aug-2024/cybersecurity-and-cyber-resilienceframework -cscrf -for -sebi -regulated-entities-res-_85964.html

4 · 41.6.4 The C -SOC shall function in accordance with the framework specified at Para 4.41 Illustrative list of broad functions and objectives to be carried out by a C-SOC are mentioned below:

4 · 41.6.4.1 Prevention of cyber security incidents through proactive actions:

4 · 41.6.4.2 Monitoring, detection, and analysis of potential intrusions / security incidents in real time and through historical trending on security-relevant data sources.

4 · 41.6.4.3 Response to confirmed incidents, by coordinating resources and directing use of timely and appropriate countermeasures.

4 · 41.6.4.4 Analysis of the intrusions / security incidents (including Forensic Analysis and Root Cause Analysis) and preservation of evidence.

4 · 41.6.4.5 Providing situational awareness and reporting on cyber security status, incidents, and trends in adversary behaviour to appropriate organizations including to CERT- In and NCIIPC.

4 · 41.6.4.6 Engineer and operate network defense technologies such as Intrusion Detection Systems (IDSes) and data collection / analysis systems.

4 · 41.6.4.7 MIIs to adopt security automation and orchestration technologies in C -SOC to automate the incident identification, analysis and response as per the defined procedures.

4 · 41.6.5 Further to the above, the C -SOC of MII shall, at the minimum, undertake the following activities:

4 · 41.6.5.1 In order to detect intrusions / security incidents in real time, the CSOC should monitor and analyze on a 24x7x365 basis relevant logs of MII's network devices, logs of MII's systems, data traffic, suitable cyber intelligence (intel) feeds sourced from reliable vendors, inputs received from other MIIs, inputs received from external agencies such as CERT-In, etc. The cyber intelligence (intel) feeds

4 · 41.6.5.2 To this end, appropriate alert mechanisms should be implemented including a comprehensive dashboard, tracking of key security metrics and provide for cyber threat scorecards.

4 · 41.6.5.3 The C -SOC should conduct continuous assessment of the threat landscape faced by the MII including undertaking periodic VAPT (Vulnerability Assessment and Penetration Testing).

4 · 41.6.5.4 The C -SOC should have the ability to perform Root Cause Analysis, Incident Investigation, Forensic Analysis, Malware Reverse Engineering, etc. to determine the nature of the attack and corrective and/or preventive actions to be taken thereof.

4 · 41.6.5.5 The C -SOC should conduct periodic (at the minimum quarterly) cyber-attack simulation to aid in developing cyber resiliency measures. The C -SOC should develop and document mechanisms and standard operating procedures to recover from the cyberattacks within the stipulated RTO of the MII. The C-SOC should also document various scenarios and standard operating procedures for resuming operations from Disaster Recovery (DR) site of MII.

4 · 41.6.5.6 The C -SOC should conduct periodic awareness and training programs at the MII and for its members / participants / intermediaries with regard to cyber security, situational awareness and social engineering.

4 · 41.6.5.7 The C -SOC should be capable to prevent attacks similar to those already faced. The C-SOC should also deploy multiple honey pot services which are dynamic in characteristics to avoid being detected as honey pot by attackers.

4 · 41.6.6 As building an effective C-SOC requires appropriate mix of right people, suitable security products (Technology), and well-defined processes and procedures (Processes), an indicative list of areas that MIIs should consider while designing and implementing a C-SOC are as follows:

4 · 41.6.6.1 The MII shall ensure that the governance and reporting structure of the C -SOC is commensurate with the risk and threat landscape of the MII. The C -SOC shall be headed by the Chief Information Security Officer (CISO) of the MII. The CISO shall be designated as a Key Managerial Personnel (KMP) and relevant provisions

4 · 41.6.6.2 While the CISO is expected to work closely with various departments of MIIs, including MII's Network team, Cyber Security team and Information Technology (IT) team, etc., the reporting of CISO shall be directly to the MD & CEO of the MII.

4 · 41.6.6.3 The roles and responsibilities of CISO may be drawn from Ministry of Electronics and IT Notification No. 6(12)/2017-PDP-CERT-In dated March 14, 2017 .

4 · 41.6.6.4 The C -SOC should deploy appropriate technology tools of adequate capacity to cater to its requirements. Such tools shall, at the minimum, include Security Analytics Engine, Malware detection tools, Network and User Traffic Monitoring and Behaviour Analysis systems, Predictive Threat Modelling tools, Tools for monitoring of System parameters for critical systems / servers, Deep Packet Inspection tools, Forensic Analysis tools, etc.

4 · 41.6.6.5 Each MII is advised to formulate a Cyber Crisis Management Plan (CCMP) based on its architecture deployed, threats faced and nature of operations. The CCMP should define the various cyber events, incidents and crisis faced by the MII, the extant cyber threat landscape, the cyber resilience envisaged, incident prevention, cyber crisis recognition, mitigation and management plan. The CCMP should be approved by the respective Standing Committee on Technology / ITStrategy Committee of the MIIs and the governing board of the MII. The CCMP should also be reviewed and updated annually.

4 · 41.6.6.6 The C -SOC should have well -defined and documented processes for monitoring of its systems and networks, analysis of cyber security threats and potential intrusions / security incidents, usage of appropriate technology tools deployed by C-SOC, classification of threats and attacks, escalation hierarchy of incidents, response to threats and breaches, and reporting (internal and external) of the incidents.

4 · 41.6.6.7 The C -SOC should employ domain experts in the field of cyber security and resilience, network security, data security, end-point security, etc.

4 · 41.6.6.8 The MIIs are also advised to build a contingent C-SOC at their respective DR sites with identical capabilities w.r.t. the primary CSOC in line with the circulars issued by SEBI in this regard . Additionally, the MIIs should perform monthly live-operations from their DR -C -SOC .

4 · 41.6.6.9 The C -SOC should document the cases and escalation matrices for declaring a disaster.

4 · 41.6.7 In view of the feedback received from MIIs, it has been decided that MIIs may choose any of the following models to set-up their C-SOC:

4 · 41.6.7.1 The responsibility of cyber security of an MII, adherence to business continuity and recovery objectives, etc. should lie with the respective MII, irrespective of the model adopted for C-SOC.

4 · 41.6.7.2 The respective risk committee(s) of the MII should evaluate the risks of outsourcing the respective activity.

4 · 41.6.7.3 The MII may outsource C-SOC activities in line with the guidelines as given below:

4 · 41.6.8 A report on the functioning of the C-SOC, including details of cyberattacks faced by the MII, major cyber events warded off by the MII, cyber security breaches, data breaches should be placed on a quarterly basis before the board of the MII.

4 · 41.6.9 The system auditor of the MII shall audit the implementation of the aforesaid guidance in the annual system audit of the MII. The Scope and/or Terms of Reference (ToR) of the annual system would accordingly be modified to include audit of the implementation of the aforementioned areas.

4 · 41.6.10 Further, the C -SOC shall share relevant alerts and attack information with members / participants / intermediaries of the MII, other MIIs, external cyber response agencies such as CERT-In, and SEBI.

4 · 42 Recommendations of high powered steering Committee187

4 · 43 Database for Distinctive Number (DN) of Shares 188

4 · 43.1 Share capital reconciliation of the entire issued capital of the company by the issuer or its agent is a mandatory requirement under Regulation 75 of the DP Regulations .

4 · 43.2 In order to ensure centralised record of all securities, including both physical and dematerialised shares, issued by the company and its reconciliation thereof, the Depositories are advised to create and maintain a database of distinctive numbers (DN) of equity shares of listed companies with details of DN in respect of all physical shares and overall DN range for dematerialised shares.

186 · https://www.sebi.gov.in/legal/circulars/aug-2024/cybersecurity-and-cyber-resilienceframework -cscrf -for -sebi -regulated-entities-res-_85964.html

187 · Reference: SEBI Letter SEBI/HO/MRD/CSC/OW/P/2019/10055 dated April 22, 2019

188 · Reference: SEBI Circular CIR/MRD/DP/10/2015 dated June 05, 2015

4 · 43.3 The DN database shall make available, information in respect of issued capital, such as DN Range, number of equity shares issued, name of stock exchange where the shares are listed, date of in -principle listing / final trading approval / dealing permission, shares held in physical or demat form, date of allotment, shares dematerialized under temporary (frozen) ISIN (International Securities Identification Number) or Permanent (active) ISIN etc., at one place.

4 · 43.4 Based on consultations with the Depositories and Stock Exchanges, the following guidelines are given for the operationalisation of the DN database –

4 · 43.4.1 Instructions to the Depositories

4 · 43.4.1.1 The depositories shall create and maintain a database to capture DN in respect of all physical equity shares and overall DN range for dematerialised equity shares issued by listed companies.

4 · 43.4.1.2 The depositories shall provide an interface to the Stock Exchange, Issuers/RTAs for online updation and to the DPs for online enquiry.

4 · 43.4.1.3 The database shall include the following information -

4 · 43.4.1.4 The depositories shall ensure that the database maintained by them is continuously updated and synchronised. The initial synchronisation may be in batch mode and shall thereafter shift to online mode.

4 · 43.4.1.5 The Depositories, in co-ordination with the Stock Exchanges, having nationwide trading terminals and the Issuers/RTAs, shall facilitate the process of populating the database with details of equity share capital and the corresponding DN information.

4 · 43.4.2 Instructions to the Stock Exchanges

4 · 43.4.2.1 The Stock Exchanges shall provide the following information of all companies listed on the concerned Stock Exchange-

4 · 43.4.2.2 The Stock Exchanges shall use the interface provided by the Depositories for the following -

4 · 43.4.2.3 In case the DN data on listed shares as per the records of Issuers/RTAs does not match with records of the Stock Exchanges, the Stock Exchanges shall coordinate with the Issuer/RTA to reconcile such differences.

4 · 43.4.3 Instructions to the Issuers/RTAs

4 · 43.4.3.1 Issuers/RTAs shall use the interface provided by the Depositories for the following -

4 · 43.4.3.2 Issuers/RTAs shall take all necessary steps to update the DN database. If there is mismatch in the DN information with the data provided/updated by the Stock Exchanges in the DN database, the Issuer/RTA shall take steps to match the records and update the same.

4 · 43.4.3.3 Failure by the Issuers/RTAs to ensure reconciliation of the records as required in terms of para above shall attract appropriate actions under the extant laws.

4 · 43.4.4 Instructions to the DPs

4 · 43.4.4.1 The DPs shall use the interface provided by the Depositories to check the DNs of certificates of equity shares submitted for dematerialisation and ensure that appropriate ISIN is filled in Dematerialisation Request Form, as applicable, while processing request for dematerialisation.

4 · 43.5 Despite follow-ups by Depositories, certain companies were yet to comply with the above provisions. Hence, in order to protect the interest of investors the following is directed 189 :-

4 · 43.5.1 Action against non-compliant companies

4 · 43.5.1.1 With effect from August 01, 2019:-

189 · Reference: SEBI Circular SEBI/HO/MRD/DOP2DSA2/CIR/P/2019/87 dated August 01, 2019

4 · 43.5.1.2 The names of companies that are not in compliance with aforementioned provisions shall be prominently disseminated on the website of the exchanges/depositories, indicating that the concerned companies have not complied with the above provisions .

4 · 43.5.1.3 Prior to revocation of suspension of trading of shares of any company, exchanges shall ensure compliance by the company with the above provisions and ensure availability of updated details of company's promoters (especially their PAN) and directors (especially their PAN and DIN), apart from ensuring compliance with other applicable regulatory norms.

4 · 43.5.2 The concerned Stock Exchanges and Depositories shall coordinate with each other and take necessary steps to implement these provisions.

4 · 43.5.3 SEBI may also take any other appropriate action(s) against the concerned listed companies and its promoters/directors for non-compliance with the above provisions .

4 · 44 Ticker on Website -For Investor awareness190

4 · 44.1 In order to create wider awareness about the same, Depositories and Depository Participants are advised to run the following ticker on their websites:

4 · 44.2 Depositories are advised to communicate the above to their depository participants and ensure its implementation.

4 · 45 Separate mobile number/ email id for the clients of Depository Participants (DPs) 191

4 · 45.1 It has been observed that DPs do not have the procedure to check that separate mobile number/ email id is uploaded for each client.

4 · 45.2 In view of the same , Depositories are advised to instruct their participants to en sure that separate mobile number/E-mail address is uploaded for each client. However, under exceptional circumstances, the participants may, at the specific

190 · Reference: SEBI Email on "Ticker on Website -For Investor awareness" dated November 05, 2015

191 · Reference: SEBI Email on Separate mobile number/ email id for the clients of Depository Participants (DPs) dated January 16, 2015.

