
To

All Registered Stock Brokers

Rapid changes in technology have made it easier to trade stocks electronically on the stock market. Technology-related risks include interruptions and problems with technology (technical glitches) and how they affect investors’ ability to trade. Because there are more and more of these kinds of problems, SEBI set up a working group to come up with ways to solve the problem. Based on what the working group said and what stakeholders and industry experts said, it was decided to set up the following framework to deal with technical glitches that happen in stock brokers’ trading systems.

What is a technical glitch?
A technical glitch means any problem with a stock broker’s systems, including problems with its hardware, software, networks, processes, or any electronic products or services it offers, that could stop, slow down, or change the normal functions, operations, or services of those systems for five minutes or more. The problem could be caused by insufficient infrastructure or systems, cyber-attacks or incidents, procedural errors and omissions, process failures, or something else. It could happen in the stock broker’s own systems or in ones it gets from third parties.

Reporting Requirements

Stock brokers must tell the stock exchanges about a technical glitch as soon as possible, but no later than one hour after the glitch happened.

Within T+1 days of an incident, stock brokers must send the Exchange a Preliminary Incident Report (T being the date of the incident). The report must include the date and time of the incident, as well as details about what happened, what happened because of it, and what was done right away to fix the problem.

Within 14 days of the date of the problem, stock brokers must send the stock exchange a Root Cause Analysis (RCA) Report (as per Annexure I) of the problem.

The RCA report that stock brokers send in must include, among other things, the time of the incident, the cause of the technical glitch (including the root cause from the vendor(s), if applicable), the duration, a timeline of events, an analysis of the impact and details of corrective/preventive actions taken (or to be taken), the restoration of operations, etc.

Stock brokers must send the information listed in paragraphs 3.1, 3.2, and 3.3 to infotechglitch@nse.co.in, which is a common email address for all stock exchanges.

All technical problems that stock brokers report and that stock exchanges monitor on their own will be looked at by the stock exchanges together with the report/RCA, and the right steps will be taken.

Planning for capacity

As the number of investors grows, the trading system of the stock broker may become more difficult to use. For stock brokers to continue to serve their clients, they must plan for their capacity needs. Stock brokers must do capacity planning for the whole trading infrastructure, which includes server capacities, network availability, and the number of trading applications that can be served at the same time.

Stock brokers must keep an eye on the peak load of their trading applications, servers, and network architecture. The highest peak load seen by the stock broker during a calendar quarter will be used to figure out the peak load. At least 1.5 times (1.5x) the peak load must be added to the system.

Stock brokers must set up the right monitoring tools in their networks and systems so they can be notified quickly if the current use of capacity goes over the allowed limit of 70% of its installed capacity.

So that services don’t stop at the main data centre, stock brokers that the stock exchange specifies from time to time (from now on, “specified stock brokers”) must try to have full redundancy in their IT systems for trading applications and services related to trading.

Stock exchanges should put out clear rules about how often they should look at their available capacity, their peak load, and how much new capacity they need to handle future load on the system.

Management of software updates and testing

Because of the frequency with which software is updated or changed, stock brokers must verify that any and all modifications to their applications have been thoroughly tested before being deployed to live systems. If proper testing is not done after making changes to software, the modifications might break the product’s functionality. Therefore, stock brokers must use the following methodology for making and testing software-related system changes:

Brokers in the stock market are obligated to set up test-driven environments for all software they or their suppliers build. The software development, deployment, and operations processes must include regression testing, security testing, and unit testing.

Certain stock brokers are required to do their software testing in a fully automated setting.

When building trading software, stock brokers must maintain a traceability matrix linking features to individual tests.

Brokers must establish a change management procedure to protect their information security resources from being compromised by unapproved or unanticipated modifications (hardware, software, network, etc.).

Stock brokers must ensure that their servers, operating systems, databases, middleware, network devices, firewalls, IDS/IPS, desktops, and any other assets are kept up-to-date with the latest security patches and versions at all times.

The stock exchanges must publish comprehensive rules for everything from software testing to automated testing to a change management approach and regular asset updates.

Methods of surveillance

One method for minimising the effects of technological problems is to keep an eye out for them on your own. In this regard, the stock exchange is obligated to develop an API-based Logging and Monitoring Mechanism (LAMA) to be used between the stock exchange and the trading systems of certain stock brokers. For this method to work, some stock brokers will need to keep an eye on critical system and functional characteristics to guarantee that their trading platforms are always running smoothly. The stock exchanges are responsible for independently monitoring these critical metrics via the API gateway to evaluate the robustness of the trading systems of the authorised stock brokers.