4 · 46 Comprehensive guidelines for Investor Protection Fund (IPF) and Investor Services Fund (ISF) at Stock Exchanges and Depositories 192

4 · 46.1 The comprehensive guidelines for IPF are as under:

4 · 46.1.1 Investor Protection Fund

192 · Reference: SEBI Circular SEBI/HO/MRD/MRD-PoD-3/P/CIR/2023/81 dated May 30, 2023 (superceded SEBI Circular SEBI/HO/MRD/DP/CIR/P/2016/58 dated June 07, 2016)

4 · 46.1.2 Miscellaneous

4 · 47 Enhanced Supervision of Depository Participant 193

193 · Reference: SEBI Circular SEBI/HO/MIRSD/MIRSD2/CIR/P/2016/95 dated September 26, 2016, SEBI Circular CIR/HO/MIRSD/MIRSD2/CIR/P/2017/64 dated June 22,2017 & SEBI Circular SEBI/HO/MIRSD/ MIRSD_DPIEA/P/CIR/2022/83 dated June 20, 2022

4 · 48 Amendment pursuant to comprehensive review of Investor Grievance Redressal Mechanism194

4 · 49 Investor Grievance Redressal Mechanism195

4 · 49.1 SEBI has implemented an online platform (SCORES) designed to help investors to lodge their complaints, pertaining to securities market, against listed companies and SEBI registered intermediaries.

4 · 49.2 In line with the same, to enable investors to lodge and follow up their complaints and track the status of redressal of such complaints from anywhere, all Depositories are advised to design and implement an online web based complaints redressal system of their own, which will facilitate investors to file complaints and escalate complaints for redressal in accordance with their respective byelaws, rules and regulations.

4 · 49.3 The system should be web enabled and provide online access 24 x 7 with the following salient features:

4 · 49.3.1 Complaints/Grievance Redressal Committee (GRC)* and reminders thereon are lodged online at anytime from anywhere;

4 · 49.3.2 An email is generated instantaneously acknowledging the receipt of the complaint and allotting a unique registration number for future reference and tracking;

4 · 49.3.3 The matter/case moves online to the entity (intermediary or listed company) concerned for its redressal;

4 · 49.3.4 The entity concerned can indicate the mode i.e. online or offline for GRC *

4 · 49.3.5 The access of the online system should be given to the Trading Members and Depository Participants.

194 · Reference: SEBI Circular SEBI/HO/DMS/ CIR/P/2017/15 dated February 23, 2017, SEBI Circular SEBI/HO/MRD1/ICC1/CIR/P/2021/625 dated September 02, 2021 and SEBI Circular SEBI/HO/MRD1/ICC1/CIR/P/2022/94 dated July 04, 2022

195 · Reference: SEBI Circular SEBI/HO/MRD1/ICC1/CIR/P/2022/94 dated July 04, 2022 and (Amended vide SEBI Circular SEBI/HO/OIAE/OIAE_IAD-1/P/CIR/2023/145 dated July 31, 2023)

4 · 49.3.6 The entity concerned uploads an Action Taken Report (ATR) on the Complaints/GRC * ;

4 · 49.3.7 All Depositories peruse the ATR and dispose of the Complaints/GRC if it is satisfied that the complaint has been redressed adequately;

4 · 49.3.8 The concerned investor can view the status of the complaint online;

4 · 49.3.9 The entity concerned and the concerned investor can seek and provide clarification(s) online to each other;

4 · 49.3.10 The life cycle of a Complaints/GRC * has an audit trail; and

4 · 49.3.11 All the Complaints/GRC * are saved in a central database which would generate relevant MIS reports to enable all Depositories to take appropriate policy decisions and or remedial actions.

4 · 49.3.12 There should be a provision to link the online system with SCORES.

4 · 49.4 The system is intended to expedite redressal / disposal of investors' complaints as it would also obviate the need for physical movement of complaints. Further, the possibility of loss, damage or misdirection of the physical complaints would be avoided. It would also facilitate easy retrieval and tracking of complaints at any time.

4 · 49.5 All Depositories are advised to widely publicise (including in media) its online web based complaints redressal system.

4 · 49.6 During the COVID pandemic, Stock Exchanges were advised to conduct GRC * and arbitration / appellate arbitration meetings/hearings online for faster redressal of complaints. The online process saves time and cost of the parties involved which is in the interest of investors.

4 · 49.7 Therefore, it has been decided that the depositories shall follow the hybrid mode (i.e. online and offline) of conducting GRC * .

4 · 50 Digital Mode of Payment1 t196

4 · 50.1 SEBI has notified the SEBI (Payment of Fees and Mode of Payment) (Amendment) Regulations, 2017 on March 06, 2017 to enable digital mode of payment (RTGS/NEFT/IMPS , etc.) of fees/penalties/remittance/other payments etc.

4 · 50.2 Pursuant to above, SEBI has been receiving direct credit of amounts from various intermediaries / other entities.

4 · 50.3 In order to identify and account such direct credit in the SEBI account, intermediaries/other entities shall provide the information as mentioned in Annexure 26 to SEBI once the payment is made.

4 · 50.4 The above information should be emailed to the respective department(s)as well as to Treasury &Accounts division at tad@sebi.gov.in

4 · 51 Framework for Innovation Sandbox 197

4 · 51.1 Capital market in India have been early adopters of technology. SEBI believes that encouraging adoption and usage of financial technology ('FinTech') would have a profound impact on the development of securities market. FinTech can act as a catalyst to further develop and maintain an efficient, fair and transparent securities market ecosystem.

4 · 51.2 To create an ecosystem which promotes innovation in the securities market, SEBI feels that FinTech firms should have access to market related data, particularly, trading and holding data, which is otherwise not readily available to them, to enable them to test their innovations effectively before the introduction of such innovations in a live environment.

4 · 51.3 The "Innovation Sandbox", would be a testing environment where FinTech firms and entities not regulated by SEBI including individuals (herein afterwards referred to as participants/ applicants) may use the environment for offline testing of their proposed solutions in isolation from the live market, subject to fulfillment of the eligibility criteria, based on market related data made available by Stock Exchanges, Depositories and Qualified Registrar and Share Transfer Agents (QRTAs).

4 · 51.4 The components and structure of the Innovation Sandbox can be broadly classified into design, legal and administrative categories. The method of

196 · Reference: SEBI Circular SEBI/HO/GSD/T&A/CIR/P/2017/42 dated May 16, 2017

197 · Reference: SEBI Circular SEBI/MRD/CSC/CIR/P/2019/64 dated May 20, 2019

4 · 51.4.1 Design Components

4 · 51.4.2 Legal components

4 · 51.4.3 Administrative Components

4 · 51.4.4 Interface for Innovation Sandbox

4 · 51.5 The eligibility criteria for inclusion into the Innovation Sandbox are as follows:

4 · 51.6 A Steering Committee comprising of representatives from the Market Infrastructure Institutions (MIIs) and QRTAs shall develop the operating guidelines as mentioned at Para 4.51 . 4.3 (c) towards the components and structure of the Innovation Sandbox as articulated in the Features, Structure and Eligibility criteria of Innovation Sandbox in Para 4.51 . 4 and Para 4.51 . 5 . The Steering Committee shall also include members drawn from the areas of FinTech start -ups, academia and angel investors or any other area as may be prescribed by SEBI. At the initial stage, SEBI representative shall be a permanent invitee to this Committee.

4 · 51.7 Post issuance of operating guidelines, the Steering Committee shall carry out all the functions as envisaged in the Administrative Components at Para 4.51 . 4 viz. receive, evaluate and process the applications received for participating in the Innovation Sandbox, approve / reject applications so received, grievance redressal etc. The Steering Committee shall also be responsible for registering/onboarding the applicant post approval of the application and monitor the participant throughout the lifecycle of the project.

4 · 51.8 Each of the MIIs and QRTAs shall build their own interface and APIs. Any approved sandbox applicant can then get access to the APIs of the respective MIIs and QRTAs where the applicant would test its solution

4 · 51.9 The Sandbox applicant may give a presentation to the Steering Committee upon completion of the testing and exit from the Innovation Sandbox.

4 · 51.10 The Steering Committee overseeing the testing of the applicant's solution within the sandbox shall maintain an Objective and Key Result Areas (OKRA) document for effective oversight on the entire process.

4 · 51.11 The entire sandbox participation lifecycle (applying, tracking, on-boarding, monitoring, reporting, etc.) should move towards a complete digital environment within a time -bound manner, not exceeding 24 months, towards ensuring transparency and efficiency.

4 · 51.12 The Steering Committee, to begin with, shall evolve decisions based on consensus and have a Chairperson from among the group on a rotation basis.

4 · 51.13 Based on the functioning of the Steering Committee, SEBI would prescribe other norms for governance, as and when required.

4 · 51.14 SEBI envisages the Innovation Sandbox to have the following benefits:

4 · 51.14.1 Product showcase

4 · 51.14.2 Product regulation

4 · 51.14.3 Industry interoperability

4 · 52 Revised Framework for Innovation Sandbox 198

4 · 53 Framework for Regulatory Sandbox 199

4 · 54 Monitoring of Foreign Investment limits in listed Indian companies 200

4 · 54.1 As per FEMA, the onus of compliance with the various foreign investment limits rests on the Indian company. In order to facilitate the listed Indian companies to ensure compliance with the various foreign investment limits, SEBI in

198 · Reference: SEBI Circular SEBI/HO/ITD/ITD/CIR/P/2021/16/2021 dated February 02, 2021

199 · Reference: SEBI Circular SEBI/HO/MRD-1/CIR/P/2020/95 dated June 05, 2020, updated vide SEBI Circular SEBI/HO/ITD/ITD/CIR/P/2021/575 dated June 14, 2021 200 Reference: SEBI Circular IMD/FPIC/CIR/P/2018/61 dated April 05, 2018

4 · 54.2 For the architecture of the new system , kindly refer para titled 'Monitoring of Investment Limit at individual level ' of SEBI Circular SEBI/HO/AFD2/CIR/P/2022/175 dated December 19, 2022 (Master Circular for Foreign Portfolio Investors, Designated Depository Participants and Eligible Foreign Investors)

4 · 54.3 The depositories shall put in place the necessary infrastructure and IT systems for operationalizing the monitoring mechanism referred above .

4 · 55 Disclosure of performance of CRAs on Stock Exchange and Depository website 201

4 · 56 Handling of Clients' Securities by Trading Members/Clearing Members 202

4 · 57 Early Warning Mechanism to prevent diversion of client securities 203

4 · 58 Standard Operating Procedure in the cases of Trading Member /Clearing Member leading to default2 t204

201 · Reference: SEBI Circular SEBI/ HO/ MIRSD/ DOS3/ CIR/ P/ 2018/ 140 dated November 13, 2018

202 · Reference: SEBI Circular CIR/HO/MIRSD/DOP/CIR/P/2019/75 dated June 20, 2019, SEBI Circular SEBI/HO/MIRSD/DOP/CIR/P/2019/95 dated August 29, 2019 and SEBI Circular SEBI/HO/MIRSD/MIRSD-PoD-1/P/CIR/2022/153 dated November 11, 2022

203 · Reference: SEBI Circular SEBI/HO/MIRSD/DOP/CIR/P/2018/153 dated December 17, 2018

204 · Reference: SEBI Circular SEBI/HO/MIRSD/DPIEA/CIR/P/2020/115 dated July 01, 2020 and SEBI Circular SEBI/HO/MIRSD/DPIEA/P/CIR/2022/72 dated May 27, 2022

4 · 59 Mapping of Unique Client Code (UCC) with demat account of the clients 205

4 · 60 Reporting for Artificial Intelligence(AI) and Machine Learning (ML) applications and systems offered and used by Market Infrastructure Institutions (MIIs) 206

4 · 60.1 SEBI is conducting a survey and creating an inventory of the AI / ML landscape in the Indian financial markets to gain an in-depth understanding of the adoption of such technologies in the markets and to ensure preparedness for any AI / ML policies that may arise in the future.

4 · 60.2 Any set of applications / software / programs/ executable / systems (computer systems) cumulatively called application and systems, to carry out compliance operations/activities, where AI/ML is used for compliance or management purposes, is included in the scope of this circular. In order to make the scope inclusive of various AI and ML technologies in use, the scope also covers FinTech and Reg-Tech initiatives undertaken by MIIs that involves AI and ML.

4 · 60.3 Technologies that are considered to be categorized as AI and ML technologies in the scope of this section, are as follows:

4 · 60.3.1 Natural Language Processing (NLP), sentiment analysis or text mining systems that gather intelligence from unstructured data. – In this case, Voice to text, text to intelligence systems in any natural language will be considered in scope. E.g.: robo chat bots, big data intelligence gathering systems.

4 · 60.3.2 Neural Networks or a modified form of it. – In this case, any systems that uses a number of nodes (physical or software simulated nodes) mimicking natural neural networks of any scale, so as to carry out

205 · Reference: SEBI Circular SEBI/HO/MIRSD/DOP/CIR/P/2019/136 dated November 15, 2019

206 · Reference: SEBI Circular SEBI/HO/MRD/DOP1/CIR/P/2019/24 dated January 31, 2019

4 · 60.3.3 Machine learning through supervised, unsupervised learning or a combination of both. – In this case, any application or systems that carry out knowledge representation to form a knowledge base of domain, by learning and creating its outputs with real world input data and deciding future outputs based upon the knowledge base. E.g.: System based on Decision tree, random forest, K mean, Markov decision process, Gradient boosting Algorithms.

4 · 60.3.4 A system that uses statistical heuristics method instead of procedural algorithms or the system / application applies clustering or categorization algorithms to categorize data without a predefined set of categories

4 · 60.3.5 A system that uses a feedback mechanism to improve its parameters and bases it subsequent execution steps on these parameters.

4 · 60.3.6 A system that does knowledge representation and maintains a knowledge base.

4 · 60.4 All MIIs shall fill in the AI / ML reporting form (Annexure 27) in respect of the AI or ML based applications or systems as defined in Para 4.60.3 offered or used by them, and submit the same in soft copy only at AI_MII_SE@sebi.gov.in(for stock Exchanges)/AI_MII_DEP@sebi.gov.in (for depositories) /AI_MII_CC@sebi.gov.in (for Clearing Corporations) to SEBI on a quarterly basis within 15 days of the expiry of the quarter .

4 · 61 Measures to expedite Dematerialisation of securities 207

4 · 61.1 In order to enable prompt execution of demat requests, Depositories shall provide additional details, such as PAN, Address and Residential status of investors in the DRF itself.

4 · 61.2 To include a provision in DRF to capture 2 signatures – one registered with DP at the time of demat account opening and the other registered with issuer/RTA at the time of allotment /transfer. The request submitted by BO would be only processed when both two signatures i.e . one registered with RTA and other registered with DP matches with two respective signatures on DRF. In case of

207 · Reference: SEBI Letter MRD/DoPII/DSAII/MIRSD/DOS3/OW/2018/28162/1 dated October 22, 2018

4 · 61.3 To advise Depository Participants to update bank account details of all demat account holders in their records.

4 · 62 Capacity Planning Framework for the Depositories 208

4 · 62.1 Depositories have been identified as financial Market Infrastructure Institutions which facilitate and perform systemically critical functions in the securities market. In view of their importance in the smooth functioning of the securities market, the framework for capacity planning of the Depositories was also discussed in TAC. Based on recommendations of the committee, it has been decided to put in place following requirements for Depositories while planning capacities for their operations:

4 · 62.1.1 The installed capacity shall be at least 1.5 times (1.5x) of the projected peak load.

4 · 62.1.2 The projected peak load shall be calculated for the next 60 days based on the per hour peak load trend of the past 180 days.

4 · 62.1.3 The Depositories shall ensure that the utilisation of resources in such a manner so as to achieve work completion in 70% of the allocated time.

4 · 62.1.4 All systems pertaining to Depository operations shall be considered in this process including all technical components such as network, hardware, software, etc., and shall be adequately sized to meet the capacity requirements.

4 · 62.1.5 In case the actual capacity utilization exceeds 75% of the installed capacity for a period of 15 days on a rolling basis, immediate action shall be taken to enhance the capacity.

4 · 62.1.6 The actual capacity utilisation shall be monitored especially during the period of the day in which pay-in and pay-out of securities takes place for meeting settlement obligations.

4 · 62.2 Depositories shall implement suitable mechanisms, including generation of appropriate alerts, to monitor capacity utilisation on a real-time basis and shall proactively address issues pertaining to their capacity needs.

208 · Reference: SEBI Circular SEBI/HO/MRD/DP/CIR/P/2017/29 dated April 03, 2017

4 · 63 Trading Supported by Blocked Amount in Secondary Market209

4 · 63.1 In its continuing endeavour to provide protection to the investors from the default of member(s) ['trading member' (TM) / 'clearing member' (CM)], SEBI has decided to introduce a supplementary process for trading in secondary market based on blocked funds in investor's bank account, instead of transferring them upfront to the trading member, thereby providing enhanced protection of cash collateral. The said facility shall be provided by integrating Reserve Bank of India (RBI) approved Unified Payments Interface (UPI) mandate service of single-block-and-multipledebits with the secondary market trading and settlement process and hereinafter referred as 'UPI block facility'

4 · 63.2 Under the proposed framework, funds shall remain in the account of client but will be blocked in favour of the clearing corporation ('CC') till the expiry date of the block mandate or till block is released by the CC, or debit of the block towards obligations arising out of the trading activity of the client, whichever is earlier. Further, settlement for funds and securities will be done by the CC without the need for handling of client funds and securities by the member.

4 · 63.3 Further, while a UPI block upon creation shall be considered towards collateral, the same shall also be available for settlement purposes. For the clients who prefer to block lump sum amount, their block can be debited multiple times, subject to available balance, for settlement obligations across days.

4 · 63.4 The main features of the framework are as under:

4 · 63.4.1 General features:

4 · 63.4.1.1 Availing UPI block facility shall be at the option of the investor.

4 · 63.4.1.2 Shall be introduced as a non -mandatory facility to be provided by the stock broker.

4 · 63.4.1.3 Since an investor is allowed to have trading accounts across multiple stock brokers, an investor can choose to avail UPI block facility under some broker(s) and non-UPI based trading under others. However, once opted for UPI block facility (until they opt out after fulfilling all obligations) under particular broker(s), the following needs to be adhered to in respect of UPI block facility under that broker(s):

4 · 63.4.1.3.1 All cash collaterals shall be provided through UPI block only.

4 · 63.4.1.3.2 Cash equivalent collateral such as bank guarantees and fixed deposits shall not be permitted.

209 · Reference: SEBI Circular SEBI/HO/MRD/MRD-PoD-2/P/CIR/2023/99 dated June 23, 2023

4 · 63.4.1.3.3 Securities collateral to be provided through pledge/re-pledge system and only those securities can be provided which are in

4 · 63.4.1.3.4 Funds pay-in settlement to be done through UPI block only.

4 · 63.4.1.4 Collateral and settlement shall continue to be segment-wise, and the client/TM/CM shall need to transfer/reallocate collateral between segments.

4 · 63.4.1.5 Running account settlement shall not be supported. CC shall settle the account of clients using UPI block facility on a daily basis, i.e., any payout due to the client shall be paid out to the client on the settlement day.

4 · 63.4.1.6 Single block limit of Rs. 5 lakhs shall apply [currently applicable for UPI based securities market transaction]. However, multiple blocks can coexist subject to the overall limit applicable in UPI

4 · 63.4.2 Eligibility of investors: All investors who are permitted to use RBI's UPI facility, and meeting the criteria defined by CCs, shall be eligible.

4 · 63.4.3 Process (in brief):

4 · 63.4.3.1 The stock brokers providing the facility shall notify the details of investors desirous of availing the service to the stock exchange. The stock exchange shall validate the bank and demat account maintained in the Unique Client code ('UCC') systems and used for block creation and settlement. The exchanges shall provide relevant details to the CC.

4 · 63.4.3.2 The block shall be created by client using the UPI application ('UPI app') based on the blocking request initiated through stock broker app. While creating the blocking request under the proposed block mechanism, relevant information such as TM Code, CM Code, Unique Client Code, segment etc. shall be captured by the stock broker and sent to UPI.

4 · 63.4.3.3 The UPI block shall get created in favour of the CC and can be debited by the CC only.

4 · 63.4.3.4 The block shall support multiple debits – i.e., for a block created on day 1, it can be partially debited multiple times till the exhaustion of amount or expiry/release of the block, whichever is earlier.

4 · 63.4.3.5 Since the CC shall directly maintain/update the client collateral value based on the blocking information received from the UPI railroads of National Payment Corporation of India ('NPCI') through the CC's sponsor bank, the stock brokers shall not allocate any collateral for clients under the facility of UPI block. Other procedures such as deemed

4 · 63.4.3.6 The CC shall debit the UPI block created in its favor to the extent of client level obligations, and receive the same in its account, without funds going through the clearing bank account of the CM. Securities provided as early pay -in (EPI) by the clients, using the block mechanism provided by depositories shall be received by the CC as per the prevailing process.

4 · 63.4.4 Settlement

4 · 63.4.4.1 There shall be two rounds of pay-in and one round of pay-out.

4 · 63.4.4.2 In Round 1 Pay-in, settlement obligation shall be calculated at client level, individually, for the clients opting for UPI block facility. There shall be no netting of obligations across different clients opting for UPI block facility and the settlement obligations shall be inclusive of standard statutory levies such as securities transaction tax (STT), stamp duty etc. The first deadline for pay-in shall be for the UPI clients. Clients with payable funds shall provide UPI block atleast to the extent of obligations, and clients with deliverable securities shall ensure availability of securities to the extent of obligations through the prevailing Early Pay-in (EPI) block mechanism wherein the securities given as EPI are blocked in favour of CC in the demat account of the client undertaking sale transaction. At the end of the Round 1 pay-in deadline defined by the CCs, the clients who have not provisioned for their pay-in shall be considered as short.

4 · 63.4.4.2.1 Round 2 Pay-in

4 · 63.4.4.2.1.1 The second round of funds obligation shall be a single net settlement of funds obligation at CM level for

4 · 63.4.4.2.1.2 The second round of securities obligation shall be a single net settlement at CM level for

4 · 63.4.4.2.1.3 The CMs shall be required to provide the aforementioned funds/securities obligations to the CC.

4 · 63.4.4.2.1.4 If the CMs fail to fulfil the obligation, then such members shall be treated as short and relevant provisions for shortage handling/default management shall apply

4 · 63.4.4.3 Pay-out - The pay-out shall be done in a single round after the two pay-in rounds. The CC shall give pay-out of funds directly to the bank account of the clients opting for UPI block facility, provided they have fulfilled their payin obligations. The CCs shall provide instructions to depositories for securities pay-out to the clients, which shall be directly delivered to client's account without the need of handling of such securities pay-out by TM/CM. For all other clients and proprietary account of CM/TM, there shall be single net settlement by CC to CM as is currently being done.

4 · 63.4.5 Release of block

4 · 63.4.5.1 Client can request for release of block to TM through TM app. TM shall request CM, and CM shall request CC. In case the TM, CM and CC do not have any residual claim, the CC shall release the block through UPI. Upon release of the block, the client's bank shall unfreeze the amount in the account of the client. Information regarding release shall be shared by NPCI with CC (through CC's sponsor bank) who in-turn shall transmit it to CM and TM. Further, since the release of the block is going to result in collateral being unallocated in favour of the client, as per the existing process, the CC shall send a notification to the client regarding the collateral being removed

4 · 63.4.6 Various scenarios

4 · 63.4.6.1 An analysis of how various scenarios i.e.

4 · 63.4.7 Dealing with shortages:

4 · 63.4.7.1 Cash Market: Funds shortage

4 · 63.4.7.1.1 CC shall provide pay-out of securities to the client's demat account and instruct the depository to auto-pledge such securities to the TM's "client unpaid securities pledgee account".

4 · 63.4.7.1.2 CC shall maintain the shortage amount of client. The obligation shall devolve on TM's CM, who shall settle the same with CC.

4 · 63.4.7.1.3 If client provides additional block subsequently, the CC shall debit the amount to the extent of shortfall and provide the same to the CM.

4 · 63.4.7.1.4 In case client fails to provide the amount, then TM can sell the securities pledged in favour of Client Unpaid Securities Pledgee Account (CUSPA) and/ or provided by way of margin pledge and mark early pay-in.

4 · 63.4.7.1.5 Out of the funds pay-out due to the client, amount to the extent of shortfall shall be paid to the CM who fulfilled the obligation. The remaining funds, if any, shall be paid out to the client.

4 · 63.4.7.1.6 The CC shall continue to maintain and update the residual short amount of the client, if any.

4 · 63.4.7.2 Cash Market: Securities shortage

4 · 63.4.7.2.1 Funds pay-out shall not be provided to the client. The amount shall be withheld by CC and used towards requirement of funds in lieu of securities delivered short.

4 · 63.4.7.2.2 Funds required in lieu of securities shortage in excess of funds payout shall be debited from block amount of client. In case of insufficient blocked amount, the same shall devolve on clearing member.

4 · 63.4.7.2.3 Auction shall be conducted to buy the securities short delivered by UPI clients.

4 · 63.4.7.2.4 If actual amount required towards auction purchase or financial closeout exceeds the pay-out amount referred to in Para 4.63.4.7.2.2

4 · 63.4.7.2.5 In case of any devolvement on member, the short amount of client shall be maintained and in case any blocking is done in future, the block shall be debited to the extent of shortfall and provided to the clearing member

4 · 63.4.7.3 Shortfall: Derivatives

4 · 63.4.7.3.1 CC shall debit block to the extent of pay-in requirements, irrespective of whether such debit causes a margin shortfall. In exceptional circumstances, if pay-in exceeds the margin, the residual amount shall devolve on CM.

4 · 63.4.7.3.2 In case of margin shortfall, TM/CM can close-out the position of the client and resultant loss shall be debited to the block or resultant profit shall be paid out to the client by the CC. Till the time TM/CM closes out the position, the provisions related to deemed allocation of proprietary collateral shall apply.

4 · 63.4.7.3.3 In case obligations have devolved on CM, any pay-out resulting from close -out of positions, or any new block created by client, to the extent of devolvement, shall be provided to the CM.