In cooperation with stock brokers, stock exchanges must determine the most important metrics. These critical metrics must be tracked in real time or very close to it by stock exchanges and stock brokers that have been designated.

To keep track of the most important metrics and any technical issues that may arise with stock brokers’ trading platforms, stock exchanges must have a special monitoring unit. If any of the critical parameters tracked under LAMA is breached, this unit is also obligated to promptly notify the relevant stock broker.

In the usual sequence of events, stock exchanges and stock brokers will keep records of the most important metrics for 30 days. In the event of a technological error, however, records pertaining to that error must be kept for a full two years.

“Business Continuity Planning” or “BCP”

Business continuity planning (BCP) covers planning for a disaster and for a secondary location where operations may continue in the event of a major catastrophe.

Business continuity and disaster recovery plans are required for stock brokers with a minimum number of clients across all exchanges, as may be established by stock exchanges from time to time.

Stock brokers are required to create a detailed Business Continuity Plan and Crisis Recovery Policy defining the normal operating procedures to be followed in the case of a disaster. As part of daily operations, a proper structure should be implemented to monitor the status of all vital systems. To reduce the likelihood of disruptions to operations, the BCP-DR policy document must be evaluated on a regular basis.

The Disaster Recovery Site (DRS) should ideally be installed in areas with varying levels of seismic activity. If such physical separation is not feasible for any reason, such as operational considerations, then the Primary Data Centre (PDC) and DRS must be located at least 250 kilometres apart to reduce the risk of both being destroyed by the same natural catastrophe. To guarantee data is synchronised between the main data centre and the DR site, the DR site must be accessible from the primary data centre.

During DR exercises, authorised stock brokers must perform live trading from the DR location. All activities must be conducted from DRS for at least 1 full trading day during DR drills/live trading. The frequency of DR drills and live trading from the DR site must be determined by stock exchanges in conjunction with designated stock brokers.

Stock brokers should form decision-making teams responsible for making plans for transferring operations to a disaster recovery site, allocating sufficient resources to that site, and establishing a method to bring that site online in the event of a main data centre outage.

There must be a one-to-one relationship between the DRS and PDC in terms of hardware, system software, application environment, network and security devices, and related application environments. All activities at PDC or DRS must have access to sufficient resources at all times.

The Recovery Time Objective (RTO), i.e. the maximum time taken to restore operations from DRS after the declaration of Disaster, and the Recovery Point Objective (RPO), i.e. the maximum tolerable period for data loss due to a major incident, shall be determined by the stock exchanges in consultation with the stock brokers.

High availability, appropriate sizing, and no single point of failure must be guaranteed across the board, including in the replication architecture, bandwidth, and load considerations between the DRS and PDC within the specified RTO. Changes made in the PDC will show up instantly in the DRS.

The stock exchanges may require some stock brokers to achieve ISO certification in the areas of information technology and information technology-enabled infrastructure and operations.

The System Auditor, in the course of performing the required yearly System Audit, will examine the BCP – DR and provide comments on the recorded findings and observations of the stock broker’s DR drills to ensure that it is ready to transition its operations from PDC to DRS.

Stock exchanges must define “critical systems” and “disaster” and give comprehensive instructions for reviewing business continuity plans, conducting disaster recovery exercises, running disaster recovery sites from primary data centres, acquiring ISO certification, and more.

The stock market must institute a system of financial penalties for stock brokers who fail to comply with the rules or who have technological difficulties with their trading platforms.

The occurrences of technical errors in stock brokers’ trading systems, as well as the RCAs conducted by stock exchanges on these errors, must be made public.

The stock exchange shall construct the mechanisms required for implementation of the requirements of this circular, and shall provide relevant guidance to the stock brokers for compliance with the provisions of this circular.

To protect the interests of investors in securities and to promote the development of, and to regulate, the securities market, the Securities and Exchange Board of India is issuing this circular in accordance with the authority granted to it by Section 11 (1) of the Securities and Exchange Board of India Act, 1992.

You may find this circular under the SEBI website’s “Legal Framework” and “Circulars” sections at www.sebi.gov.in.

The effective date of this circular is April 1, 2023.

 

For Understanding and implementation

Get in touch with us

Regards and Thanks

Estabizz Fintech Private Limited.

( One Place for all Stock Brokers Needs )