4 · 63.5 Since the framework requires certain changes to be made in the systems and processes of clearing corporations, stock exchanges, depositories, stock brokers and NPCI, the concerned entities are expected to make requisite changes and test the systems and processes for robustness thereafter to make the facility live by January 01, 2024.

4 · 63.6 To begin with, the facility may be made available in the equity cash segment. The CCs may extend the facility to additional segments subsequently.

4 · 63.7 Further, detailed operational guidelines including mode of brokerage collection shall be issued by CCs in consultation with relevant stakeholders such as stock exchanges, depositories etc.

4 · 64 Enhanced Due Diligence for Dematerialization of Physical Securities 210

4 · 64.1 In terms of Regulation 40 of LODR Regulations, transfer of securities held in physical mode is not permitted. Standardised norms with respect to documentation/procedure for transfer of physical securities were issued by SEBI .

4 · 64.2 To augment the integrity of the system in processing of dematerialization request

210 · Reference: SEBI Circular SEBI/HO/MIRSD/RTAMB/CIR/P/2019/122 dated November 05, 2019

4 · 64.2.1 All Listed companies or their RTAs shall provide data of their members holding shares in physical mode, viz . the name of shareholders, folio numbers, certificate numbers, distinctive numbers and PAN etc. (hereinafter, static database) as on March 31, 2019, to the Depositories. The common format for this data shall be specified jointly by the Depositories and be communicated to Issuer companies / their RTAs.

4 · 64.2.2 Depositories shall capture the relevant details from the static database as per above para and put in place systems to validate any dematerialization request received after December 31, 2019. Accordingly, the depository system shall retrieve the shareholder name(s) recorded against the folio number and certificate number in Static Data for each DRN request received after this date and validate the same against the demat account holder(s) name as available in the records of the Depositories.

4 · 64.2.3 In case of mismatch of name on the share certificate(s) vis-à-vis name of the beneficial owner of demat account, the depository system shall generate flag/alert. In instances, where such flags/alerts have been generated, the following additional documents explaining the difference in name shall be sought, namely

4 · 64.2.3.1 Copy of Passport

4 · 64.2.3.2 Copy of legally recognized marriage certificate

4 · 64.2.3.3 Copy of gazette notification regarding change in name

4 · 64.2.3.4 Copy of Aadhar Card

4 · 64.2.4 In the case of complete mismatch of name on the share certificate(s) vis-àvis name of the beneficial owner of demat account, the applicant may approach the Issuer company/RTA for establishing his title/ownership.

4 · 65 Framework For Adoption Of Cloud Services By SEBI Regulated Entities (REs) 211

4 · 66 Committees at Market Infrastructure Institutions 212&213

211 · Reference: SEBI Circular SEBI/HO/ITD/ITD_VAPT/P/CIR/2023/033 dated March 06, 2023

212 · Reference: SEBI Circular SEBI/HO/MRD/DOP2DSA2/CIR/P/2019/13 dated January 10, 2019 , and SEBI email dated February 06, 2020

213 · Reference: SEBI Circular SEBI/HO/MRD/MRD-PoD-3/2024/088 dated June 25, 2024

3 · Standing Committee on Technology (SCOT)

214 · As per SECC Regulations, 2018 and D&P Regulations, 2018, any employee of an MII may be appointed on the governing board in addition to the managing director and such director shall deemed to be a non-independent director. Such employee of MII appointed to the governing board has been termed as "Executive Director".

4 · 66.1 Further, while Para 4.66 A provides for the composition that is specific to each statutory committee at depository, the overarching principles for composition and quorum of the statutory committee at depositories shall be as under, which shall be applicable to all committees.

4 · 66.1.1 On each committees at depositories , the number of Public Interest Directors (PIDs) shall not be less than the total of number of shareholder directors, Key Management Personnel (KMPs), independent external persons, etc. put together, wherever shareholder directors, KMPs, independent external persons, etc. are part of the concerned committee

4 · 66.1.2 PID shall be chairperson of each committee at depository

4 · 66.1.3 To constitute the quorum for the meeting of the depository committee, the number of PIDs on each of the committees at depositories shall not be less than total number of other members (shareholder directors, KMPs, independent external persons, etc. as applicable) put together.

4 · 66.1.4 The voting on a resolution in the meeting of the committees at depositories shall be valid only when the number of PIDs that have cast their vote on such resolution is equal to or more than the total number of other members (shareholder directors, KMPs, independent external persons, etc., as applicable) put together who have cast their vote on such resolution.

4 · 66.1.5 The casting vote in the meetings of the committees shall be with the chairperson of the committee.

4 · 66.1.6 Apart from that specifically provided in Para 4.66 A, whenever required, a committee may invite Managing Director, other relevant KMPs and employees of the depository. However , such invitee shall not have any voting rights.

4 · 66.2 Further, depositories are directed to adhere to the following:

4 · 66.2.1 Over and above the statutory committees mentioned at Para 4.66 A above, the committees that are mandated by relevant law for listed companies shall apply mutatis mutandis to depositories .

4 · 66.2.2 Depositories shall lay down policy for the frequency of meetings, etc., for the statutory committees.

4 · 66.2.3 PIDs in Committees at depositories:

4 · 66.2.3.1 DP Regulations prescribes that a PID on the board of a depository shall not act simultaneously as a member on more than five committees of that depository .

4 · 66.2.3.2 It is clarified that the above limitation on maximum number of committees that a PID can be member of, shall be applicable only to statutory committees prescribed by SEBI under DP Regulations, and circulars issued thereunder. The said requirement shall not be applicable to committees constituted under Companies Act, 2013, LODR Regulations, amongst others.

4 · 66.2.3.3 In case of non -availability of adequate number of PIDs in a depository, the relevant depository shall take steps to induct more PIDs in order to fulfil the requirement of composition of committees within a depository .

4 · 66.2.4 Meeting of PIDs:

4 · 66.2.4.1 As per code of conduct for PIDs provided DP Regulations, the PIDs shall be required to meet separately every six months. It is added that all the PIDs shall necessarily attend all such meetings of PIDs

4 · 66.2.4.2 The objective of such meetings, shall include inter alia reviewing the status of compliance with SEBI letters/ circulars, reviewing the functioning of regulatory departments including the adequacy of resources dedicated to regulatory functions, etc. PIDs shall also prepare a report on the working of the committees of which they are member and circulate the same to other PIDs. The consolidated report in this regard shall be submitted to the governing board of the depositories. Further, PIDs shall identify the important issues which may involve conflict of interest for the depository or may have significant impact on the market and report the same to SEBI, from time to time.

4 · 66.2.5 Independent external persons in committees at depositories:

4 · 66.2.5.1 The independent external persons forming a part of committees shall be from amongst the persons of integrity, having a sound reputation and not having any conflict of interest. They shall be specialists in the field of work assigned to the committee; however ,

4 · 66.2.5.2 Depositories shall frame the guidelines for appointment, tenure, code of conduct, etc., of independent external persons. Extension of the tenure may be granted to independent external persons at the expiry of the tenure, subject to performance review in the manner prescribed by SEBI for PIDs. Further, the maximum tenure limit of Independent external persons in a committee of depository shall be at par with that of PIDs, as prescribed under Regulation 25(3) of the DP Regulations .

4 · 66.3 Performance review of Public Interest Directors (PIDs)215:

4 · 66.3.1 In respect of Public Interest Directors (PIDs) appointed in the governing board of depositories, Regulation 25(3) of DP Regulations, provides the following:

4 · 66.3.2 For complying with the aforementioned regulation, while developing a framework for performance review of PIDs, depositories need to consider the following:

4 · 66.3.2.1 Policy for Performance review of PIDs:

4 · 66.3.2.1.1 The Nomination and Remuneration committee (NRC) of the depositories will be responsible for framing the performance review policy for PIDs.

4 · 66.3.2.1.2 Such performance review policy shall include criteria for performance evaluation, methodology adopted for such evaluation and analyzing the results, amongst others.

215 · Reference: SEBI Circular SEBI/HO/MRD/DOP2DSA2/CIR/P/2019/26 dated February 5, 2019

4 · 66.3.2.1.3 Performance review policy of PID shall include scope for both internal evaluation as well as external evaluation.

4 · 66.3.2.1.4 Further, as performance review is not a static process and requires periodical review, NRC shall also be responsible for reviewing such performance review policy, at least once in 3 years.

4 · 66.3.2.1.5 Such performance review policy and changes made therein, shall be approved by the governing board of depository.

4 · 66.3.2.2 Guiding criteria of Performance Review:

4 · 66.3.2.3 Evaluation mechanism:

4 · 66.3.2.3.1 PIDs shall be subjected to internal evaluation as well as external evaluation, carrying equal weightage.

4 · 66.3.2.3.2 Internal evaluation: All the governing board members shall evaluate the performance of each PID, on an annual basis at the end of every financial year.

4 · 66.3.2.3.3 External evaluation: PIDs shall also be subject to external evaluation during their last year of the term in a depository , by a management or a human resources consulting firm. The consultant shall take into consideration the performance of the PID for the entire tenure served in a given depository, at least up to 4 months before expiry of his/ her term. In order to avoid any bias or conflict of interest, external consultant should not be a related party or associated with the depository, the concerned PID or any other governing board members.

4 · 66.3.2.3.4 Such performance review should be carried out in fair & objective manner and the review should be recorded with clarity and verifiable facts in a standardized format covering all the relevant criteria / aspects.

4 · 66.3.2.3.5 While evaluating conflict of interest of a PID, the governing board of the depository shall also take into consideration provisions of Clause 2(d) of Schedule II Part C of DP Regulations under the head 'Public Interest Director'; and conflict of interest, if any, of any PIDs should be disclosed to SEBI by the governing board with their comments/ views.

4 · 66.3.2.4 Disclosure: Performance evaluation criteria for PIDs shall be disclosed in their annual report as well as on the website of the concerned depository .

4 · 66.3.2.5 Recommendation to SEBI: After taking into account the performance of a PID in the concerned depository, on the basis of internal evaluation and external evaluation both carrying equal weightage, NRC shall consider and recommend extension of his / her tenure to the Governing Board of the depository. The Governing Board of the depository shall in-

4 · 66.3.2.6 In addition to the other requirements prescribed in performance review policy of the depositories along-with norms specified in DP Regulations , the following may be considered by NRCs of depositories:

4 · 66.3.2.6.1 It shall be ensured that the concerned PID hasn't remained absent for three consecutive meetings of the governing board and has attended seventy-five per cent of the total meetings of the governing board in each calendar year; failing which PID shall be liable to vacate office.

4 · 66.3.2.6.2 It shall be ensured that PIDs in the governing boards of depositories are selected from diverse fields of work, in terms of their qualification and experience.

4 · 66.3.3 The application for extension of term of a PID shall be accompanied with the attendance details of PID in the meetings of various mandatory committees and of the governing board of the depository along-with specific reasons for seeking extension of his/her term as a PID. Such specific reasons shall include facts such as whether the concerned PID, during the term served, had identified any important issues concerning any matter which may involve conflict of interest, or have significant impact on functioning of depository, or may not be in the interest of securities market as a whole, and whether the PID had reported the same to SEBI.

4 · 66.3.4 In terms of DP Regulations, a minimum of two names shall be submitted by the depository at the time of making request for appointment of PID and extension of the term of existing PID, including appointment of PID for the purpose of broad basing the governing board, against each such vacancy.

4 · 66.3.5 The aforementioned norms specify the minimum requirements that have to be complied with by depositories, however the NRCs of depositories may adopt additional and more stringent norms while framing a policy for performance review of PIDs. With regard to the detailed criteria for performance evaluation, as provided in Para 4.66.3.2.2 , the same shall serve as an illustrative guide for depositories to frame performance evaluation criteria , both for internal as well as external evaluation, and the same may be adopted by depositories as considered appropriate, with additional criteria, if any.

4 · 66.3.5.1 Additionally, with regard to tenure of existing PIDs as on February 5, 2019 , following is clarified:

4 · 66.3.5.1.1 The term of existing PIDs serving in a MII for more than three years, can be extended, subject to his / her performance review and a maximum tenure of 6 years as PID in that particular MII.

4 · 66.3.5.1.2 The term of existing PIDs, that have already served for six years or more in a single MII, shall not be eligible for further extension in that MII.

4 · 66.4 Parameters for Performance Evaluation of Market Infrastructure Institutions 216

4 · 66.4.1 Regulation 31(6) of the SEBI (Depositories and Participant Regulations, 2018 (hereafter referred to as "D&P Regulations, 2018") states that every recognised depository (referred as Market Infrastructure Institutions (MIIs)) shall appoint an independent external agency to evaluate its performance and the performance of its statutory committees within such periodicity and in such a manner as may be specified by the Board.

4 · 66.4.2 In order to bring consistency and uniformity with respect to evaluations to be done by the external agency, it was felt that basic minimum standards and principles should be developed along with weightages. Accordingly, the matter was discussed at the Industry Standards Forum (ISF) of MIIs where the broad criteria, the weightage for each criterion, sub-parameters under each criterion, etc. were deliberated. For each sub -parameter, sample Key Performance Indicators (KPIs), both quantitative and qualitative in nature, were identified by SEBI in consultation with the ISF.

4 · 66.4.3 Based on the deliberations at the ISF of MIIs and subsequent internal deliberations, the broad framework with basic minimum criteria for independent external evaluation of performance of MIIs has been approved by the Board in its meeting held on June 27, 2024. The minimum criteria for the independent external evaluation of performance of MIIs and their w eightages are as under:

216 · Reference SEBI Circular no. SEBI/HO/MRD/POD -III/CIR/P/2024/127 dated September 24, 2024

4 · 66.4.4 A broad framework in this regard, developed in consultation with ISF of MIIs is provided at SEBI Circular no. SEBI/HO/MRD/POD -September 24, 2024 Annexure-A

4 · 66.4.5 Rating Framework

4 · 66.4.6 Principles for appointment of Independent External Agency: The following principles shall be adhered to by the MIIs for selection of an independent external agency:

4 · 66.4.6.1 The Independent External Agency shall be appointed with prior No Objection Certificate (NOC) from SEBI and on such terms and conditions, including fees, timelines, etc. as may be approved by the Governing Board of the MII.

4 · 66.4.6.2 The Independent External Agency shall have requisite domain knowledge, experience and expertise on matters concerning the securities market and the functioning of the MII.

4 · 66.4.6.3 MII shall ensure that there is no conflict of interest in the appointment of the Independent External Agency and the Agency had not been employed/hired by the MII for the evaluation period and till submission of the report.

4 · 66.5 Timelines for External Evaluation

4 · 66.5.1 The independent external evaluation shall take place once in three years for each MII. In this regard, the following shall be ensured:

4 · 66.5.1.1 The first independent external evaluation shall be only for the Financial Year

4 · 66.5.1.2 b) The subsequent independent external evaluation(s) shall be for a block of next three FYs and so on. Upon completion, a report in this regard shall be submitted to the Governing Board of the MII and SEBI within 6 months from the end of the 3rd FY to be evaluated.

4 · 66.6 Performance Evaluation Metrics for KMPs including MD

4 · 66.6.1 The SEBI D&P Regulations, 2018 require MIIs to clearly define the roles & responsibilities and the Key Performance Indicators (KPIs) of each Key Management Personnel (KMP) and have performance management mechanisms for their evaluation. Further, these KPIs have to inculcate regulatory, risk management and compliance outcomes.

4 · 66.6.2 In order to effectively reflect the efforts of the Managing Director (MD) and KMPs towards outcomes of various functions under Verticals 1 (Critical Operations) and Vertical 2 (Regulatory, compliance, risk management and investor grievances), MIIs shall ensure that their internal performance evaluation metrics have allocated sufficient weightage for these outcomes.

4 · 66.6.3 The performance evaluation of MD should provide at least 50% weightage towards Verticals 1 and 2 related outcomes.

4 · 66.6.4 The performance evaluation of MD and KMPs shall include the minimum criteria as specified for the MIIs at Annexure-A. However, for KMPs the criteria and corresponding weightages may be adjusted depending upon the specific roles and responsibilities assigned to such KMPs.

4 · 67 Exemption from clubbing of investment limit for foreign Government agencies and its related entities217 and Write -off of shares held by FPIs 218

4 · 68 Stealing of Customers data registered with NSE/ BSE

4 · 68.1 Central Economic Intelligence Bureau, Department of Revenue, GOI brought to the notice of SEBI that certain fraudsters are collecting data of customers who already

217 · Reference: SEBI Circular IMD/FPI&C/CIR/P/2020/07 dated January 16, 2020

218 · Reference: SEBI Circular SEBI/HO/IMD/FPI&C/CIR/P/2020/177 dated September 21, 2020

4 · 68.2 In this regard , Stock exchanges and Depositories to advise, sensitize their stockbrokers, investors on the above issue and also that necessary steps, safeguards are taken so that data of the customers/investors registered with the Members/Participants are not shared or revealed to unauthorised persons.

4 · 69 Advisory regarding remote access and telecommuting2 g219

4 · 69.1 In reference to the meeting of the TAC held on April 30, 2020, the Market Infrastructure Institutions (MIIs) were advised to implement the following measures after taking into consideration the COVID-19 situation:-

4 · 69.1.1 The MII shall have proper remote access policy framework incorporating the specific requirements of accessing the enterprise resources securely located in the data centre from home, using internet connection.

4 · 69.1.2 For implementation of the concept of trusted machine as end users, the MII shall categorize the machines as official desktops/laptops and accordingly the same may be configured to ensure implementation of solution stack considering the requirements of authorized access. Official devices shall have appropriate security measures to ensure that the configuration is not tampered with. The MII shall ensure that internet connectivity provided on all official devices shall not be used for any purpose other than the use of remote access to data centre resources.

4 · 69.1.3 If personal devices (BYOD) are allowed for general functions, then appropriate guidelines should be issued to indicate positive and negative list of applications that are permitted on such devices. Further, these devices should be subject to periodic audit.

4 · 69.1.4 The MII shall implement the various measures related to Multi-Factor Authentication (MFA) for verification of user access so as to ensure better data confidentiality and accessibility. VPN remote access through MFA shall also be implemented. It is clarified that MFA refers to the use of two or more factors to verify an account holder's claimed identity.

4 · 69.1.5 The MII shall ensure that the trusted machine is the only client permitted to access the data centre resources. The MII shall ensure that the Virtual Private Network (VPN) remote login is device specific through the binding of the

219 · Reference: SEBI MRD email dated May 18, 2020

4 · 69.1.6 The MII shall explore a mechanism for ensuring that the employee using remote access solution is indeed the same person to whom access has been granted and not another employee or unauthorized user. A suitable videorecognition method has to be put in place to ensure that only the intended employee uses the device after logging in through remote access. The MII shall implement short session timeouts for better security. Towards this end, it is suggested that the MII may consider running a mandatory monitor on the device that executes:

4 · 69.1.6.1 At random intervals takes a picture with the webcam and uploads the same to the MII's server,

4 · 69.1.6.2 At random intervals pops up and prompts biometric authentication with a timeout period of a few seconds. If there is a timeout, this is flagged on the MII server as a security event.

4 · 69.1.7 The MII shall ensure that appropriate risk mitigation mechanisms are put in place whenever remote access of data centre resources is permitted for service providers.

4 · 69.1.8 Remote access has to be monitored continuously for any abnormal access and appropriate alerts and alarms should be generated to address this breach before the damage is done. For on-site monitoring, the MII shall implement adequate safeguard mechanism such as cameras, security guards, nearby coworkers to reinforce technological activities.

4 · 69.1.9 The MII shall ensure that the backup, restore and archival functions work seamlessly, particularly if the users have been provided remote access to internal systems.

4 · 69.1.10 The MII is advised to exercise sound judgement and discretion while applying patches to existing hardware and software and apply only those patches which were necessary and applicable.

4 · 69.1.11 The Security Operations Centre (SOC) engine has to be periodically monitored and logs analyzed from a remote location. Alerts and alarms generated should also be analyzed and appropriate decisions should be taken to address the security concerns. The security controls implemented for the Remote Access requirements need to be integrated with the SOC Engine and should become a part of the overall monitoring of the security posture.

4 · 69.1.12 The MII shall update its incidence response plan in view of the current pandemic.

4 · 69.1.13 The MII shall implement cyber security advisories received from SEBI, CERTIN and NCIIPC on a regular basis.

4 · 69.2 Further, all the guidelines developed and implemented during pandemic situation shall become SOPs post Covid-19 situation for future preparedness.

4 · 70 Standard Operating Procedure for handling of technical glitches by Market Infrastructure Institutions (MIIs) and payment of "Financial Disincentives" thereof2 f220

4 · 70.1 MIIs (i.e. Stock Exchanges, Clearing Corporations and Depositories) are systemically important institutions as they, inter-alia, provide infrastructure necessary for the smooth and uninterrupted functioning of the securities market.

4 · 70.2 With increasing dependence on technology, as the operations and functioning of MIIs are fully automated right from order entry to order matching to trade confirmation leading up to clearing and settlement of trades, the instances of technical glitches at MIIs, leading to business disruption/unavailability of services provided by MIIs, have been occurring, despite various mechanisms stipulated by SEBI such as Business Continuity Planning, Disaster Recovery policies, System Audit etc.

4 · 70.3 The general practice in the computing/technology industry to deal with business disruption/unavailability of services, is to work with specified downtime and for downtimes beyond such specified time, a pre-defined penalty structure is included in Service Level Agreement.

4 · 70.4 Considering the criticality of smooth functioning of systems of MIIs (as any disruption adversely impacts all classes of investors / market participants as well as the credibility of the securities market), specifying a pre-defined threshold for downtime of systems of MIIs becomes desirable. For any downtime or unavailability of services, beyond such pre-defined time, there is a need to ensure that "Financial Disincentive" is paid by the MIIs. This will encourage MIIs to constantly monitor the performance and efficiency of their systems and upgrade/ enhance their systems etc. to avoid any possibility of technical glitches/disruption/disaster and restart their operations expeditiously in the event of glitch/disruption/disaster.

4 · 70.5 Accordingly, after extensive discussion with various stakeholders, it has been decided that, MIIs shall :

4 · 70.5.1 Follow the Standard Operating Procedure (SOP) for handling technical glitches as detailed under Para A below; and

220 · Reference: SEBI Circular SEBI/HO/MRD1/DTCS/CIR/P/2021/590 dated July 05, 2021 and SEBI Circular SEBI/HO/MRD/TPD-1/P/CIR/2024/124 dated September 20, 2024

4 · 70.5.2 Comply with the "Financial Disincentive" structure as detailed under Para B below .

2 · 1. With regard to incidents resulting in business disruption, the following shall be submitted by the MIIs to SEBI:

2 · 2. All communication and information with regard to technical glitch shall be shared by the MII with SEBI through a dedicated e-mail id viz. techglitch@sebi.gov.in

2 · 3. SEBI on identification of the Technical Glitch resulting into Financial Disincentive to the MIIs, or upon receipt of the information of any such instance shall provide an opportunity to the concerned MIIs to make their submissions in respect of the facts of the case.

2 · 4. MIIs shall carry out internal examination pertaining to occurrence of technical glitches to ascertain individual accountability and take appropriate action including suitable recording and reckoning in the performance appraisal of those individuals. SEBI would retain the right to initiate enforcement action against the individuals at the MII, if there is sufficient ground to do so.

4 · 70.6 The aforesaid "Financial Disincentives", when triggered automatically under predefined conditions, as detailed in Para 4.70.5 B , shall be credited to the Investor Protection Fund/Core Settlement Guarantee Fund maintained by the MII.

4 · 71 Standard Operating Procedure for handling of Stock Exchange Outage and extension of trading hours thereof2 f221

4 · 71.1 Trading hours of stock exchanges are pre-defined and known to all market participants including the other Market Infrastructure Institutions (MIIs) to enable them to carry out activities related to continuous trading in securities.

4 · 71.2 If due to any technical reason or otherwise, continuous trading on stock exchanges is disrupted, it is of paramount importance that not only all market participants including other MIIs, are promptly informed about the outage but also the trading hours are extended, if required, so as to provide opportunity for smooth closure of intraday positions.

221 · Reference: SEBI Circular SEBI/HO/MRD-TPD-1/CIR/P/2023/7 dated January 09, 2023

4 · 71.3 With a view to ensure that any outage at stock exchange(s) is handled in a harmonized and consistent manner, the matter was discussed with the MIIs and Standard Operating Procedure with regard to handling of such stock exchange outage in Cash Market and Equity Derivatives segment is detailed below.

4 · 71.4 Stock Exchange Outage shall mean stoppage of continuous trading, either suo moto by exchange or by virtue of reasons beyond control of stock exchange. Further, stoppage of continuous trading shall not include trading halt on account of index based market -wide circuit breaker.

4 · 71.5 The stock exchange that suffered the outage (referred to as affected stock exchange) shall intimate about the outage to various stakeholders as mentioned below:

4 · 71.6 Further, the affected stock exchange shall update about the ongoing outage in the time intervals of 45 minutes from the initial intimation, as mentioned at Para 4.71.5 above, until normalcy to operations is restored. Extension of trading hours, if applicable (as mentioned subsequently from Para 4.71.10 to 4.71.16), shall be mentioned in the intimation by the affected stock exchange.

4 · 71.7 In the event of disruption of trading in one or more market segments of affected stock exchange, qualifying as outage, trading in other unaffected segments of the affected exchange shall continue and all other unaffected exchanges shall continue to trade in all of their market segments.

4 · 71.8 Affected stock exchange would restore operations to normalcy at the earliest including from the Disaster Recovery Site and carry out various activities, in terms of Para 4.31 on Business Continuity Planning (BCP) and Disaster Recovery (DR) and Para 4.70 on Standard Operating Procedure for handling of technical glitches

4 · 71.9 A pre-opening session similar to normal pre-opening session would be conducted for effective price discovery, before resumption of trading. Further, there shall be an advance intimation of at least 15 minutes to various market participants with regard to resumption of trading or start of pre-opening session, as applicable.

4 · 71.10 If the trading on the affected stock exchange resumes to normalcy at least one hour (excluding 15 minutes of pre-opening session, if applicable) before the normal scheduled market closure, trading hours on that day for all stock exchanges would remain unchanged.

4 · 71.11 If the trading on the affected stock exchange does not resume to normalcy even one hour (excluding 15 minutes of pre-opening session, if applicable) before the scheduled market closure, trading hours for all stock exchanges would automatically get extended for additional one and half hours for that day and the same would be intimated by the affected stock exchange to market participants, other MIIs and SEBI latest by one hour fifteen minutes before the normal scheduled market closure. Subsequent to the communication from the affected stock exchange, the unaffected stock exchanges would also suitably issue a notice with regard to extension of trading hours on their stock exchanges.

4 · 71.12 If the trading on the affected stock exchange does not resume to normalcy even 45 minutes (excluding 15 minutes of pre-opening session, if applicable) post normal scheduled market closure, in the case of extension of trading hours, no further trading would be allowed on the affected stock exchange for that day and other stock exchanges would continue to operate till the extended time provided at Para 4.71.11 above to enable smooth closure/settlement of intraday positions. The affected exchange would have to suitably intimate the same to market participants, other MIIs and SEBI latest by 45 minutes post normal scheduled market closure.

4 · 71.13 If the occurrence of outage as mentioned in Para 4.71.4 above, happens during the last trading hour of normal operation and latest before 15 minutes of normal scheduled market closure, trading hours for all stock exchanges would automatically get extended by one and half hours for that day and the same would be intimated by the affected stock exchange to market participants, other MIIs and SEBI immediately but not later than 10 minutes from the occurrence of outage. Subsequent to the communication from the affected stock exchange, the unaffected stock exchanges would also suitably issue a notice with regard to extension of trading hours on their stock exchanges.

4 · 71.14 Exchanges to put in place a common close out policy, to ensure uniform methodology of settlement of open positions, in case continuous trading didn't happen in Cash Market or Equity Derivative Segment of the exchange during last half an hour of trading for the day due to outage.

4 · 71.15 Extension of trading hours, if any, for Cash Market would result in equivalent extension of trading hours in Equity Derivative Segment and vice versa, provided trading hours at the start of the day are aligned for both Cash Market and Equity Derivative Segment. Further, Extension of trading hours in the Cash Market would also result in equivalent extension to other secondary market mechanisms conducted during trading hours such as Offer For Sale, Buy back etc.

4 · 71.16 For illustration, a few scenarios pertaining to extension of trading hours are tabulated herewith with the assumptions that trading hours for two exchanges A and B in Cash Market and Equity Derivative Segment, at start of the day, are from 09:15 to 15:30 (i.e. excluding pre-opening and post-closing session) and all segments of exchange B are operating unaffected.

4 · 72 Standard Operating Procedure (SOP) for Reporting of Cyber Security Incidents/ breaches/ deficiencies by MIIs and Imposition of "Financial Disincentive 222

4 · 72.1 Stock exchanges, Depositories and Clearing Corporations are collectively referred to as securities Market Infrastructure Institutions (MIIs). These institutions are systemically important for the country's financial development and provide the infrastructure necessary for the securities market. A smooth and uninterrupted functioning of operations of the MIIs is essential for ensuring the continuity of the securities market. It is, therefore, critical for the MIIs to constantly monitor the performance of their internal processes and systems and upgrade/ enhance their systems with respect to cyber security and cyber resilience so as to eliminate cyber security deficiencies and prevent or minimize the possibility of a cyber security breach.

4 · 72.2 However, incidents of technical and administrative lapses at MIIs were observed some of which have arisen due to non -compliance with the extant regulatory framework for cyber security and cyber resilience and which have hindered the smooth functioning of the MIIs and threatened the continuity of the securities market. In the event of such incidents, it should be incumbent on MIIs to address cyber security deficiencies and breaches in a timely manner by taking appropriate corrective actions. It was also observed that the MIIs were non -compliant with the extant regulatory framework for cyber security and cyber resilience in the cyber audit reports and reports from other agencies.

4 · 72.3 It is decided to levy a "Financial Disincentive" on MIIs in the event of the following cases:

222 · Reference: SEBI Letter SEBI/HO/MRD/CSC/OW/P/2019/22202/1 dated August 28, 2019

4 · 72.3.1 Non -compliance with the extant cyber security regulations and guidelines resulting in cyber security breaches, cyber-attacks, cyber security deficiencies or any other cyber security incidents

4 · 72.3.2 Lackadaisical approach or undue delay in addressing cyber security deficiencies and breaches

4 · 72.3.3 Non -reporting/ delay in reporting a cyber security incident/ breach

4 · 72.4 In this regard, an SOP for reporting of cyber security breaches and deficiencies by MIIs and imposition of "Financial Disincentive" is placed below for information and necessary compliance.

4 · 72.5 "Cyber security deficiency" shall be defined as loophole, vulnerability or noncompliance observed in

4 · 72.6 "Cyber security incident" shall be defined as any real or suspected adverse event in relation to cyber security that violates, explicitly, implicitly, applicable cyber security policy resulting in unauthorized access, denial of service or disruption, unauthorized use of computer resource for processing or storage of information or changes to data or information without authorization.

4 · 72.7 "Cyber security breach" shall be defined as any incident or security violation that results in unauthorized or illegitimate access or use by a person as well as an entity , of data, applications, services, networks and/or devices through bypass of the underlying cyber security protocols, policies and mechanisms resulting in the compromise of the confidentiality, integrity or availability of data/information maintained in a computer resource or cyber asset. A cyber security breach is a subset security incident.

4 · 72.8 "Information security practices" shall be defined as implementation of cyber security policies and standards in order to minimize the cyber security incidents and cyber security breaches.

4 · 72.9 "Cyber security policy" shall be defined as a set of documented business rules and processes for protecting information and the computer resource.

4 · 72.10 "Cyber security protocol" shall be defined as the official procedure or system of rules governing the cyber security operations of a MII. The cyber security protocol is usually as subset of the cyber security policy.

4 · 72.11 "Operational guidelines" refers to any additional set of rules and procedures issued internally by a MII that compliments its cyber security protocol and information security practices.

4 · 72.12 The following reporting structure for cyber security deficiencies / breach shall be adopted by the MIIs:

4 · 72.13 The “Financial Disincentives” shall be levied in the following cases:

4 · 72.13.1 Cyber Security breaches, cyber-attacks and any other cyber security incidents occurring on account of non-compliance of SEBI cyber security policies and guidelines and delay in reporting the Root Cause Analysis to SEBI in case of breaches, attacks and incidents.

4 · 72.13.2 Cyber Security deficiencies occurring on account of non-compliance of SEBI cyber security policies and guidelines observed during biannual cyber security audits mandated under Para 4.82 or reports from other agencies.

4 · 72.13.3 A cyber security breach / incident should be reported as soon as it is discovered as per the reporting structure specified at Para 4.72.12. A "Financial Disincentive" of INR 10,000,00/- {ten lakhs} shall be levied on those MIIs that

4 · 72.13.4 Failure to timely address the cyber security deficiencies / breaches within the deadline set by SEBI/ HPSC-CS. The progressive slab-wise structure for imposition of "Financial Disincentives" shall be followed from the expiry of the deadline specified by SEBI/ HPSC-CS.

4 · 72.14 Notwithstanding the reporting structure mentioned at Para 4.72.12 above, the penalties would start being levied by SEBI at Para 4.72.13 .

4 · 72.15 Further, with view to making such "Financial Disincentives" effective and meaningful, the amount realized from the same may be credited to the "Investor Protection and Education Fund" of SEBI in accordance with Section 11(1) of SEBI Act, 1992 read with Regulation 4(1)(j) of the Securities and Exchange Board of India (IPEF) Regulations, 2009, which is as follows:

4 · 72.16 The "Financial Disincentive" specified above shall continue to accrue till the time the issue has been addressed by the MII by taking appropriate corrective actions and the same has been validated by an independent third party.

4 · 72.17 The amount of "Financial Disincentive" realized as per the above structure shall be credited by MII to Investor Protection and Education Fund administered by SEBI as mentioned at Para 4.72.15 .

4 · 72.18 Imposition of aforesaid "Financial Disincentive" shall be irrespective of any other action(s) initiated/taken by SEBI.

4 · 73 Implementation of Cyber Capability Index223

4 · 74 Advisory for SEBI Regulated Entities (REs) regarding Cybersecurity best practices224 Kindly refer SEBI Circular Number SEBI/HO/ITD1/ITD_CSC_EXT/P/CIR/2024/113 dated August 20, 2024 on Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs).

4 · 75 Norms for Scheme of Arrangement by unlisted Stock Exchanges, Clearing Corporations and Depositories225

4 · 75.1 To harmonize and bring uniformity in the norms related to scheme of arrangement for unlisted MIIs in line with provisions currently applicable to listed MIIs, comments of unlisted MIIs were sought and the matter was deliberated in Secondary Market Advisory Committee (SMAC). Taking into account the recommendations of SMAC, the framework for Scheme of Arrangement by unlisted MIIs has been introduced .

4 · 75.2 The detailed framework for scheme of arrangement by unlisted MIIs is given as under:

4 · 75.2.1 The unlisted MII desirous of undertaking a scheme of arrangement or involved in a scheme of arrangement as per the provisions of Companies Act 2013 shall file the draft scheme of arrangement along with a non-refundable fee with SEBI

223 · Reference: SEBI Letter SEBI/HO/MRD/CSC/OW/P/2019/28527/1 dated October 30, 2019 , SEBI/HO/MRD/CSC/OW/P/2019/28517/1 dated October 30, 2019 and SEBI MRD email dated November 04, 2019

224 · Reference: SEBI Circular SEBI/HO/ITD/ITD_VAPT/P/CIR/2023/032 dated February 22, 2023

225 · Reference: SEBI Circular SEBI/HO/MRD/MRD-PoD-3/P/CIR/2023/45 dated March 28, 2023

4 · 75.2.2 The unlisted MII shall pay a fee to SEBI at the rate of 0.1% of the paid-up share capital of the unlisted or transferee or resulting company, whichever is higher, post sanction of the proposed scheme, subject to a cap of INR 5,00,000.

4 · 75.2.3 The provisions may not apply to schemes which solely provide for merger of a wholly owned subsidiary or its division with the parent company. However, such draft schemes shall be filed with SEBI for the purpose of disclosures and the same shall be disseminated on the websites of the unlisted MII.

4 · 75.3 Information to be provided to SEBI:

4 · 75.3.1 The unlisted MIIs shall provide the following information to SEBI while filing the draft scheme of arrangement for obtaining the observation letter or no objection letter:

4 · 75.3.2 The valuation report referred to in Para 4.75.3.1(c) above and the fairness opinion referred to in Para 4.75.3.1 (e) above shall be provided by a Registered Valuer and Independent SEBI Registered Merchant Banker respectively. The Registered Valuer and the merchant banker referred therein shall not be treated as independent in case of existence of any conflict of interest among themselves or with the company, including that of common directorships or partnerships.

4 · 75.4 Processing of the Draft Scheme by SEBI

4 · 75.4.1 Upon receipt of the application from the unlisted MII, SEBI shall provide its observation letter or no -objection letter on the draft Scheme to the MII. While processing the draft Scheme, SEBI may seek clarifications from any person relevant in this regard including the unlisted MII and if required, may also seek an opinion from an Independent Chartered Accountant.

4 · 75.4.2 SEBI shall endeavour to provide its observation letter or no-objection letter on the draft Scheme within 30 days from the later of the following:

4 · 75.5 Validity of observation letter or no-objection letter: The validity of the observation letter or no -objection letter of SEBI shall be for six months from the date of issuance, within which the Scheme shall be filed with any Court or Tribunal, as required, for approval.

4 · 76 Procedures for ensuring compliance with Securities Contracts (Regulation) (Stock Exchanges and Clearing Corporations) Regulations, 2018 (SECC Regulations) by Listed Stock Exchanges226

4 · 76.1 Regulation 45 of the SECC Regulations provides for listing of stock exchanges. As per Regulation 45(1) of the SECC Regulations, the Board may specify such conditions as it may deem fit in the interest of the securities market.

226 · Reference: SEBI Circular MRD/DSA/01/2016 dated January 01, 2016

4 · 76.2 Accordingly, it has been decided to prescribe the following modalities so as to ensure compliance with the provisions of SECC Regulations:

4 · 76.2.1 Ensuring holding of 51 per cent by public at all times by the listed stock exchange:

4 · 76.2.1.1 The listed stock exchange shall disseminate the details of its shareholding with category wise breakup, on a continuous basis, on its website. Similarly, the stock exchange where the shares are listed, shall also display the above information.

4 · 76.2.1.2 The depositories shall put in place necessary system to ensure that the shareholding of trading members or their associates and agents does not exceed 49 per cent. For this purpose, the depositories shall put in place systems for capturing the shareholding data of trading members or their associates and agents and ensure that there is a mechanism for coordination between the depositories towards sharing of information. The depositories shall also monitor the aggregate shareholding limit of the trading members or their associates and agents based on their demat balance, on a daily basis, at the end of the day. The stock exchange where the shares are listed shall share a list of all trading members or their associates and agents with the depositories to facilitate monitoring of demat balances.

4 · 76.2.1.3 The trading members or their associates and agents shall obtain prior approval of the listed stock exchange for further acquisition of shares, once the aggregate shareholding of the trading members or their associates and agents crosses the limit of 45 per cent. The trading members or their associates and agents shall refer to the shareholding pattern under the category of trading members or their associates and agents, to determine/ascertain the available head room before placing the order.

4 · 76.2.1.4 In the event of trading members or their associates and agents making purchases without requisite approval as stated above, the depositories shall initiate consequential action such as freezing of voting rights and all corporate benefits in respect of such shareholding till the time the same is divested.

4 · 76.2.1.5 The divestment of any excess shareholding beyond the specified limit would be through a special window provided by the stock exchange where the shares of the stock exchange are listed.

4 · 76.2.2 Ensuring shareholding threshold of 5 per cent or 15 per cent as the case may be in terms of SECC Regulations:

4 · 76.2.2.1 The depositories shall put in place a mechanism to ensure that no shareholder of listed stock exchange gets credit of shares beyond 5 per cent or 15 per cent, as applicable. The depositories shall generate an alert when such holding exceeds 2 per cent and monitor the same under intimation to SEBI.

4 · 76.2.2.2 The Depository would inform the listed stock exchange as and when threshold limit is breached and take consequential action such as freezing of voting rights and all corporate actions in respect of such excess holding till the same is divested through the special window.

4 · 76.3 The stock exchanges, both listed and where the securities are listed, and depositories shall ensure that aforesaid mechanism is in place .

4 · 77 Measures to strengthen tracking and reporting of delay in pay-in/pay-out for rolling settlement227

4 · 77.1 SEBI carried out review of existing SOP with regard to tracking of instances of delay in normal rolling settlement and reporting thereof to SEBI along with the joint monthly report submitted by the CCs/depositories.

4 · 77.2 The Competent Authority has approved the following measures subsequent to the aforesaid review to strengthen tracking of intermediate activities in rolling settlement and reporting of settlement delays. This is without prejudice to financial disincentives, if any, emanating from delay in completion of pay-in/pay-out activities.

4 · 77.3 For tracking of intermediate activities constituting rolling settlement

4 · 77.3.1 CCs and Depositories may put in place systems to ensure:

4 · 77.3.1.1 All intermediate activities that may impact rolling settlement (i.e. from trade date to settlement) are streamlined and the process flow is optimized. If there are dependencies / data shared with other CC/Depository, discussions may be done with the concerned CC / Depository with regard to optimization. Further, all intermediate activities are time stamped with start and finish time of the activity.

4 · 77.3.1.2 Such intermediate activities are defined along with outer timelines for each activity after discussion with the concerned stakeholders such as members/participants, DVP agent, participating banks, other Market Infrastructure Institutions (MIIs) etc. to achieve final pay-in and pay-out within SEBI stipulated timelines.

227 · Reference: SEBI Email dated January 31, 2022

4 · 77.3.1.3 Process flow and associated timelines, so decided, are intimated to all the stakeholders and delay in completion of any of these activities, should be traceable and attributable to one or more entity / MII, as the case may be.

4 · 77.3.1.4 Procedures to handle various exceptions i.e. scenarios that could result in settlement delay are documented along with the steps to be taken towards completing settlement processes at the earliest in case of exceptions.

4 · 77.3.2 On the basis of the aforesaid, CCs and Depositories may separately prepare a Comprehensive Standard Operating Procedure (CSOP) which is mutually agreed upon by other CCs and Depositories as far as all the timelines and exception handling are concerned. This CSOP would be submitted to SEBI after approval of the Governing Boards of CCs and Depositories.

4 · 77.3.3 Further, the said CSOP shall also cover action points emanating from 4.77.4 below and would be reviewed periodically by the MIIs to incorporate any regulatory/system changes.

4 · 77.4 For reporting of Delay in rolling settlement cycle

4 · 77.4.1 In case of delay in completion of any of the intermediate activities beyond their pre -agreed time, the respective CCs/Depositories would inform the impacting CCs/Depositories regarding delay in completion of the intermediate activity at their end on immediate basis .

4 · 77.4.2 CCs shall intimate delay in settlement beyond the stipulated timelines for settlement for rolling settlement to SEBI (under intimation to depositories). This intimation should be given within one hour of such SEBI stipulated timelines and should inter -alia mention -reasons for delay, entity/MII responsible for the delay and likely completion time of the settlement process.

4 · 77.4.3 CCs and Depositories shall submit a separate report to SEBI, on a monthly basis (from February 2022 onwards, replacing the existing joint monthly report), wherein following details are inter-alia provided:

4 · 77.4.3.1 Day wise completion time for pay-in and pay-out activities

4 · 77.4.3.2 Details about settlement delays for the month

4 · 77.4.3.3 Intermediate activity that caused the delay and reason(s) thereof

4 · 77.4.3.4 Steps taken to address the root cause of the issue

4 · 77.4.3.5 Review of instances of delay to understand areas of improvement etc.

4 · 77.4.4 CCs / Depositories would also submit a report to their Governing Boards on quarterly basis with regard to instances of delay attributable to them in the said quarter. If settlement delay is on account of technical reasons, findings are to be evaluated by the SCOT of the CC / Depository before referring to the Governing Board. The report would inter-alia include the details of individual

4 · 78 Advisory on Security Patch Management Policy 228

4 · 78.1 All the MIIs are advised to ensure the following:

4 · 78.1.1 The security patch management policy is audited by an external auditor.

4 · 78.1.2 Appropriate changes, if necessary, are made to the existing policy on security patch management.

4 · 79 Strengthening Resiliency of Websites of Stock Exchanges, Clearing Corporations and Depositories (MIIs) 229

4 · 79.1 MII shall take necessary steps to ensure that its website(s) are resilient to cyberattack(s).

4 · 79.2 Redundant websites: MII shall host its website(s) at multiple DNS (Domain Naming Servers) and hosts. MII shall put-in place suitable systems to switch to alternate website(s) hosted on a different DNS / hosts in the event of a cyber-attack on its primary website(s) and at the same time, shall take necessary steps to recover from the cyber-attack on the its primary website(s).

4 · 79.3 Web Application Firewall (WAF): MII shall mandatorily deploy Web Application firewalls of demonstrated capabilities.

4 · 79.4 Continuous monitoring of the website(s): MII shall deploy suitable and adequate resources for 24x7 monitoring of its website(s), including monitoring of their website(s) through the SOCs (Security Operations Center).

4 · 79.5 MII shall periodically conduct penetration testing of its website(s) and related systems, at the minimum, once in a calendar year.

4 · 79.6 In cases where services of 3rd party vendors / service providers are availed by the MII for hosting of its website(s) and for other related areas, MII shall ensure that the cyber security and resilience framework of such 3rd party vendors / service providers are as per the requirements specified by SEBI for MIIs. Further, MII shall include audit of the cyber security and resilience framework of such 3rd party vendors / service providers (limited to the services availed by MIIs) in the scope of its annual system audit.

4 · 79.7 MII shall implement the principles mentioned in the 'Guidelines for Indian Government Websites' developed by National Informatics Centre (NIC) and adopted by Department of Administrative reforms and Public Grievances (DARPG) on the areas of 'Website Hosting', 'Website Management', 'Development',

228 · Reference: SEBI Email dated September 12, 2022

229 · Reference: SEBI Letter SEBI/HO/MRD/DSA/OW/P/2016/31948 dated November 24, 2016 captioned "Strengthening Resiliency of Websites of Stock Exchanges, Clearing Corporations and Depositories (MIIs)"

4 · 79.8 MII shall frame and implement a Web Server Security Policy that should cover Network and Host Security Policy, Web Server Backup and Logging Policy, Web Server Administration and Updation Policy, Classification of documents to be published on Web Server, Password Management Policy, Encryption Policy, and Physical Security

4 · 79.9 In addition to the above, MIIs shall ensure implementation of the following:

4 · 79.9.1 MIIs shall advise their auditors to give additional emphasis on the Application Security audit.

4 · 79.9.2 MIIs shall include suitable IT / Cyber security related certifications requirements in the criteria for selection of software developers / vendors.

4 · 79.9.3 MIIs shall ensure that their software vendors undertake security audit of their systems on a periodic basis (at least once a year).

4 · 80 Bolstering Cyber Resiliency 230

4 · 80.1 In order to bolster cyber resiliency MIIs should take following steps:

4 · 80.1.1 In addition to the current detection and prevention tools deployed at the MIIs for Network Traffic Analysis and other SIEM solutions, MIIs should start using User and Entity Behaviour Analytics (UEBA) tools for combating cyber threats.

4 · 80.1.2 The Indian -CERT has set -up a Cyber Swachhta Kendra for analyzing BOTs/malware characteristics and providing information and enabling citizens for removal of BOTs/malware. MIIs should share their public facing IPs with the Cyber Swachhta Kendra for monitoring purposes.

4 · 80.1.3 The Standing Committee on Technology (SCOT) of Exchanges and Clearing Corporations and the IT Strategy Committees (IT-CS) of Depositories should on a quarterly basis review the cyber security preparedness of the respective MIIs and also appraise the Board of MII regarding the same.

4 · 80.1.4 MIIs should place the details of Cyber-threat vectors and Cyber-attack scenarios and the corresponding action plan / steps taken to manage such threat vectors and scenarios, before its SCOT or IT -CS for assessing the adequacy of steps taken / efficacy of plans and further improvements. Thereafter, the MII should place a report in this regard before its Board before submitting the same to SEBI.

4 · 80.1.5 In addition to the periodic vulnerability assessment and penetration testing conducted by MIIs to evaluate security posture of the MII, the MIIs should

230 · Reference: SEBI Email dated November 11, 2017 captioned Bolstering Cyber Resiliency

4 · 81 Advisory on Cyber Audit and VAPT2 T231

4 · 81.1 All MIIs should update the scope of the audit as and when any guidelines or advisory related to cyber security is issued by SEBI.

4 · 81.2 During cyber audit, evidence should be collected by inspecting physical assets, records/documents, testing of relevant systems, relevant system generated reports etc. in order to ascertain the compliance of various controls defined by SEBI.

4 · 81.3 The cyber audit report is to be submitted in the Standardized format . Please refer to SEBI Circular on CSCRF dated August 20, 2024 for the said standardised format.

4 · 81.4 Along with cyber audit reports, all MIIs are required to submit to SEBI the comments of their SCOT and Governing Board.

4 · 81.5 Scope of cyber audit shall also include testing the functional efficacy of the SOC.

4 · 81.6 VAPT exercise shall cover all possible ingress and egress points including broker ICT setup, co-location facility etc.

4 · 81.7 All MIIs shall conduct Periodic Training for the concerned employees regarding Cyber Security in line with SEBI Circular on CSCRF dated August 20, 2024and the same has to be checked by the Auditors during cyber audit.

4 · 81.8 The audit report shall include control wise compliance of all SEBI circulars/advisories along with the evidences.

4 · 81.9 All MIIs are advised to include the directions issued by SEBI pursuant to discussion in HPSC -CS in their regular bi-annual cyber audit.

4 · 81.10 In order to ascertain the compliance of identification of critical assets as per SEBI Circular on CSCRF dated August 20, 2024, process of identification of critical assets and its implementation should be assessed during cyber audit.

4 · 81.11 For minimum baseline standards followed for conducting VAPT, please refer to SEBI Circular on CSCRF dated August 20, .

231 · Reference: SEBI Email dated December 28, 2022

4 · 82 Comprehensive Review of Cyber Security at Stock Exchanges, Clearing Corporations and Depositories (MIIs) 232

4 · 83 Activity schedule for depositories for T+1 rolling Settlement2 t233&234&235

4 · 83.1 The activity schedule for T+1 Rolling Settlement is as under:

4 · 84 Advisories related to Technology

4 · 84.1 Advisory on Technology related Investments and Planning by Market Infrastructure Institutions (MIIs) 236

4 · 84.1.1 The operations and functioning of MIIs are driven by technology systems, with their critical operations requiring robust technology infrastructure to enable trading, transfer/ holding of securities, clearing and settlement and information dissemination etc. as applicable. MIIs, in a sense, today can be categorized as a technology company, running a constellation of IT systems, serviced by different technology vendors.

232 · Reference: SEBI Letter SEBI/HO/MRD/DSA/OW/P/2018/000005436/5 dated February 21, 2018

233 · Reference: SEBI Circular DCC/FITTC/Cir-19/2003 dated March 4, 2003 and SEBI Circular MRD/DoP/SE/Dep/Cir-18/2005 dated September 2, 2005

234 · Circular No.SEBI/HO/MRD2/DCAP/P/CIR/2021/628 dated September 07, 2021

235 · SEBI/HO/MRD/MRD -PoD -2/P/CIR/2024/137 dated October 10, 2024

236 · SEBI letter dated December 27, 2023

4 · 84.1.2 Recent years have witnessed rapid pace of market development including significant growth of investor activity and market volumes. This has been coupled with evolving landscape of technology catering to securities market. Existing business processes have been increasingly getting digitized by the MIIs, due to change in market dynamics as well as Regulatory mandates. With such significant changes in the technology systems at MIIs, there is a need for upgradation of existing systems to make them up to date to cater to future growth as well as to implement Regulatory changes. It is therefore important that technology systems of MIIs keep up with the advancement and sophistication in the field of technology.

4 · 84.1.3 To ensure the aforesaid, continuous monitoring of technology infrastructure and systems, along with that of allied processes, is needed for early identification of requirements pertaining to additional investments in technology infrastructure/ systems and technology related human resources.

4 · 84.1.4 Accordingly, MIIs are advised to:

4 · 84.1.4.1 Review existing strategies/ frameworks for technology related investments/ expenses.

4 · 84.1.4.2 Formulate short term, medium term and long term Technology Investment Plan and Technology Human Resource Plan and periodically review them. Further, MIIs to ensure that such plans are pro -active, future -oriented and attuned to the criticality of technology for its functioning.

4 · 84.1.4.3 Formulate a comprehensive framework for budgeting of annual financial requirements for technology related investments/ expenses.

4 · 84.1.4.4 Review organisational structure and employee strengths across various IT/ technology related departments/verticals. This should include review of outsourcing policies and responsibility mapping of internal staff for such outsourced functions.

4 · 84.1.4.5 Review internal governance frameworks, human resource strategies and risk frameworks pertaining to technology operations.

4 · 84.2 Advisory on automation/review of operational processes involving IT systems of Market Infrastructure Institutions (MIIs) 237

4 · 84.2.1 Rapid advancement in the field of technology, over the past few years, has not only resulted into operations of Market Infrastructure Institutions (MIIs) increasingly getting automated and executed through an array of IT systems but also into continuous upgrade/enhancements in these systems to meet technology / regulatory / business needs.

4 · 84.2.2 On the other hand, in the recent past, instances of disruption in business operations of MIIs have been observed on account of system related issues. Root cause for some of these glitches could be traced back to manual error/oversight during setting up of certain system configuration or error in executing Begin of Day (BoD) or End of Day (EoD) activities.

4 · 84.2.3 Continuous availability of systems is cornerstone of operations of the MIIs. While MIIs have business continuity policies and vendor management / outsourcing framework, adequate focus also needs to be provided to error free execution of aforesaid routine activities. Increased and effective use of automation and system driven pre-checks/alerts along with Standard Operating Procedures for routine daily activities / troubleshooting / production release of components, become critical in eliminating technology / operational risk.

4 · 84.2.4 In view of the aforesaid, MIIs are advised to:

4 · 84.2.4.1 Carry out comprehensive review of all the operational processes related to EoD and BoD activities and put in place a framework to periodically review them. The said review may be carried out from the perspective of automation of these activities, formulation of SOPs and system driven validations/monitoring alerts covering various scenarios to ensure uninterrupted and error-free functioning of systems as well as timely generation of EoD/BoD reports for members and market participants.

4 · 84.2.4.2 Put in place similar framework for one off / non-routine events/activities such as introduction of new component/functionality, troubleshooting, activities pertaining to mock trading etc.

237 · SEBI letter dated April 23, 2024

4 · 84.2.4.3 Ensure that all activities/processes related to or impacting system configuration, for clauses 4.84.2.4.1 and 4.84.2.4.2 above, are carried out or overseen by employee(s) of MII competent to understand the operational implications of such technical activities

4 · 84.3 Process for freezing/un-freezing of accounts/holdings pursuant to issuance of orders of SEBI/ Securities Appellate Tribunal(SAT)/ Supreme Court of India/ other courts238

4 · 84.3.1 At present, orders issued by SEBI and/or Hon'ble SAT/Supreme Court of India/other courts (hereinafter referred to as tribunal/court) are intimated to Market Infrastructure Institutions (MIIs), Mutual Funds(MFs) and Registrar and Transfer Agents (RTAs) for taking consequent actions by the concerned Department of SEBI.

4 · 84.3.2 In order to streamline and expedite the said process of taking consequent actions pursuant to issuance of orders by SEBI and/or tribunal/court, directing freezing/ un-freezing of accounts/holdings, it has been decided to introduce a new automated mechanism, which would be monitored by a Centralized Coordination Cell of SEBI. The salient features of the new mechanism are as follows: -

4 · 84.3.2.1 An automated process would be set up for sending intimations by SEBI to MIIs, MFs and RTAs in a standardized format from the SEBI's Case Management System(CMS) portal in respect of issuance of orders by SEBI and/or tribunal/court for freezing/un-freezing of accounts/holdings for seamless implementation of the directions.

4 · 84.3.2.2 A Centralized Coordination Cell under the Enforcement Department-1 (EFD-1) of SEBI has been formed to monitor/ensure timely compliance with directions for freezing/un-freezing of accounts/holdings in a time bound manner. The cell will undertake the necessary co-ordination with MIIs, MFs, RTAs and/or the concerned department of SEBI for timely implementation of the directions.

238 · SEBI letter dated February 22, 2024

4 · 84.3.2.3 In order to ensure that the consequent actions pursuant to issuance of orders by SEBI and/or tribunal/court are acted upon on an immediate basis, the intimations regarding the orders of SEBI and/or tribunal/court directing freezing/ un-freezing of accounts/holdings , would be sent to the generic email IDs of MIIs, MFs and RTAs.

4 · 84.3.2.4 MIIs, MFs and RTAs shall establish clear ownership of their dedicated generic email ID at all times and ensure that there is due diligence at their end to ensure compliance with orders of SEBI and/or tribunal/court in a time bound manner.

4 · 84.3.2.5 In case of any query/ further clarification required by MIIs, MFs and RTAs, they can contact the generic email ID of the Centralized Coordination Cell of EFD -1 of SEBI. The Centralized Coordination Cell would ensure that the clarification is sent to the concerned MII/MF/RTA in a time bound manner by coordinating with the concerned department of SEBI.

4 · 84.3.2.6 MIIs, MFs and RTAs shall develop the capability to generate the relevant system generated reports with respect to directions passed by SEBI and/or tribunal/court vis-a-vis actions taken by them for reconciliation/monitoring.

4 · 84.3.3 The following schematic diagram illustrates the functioning of aforesaid devised automated process:

4 · 84.3.4 In view of the above, MIIs are requested to take necessary steps to put in place requisite systems/mechanisms/framework for implementation of the above .

4 · 85 Wind -Down Plan of Depositories 239

4 · 85.1 The Depository System Review Committee (DSRC) during assessment of the depository framework vis-a-vis the Committee on Payment and Settlement Systems-International Organisation of Securities Commissions (IOSCO) principles for Financial Market Infrastructure, recommended that there is a need for the depositories to have a well-documented framework for orderly winding down of the depository operations including making necessary legal provisions in the Depositories Act, 1996 and the rules and regulations framed thereunder.

4 · 85.2 In view of the recommendations of DSRC, the Securities and Exchange Board of India (Depositories and Participants) Regulations, 1996 were amended to include a provision regarding wind-down plan. Accordingly, in terms of Regulation 51 of the Securities and Exchange Board of India (Depositories and Participants) Regulations, 2018, every depository shall devise and maintain a wind -down plan in accordance with guidelines specified by the Board.

4 · 85.3 In this regard, the following broad guidelines are hereby issued:

239 · SEBI letter No. MRD/DoPII/DSAII/OW/2019/ 3662/1 dated February 07, 2019

4 · 86. Charges levied by Market Infrastructure Institutions – True to label 240

4 · 86.1 Market Infrastructure Institutions (MIIs) being public utility institutions act as first level Regulator and are entrusted with the responsibility of providing equal, unrestricted, transparent and fair access to all market participants. The principle of equal, fair and transparent access by MIIs is highlighted in Regulation 39 (3) of Securities Contracts (Regulations) (Stock Exchange and Clearing Corporations) Regulations, 2018 and Regulation 82 of SEBI (Depositories and Participants) Regulations, 2018.

4 · 86.2 Upon examination of existing processes related to charges levied by MIIs on their members (i.e. stock brokers, depository participants, clearing members), it was observed that a volume based slab -wise charge structure is followed by some MIIs. These charges are levied in lieu of various services offered by MIIs and are recovered from the end clients by members. It has also been observed that members generally recover such charges from the end clients on daily basis whereas MIIs receive aggregate charges from the members on monthly basis.

4 · 86.3 The aforesaid process can result in a situation wherein the aggregated charges collected by the members from the end clients is higher than the end of month charges paid to the MII (due to slab benefit). This can also result in an incorrect or misleading disclosure to the end client about the charges levied by MIIs.

4 · 86.4 The aforesaid matter was deliberated with the Secondary Market Advisory Committee (SMAC) of SEBI, wherein it was observed that in addition to impacting transparency, the existing slab-wise charge structure of MIIs can also create a hindrance for the MIIs in ensuring equal and fair access to all market participants by impacting level playing field between members owing to their size differentials.

4 · 86.5 In view of the aforesaid concerns and as per deliberations with SMAC, it has been decided that the MIIs would comply with following additional principles while designing the processes for charges levied on their members which are to be recovered from the end clients:

4 · 86.6 The MII charges which are to be recovered from the end client should be True to Label i.e. if certain MII charge is levied on the end client by members (i.e.

240 · Circular No. SEBI/HO/MRD/TPD-1/P/CIR/2024/92 dated July 01, 2024

4 · 86.7 The charge structure of the MII should be uniform and equal for all its members instead of slab -wise viz. dependent on volume/activity of members.

4 · 86.8 To begin with, the new charge structure designed by MIIs should give due consideration to the existing per unit charges realized by MIIs so that the end clients are benefitted with the reduction of charges.

9 · Aadhaar Letter issued by UIDAI 241

242 · Reference: SEBI Circular SEBI/HO/MRD -PoD2/CIR/P/2024/93 dated July 01, 2024

243 · Reference: SEBI Circular SEBI/HO/MRD -PoD2/CIR/P/2024/93 dated July 01, 2024

1 · Vision

2 · Mission

3 · Details of business transacted by the Depository and Depository Participant (DP)

4 · Description of services provided by the Depository through Depository Participants (DP) to investors

5 · Details of Grievance Redressal Mechanism

6 · Guidance pertaining to special circumstances related to market activities: Termination of the Depository Participant

7 · Dos and Don’ts for Investors [link to be provided by the Depositories]

8 · Rights of investors [link to be provided by the Depositories]

9 · Responsibilities of Investors [link to be provided by the Depositories]

10 · Code of Conduct for Depositories [link to be provided by the Depositories] (Part D of Third Schedule of SEBI (D & P) regulations, 2018)

11 · Code of Conduct for Participants [link to be provided by the Depositories]

10 · A participant shall co-operate with the Board as and when required.

11 · A participant shall maintain the required level of knowledge and competency and abide by the provisions of the Act, Rules, Regulations and circulars and directions issued by the Board. The participant shall also comply with the award of the Ombudsman passed under the Securities and Exchange Board of India (Ombudsman) Regulations, 2003.

12 · A participant shall not make any untrue statement or suppress any material fact in any documents, reports, papers or information furnished to the Board.

13 · A participant shall not neglect or fail or refuse to submit to the Board or other agencies with which it is registered, such books, documents, correspondence, and papers or any part thereof as may be demanded/requested from time to time.

14 · A participant shall ensure that the Board is promptly informed about any action, legal proceedings, etc., initiated against it in respect of material breach or noncompliance by it, of any law, Rules, regulations, directions of the Board or of any other regulatory body.

15 · A participant shall maintain proper inward system for all types of mail received in all forms.

16 · A participant shall follow the maker—Checker concept in all of its activities to ensure the accuracy of the data and as a mechanism to check unauthorised transaction.

17 · A participant shall take adequate and necessary steps to ensure that continuity in data and record keeping is maintained and that the data or records are not lost or destroyed. It shall also ensure that for electronic records and data, upto-date back up is always available with it.

18 · A participant shall provide adequate freedom and powers to its compliance officer for the effective discharge of his duties.

19 · A participant shall ensure that it has satisfactory internal control procedures in place as well as adequate financial and operational capabilities which can be reasonably expected to take care of any losses arising due to theft, fraud and other dishonest acts, professional misconduct or omissions.

20 · A participant shall be responsible for the acts or omissions of its employees and agents in respect of the conduct of its business.

21 · A participant shall ensure that the senior management, particularly decision makers have access to all relevant information about the business on a timely basis.

22 · A participant shall ensure that good corporate policies and corporate governance are in place.