SECURITIES AND EXCHANGE BOARD OF INDIA
Memorandum to the Board
No. 58 / 2014
Report of the Depository System Review Committee
1. SEBI Board in its meeting held on July 28, 2011 suggested that demat system
may be reviewed on the basis of CPSS-IOSCO principles by an external
expert appointed by SEBI.
2. To give effect to the decision of the SEBI Board, an expert committee was
constituted as the 'Depository System Review Committee (DSRC)' by SEBI in
June 2012 under the Chairmanship of Shri M. Balachandran (Chairman, NPCI
and former CMD, Bank of India) and included the following external members:
i. Prof. H. Krishnamurthy (Principal Research Scientist, IISc Bangalore)
ii. Shri R. S. Loona (Managing Partner, Alliance Corporate Lawyers and
former Executive Director, SEBI)
iii. Prof. Vikram Kuriyan (Clinical Prof. of Finance, Indian School of
Business)
3. The mandate of the committee was guided by the following Terms of
Reference:
i. Assessment of Existing Policy Framework of Depositories and identify
areas for review.
ii. Assessment of Depository System with CPSS-IOSCO principles,
recommendations of CESR-ECB pertaining to CSDs so as to
benchmark with Global Best Practices.
iii. Identifying areas for continuous improvement of systems, procedures
and practices and make recommendations thereof.
iv. Identify systemically important market infrastructure
providers/institutions/ depository participants and their inter-linkages
and identify areas and suggest safeguards to prevent single point
failures and denial of depository service.
v. Review existing system of inspection by depositories and suggest
changes to strengthen the monitoring/oversight of depository
participants.
4. In the area of inspection and oversight function of depositories including for IT
Governance, the committee decided to carry out a detailed analysis and
formed a sub-committee for this purpose comprising Prof. Krishnamurthy,
representatives of NSDL, CDSL and officials of SEBI. The recommendations
of the sub-committee were presented to SEBI as part of an interim report. The
committee submitted its interim report in May 2013. A copy of the Interim
Report of the committee is annexed to the Board Memorandum (Annexure A).
5. The interim recommendations of the committee are as follows:
A. IT Governance
Depositories should implement the following for their IT governance structure:
a) There should be an IT strategy committee at the board level of
depositories.
b) There should be an approved and comparable IT strategy/plan document
which needs to be reviewed annually by the depositories and their DPs.
c) There should be an IT Steering committee to assist the IT Strategy
Committee in implementation of IT strategy. The IT steering committee
should comprise representatives from IT, HR, Legal and various
business functions as appropriate.
d) Information Security policy should be approved by the board and reviewed
annually.
e) There should be an office of information security and a senior official
should be designated as Chief Information Security Officer (CISO) whose
work would be to assess risk and identify the threat / vulnerabilities.
B. Oversight and Inspection Framework
The committee carried out an extensive review of the oversight and inspection
framework for Depository Participants. The key recommendations of the
committee are as follows:
i. Inspection of Depository Participant by Depositories:
a) Inspections should be risk based rather than compliance based to
provide economic benefits such as fewer inspections for less risky
participants and frequent inspections for more risky ones. The
inspection reports should not only identify risk areas but should also
proactively suggest risk mitigation.
b) The sample size selection should be dynamic and should depend on
the past compliance of a DP in that area.
c) The inspection process of DPs and their service centers should be
automated through usage of appropriate technology. If such close
inspection / oversight modality is not possible directly by Depositories
through their own personnel, the possibility of outsourcing service
centre inspections may be explored, and a suitable outsourcing policy
may be framed.
ii. Delivery Instruction Slips (DIS) Issuance and Processing:
a) Appropriate infrastructure and other requirements, to facilitate scanning
and uploading of the DIS image, should be implemented at the DP’s
end and the depositories should put in place a suitable mechanism to
maintain a database of the scanned DIS.
b) DIS should be standardized across DPs to facilitate easy identification
and tracking of DIS issuance and processing.
c) The depositories should put in place systems such that all significant
DIS related information is available to them for off site inspections.
6. These recommendations were accepted and implemented vide SEBI circulars
dated February 07, 2014, January 21, 2014 and January 07, 2014.
7. After submitting the interim report, the committee took up the issues relating to
assessment of existing policy framework of depositories, assessment of
depository system on the basis of CPSS-IOSCO Principles for Financial
Market Infrastructures, identification of areas for continuous improvement of
systems, procedures and practices and identification of systemically important
Market Infrastructure Institutions and their Inter-Linkages.
8. The committee held extensive discussions and deliberations with depositories
and other market participants related to the depository system. The committee
submitted its final report to SEBI on August 27, 2014. A summary of the
recommendations made by the committee in addition to the interim
recommendations given above is as follows:
A. Assessment of Existing Policy Framework of Depositories
Based on its review of the policy framework for depositories, the committee
recommended the following:
i. SEBI should ensure that the system and technology related requirements
which are verified prior to granting certificate for commencement of
business, are also maintained on an ongoing basis through regular
inspections and system audits.
ii. SEBI may put in place a mechanism so that depositories maintain
complete reconciled record of total issued and listed capital, including both
physical and dematerialized shares.
iii. Depositories are uniquely placed to scale up and utilize their infrastructure
to dematerialize not just securities but also other financial assets subject to
adequate regulatory framework and checks and balances being put in
place. The committee felt that this will promote the integration of the Indian
Financial markets and allow the consumers greater access to and control
of a wide portfolio of financial assets.
iv. With greater integration of depositories with other financial service
providers, there is possibility of interconnectivity of depositories with
financial institutions/ FMIs/ international CSDs in future. Interconnectivity
may require standardization of messaging formats used by depositories.
The committee recommended that it may be desirable to standardize
messaging formats in the long term.
v. With regard to KYC, the committee noted that the e-KYC service launched
by Unique Identification Authority of India (UIDAI) has been accepted by
SEBI as valid process of KYC verification. The committee also informed
that NPCI has entered into an MoU with UIDAI in order to aid financial
inclusion through Aadhaar enabled bank accounts and financial
transactions. The Committee recommended that use of e-KYC through
NPCI should be popularised among DPs.
B. Assessment of Depository System on the basis of relevant globally
accepted Principles for Financial Market Infrastructures so as to
benchmark with Global Best Practices.
The committee observed that while the Depositories are broadly compliant
with the CPSS-IOSCO principles for FMIs, certain areas needed to be
strengthened. In view of this, the committee recommended the following:
i. Risk Management Framework for depositories: FMI principles lay emphasis
on the need to have robust risk management framework to identify, monitor
and manage various risks emanating from multiple sources to its
operations.
The committee recommended that there should be a Board approved
policy providing for a well documented comprehensive risk management
framework at both depositories. The risk management group/
committee formed by the depositories should be active and meet
periodically to continuously identify, evaluate and assess applicable risks in
depository system through various sources vis-à-vis investors complaints,
inspections, system audit etc. and suggest measures to mitigate risk
wherever applicable. A Chief Risk officer should be made responsible,
accountable, accessible & answerable to the board on overall risk
management issues.
ii. Orderly winding down of depositories: The Committee observed that there
is no laid down system or procedure for orderly winding up of depositories
in the event of potential scenarios such as voluntary winding up by
depositories, depositories going bust due to general business risk, fraud at
the end of depositories, or depositories wound up due to regulatory action
or court order. In Indian depository micro structure, there are two
depositories. In the event of failure, disruption or winding up of one
depository, all the demat accounts and securities held with stressed
depository can be potentially moved to another depository without affecting
the interest of investors. The committee recommended that there is a need
to have a well documented framework for orderly winding down of the
depository operations including making necessary legal provisions in the
regulations, rules and Depositories Act.
C. Identification of Areas for Continuous Improvement of Systems,
Procedures and Practices
The committee identified a few areas which needed further focus from the
perspective of maintaining a robust depository system. Based on its review
of these areas, the committee recommended the following:
i. In order to achieve wider financial inclusion and encourage participation of
investors from Tier II and Tier III towns in the securities market, the DPs
need to widen their reach in these areas. For this purpose, there is a need
to devise an incentive structure for depository participants so that they
encourage investors to open demat accounts with them. In this regard, the
revenue source of depositories may be augmented and DPs may be
incentivized by having a revenue sharing mechanism between the
depositories and DPs which may encourage the DPs to expand their reach
in tier II & III towns. Bank DPs with their large branch network and wider
reach in the tier II & III towns can play a crucial role in furthering the
objectives of financial inclusion. DPs may be compensated for the cost
incurred in account opening, especially Basic Service Demat Accounts
(BSDA) as it will act as a motivator for DPs to open more accounts.
ii. The committee recommended that SEBI may review the quantum of funds
required to be transferred to IPF by depositories and arrive upon a sizable
limit for corpus of IPF. Only profits from depository operations may be
transferred to IPF. SEBI may also formulate an Investment Policy for the
IPF. The funds of the IPF may be utilized for conducting Investor
Awareness and Education Programmes and supporting the depositories'/
DP's initiatives for financial inclusion in a variety of ways.
iii. The committee noted that certain DPs allow the promoters of companies to
use tripartite agreements usually referred to as Non-Disposal Agreement/
Non-Disposal Undertaking (NDU) to extend facilities to its clients for
lending / borrowing of shares instead of following the pledging facility
available in the depository system. The committee recommended that DPs
should not be party to such arrangements as there is no regulatory
mechanism whereby depositories and DPs can treat shares covered by
NDU as pledged / encumbered, leading to potential for fraud and multiple
pledging.
iv. In the area of outsourcing by Depositories, there is a need for further focus
and strengthening of guidelines on the lines given below:
a) Care should be exercised while outsourcing and wherever possible
depositories should put in place various controls to ensure that there is
check on the activities of outsourced entity especially to monitor that
outsourced activities are not further outsourced downstream.
b) Core and critical activities of depositories should not be outsourced.
c) Core IT support infrastructure / activities for running the core activities
of depositories to the possible extent should not be outsourced.
d) Wherever outsourcing is allowed, depositories should ensure that risk
impact analysis is undertaken, only reputed entities having proven high
delivery standards are selected, appropriate back up / restoration
systems are put in place, and that they monitor and have checks and
overall controls over the outsourced entity on a real time basis.
e) Audit of implementation of risk assessment and mitigation measures
listed in the outsourcing policy document and outsourcing agreement/
service level agreements pertaining to IT systems should form part of
System Audit of Depositories.
D. Identification of Systemically Important Market Infrastructure
Institutions and their Inter-Linkages
In view of transformation of securities market infrastructure brought about
by advances in information technology (IT) and dependence of Financial
Market Infrastructure Institutions on technology, the committee examined
the technology infrastructure of the Depositories and reviewed the usage of
technology in the Depository system. The committee recommended the
following:
i. The IT infrastructure deployed should have high availability and no single
point of failure. In the event of failure of any sub-system, component
or software, the resultant solution has to work, maybe with
acceptable levels of degraded performance, and the corrective mechanism
put in place to ensure that the rectification takes place within 4 hours. The
DPs have to put in place appropriate mechanisms in order to ensure no
compromise to data integrity and transaction integrity.
ii. Depositories should take steps to ensure that the IT Infrastructure of DPs
has high availability and fault tolerance, uptime guarantee of 99.5%
measured on a monthly basis with mean time to restore (MTTR) of not
more than 4 hrs, data integrity and transaction integrity and appropriate
security access and control framework.
9. The committee has categorised its recommendations as short term, medium
term and long term goals. A copy of the final report is annexed to the Board
memorandum for perusal (Annexure B).
10. The Report of the Depository System Review Committee is placed before the
Board for its consideration. The Board is requested to take note of the interim
recommendations of the committee which have been implemented by SEBI as
stated at para 6 and to authorise Chairman to take necessary action on the
basis of the final report as deemed appropriate.
Annexure A
Interim Report of the Depository System Review Committee
Contents
Executive Summary
Preamble and Introduction
Oversight and Inspection Framework
Risk Modeling and DP rating
DIS issuance & processing
IT Governance
Technology Enabled Future Road Map
Executive Summary
The introduction of Depository System has been instrumental in eliminating various drawbacks in
handling of physical share securities in terms of problems related to transfer of shares, bad deliveries,
loss of share certificates etc. and it enabled fast and efficient settlement (T+2 settlement cycle).
Technology has been a major driver in ushering this electronic revolution in securities markets, thereby,
making securities markets more in sync with the fast changing technological environment. This, in
tandem with the dynamic nature of securities markets, presents challenges before Regulators in
maintaining orderly development of securities markets and also to protect the interest of investors.
Over the years, SEBI as a regulatory body has responded by tightening of the regulatory framework of
Depositories consisting of Regulations, circulars issued by SEBI, byelaws and circulars of the
Depositories, etc. However, there had emerged inadequacies in the systems which were misused by
certain market participants for their benefit, which led to an examination and order by a two member
committee of SEBI in 2009, which inter-alia recommended review of the depository system through an
independent body of experts.
Therefore, a Depository System Review Committee (DSRC) was constituted on June 25, 2012 under the
Chairmanship of Mr. M. Balachandran (former CMD of Bank of India) along with Prof. H. Krishnamurthy
(IISc Bangalore), Mr. R. S. Loona (Ex ED SEBI), Prof. Vikram Kuriyan (ISB) as members to undertake a
comprehensive review of the Indian Depository System and to benchmark against global best practices.
The committee while reviewing the system as a first measure examined
I. Inspection and Oversight
a. The oversight over the depository’s functioning including the inspection of DPs by them.
b. Inspection of depositories by SEBI
II. Risk Model and rating of DPs
III. DIS issuance & processing
IV. IT Governance
The DSRC while examining the inspection system & processes observed that the matter would need to
be looked at from two angles, viz:
A. inspection of DPs by Depositories and
B. oversight by SEBI on the functioning of Depositories and their operational control of DPs
Therefore, a sub-committee was formed comprising Prof. Krishnamurthy (DSRC Member),
representatives of NSDL and CDSL, and officials of SEBI Market Regulation Department - Division of
Market Supervision to look into aforementioned issues, review the current inspection process of the
Depositories and to frame comprehensive inspection guidelines.
The Committee noted a major change in many countries in the move from rule based supervision to
principle based supervision. Developed countries like the U.K. (A.R.R.O.W.), Singapore (C.R.A.F.T.) and
emerging markets like Malaysia, Thailand, China, South Africa, and Taiwan follow a risk based inspection
methodology. This enhances the need to move from compliance based oversight & inspection
towards risk based oversight & inspection. This report discusses the need for inspections to be efficient
and effective by being more focused on risk assessment. In order to be more effective, the inspection
focus needs to be dynamic, keeping in view the changing risk profile, technological advancements and
innovations in products and market structure.
A) The committee observed that the inspection of DPs by Depositories is done as a routine annual
exercise which mainly focuses on compliance. Light monetary penalties are imposed in cases where non-
compliance / deviations are observed. Therefore, it was felt by the committee that inspection
techniques and methods should be reviewed based on thorough understanding of potential failure
modes and inspection should be made risk based. Further, DPs should be classified into risk buckets with
appropriate risk weights for the purpose of rating of DPs and an integrated risk model be developed.
In the aftermath of the financial crisis, the Financial Stability Board (FSB) and the G20 Leaders
identified the need for more intense and effective supervision, particularly of systemically important
financial institutions (SIFIs), as weak risk controls at financial institutions are still being witnessed.
Further, sharing of information regarding all activities undertaken by SIFIs regulated by various
authorities need to be encouraged for improvement in supervision to ensure that it is effective,
proactive and outcomes-focused.
One of the key risks identified is operational risk, which is more dynamic in view of technological
changes, information security, systemic risk, newer products being offered and increase in sophistication
of institutions. Therefore, in the context of depositories, risk based inspection must focus more on
operational risk especially the aspects like business continuity and information security.
Since the resources available with regulators are relatively limited, the main responsibility of risk
assessment and mitigation would rest with the depositories and their participants through internal
audit, risk management and compliance. However, risk based inspections would address this through
deploying limited resources to the riskiest institutions and areas, prioritized based on an assessment of
the risks therein. As such, inspection approaches and areas of focus need to be periodically reviewed to
confirm that, for instance, institutions and areas previously classified as “low or moderate risk” still
warrant this assessment.
Effective inspection requires finding the right balance between focusing on areas of higher risk while
also ensuring some periodic coverage of all aspects, including, for example, those that might prove risky.
Striking the right balance is an ongoing challenge; however, regulatory developments should allow
inspectors to explore and leverage off deeper information sets and analysis. This includes the
information that can be made available from depositories and other centralized sources of data, and
information from implementation of recovery and resolution plans which provide supervisors with new
insights. This, therefore, puts technology into perspective and hence the need for increased use of
technology based inspections.
The committee felt that in a risk based inspection framework, identification of various sources of risks in
the system will be critical and quantification of same will enable effective monitoring of participants. For
assessing the quantitative factors, one of the parameters is complaints received against DPs as this data
provides vital information regarding the quality of services provided to investors by the DPs and also
provides information regarding unauthorized usage of securities / manipulation if any. Further, non-
compliances (number of violations) observed during inspection of DPs is also another parameter which
can be quantified. However, there could also be various unquantifiable risks which can be covered
through qualitative factors. The qualitative factors include governance in terms of corporate as well as
IT governance, management quality & capacity, reputation & goodwill, efficiency & economy of services
rendered, etc. Therefore, the committee felt the need to have a weighted average risk model to include both
quantitative factors and qualitative factors to objectively assess and measure the risk profile of the DPs
and categorize them into various Risk Buckets viz. high, medium, low. This bucketing will allow the
Depositories to allocate more resources to high risk and non-compliant DPs and focus relatively less on
low risk DPs.
The interim report of the DSRC covers the current inspection process and practices by Depositories
and the recommendations of the committee on the same and IT Governance of Depositories and DPs
and best practices for DIS and future roadmap for strengthening the system.
In summary, while risks and dynamism have increased in the system, the inspection system has remained
compliance based. Hence the need for risk based inspection and an integrated risk model,
and for moving towards an oversight and inspection regimen enabled by technology based methods and tools.
To accomplish this objective, the report prescribes, through its recommendations, an inspection
framework based on risk assessment, which comprises inspection guidelines, a quantitative risk model
and bucketing, and enhanced use of technology for effective supervision.
List of Recommendations
I. Inspection and Oversight
1. Inspection of Depositories by SEBI
The objectives of the inspection of depositories by SEBI are broadly to examine whether the
procedures and practices of the depository are in compliance with the Depositories Act,
1996, SEBI (Depositories and Participants) Regulations, 1996, SEBI circulars, the bye-laws
etc. This involves examining whether the processes, operations and systems are in
accordance with SEBI (Depositories and Participants) Regulations, 1996; look into the
complaints redressal mechanism of the depository, assess whether the IT infrastructure
including its security system are adequate with suitable business continuity arrangements,
checking the compliance level of the previous inspection findings.
o Depositories should be inspected on an annual basis.
o SEBI should examine the information received through Monthly Development Reports
  (MDRs) on a regular basis and capture from various angles the deficiencies in the
  functioning of Depositories and DPs and convey their observations to the Depositories,
  especially on the latter’s findings of the inspection of DPs.
o SEBI should revamp and then examine the information received through Monthly
  Development Reports (MDRs) on a regular basis and SEBI should analyze the MDRs and
  convey their observations / comments to the Depositories, specifically on findings of
  the inspection of DPs.
o The SEBI's inspection of the Depositories should ensure that the critical observations of
  SEBI’s Inspection of DPs are reflected in the critical observations of the DP inspection by
  depositories.
o There should be an annual interface between SEBI and Depositories to review
  comprehensively and deliberate on the inspection findings on the DPs and areas of
  repeat violations, non compliance, and overall status of rectification.
2. Inspection of Depository Participants by Depositories
o The inspection techniques and methods should be reviewed based on thorough
  understanding of potential failure modes.
o Consolidated / integrated risk based inspection framework for joint inspection
  of DPs which are registered on both depositories and have large number of BO
  accounts and custody value should be introduced.
o There should be disclosures in the annual report of depositories regarding
  inspections conducted and various actions taken pursuant to inspections.
o In order to assess the effectiveness of inspection methodology of the
  depositories, the critical observations of SEBI noted during its inspection of DPs
  should be communicated to depositories so as to counter check and verify
  whether finding of the depository and SEBI are broadly in sync with each other.
o Inspections should be risk based rather than compliance based to provide economic
  benefits such as fewer inspections for less risky participants and frequent inspections for
  more risky ones. The inspection reports should not only identify risk areas but should
  also proactively suggest risk mitigation.
o The sample size selection should be dynamic and should depend on the past compliance
  of a DP in that area.
o The inspection process of DPs and their service centers should be automated through
  usage of appropriate technology. If such close inspection / oversight modality is not
  possible directly by Depositories through their own personnel, the possibility of
  outsourcing service centre inspections may be explored, and a suitable outsourcing
  policy may be framed.
II. Risk Model and Rating of DPs
The committee recommended a weighted average risk model on quantitative and qualitative
factors to arrive at a risk score and thereafter categorize the DPs into various Risk Buckets
viz. high, medium, low. This bucketing will allow the Depositories to pay more attention and
allocate more resources to high risk and non-compliant DPs and focus relatively less on low
risk DPs. The parameters on which risk score is assigned are as follows:
o Past inspection findings: a good compliance record indicates a low risk profile and hence
  will result in a low risk score; alternatively, a non compliant DP will be assigned a high
  risk score. Repetitive violations of the same kind result in a higher risk score being
  assigned to the DP.
o The complaints received against the DP by various entities
o The size of the DP
o The nature of the DP viz. stock broker, Bank DP will result in a different score being
  assigned to the DP in conjunction with the above parameters, as different
III. DIS issuance & processing:
o Standardization of DIS across Depositories will facilitate easy identification and tracking
  of DIS issuance and processing. Further, it will also ensure that issue of loose slips at the
  end of DP will also be monitored and regulated. The depositories should revise their
  EOD reporting requirements / structure such that all significant information relevant for
  their inspections available in the back office of DP should also be available with them.
o The appropriate infrastructure and other requirements to facilitate scanning and
  uploading of the DIS image should be implemented at the DP’s end and the Depositories
  should put in place a suitable mechanism to maintain a database of the scanned DIS and
  use it for easing the inspection process within a timeframe of 6 months.
o Truncated image of DIS captured at branches / service centers of DPs should be
  accessed and available to Depositories directly for effective monitoring of the
  transactions from a market surveillance perspective.
IV. Sample Selection Guidelines
o The sample size for each activity will range from minimum of 2,000 samples to
  maximum 6,000 samples. Sample selection shall be adaptive by taking into
  consideration various risk parameters for following activities and dynamically adjusted
  depending on the risk rating of DP.
    - Account opening
    - DIS execution
    - Investor complaints
    - Demat / Remat / Pledge / Unpledged
    - Client master Changes Samples and other miscellaneous areas
V. IT Governance and Internal Audit
The inspection process should ensure verification of the following:
o The depositories and their DPs should have an approved IT strategy / plan document
which needs to be reviewed annually.
o A System Audit framework should be prescribed for DPs.
o Create an IT Steering committee to assist the IT Strategy Committee in implementation
of IT strategy.
o Information Security policy should be approved by the boards and reviewed annually
o Create an office of information security and designate a senior official as Chief
Information Security Officer (CISO) whose work would be to assess risk and identify the
threat/ vulnerabilities.
o In the event of disaster, there should be no disruption in services and in case there is a
disruption, there should be near zero data loss
o Designate a senior official as Head of BCP function
o Increased use of technology so as to ensure effective off site inspections of DPs and
their branches and service centers
o The subcommittee also desired to enhance the efficacy of internal audit of DPs and
towards accomplishing the objective suggested that :
Areas for concurrent audit to include high risk areas such as account opening
and modification, issuance and execution of DIS, investor grievance redressal,
POA modifications, etc.
Review scope and format of reports of Internal Audit
Software utilities to identify data entry errors
Insurance coverage
Periodicity of Inspection of new participants
People carrying out Inspection of DPs
Capital Adequacy
Annual system audit and Comprehensive BCP/DR guidelines
Preamble and Introduction
The enactment of the Depositories Act in August 1996 paved the way for the introduction of the Depository system
in India. India has adopted a Dematerialization system wherein, by operation of law, physical share
certificates are replaced with shares in electronic form. In the books of the company, the depository is the
registered owner, and the depository in turn maintains an electronic ledger of the securities in which movements
of securities from one account to another are recorded and maintained to ascertain the beneficial
owners. In the year 1996, National Securities Depository Limited (NSDL) was the first depository to be
established in India followed by Central Securities Depository Limited (CDSL) in the year 1999.
Introduction of Depository system has eliminated various drawbacks in handling of physical securities in
terms of problems related to transfer of shares, bad deliveries, loss of share certificates etc. and enabled
fast and efficient settlement. The Depositories Act 1996 and SEBI (Depositories and Participants)
Regulation 1996 form the backbone of the regulatory framework for depositories and depository
participants.
In the depository system, the depositories provide various services to investors / clients through their
agents i.e. depository participants. The broad services provided by these participants are as follows:
Account opening
Demat / Remat
Other services such as PoA, pledge / unpledge, transmission, freeze / unfreeze, etc.
Inter-depository transfers
Transactions / transfers - pay in, payout, early pay in, etc.
A snapshot [1] of the Indian Depository System is as under:

| Sr. No. | Types of DPs | CDSL: DPs | CDSL: BOs | CDSL: Custody Value (in Rs. Cr.) | NSDL: DPs | NSDL: BOs | NSDL: Custody Value (in Rs. Cr.) |
|---|---|---|---|---|---|---|---|
| 1 | Banks | 35 | 5,94,900 | 3,23,946 | 53 | 48,74,899 | 42,13,576 |
| 2 | Custodians | 11 | 63,207 | 4,45,251 | 6 | 6,99,702 | 26,24,861 |
| 3 | Stock Brokers | 506 | 72,71,775 | 2,45,498 | 212 | 68,62,581 | 9,31,791 |
| 4 | Clearing Corporations | 17 | 2,17,794 | 11,854 | 8 | 667 | 630 |
| 5 | Others (RTA and NBFC) | 6 | 3,157 | 2,237 | 4 | 63,376 | 48,738 |
| 6 | Total | 575 | 81,50,833 | 10,28,786 | 283 | 1,25,01,225 | 78,19,596 |

From the above table, it is noted that stock broker DPs hold the maximum number of BO accounts whereas Bank DPs hold the maximum in terms of custody value. Going forward, and with the financial inclusion initiative kicking in, it is envisaged that Bank DPs will play a substantial role in expanding the DP footprint to new areas and segments of investors.

[1] For the month ending November 2012
The different type of instruments along with their dematerialized custody value is as under:
Number of ISINs:

| Type of Instrument | No. of ISINs at the end of the month (30/11/2012) | Demat Custody value as on 30/11/2012 (Figures in Rs. Cr) |
|---|---|---|
| Equity shares # | 15,140 | 58,69,602 |
| a. Listed | 10,947 | 56,27,720 |
| b. Unlisted | 4,193 | 2,41,882 |
| Preference shares | 969 | 50,633 |
| Debts # | 14,735 | 11,92,099 |
| a. Listed | 6,514 | 10,27,578 |
| b. Unlisted | 8,221 | 1,64,521 |
| Mutual Fund Units | 7,402 | 17,976 |
| Others | 18,148 | 6,89,286 |
| Total | 56,394 | 78,19,596 |

From the above table it can be inferred that other instruments apart from equity will increase the choice
for investors and the demat custody value for such instruments will see an increase in the future.
Over a period of time, inadequacies emerged in the system which were taken advantage of,
sometimes wrongly, by market participants for their benefit. SEBI noticed such inadequacies when
its surveillance system observed large scale off market transfers prior to the date of listing which upon
detailed analysis indicated that thousands of fictitious / benami demat accounts were fraudulently
opened by certain operators who ultimately used these demat accounts for cornering of shares in
various IPOs. Further, in another matter SEBI had observed that one of the depositories had failed to
exercise due diligence at the time of dematerialization of DSQ shares which led to trading of unlisted
shares on stock exchanges. In this connection, SEBI had reviewed the operations of Depositories and the
following observations were made:
1. Adequacy of Bye laws on internal monitoring, review and control process - The adequacy of Bye
laws of Depositories should be assessed through independent experts
2. Audit System – No specific comments on the adequacy of audit system or audit process.
3. Supervision – Lack of an effective supervisory mechanism or if the mechanism was adequate the
failure to operate it effectively, and the consequent failure to prevent, detect and remedy
fraudulent transactions in dematerialized accounts. The system needs to be reviewed by
independent experts to develop revamped and strengthened supervisory system to proactively
anticipate and prevent fraudulent activity and safeguard the integrity of the systems.
4. Inspection – The inspections of DPs failed to detect the large scale fraud illustrating the inherent
weakness of the systems, procedures and practices in conducting inspections. It was felt
prudent to review the inspection system using suitable independent experts to develop a
revamped and strengthened inspection system to proactively anticipate and prevent fraudulent
activity and safeguard the integrity of the systems.
5. Data Reliability – The system established and operated was not adequately strong in
safeguarding the reliability of the data uploaded into it.
6. Sanctions and penalties – A consistent approach has not been taken on the issue of sanctions for
various types of violations and the basis for differentiation of approach is less than clear which is
not conducive for orderly development of the market. Urgent action was required to be taken to
review existing policy and practice and develop a clear, rational and transparent policy
framework on sanctions and penalties.
7. Lack of Physical Verification of DP applicants - Given the crucial role of DPs in the depositories
system, ordinary prudence and due diligence required that depository should have at a
minimum, physically inspected DP applicants before approving their status and that mere
reliance on third party certification is neither adequate nor justifiable.
8. KYC system and implementation – The staff of the DP only should carry out in-person
verification. The DP should not outsource or assign the activity of in-person verification to an
outside agency.
9. Introduction of a correspondence address field – No adverse comments.
10. Allowing use of Agents to open accounts – No adverse comments.
In light of the above observations, the system was revamped to ensure that the operations were conducted
in better compliance. The Depositories and DPs subject themselves to independent audit
conducted on the following operations to assess whether they are adequate to ensure the integrity of
the overall depository system and the securities market:
1. Selection of DPs
2. Opening and operation of Depository accounts including the KYC system
3. Audit
4. Supervision
5. Inspection
6. Penalties and Sanctions.
Pursuant to the various inadequacies observed in the depository system, the depositories in
consultation with SEBI, to remedy the shortcomings, took various steps which are as under:
1. Strengthening of KYC Norms:
a. Verification of the identity and address of the beneficial owners.
b. PAN made mandatory for opening of dematerialized accounts.
c. In-person verification of the applicants by staff of the DP at the time of account opening.
d. Mandatory 100% verification of the account opening documents by the Concurrent
Auditor.
e. KYC non-compliant accounts frozen till compliance is ensured.
2. Audit procedures and System Audit:
a. DPs have to conduct internal and concurrent audit programs as part of their risk
mitigation measures.
b. The Depositories were mandated to subject themselves to comprehensive system audit
on annual basis and place the report along with compliance status before the Governing
Board of depositories before forwarding the same to SEBI.
c. The depositories were advised to review the scope and format of reports of Internal
Audit on half yearly basis.
d. The depositories were advised to submit the report as well as certificate of the internal
auditor to SEBI certifying effective implementation of adequate internal control
procedures and operational control
3. Improving disclosures and Surveillance:
a. Information regarding details of dematerialization, re-materialization, and off-market
transaction were mandated to be disseminated on websites of Depositories.
b. Examination of off-market transfer of IPO shares where many (five or more)
dematerialized account holders make off market transfers to a target account.
c. De-dupe software was developed to identify and stop multiple demat accounts being
opened with the same or similar PAN, bank account and MICR code.
d. ISIN of companies issuing shares (IPOs) are activated only on the day of commencement
of trading.
e. Software utilities were developed and installed to identify and prevent data entry
errors.
f. Identifying frozen demat accounts receiving IPO credits
g. The ISIN of the companies issuing shares by way of Initial Public Offer frozen for debits
and credits while crediting the shares and the ISIN reactivated on the day of
commencement of trading on the stock exchanges.
h. SMS alert facility to the investors was introduced for debits, credits and various changes
such as address change, etc., in the demat accounts.
i. Monitoring of Minor BO accounts
j. An independent surveillance cell formed to coordinate the surveillance activities with
SEBI, FIU-India and other investigating agencies
k. Concurrent audit to include high risk areas such as account opening and modification,
issuance and execution of DIS, investor grievance redressal, POA execution and
modifications, etc.
4. Strengthening of the Regulatory Framework for Depositories:
a. Review of completeness of bye-laws and procedure for monitoring given the evolving
nature of DP operations.
b. Enhanced insurance cover with facility for free reinstatement and automatic
reinstatement of sum insured
5. Penalties and Sanctions:
a. The penalty structure was made uniform at both the depositories.
6. Inspection of DPs
a. Both the Depositories viz NSDL & CDSL had carried out a special review of their
inspection function/ system & procedures by an external auditor and accordingly
updated / framed their manual for conducting inspection of their participants based on
the inputs of respective auditor.
b. The depositories to update their Operations cum Manual Process Flow for Inspection of
Participant every quarter
c. Both depositories to follow a common sampling plan for carrying out inspection.
d. Conduct inspection of new DP within a limited time frame (say 6 months) to provide
guidance.
Subsequently, while disposing the matter of NSDL, the SEBI Board observed in its order
(BOARD/SEBI/1/2010) dated February 02, 2010 that "...there is scope for continuous improvement of
systems, procedures and practices in conducting inspections. The systems need to be reviewed by
suitable independent experts and a comprehensive and strengthened inspection system needs to be
developed and put in place. Such a review can, inter alia, include the issue of further use of technology
for preventing or alerting to the possibility of fictitious accounts - a cardinal issue in the integrity of
financial systems."
In light of various observations made by a two member committee appointed earlier in 2008, on the
functioning of depositories, SEBI Board in its meeting held on July 28, 2011 decided that the "Depository
system" be reviewed by an independent expert group on the basis of CPSS-IOSCO principles.
Accordingly, Depository System Review Committee (DSRC) was constituted on July 15, 2012 under the
Chairmanship of Mr. M. Balachandran to undertake a comprehensive review of the Indian Depository
system.
The terms of reference of the committee are:
a) Overall assessment / adequacy of existing depository framework and identify areas for review.
b) Assessment of depository system on the basis of relevant CPSS-IOSCO principles, recommendations
of CESR-ECB pertaining to Central Securities Depositories (CSDs) so as to benchmark with the global
best practices.
c) Identify areas for continuous improvement of systems, procedures and practices and make
recommendations thereof.
d) Identify systemically important market infrastructure providers / institutions / depository
participants and their inter-linkages and identify areas and suggest safeguards to prevent single
point failures and denial of depository service.
e) Review existing system of inspection by depositories and suggest changes to strengthen monitoring
/ oversight of depository participants.
The first meeting of the committee was held on August 14, 2012 and the committee has held five
meetings so far. The committee decided that the existing systems, procedures and process be studied so
as to identify deficiencies, inadequacies, cost efficiency and scope for providing better services to
investors. Further, it was also felt that a study of depository systems in international jurisdictions could be
helpful so as to understand and identify best practices which may deserve to be introduced in the Indian
context. In the meantime, the committee took up an appraisal to understand the overall operations and
activities of Indian depositories, and therefore the committee visited CDSL and NSDL and had detailed
discussions with the top management team of both depositories.
Based on their initial observations of the functioning and assessment of potential risks in the system, the
committee, as a first in the agenda, took up the issue of Inspection of Depositories and the DPs by
depositories for examination. DPs being the agents of Depositories act as touch points for the customers
on behalf of depositories and the various services of the depositories are rendered indirectly through
these participants. Therefore, an effective oversight of these participants is a critical obligation of
depositories. Inspection is one of the effective means of oversight and supervision and helps in
identifying inadequacies and risks in the system. Further, it can also help the depositories to ensure
compliance and adherence to the recommendations of CPSS-IOSCO. The relevant recommendations
whose adherence can be directly assessed by inspection are as under:
Operational Reliability - identification & mitigation of operational risks through proper systems,
controls and procedures that ensure reliability, security and scalability.
Protection of Customers' Securities - Accounting practices and safekeeping procedures to fully
protect customers' securities including protection against claims of a custodian's creditors
Governance - Arrangements to fulfill requirements for public interest and promote the
objectives of owners and users
Efficiency - The systems should be efficient w.r.t. safe and secure operations in a cost effective
manner
Transparency - Proper information to be provided to the customers to help them in identifying
and evaluating risks and costs associated with the services rendered
Regulation & oversight - transparent and effective regulation and oversight with clearly defined
roles and responsibilities.
The depositories are mandated by SEBI to inspect their participants on an annual basis. The depositories
conduct these inspections through an in-house team with a gap of around a year between two
inspections of the same DP. Currently, the depositories use a spreadsheet-based system: information /
data is taken individually from databases through reports and then used for determination of
samples / adaptive samples. Since sample size and sample selection are critical pre-inspection activities
which require sifting and analysis of data, use of proper technology can be a catalytic enabler in arriving
at an appropriate sample and sample size which truly represents the criticality and risks associated with a
particular activity. Further, technology can be used in the archiving and record keeping of various
inspection findings to help prepare an appropriate integrated risk model which can quantify risks leading
to risk bucketing of DPs for efficient and effective regulation and oversight.
Against the aforesaid background, the committee desired to provide immediate attention to the
following issues:
1. Whether Inspections should be risk based rather than compliance based to provide economic
benefits such as fewer inspections for less risky participants and frequent inspections for more
risky ones.
2. Whether the inspection techniques and methods should be reviewed based on thorough
understanding of potential failure modes
3. Whether the inspection process of DPs and their service centers should be automated through
usage of appropriate technology for the following purposes:
a. To make it more quality oriented and less labour intensive so as to enhance the productivity of the inspection process
b. To safeguard integrity of data and reduce the risk of failure
c. To reduce inspection and maintenance costs without compromising integrity and reliability of samples collected
d. To offer a flexible technique to continuously improve and adapt to a changing environment
4. Whether DPs should be classified into risk buckets with appropriate risk weights for the purpose
of rating of DPs.
In order to address the above issues, review the current inspection process of the Depositories, and to
frame comprehensive inspection guidelines, the DSRC formed a sub-committee consisting of Prof.
Krishnamurthy (DSRC Member), representatives of NSDL and CDSL, and officials of SEBI Market
Regulation Department - Division of Market Supervision. The findings and suggestions of the
subcommittee are incorporated in this report.
Oversight and Inspection Framework
The enactment of SEBI Act, 1992 bestows upon SEBI, the responsibility of protecting the interests of
investors in securities and to promote the development of, and to regulate, the securities markets and
for matters connected therewith or incidental thereto. Further, the enactment of Depositories Act, 1996
provides for regulation of depositories in securities and for matters connected therewith or incidental
thereto.
The statutory provisions in the SEBI Act (Sections 11 and 11B) and the Depositories Act (Section 19)
confer powers and responsibilities on SEBI to achieve the objectives of the abovementioned laws i.e. to
protect the interests of investors and safeguard the orderly development of the securities market.
These provisions cover all “persons” who fall within Section 12 of the SEBI Act, including depositories.
Section 19(ii) of the Depositories Act empowers SEBI “to prevent the affairs of any depository or
participant (DP) being conducted in the manner detrimental to the interest of the investors and
securities market.” The responsibility for conducting its affairs in a manner not detrimental to the
interest of investors of the securities market thus lies on each depository/ DP and SEBI has the duty to
prevent or correct any failure on the part of depositories / DPs to fulfill this obligation.
The above statutory responsibility is reflected in regulatory provisions such as the following:
Section 26 of the Depositories Act, 1996 requires depositories to frame bye laws which may
inter-alia provide for…….
(i) The procedure for ensuring safeguards to protect the interest of the participants and
beneficial owners,
(ii) The internal control standards including procedure for auditing reviewing and monitoring.”
Regulation 34 of the Securities and Exchange Board of India (Depositories and Participants)
Regulations, 1996 (hereinafter referred to as “Depositories Regulation”), provides that “every
depository shall have adequate mechanisms for the purpose of reviewing, monitoring and
evaluating the depository’s controls systems, procedures and safeguards.”
Regulation 35 of the Depositories Regulation provides that “every depository shall cause an
inspection of its controls, systems, procedures and safeguards to be carried out annually and
forward a copy of the report to the Board.”
Regulation 59 of the Depositories Regulations provides that SEBI may appoint one or more
persons as inspecting officers to undertake inspection of the books of account, records,
documents and infrastructure, systems and procedures, or to investigate the affairs of a
depository, participant, beneficial owner, an issuer or its agent for any of the purposes specified
therein.
These provisions show the extensive authority and responsibility given to depositories to carry out
inspection in an intensive manner to prevent and detect system and operational failures and fraudulent
transactions. Further, the SEBI Act and the Depositories Act, in the interest of investors, empower SEBI to inter-alia
inspect the affairs of a depository or a participant. Depositories are also mandated to monitor
and supervise their DPs regularly so as to ensure that apart from potential fraud / irregularities
detection, various services rendered to investors are effectively and efficiently delivered by participants
in a cost effective manner.
The criticality of effective supervision through inspection came to the fore when IPO irregularities and
inadequacies of Depository Systems in the matter of dematerialization of DSQ shares were found and
the two member committee (Dr Mohan Gopal and Shri Leeladhar) formed to look into the said issues
observed that the inspections by depositories had failed to detect the fraud illustrating the inherent
weakness of the systems, procedures and practices in conducting inspections. The committee,
therefore, recommended review of the inspection system using suitable independent expert to develop
a revamped and strengthened inspection system.
Current Inspection Framework
The current inspection frameworks of SEBI and the depositories are described below.
Inspection of Depositories by SEBI
As per the inspection policy of SEBI, depositories are inspected annually. SEBI has a clearly laid down
inspection manual, approved by the Whole Time Member of SEBI, which is updated on a regular basis.
Besides annual comprehensive inspections, SEBI also conducts specific purpose inspections.
The objectives of the inspection of depositories are broadly to:
a) Examine whether the procedures and practices of the depository are in compliance with the
Depositories Act, 1996, SEBI (Depositories and Participants) Regulations, 1996, SEBI circulars,
the bye-laws etc.
b) Check whether the books of account are being maintained by the depository, in the manner
specified in SEBI (Depository and Participants) Regulations, 1996;
c) Look into the complaints received by depositories from participants, issuers, issuers' agents,
beneficial owners or any other person;
d) Assess whether the IT infrastructure including its security system are adequate with suitable
business continuity arrangements.
e) Check whether violations and deficiencies pointed out in the last inspection report have been
rectified and procedures and systems have been suitably modified/ enhanced so that the
violations and or deficiencies would not occur again.
The broad areas covered in the inspection are as under:
1. Organization Structure: Infrastructure, committees and their working, bye-laws of the
depositories, employees, compliance officer etc.
2. Administrative and Monitoring Control: Process flow and operational manual, cooperation with
other entities
3. Issuers / RTAs: Admission of issuer's security, administration of issuers of securities, RTAs,
allocation and activation of ISIN, reconciliation of issuers' records, corporate action.
4. Depository participants: Admission, renewal, withdrawal of participants, supervision &
inspection of participants
5. Operations : General operations of the depository
6. Systems Audit: Systemic issues of the depository
7. Financial Analysis: Financial performance, net worth, insurance, contingency funds etc.
8. Connectivity with other entities such as depository participants, clearing houses/corporations,
issuers, RTAs and stock exchanges
9. Other Aspects: Maintenance of books of accounts etc
10. Chinese walls in operations and systems between the capital market de/re materialization
related functions and non core activities undertaken by the depositories.
As per the existing procedure, SEBI calls for data from depositories through a pre-inspection questionnaire
and the same is analyzed manually. The data so analyzed enables SEBI to identify areas which need
greater focus and verification during on-site inspection. Any major observations noted during on-site
inspections are discussed with the management of depositories for their immediate information and
compliance. Further, periodic follow-up with the depositories is done till all pending observations are
fully implemented. The entire exercise, starting from pre-inspection data,
analysis of data, on-site inspection, preparation of report and follow-up with depositories, may take
up to 6 months. Since the entire process is manual and labor intensive with minimal usage of
technology, the time taken in certain cases may further increase depending on the number of inspecting
officials.
The current inspection methodology of SEBI is primarily compliance based wherein focus is on
ascertaining the compliance status of various guidelines and safeguards mandated by SEBI from time to
time.
Apart from inspection of depositories, SEBI also conducts annual inspection of DPs on selective basis and
such inspection is again primarily compliance based. Further, SEBI also receives monthly development
reports (MDR) from depositories which contain various details including number of routine / specific
purpose inspections of DPs conducted by them along with the name of the DPs and various actions /
penalties imposed by them.
Details of SEBI inspection of CDSL are as follows:

| Period of Inspection | Date of commencement | Nature of Inspection |
|---|---|---|
| August 2002- Jan 2004 | Feb 23, 2004 | Comprehensive Inspection |
| Feb/March 2004 – March 2005 | July 5, 2005 | Comprehensive Inspection |
| April 2005-March 2007 | March 26, 2007 | Comprehensive Inspection |
| N.A. | Oct 19, 2010 | Special purpose inspection to ascertain systems, processes and Inspection mechanism of Depository |
| April 2007- August 31, 2012 | Nov 23, 2012 | Comprehensive Inspection |

Details of SEBI inspection of NSDL are as follows:

| Period of Inspection | Date of commencement | Nature of Inspection |
|---|---|---|
| August 2002- March 2005 | April 28, 2005 | Comprehensive Inspection |
| April 2005-May 2007 | July 29, 2007 | Comprehensive Inspection |
| N.A. | Oct 11, 2010 | Special purpose inspection to ascertain systems, processes and Inspection mechanism of Depository |

The number of DPs inspected by SEBI from 2009-10 onwards is as follows:

| Year | 2009-10 | 2010-11 | 2011-12 |
|---|---|---|---|
| Number of DPs inspected | 9 | 11 | 13 |

The major findings of SEBI inspection of Depositories are as follows:

| NSDL | CDSL |
|---|---|
| NSDL monitors the exposure limit of SBDP on a weekly basis rather than on a daily basis as advised by SEBI. | As regards the process of appointment of system auditor, CDSL does not have a practice of obtaining a certificate from auditors towards conflict of interest. |
| NSDL admits issuers / companies who do not satisfy the eligibility criteria in certain cases even though the bye-laws and operating manual do not provide for the discretion to relax the conditions. | It is observed that CDSL does not confirm from the pledgee that the securities are available for pledge as stated in the Regulations. |
| It was observed from the data provided by NSDL that 7270 cases of rejections were reported, out of which 6345 were because of wrong DPID and 925 were for wrong client status in case of IPOs. | It was observed that there might be a case that even though the Depository provides training to two persons of inspecting firms, the inspections of RTAs/DPs might be carried out by persons who are not trained for carrying out the inspections by the Depository. |
| NSDL had not taken appropriate penal action against DPs for repetitive violations by DPs observed by them during inspections. NSDL's action has never gone beyond imposition of monetary penalties. | It was observed that the inspection report does not have any comment on the status of implementation of various circulars and communiqués issued by SEBI and CDSL to DPs/RTAs. |
| The Depository has not set any internal standards for the depository officials for preparation of the inspection report, for issue of letter of observation / first letter and for analysis of the reply submitted by the DP/RTA, i.e. for preparation of action and presenting the case to DAC etc. | The inspection reports are not analytical in nature. From the inspection report it is very difficult to draw a conclusion as it is in 'Yes' and 'No' format. |
| The inspection reports of the RTAs are in very standardized formats and they do not seem to be focusing on any specific areas of concern observed / identified by the different departments of the Depository. Further, it was observed that the inspection department of the Depository does not take any feedback from other departments such as operations, investor grievances etc. to analyze the areas which require more attention during the inspection. | It was observed that the DAC of the Depository had reduced the penalty levied for the violations pointed out in the inspection reports by 75%, which defeats the very purpose of having a penalty structure. |
| The inspection report does not have any comment on the status of implementation of various circulars and communiqués issued by SEBI and NSDL to RTAs. | During discussion with CDSL it was found that it takes two to seven weeks to update the net-worth records in the AVPS monitoring system after receipt of the net-worth certificate. |
| There were some cases where inspection reports were considered to be closed even when RTAs had not sent a compliance report to NSDL for the violations made in the inspection reports. There were as many as 25 such cases of RTAs observed during the period covered under inspection. | The reconciliation of capital is done at the RTA's end and not even inspected by the inspection team. This could lead to major issues of capital mismatch not coming to notice if the RTA commits any error of commission / omission or colludes with the issuer. |

In this regard, it is pertinent to mention that SEBI does not analyze the data which could be retrieved
out of MDRs or call for the inspection reports from the depositories on their findings about DPs and
therefore no cross verification of Depositories findings with SEBI's own findings seemed to have been
done.
In view of above, the committee has suggested:-
1. SEBI should revamp and then examine the information received through Monthly Development
Reports (MDRs) on a regular basis and SEBI should analyze the MDRs and convey their
observations / comments to the Depositories, specifically on findings of the inspection of DPs.
2. The critical observations of SEBI’s Inspection of DPs should be cohesive with the critical
observations of the DP inspection by depositories. In this context, the adequacy of inspection of
DPs by depositories needs to be checked by SEBI during its inspection of Depositories or
otherwise.
3. There should be an annual interface between SEBI and Depositories to review comprehensively
the inspection findings on the DPs and areas of repeat violations, non compliance, and overall
status of rectification.
4. Depositories should be inspected on an annual basis.
Inspection of DPs by Depositories
The DPs are inspected and supervised by Depositories in accordance with Depositories Regulations.
While these inspections are intended to be more comprehensive, it was observed that the current
process of inspection of DPs by the depositories is more of a checklist-based, labor-intensive process. The
committee was informed that inspection policy of depositories covers the following:
• Annual inspection of operations and system of every DP.
• Inspections are conducted by in-house audit team with a gap of 11-13 months between two inspections of the same DP.
• Inspection of new DP is conducted within 3 months of the date of commencement of its business.
• Period of inspection of a DP is generally the period from the last date of previous inspection till the end of the month immediately preceding the actual date of inspection.
Major areas that are looked into during the inspection of DPs by Depositories are:
• Account opening (KYC and In person verification), account modification, account closure
• Dematerialization / rematerialization, pledge/ unpledge, freeze / unfreeze of securities
• Issuance of DIS booklets & Execution of transactions
• Complaint handling
• The maintenance of all mandatory registers.
• Back office software
The DSRC and its sub-committee deliberated on the inspection process and the depositories were asked
to make a presentation regarding the inspection of their participants. It was noted that NSDL has 283
DPs with 320 DPMs and 5,000 service centers. Similarly, CDSL has 575 DPs, 222 branches and 13,000
service centers. It may be noted that branches are those DP offices which are connected live with
Depositories where as service centers are those offices of DPs which only act as investor service points
handling collection of forms, data, account opening & related in-person verifications, and complaints.
Yet, services centers are connected with the main office through back office system of DP. The service
centre enters the data which flows electronically to main office and the corresponding physical
applications are sent to respective main office / related branch which are then verified and stored.
The salient features of inspection of DPs by depositories are:
• Yearly inspections of all DPs and their live connected branches.
• Inspection of service centers of DPs is on a sample basis, which constitutes less than 5% of total service centers.
• Majority of non-compliances result in imposition of monetary penalty as a deterrent measure.
• The sampling policy is uniform across both the depositories and the sample selection is done automatically on the basis of information available with the depositories on various parameters in the following areas:
  o Account Opening and KYC Documentation
  o Account Modification
  o Dematerialization / Rematerialisation/ Repurchase
  o Issuance and Processing of DIS
  o Account Closure
  o Freeze/ Unfreeze
  o Pledge/ Unpledge/ Hypothecation/ Invocation
  o Transmission
  o POD for Transaction Statements
• The sampling is adaptive sampling based on the historical non-compliance data wherein sample size varies dynamically from one DP to other DP.
• The maximum sample size in any particular area is 1000 (irrespective of size of the portfolio - cumulative or incremental) which however, is doubled in case of repetitive violations.
• The penalties imposed are displayed on the website of the depositories.
• One of the important areas looked into during on-site inspection is verification of process of Delivery Instruction Slips (DIS) issuance and processing.
• Audit / verification of various back office checks mandated by depositories.
From the above, following is observed:
• Most of the DPs are registered as participants with both the depositories; therefore they are subjected to inspections by the depositories separately.
• By the very nature of their registration criteria, all DPs are carrying out other activities such as stock broking, banking, custodian, NBFC, RTA etc.
• Inspections are checklist based annual exercises focusing only on compliance.
• Inspections merely result in imposing monetary penalties rather than rectifying and improving the systems, process and procedures.
• The frequency of inspections is the same irrespective of size, nature and risk profile of DPs.
• All service centers are not inspected by the depositories.
• Depositories do not have details of the DIS booklets issued by DPs to their BOs which get verified only at the time of on-site inspection resulting in loss of man hours and resources.
• Depositories do not have all the information available in the back office of DPs with them such as DIS numbers, mapping, KYC documents, account details, etc.
Having regard to the number of DPs and their service centers, the volumes transacted, the nature and extent of
non-compliance, the complaints, etc., the inspection process is sought to be revamped with the following
suggestions:
• The inspections should be risk oriented and the inspection reports should not only identify risk areas but should also proactively suggest risk mitigation.
• Consolidated / integrated risk based inspection framework for joint inspection of DPs by both the depositories.
• The pre and post inspection process of DPs and their service centers should be automated through usage of appropriate technology so as to make it more quality oriented and less labor intensive which will ultimately enhance the productivity of inspection process. There should be architecture for facilitating the system generated flow of information/ data required for regulatory oversight and / or routine review either on line or in batch mode on prescribed frequency.
• Alternatively, if such close inspection / oversight modality is not possible directly by Depositories through their own personnel, the possibility of outsourcing service centre inspections through accredited / duly empanelled external audit firms may be explored.
• There should be disclosures in the annual report of depositories regarding inspections conducted, major findings and various actions taken pursuant to inspections.
• Classifying DPs into risk buckets with appropriate risk weights for the purpose of rating of DPs. Further, for the categorization of risks, relative weights should be derived and more weights should be assigned to the operational aspects with provision for triggers on slippages.
• There should be an annual interface between Depositories to review comprehensively the inspection findings on the DPs and areas of repeat violations, non compliance, and overall status of rectification.
• Both depositories should have uniform penalty structure so that DPs do not take advantage of regulatory arbitrage.
Integrated risk based inspection framework
In the aftermath of the financial crisis, the Financial Stability Board (FSB) and the G20 Leaders
identified the need for more intense and effective supervision, particularly of systemically important
financial institutions (SIFIs), as weak risk controls at financial institutions are still being witnessed. Some
of the entities registered as DP may be SIFIs. Therefore, keeping in view the global focus on effective
supervision of SIFIs, sharing of information on all activities undertaken by SIFIs regulated by various
authorities needs to be encouraged for improvement in supervision to ensure that it is effective,
proactive and outcomes-focused.
If the above suggestions are implemented, they may strengthen the existing inspection framework
at the end of depositories. Further, there is a need to provide special attention to those DPs who are
also engaged in various other activities (some of which are risky in nature) apart from acting as DPs.
Such DPs may be subjected to more frequent inspections / monitoring in order to avoid and / or detect
any irregularities / fraud or early warning signals hinting at possible failure which, if they go undetected, may
affect the confidence of the investors and also threaten the integrity of depositories.
The aforesaid potential risks threatening the effectiveness of the depository system as a whole call for
having a consolidated / integrated risk based inspection framework for joint inspection of operations of
DPs which are registered on both depositories and have a large number of BO accounts and custody
value. Further, it will also be useful and meaningful for SEBI and depositories to identify and effectively
monitor such DPs which are perceived to be risky on the basis of various parameters like compliance
level, quality of management, and complaints. It will also make it possible to monitor whether DPs have
information security, business continuity and disaster recovery plans in place. These checks will ensure
that connectivity between depositories and other market infrastructure institutions' services is not
disrupted and various services to investors are effectively delivered at all times.
Risk Modeling and DP rating
Risk is normally defined as an exposure to the possibility of loss, injury, or other adverse or unwelcome
circumstance; a chance or situation involving such a possibility. ISO defines risk as an effect of
uncertainty on objectives; these uncertainties include events that may or may not occur and
uncertainties caused by ambiguities and lack of information. Unmanaged risk can prove disastrous and
the recent global crisis is a testimony of this fact. Therefore, for survival, it becomes imperative to
understand the risks and to learn to manage them.
Understanding of the risks involves awareness of risks; known risks - that can be identified and
measured (through quantitative analysis), unknown risks – which can be identified but cannot be
measured (through qualitative analysis), and unknowable risks – which cannot be identified.
Risk management, therefore, must include a blend of quantitative and qualitative analysis to provide a
high level of insight and consistent communication to management of evolving conditions enabling the
firm to respond effectively to emerging opportunities and risks. Further, risk management must also
include stress testing and scenario analysis to supplement the risk model outputs so as to factor in the
risks arising from rare but plausible events.
The current system of inspection of DPs by depositories has a policy of annual inspection focusing on
compliance rather than risk. Given that DPs apart from acting as DPs also concurrently undertake
various other activities, it will be appropriate to assess the risk on a holistic basis with focus on risk
based inspection and develop a risk model for the DPs. The risk model should include both quantitative
factors and qualitative factors to objectively assess and measure the risk profile of the DPs. Also, when
both securities and monies are handled under one roof / management there is a greater need to have
risk based supervision so as to ensure that possible failure / insolvency / fraud by such systemically
important institutions is detected well in advance, which will in turn uphold the integrity of the financial
system.
Some of the other activities undertaken by DPs are regulated by SEBI (stock broker, custodians, RTAs, etc)
and some activities (NBFC / Banks) are regulated by RBI. These activities have inherent risks associated
while dealing in their capacity as Banks / NBFC/ brokers / Custodians / RTAs etc, which can have an
impact directly or indirectly on the functioning or overall assessment of risk profile of a DP. In case both
primary and other activities (stock broker / custodian / RTAs) undertaken by DPs are regulated by SEBI,
the associated risk profile of such entities needs to be seen together in order to have a better understanding
of the overall risk profile and the systemic risk that such entities could pose to market integrity. This line of
thinking gained traction in the aftermath of the financial crisis, wherein the Financial Stability Board (FSB)
and the G20 Leaders identified the need for more intense and effective supervision, particularly of
systemically important financial institutions (SIFIs), as weak risk controls at financial institutions are still
being witnessed. Further, sharing of information regarding all activities undertaken by SIFIs regulated by
various authorities needs to be encouraged for improvement in supervision to ensure that it is effective,
proactive and outcomes-focused. Out of all categories of DPs registered with SEBI, activities like stock
broker, custodian, clearing house and RTA are also regulated by SEBI. Relevant information regarding
the same can be made available by Stock Exchange / SEBI wherever applicable. Therefore, it will be
appropriate to incorporate this parameter in the proposed risk model so as to have an overall assessment
of the entity.
In order to formulate a risk model, the various risks emanating from activities undertaken by DPs need to be
identified and measured. Thereafter, these risks may be continuously monitored so as to take various
measures to mitigate / insulate such risks. For this exercise to be effective, it is essential to categorize all
activities handled into core and critical activities and carry out a risk matrix. With a view to understanding the
system, the depositories were advised to submit the list of activities which they perceive as risky from
their perspective taking into account all the complaints and inspection observations.
On the basis of the submitted information, it is noted that depositories categorize the activities which
have 100% internal / concurrent audit and where penalties were levied as high risk, the other activities
where penalties were levied are categorized as medium risk and those activities where minor deviations
are observed are categorized as low risk.
In view of the above, various activities which are perceived to be risky are as under:
1. Account Opening / KYC - The major risk associated with this activity is the opening of fictitious accounts.
2. DIS issuance & processing / Unauthorized Transfer - Lack of monitoring / supervision of this activity may lead to a situation where securities lying in the BO accounts could be moved unauthorized (without the knowledge of BO holder) by the DP which can seriously jeopardize the integrity of depository system and thereby damage the confidence of investors.
3. Trading of unlisted shares - Reconciliation of shares (Physical + electronic shares) of both depositories must ensure that shares more than issued capital do not float in the market.
4. Pledge / un-pledge of shares – Particularly such cases where promoters were able to pledge same shares with various entities.
5. Complaints handling – Types and instances of complaints can point to various inadequacies in the system
6. Power of Attorney - Since a power of attorney gives the legal right to use the demat account, there is a risk of usage of securities to derive gains for POA holders, at the cost of the beneficial owner.
7. Non core activities - Risks emanating from other activities undertaken by the depository which are not in the domain of securities markets can permeate into the core activities of the depository.
The low risk activities are as under:
1. Demat / remat
2. Issue of transaction statement
3. Closure of accounts
4. Inter-depository transfers
Complaints received in the system form an integral part of the market intelligence systems through
which various risks / irregularities / fraud come to the notice of regulators. The analysis of complaints
data provides vital information regarding the quality of services provided to investors by the DPs and
also provides information regarding unauthorized usage of securities / manipulation. Therefore, the
complaints received against the DPs as available in SCORES database of SEBI were analyzed on the basis
of category of complaints and number of complaints which is given below:
Sr. No | Category of complaints | Total complaints received since June 2010 till date
1 | Others (Miscellaneous) | 704
2 | Non closure/ delay in closure of account | 425
3 | Wrong/ Excess Charges | 371
4 | Unauthorized Transaction in account | 245
5 | Manipulation | 185
6 | Delay in Dematerialization request processing | 147
7 | Delay in / Non-Execution of DIS | 135
8 | Non-updation of changes in account (address/ signatories/bank details/ PAN/ Nomination etc.) | 111
9 | Delay in/ Non-Receipt of Statements from DP | 101
10 | Charges for Opening/closure of Account | 84
11 | Non acceptance of DIS for transfer | 72
12 | Delay in Issuance / Re-issuance of DIS Booklet | 64
13 | Transmission related | 61
14 | Deactivation/ Freezing/ Suspension related | 58
15 | Delay in/ Non-Receipt of Original certificate after demat rejection | 52
16 | Discrepancy in Transaction statement | 51
17 | Non Acceptance of demat/remat request | 44
18 | Delay in activation/ opening of account | 37
19 | Unauthorized changes in account (address/ signatories/bank details/PAN etc.) | 33
20 | Closure of account without intimation by DP | 30
21 | Denial in opening an account | 21
22 | SMS related | 20
23 | Non receipt of Account Opening Kit | 17
24 | Insistence on Power of Attorney in favor of DP | 15
25 | Account opened in another name than as requested | 13
26 | Pledge related | 12
27 | Non Receipt of copy of DP Client Agreement/Schedule A of Charges | 11
28 | Delay in Rematerialization request processing | 10
29 | De-freezing related | 9
30 | Charges paid, but not credited | 8
 | Grand Total | 3146
From the above table it can be observed that majority of the complaints relate to:
Unauthorized transactions in accounts and manipulation
Improper services rendered such as Non closure/ delay in closure of account, Wrong/ Excess Charges, Delay in / Non-Execution of DIS, Non-updation of changes in account (address/ signatories/bank details/ PAN/ Nomination etc.), Delay in/ Non-Receipt of Statements from DP, Delay in Dematerialization request processing, etc.
Hence, it will be appropriate that complaints database as available at the end of depositories be extensively and effectively used for the purpose of quantitative analysis in the risk model wherein appropriate weights be derived for activities based on number of complaints received.
However, there may still be certain risks associated with the activities and their related processes and procedures which can go unnoticed and continue to be in the system, if no complaint is received related to those areas. In this regard, the inspections conducted by regulators help in identifying / detecting such risks, if any, and take proactive / preventive steps to mitigate these risks. Therefore, instances of inspection observations related to inadequacies noticed in the various activities and their related processes and procedures also need to be used for the purpose of quantitative analysis in the risk model. Based on the same, appropriate weights may be derived for such activities.
As explained earlier, there are various unknown risks associated with any system and those risks are covered through qualitative analysis. Hence, it is imperative to include qualitative factors in the risk model to arrive at the total risk score. The qualitative factors may include governance in terms of corporate as well as IT governance, management quality & capacity, reputation & goodwill, efficiency & economy of services rendered, etc.
In view of the above, it is suggested to develop a risk model on the lines as indicated below:
1. Assignment of weights – Depositories may assign weights for various activities taking into consideration following factors:
a. Category of registrations as DPs – eg. Different weight for a stock broker DP as compared to a bank DP
b. Size of operations - Different weight for a big DP (value of custody, no of BOs and no of services centers) as compared to a smaller DP for a particular activity
c. Repetitive violations of the same kind to result into a higher weight being assigned to the respective activity.
d. Technological glitches in the past at the end of DPs
e. Quality of back office systems of DP.
2. Calculation of Complaint Weight
Type & nature of complaint | Weight (A) | No of Complaints Received during the period covered under inspection (B) | Complaint score CW = A x B
1. Account Opening Related
a) Denial in opening an account
b) Account opened in another name than as requested
c) Non receipt of Account Opening Kit
d) Delay in activation/ opening of account
e) Non Receipt of copy of DP Client Agreement/Schedule A of Charges
Total Weight for Account Opening Related Issues
2. Demat/Remat Related
a) Delay in Dematerialization request processing
b) Delay in Rematerialisation request processing
c) Delay in/ Non-Receipt of Original certificate after demat rejection
d) Non Acceptance of demat/remat request
Total Weight for Demat/Remat Related
3. Transaction Statement Related
a) Delay in/ Non-Receipt of Statements from DP
b) Discrepancy in Transaction statement
Total Weight for Transaction Statement Related
4. Improper Service Related
a) Insistence on Power of Attorney in its favour
b) Deactivation/ Freezing/ Suspension related
c) Defreezing related
d) Transmission Related
e) Pledge Related
f) SMS Related
g) Non-updation of changes in account (address/ signatories/bank details/ PAN/ Nomination etc.)
Total Weight for Improper Service Related
5. Charges Related
a) Wrong/ Excess Charges
b) Charges paid but not credited
c) Charges for Opening/closure of Account
Total Weight for Charges Related
6. Delivery Instruction Related (DIS )
a) Non acceptance of DIS for transfer
b) Delay in/ non Execution of DIS
c) Delay in Issuance / Reissuance of DIS Booklet
Total Weight for Delivery Instruction Related (DIS )
7. Closure
a) Non closure/ delay in closure of account
b) Closure of a/c without intimation by DP
Total Weight for Closure
8. Manipulation/ Unauthorized Action
a) Unauthorized Transaction in account
b) Manipulation
c) Unauthorized changes in account (address/ signatories/bank details/PAN etc.)
Total Weight for Manipulation/ Unauthorized Action
9. Company/ RTA related
a) Action – Cash
b) Action – Non–Cash
c) Initial Public Offer/ Follow-on Public Offer Related
Total Weight for Company/ RTA related
10. Others
3. Sample Selection Guidelines
A sample selected for an activity will depend on the nature of that activity and the non-compliances
observed in the past inspection of the DPs. Initially a base sample is determined based on the activity
and has a cap of 2000. This base sample is then multiplied by a factor dependent on the DP Risk Rating
to arrive at a Final Sample size. The final sample size has a cap of 6000 samples.
1. General Guidelines
The sample selection for account opening should cover all categories of clients such as individuals, HUF, Corporate, FIIs etc. Account Opening Forms (AOF) relating to FIIs should be checked on a 100% basis.
A. Account Opening
Base sample size: 5% of AOF or 150 AOFs whichever is higher with a maximum cap of 2000 accounts.
The sample selected should maintain the proportion of new accounts opened in each category.
Final Sample Size: The sample size is also dependent on past rating of DP. The following multipliers should be implemented in order to determine final sample size for the current inspection
DP Rating Multiplier
High risk 3
Medium High risk 2
Medium risk 1.5
Low risk 1
B. DIS Execution
Base sample size: 10% of DIS or 200 DIS whichever is higher with a maximum cap of 2000 DIS.
Final Sample Size: The sample size is also dependent on past rating of DP. The following multipliers should be implemented in order to determine final sample size for the current inspection
DP Rating Multiplier
High risk 3
Medium High risk 2
Medium risk 1.5
Low risk 1
Intra Depository Transfers (IDT) samples will be 5% of the total samples verified for DIS.
Out of total intra depository instructions to be verified, the percentage of on and off market instructions would be in the ratio of 1/3 and 2/3.
DIS issuance sample will be 5% of the total samples verified.
C. Demat / Remat / Pledge / Unpledged Samples
5% of Demat / Remat / Pledge / Unpledged Samples processed or 100 requests whichever is
higher with a maximum cap of 500 demat requests.
D. Base Sample Size for Client master Changes Samples and other miscellaneous areas
Address change samples=50
o 1/3rd of the samples should be from Urban, Semi Urban and Rural Areas
Nomination Change samples=25
Signature change Samples=100
Addition/Deletion/Modification of POA = 100
Addition or deletion of authorized signatories of POA=100
Freeze Samples=50
Unfreeze Samples=100
Bank Details Change Samples=100
PAN modification samples=100
Account closure initiated by clients=25
Closure initiated by DPs=25
Demat rejection=30
Statement of Transactions=25
Slip issuance/ validation and Blocking=100
Change in e-mail Id=50
Change in mobile number=50
Change in SMS flag=50
Change in standing instruction flag=50
Transmission Samples=50% of total samples
Last visit compliance=100% of total samples
The final sample size should be arrived at after multiplying with the respective multiplier
corresponding to the DP Risk Rating.
E. Investor grievance Samples
100% of investor complaints or 100 investor complaints whichever is lower. The sample should
include 25% representations of complaints on following types
Unauthorized transactions
DIS related complaints
Delay in opening / closure accounts
Excessive charges
F. Other Aspects
A uniform Base sample size of 100 should be adopted in case of all other activities. In case of the total number of samples being less than 100 then 100% of the samples should be verified.
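The arithmetic of the Sample Selection Guidelines above, worked through in Python as an added example that is not part of the committee's report. Rounding fractional samples up, never sampling more items than exist, counting the 100% FII check inside the final sample size, the largest-remainder split across client categories, and all function names are assumptions of this example.

```python
"""Added example: sample-size arithmetic from the Sample Selection Guidelines."""
import math
from fractions import Fraction

# (percent of population, minimum, base cap) per activity, as stated in the guidelines.
ACTIVITY_RULES = {
    "account_opening": (5, 150, 2000),
    "dis_execution": (10, 200, 2000),
    "demat_remat_pledge": (5, 100, 500),
}
# Multipliers by past DP rating; exact fractions avoid float rounding surprises.
RATING_MULTIPLIER = {
    "High risk": Fraction(3),
    "Medium High risk": Fraction(2),
    "Medium risk": Fraction(3, 2),
    "Low risk": Fraction(1),
}
FINAL_SAMPLE_CAP = 6000  # overall cap on the final sample size


def base_sample(activity, population):
    """Base sample: pct% or the minimum, whichever is higher, up to the base cap."""
    pct, minimum, cap = ACTIVITY_RULES[activity]
    pct_part = -(-population * pct // 100)  # integer ceiling (assumption: round up)
    size = min(max(pct_part, minimum), cap)
    return min(size, population)  # assumption: cannot sample more than exist


def final_sample(activity, population, rating):
    """Final sample: base sample times the rating multiplier, capped at 6000."""
    scaled = math.ceil(base_sample(activity, population) * RATING_MULTIPLIER[rating])
    return min(scaled, FINAL_SAMPLE_CAP, population)


def idt_split(dis_samples):
    """IDT samples are 5% of the DIS samples, split 1/3 on-market, 2/3 off-market."""
    idt = -(-dis_samples * 5 // 100)
    on_market = idt // 3  # assumption: the odd remainder goes to off-market
    return {"idt": idt, "on_market": on_market, "off_market": idt - on_market}


def allocate_account_opening(opened_by_category, rating):
    """Spread the account-opening sample across client categories.

    FII forms are checked 100%; the rest of the final sample keeps the
    proportion of new accounts opened in each remaining category.
    """
    total = sum(opened_by_category.values())
    target = final_sample("account_opening", total, rating)
    fii = opened_by_category.get("FII", 0)
    others = {k: v for k, v in opened_by_category.items() if k != "FII" and v > 0}
    others_total = sum(others.values())
    remaining = max(target - fii, 0)
    plan = {"FII": fii} if fii else {}
    if not others_total:
        return plan
    # Largest-remainder method: whole shares first, then one extra form each
    # to the categories with the biggest fractional remainders.
    shares = {k: divmod(remaining * v, others_total) for k, v in others.items()}
    plan.update({k: whole for k, (whole, _) in shares.items()})
    leftover = remaining - sum(whole for whole, _ in shares.values())
    by_remainder = sorted(shares, key=lambda k: shares[k][1], reverse=True)
    for k in by_remainder[:leftover]:
        plan[k] += 1
    return plan


if __name__ == "__main__":
    # Constructed figures for one DP rated "Medium risk" at its last inspection.
    opened = {"Individual": 9000, "HUF": 600, "Corporate": 380, "FII": 20}
    print(allocate_account_opening(opened, "Medium risk"))
    dis = final_sample("dis_execution", 3000, "Medium risk")
    print(dis, idt_split(dis))
```
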
4. Calculation of Inspection Weight
Activities and their processes & procedures | Weight (A) | (No of Instances) / Sample size (B) | Inspection Score IW = A*B
A Account Opening
1 Proof of identity, proof of address and other KYC document is not collected
2 Correspondence address of third party is accepted, without adhering to the guidelines prescribed.
3 PAN is not obtained for all the accounts, wherever applicable
4 PANs are not verified with the database of Income Tax Department and stamp of "PAN Verified" is not affixed on the photocopy of the PAN card(s) for all the accounts
5 Copies of all the documents submitted by the applicant are not self-attested
6 Copies of all the documents submitted by the applicant are not accompanied with originals for verification / properly attested by entities authorized for attesting the documents.
7 Cases where 'in - person' verification of the account holders is not done before activation of the account as per guidelines
8 Cases where prescribed DP – Client agreement has not been executed for all the accounts
9 Cases where a separate DP – Client agreement has not been executed with clients who want to hold warehouse receipts in their account
10 Cases where data entered in DPM system does not match with the details mentioned in the account opening form
11 Cases where signature of account holder(s) as given in the account opening form has not been scanned in the DPM system clearly and correctly.
12 Cases where all KYC application forms and account opening forms are not completely filled
13 Cases where KYC application form and supporting documents of the clients have not been sent to KRA within 10 working days from the date of execution of documents by clients.
14 Cases where Participant has not uploaded existing clients' KYC data on KRA system and sent KYC documents to KRA as per SEBI guidelines.
15 Cases where Participant has not used the KYC data of a client obtained from the KRA only for the purposes it is meant for.
16 Cases where account is opened with suffix HUF or in the name of firm.
17 The information on Financial Status and Nature of Business of clients is obtained in the account opening Form.
18 If the DP has opened any PMS Demat account, DP ensures the compliance of communiqués issued by Depositories.
19 There is adequate mechanism to ensure that the details of account opening forms are entered correctly in the Depositories.
20 Validation on PAN format i.e. 5 characters, 4 numbers & 1 character.
21 Guardian details are mandatory for Minor BO.
22 Joint holders In case of a minor account.
23 In case of Minor turning major, a report is generated one month before minor turns major and on the date of minor turning major, account is frozen for debit by Depositories.
24 Joint holders are allowed in case of HUF account
25 Account is activated only before capture of signature.
26 Authorized Signatory is missing
27 Nomination is allowed only for accounts of category other than individual.
28 Bank details are missing if ECS flag is activated.
29 Power of attorney is mandatory for margin trading accounts.
Total Weight for Account Opening
B Client Data Modification
1 Cases where clients' request for changes in data (e.g. address, signature, bank details, nomination closure / freezing / unfreezing of account) have been processed as per prescribed procedure?
2 Modification to account details is done only after accepting account modification form/letters duly signed by BO and the same is updated in Depository Software.
Total Weight for Client Data Modification
C Demat / Remat / Conversion / Reconversion request
1 Cases where demat / conversion requests have been accepted and processed not as per the prescribed procedure
2 Cases where date of receiving the demat / conversion request and date of forwarding the documents to Issuer / Registrar & Transfer Agent has not been recorded correctly
3 Cases where demat / conversion requests received have been sent to Issuer / Registrar & Transfer Agent not within seven days from the date of receipt of the request from the account holder
4 Cases where sufficient provisions / arrangements for safe keeping of security certificates received from account holders for dematerialization and certificates received after rejection of the demat request from Issuer / Registrar & Transfer Agent is not maintained
5 Cases where demat / conversion request was rejected due to error attributable to Participant
6 Cases where the Participant has not taken necessary corrective and preventive measures to avoid rejections attributable to Participant
7 Cases where remat / reconversion requests have been accepted and processed not as per the prescribed procedure
8 In case of demat account closure / shifting of the demat account from one DP to another, DP has complied with the procedure of refunding AMC for the balance quarter/s, in case the same is collected upfront on annual/half yearly basis.
9 In case of accounts being shifted from one DP to another by using Account Transfer option in the Transfer/Transmission module or where waiver has been claimed for inter depository transfer, the procedure prescribed in this regard has been followed
10 Register of documents received and sent for dematerialization is maintained.
11 Securities for dematerialization to Registrar & Transfer Agents / Issuers are sent after defacing and mutilating the certificates.
12 The Demat requests are accepted and processed as per procedure laid down by Depositories
13 Demat requests received from BOs are sent to the Issuer/ RTA/AMC within seven days from the date of receipt of demat request.
14 There is a proper procedure for recording of demats dispatch details such as dispatch ref. no., dispatch date, name of courier etc.
15 In case of demat/remat requests rejected due to the errors attributable to the DP, corrective actions are taken so that such instances are not repeated in future.
16 The certificates along with rejection letters are returned to the concerned BO within 7 days of receipt of the same from the RTA.
17 Proper records of dispatch such as DRN, dispatch ref no., dispatch date, name of courier / signature of BO are kept.
18 DP has a system of inward of Demat request (DRF)/MF DRF received which clearly gives information about date of receipt of DRF from BO.
19 ISIN is invalid and/or inactive.
20 BO is not active.
21 Demat request cannot be set from CM settlement accounts.
22 Demat cannot be setup if BO is frozen for credit/ both.
23 BO should belong to same DP or its Sub DP.
24 A letter is generated by the system after creation of demat request addressed to the RTA of the ISIN
25 Balance should exist in BO account.
26 ISIN should be active.
27 BO inactive.
28 BO is not of same DP or its Sub DP.
29 Proper balance type (Free / Lock in) is not selected.
30 A letter is generated by the system after creation of remat request addressed to the RTA of the ISIN.
Total weight for Demat / Remat / Conversion / Reconversion request
D Delivery Instruction Slip (DIS)
1 There is proper inventory control mechanism for instruction slip booklets.
2 The physical inventory is tallied with the inventory records at prescribed intervals.
3 The first instruction slip booklet is being issued as per the procedure prescribed for the same.
4 There is system to issue delivery instruction booklets to the BOs based ONLY on the requisition slip which forms part of the earlier issued instruction slip booklet.
5 Requisition slip has preprinted instruction slip serial number range of the booklet of which it forms a part.
6 If any instruction slip booklet is not issued on the basis of requisition slip, the proper procedure prescribed is followed.
7 There is control over issue of instruction slips to the BOs e.g. proper records of instruction slip serial numbers vis-à-vis account number.
8 Provision for blocking of DIS sr. numbers which are already used is existing.
9 The DP has not issued more than 10 loose DIS to any account holder in a financial year (April to March)
10 The DP has complied with the procedure for initiation of closure / transfer of balances / rematerialisation within 2 days of receipt of account closure request, in case of account closure initiated by BO.
11 The off-market and inter depository instructions are executed in Depository Software as per the execution date written by the BO.
Total weight for Delivery Instruction Slip (DIS)
D(A) Issuance of DIS
1 Cases where issuance of DIS or loose DIS to account holder is not done as per prescribed procedure.
Total weight for Issuance of DIS
D(B) Verification of DIS
1 Cases where date and time stamp is not affixed on the DIS received
2 Cases where Participant has not affixed 'late stamp' on DIS received beyond the prescribed deadline time
3 Cases where Participant has not verified that the DIS received from client was actually issued to same client ID.
4 Cases where serial number of all the executed DIS(s) (irrespective of whether executed through back office or directly in DPM system) and DIS(s) reported as lost / misplaced / stolen by the account holder are not blocked in the back office or in the DIS issuance register to prevent any re-acceptance
5 Cases where DIS(s) given by account holder are not available for all instructions executed in DPM system (instruction other than those given by account holders through Speed-e / electronically)
6 Cases where signature(s) on DIS does not match with the signature(s) scanned in the DPM system
7 Cases where corrections / cancellation on DIS, if any, are not authenticated by the client (all holders for joint accounts)
8 Cases where Participant accepts instructions by fax from account holder and does not adhere to the guidelines
9 Cases where Participant is accepting delivery instruction in form of an annexure to a DIS, and it is not done as per the prescribed procedure
10 Cases where information under columns "Consideration" and "Reason / Purpose" are not mentioned for off market instructions.
11 Cases where maker - checker system to process the instructions is not followed.
12 Cases where additional level of verification for high value and dormant instructions is not there.
13 Cases where instructions executed in the DPM system are not as per DIS
14 Cases where Participant accepts instructions in electronic form which is not as per the procedure
Total weight for Verification of DIS
E Transaction
1 BO not of same DP or SUB DP
2 Settlement ID is missing for transaction from or to CM account.
3 Debit Transaction is allowed if Seller BO is frozen for Debit / Both.
4 Credit Transaction is allowed if Buyer BO is frozen for Credit / Both.
5 Transaction can be setup even if balance is not present in account at the time of setup. The transaction (off-market) will be in overdue status till sufficient quantity is received and if not available on EOD of execution date, the transaction will fail.
6 If Confirmation waiver flag is “Y” then no need for buyer BO to enter buy transaction.
7 Future dated transactions setup more than 10 days.
8 ISIN is invalid and/or inactive.
9 A report on high value transactions is not generated
10 A report on transactions taken place in dormant accounts is not generated
11 Buyer BO account is inactive.
12 Other than free balance is transferred.
Total weight for Transaction
F Transaction Statement
1 Cases where TS generated from back office does not match with statement generated from DPM system, or cases where transaction statements are not provided to the account holders as per prescribed frequency
2 Records for transaction statements provided to BO, giving details such as account number, date of dispatch; period for which the statement was dispatched etc. is maintained.
Total weight for Transaction Statement
G Compliance under Prevention of Money Laundering Act, 2002 (PMLA)
1 Cases where Participant has not adopted a policy to comply with its obligations under PMLA
2 Cases where Participant has not complied with all the policies and procedures as prescribed under PMLA Act, 2002 and SEBI guidelines such as customer due diligence, suspicious transaction monitoring and reporting, record keeping etc.
3 Cases where Participant has not appointed a 'Principal officer' as required under PMLA
4 Cases where there is no mechanism to deal appropriately with the alerts provided by Depositories
5 Cases where suspicious transaction is reported to FIU and not informed to Depositories
Total weight for Compliance under PMLA
H Maintenance of record and documents
1 Cases where Participant has not informed Depositories about place(s) of record keeping
2 Cases where Participant has outsourced record keeping activity (partly or fully) in contradiction to prescribed guidelines.
Total weight for Maintenance of records and documents
I Service Centre
1 Service centre (whether offering the services as a DPM setup, branch, franchisee, collection centre, drop box centre or called by any other name)
2 Cases where Depositories’ approval has not been obtained for all the service centres opened during the audit period
3 Cases where prescribed procedure has been followed for any service centre closed / terminated during the audit period.
4 Cases where data of all the service centres (DPM setup, branch, franchisee, collection centre, drop box centre or called by any other name) displayed on the Depositories website is not updated and correct
5 Cases where NCDO / NISM / NCFM qualified person in Depository operations is not appointed at each service centres (DPM setup, branch, franchisee, collection centre or called by any other name except drop box centre)
Total weight for Service Centre
J Status of compliance for deviations / observations noted in last inspection
1 Cases where Participant has not complied with all the deviations noted during last inspection conducted by Depository
Total weight for Compliance status
K Miscellaneous areas
1 Cases where transmission cases have not been processed as per prescribed procedure
2 Cases where Participant has not collected requisite documents to claim waiver of settlement fees
3 Cases where Power of Attorney documents are not duly executed and the same have been entered into DPM?
4 Cases where all investors' grievances have not been redressed as per the procedure and within the stipulated time
5 Cases where pledge and hypothecation instructions are not processed as per prescribed procedure
6 Cases where Participant has not executed software utilities provided by Depositories on a monthly basis and taken appropriate action in respect of the exceptions identified
7 Cases where forms in use for various activities are as prescribed
8 Cases where any supplementary agreement / letter of confirmation / power of attorney obtained / executed with account holder which are in contravention to prescribed DP - Client agreement / Depositories guidelines
9 Cases where Internal Audit Report / Concurrent Audit Report is not submitted in the prescribed format within the stipulated time period
10 Cases where Internal audit report / Concurrent audit report submitted without inclusion of management comments for deviations noted by auditors or not providing compliance duly certified by auditors on the observations made by the Depository
11 Cases where non-submission of net worth certificate based on the audited annual accounts by the Participants in the prescribed format for 31st March within prescribed time limit.
12 Cases where non-submission of annual financial statement within the prescribed time limit
13 Cases where non filing of information sought by Depository either periodically or specifically through circulars / letters etc.
14 Cases where Half yearly Compliance certificate is not submitted within the stipulated time.
15 Cases where client grievances (except disputes /court cases) is not redressed within 30 days.
16 Cases where non-submission of monthly report of Client Complaints
Total weight for Miscellaneous areas
L System areas
1 Cases where hardware and software installed on machines used for depository operations are not as per the specifications mentioned in the latest Form B submitted to Depositories
2 Cases where updated antivirus is not installed on the server and all the client machines
3 Cases where ASR set is not prepared as per prescribed guidelines
4 Cases where robocopy feature is not working on one client machine
5 Cases where all the software installed on server and client machines are not licensed
6 Cases where RAID has not been configured as per the prescribed guidelines
7 Cases where database reorganization and shrinking are not done as per the prescribed guidelines
8 Cases where scheduled switch to fallback connectivity is not done and the record thereof is not maintained
9 Cases where all the hardware / equipments used for depository operations are not covered under AMC / warranty?
10 Cases where adequate physical and logical access restrictions for usage of system are not in place
11 Using the DPM system for any other purpose or loading any other software or alteration of parameters / configuration / software other than DPM application software / prescribed system software found loaded in the system.
12 Back office software has been installed in Main DP /Live connected branch DP.
Total weight for system area
M POA
1 DP has mandatorily registered the BO for SMS Alert facility, at the time of setting up POA.
2 POA in favor of a stock broker DP contains clauses as per SEBI guidelines.
3 Power of Attorney (POA) documents are duly executed as per SEBI guidelines and the same have been appropriately entered into Depository Software.
4 Power of Attorney register is maintained
Total weight for POA
N Inter depository Transfers
1 ISIN is not active and not present on both the depositories.
2 BO ID is suspended, inactive or closed.
3 BO does not belong to same DP or its Sub DP.
4 Settlement ID is mandatory if transfer is from or to a CM account.
5 Transaction can be for current date or for future date.
6 Only free balance can be transferred.
7 Inter depository transaction can be setup even if balance is not present in account at the time of setup. The transaction will be in overdue status till sufficient quantity is received and if not available till inter depository cutoff time on execution date, the transaction will fail.
Total weight for Inter depository transfers
O Account Transfer
1 Other than free balance is transferred.
2 Both the accounts do not have same product and category.
3 BO account status not changed to “To Be Closed” even if transfer request fails.
4 Both BO’s are not with any DP’s of depositories.
5 Transferor BO account is not closed automatically after the transaction is executed.
6 Account Transfer is charged.
Total weight for Account Transfer
P Transfer and Transmission
1 Only free balance can be transferred.
2 Transferee BO account should be active.
3 Transferor BO account is not closed automatically after the transaction is executed.
4 Transactions in Transfer & transmission are charged.
Total weight for Transfer and Transmission
Q Early Pay-in
1 BO ID is suspended, inactive or closed.
2 BO should be of same DP or SUB DP.
3 Instruction cannot be set up from CM payout account for BSE.
4 Future dated transactions can be setup for settlement ids in next 7 days.
5 CM does not belong to the exchange.
6 CMID is inactive.
7 Settlement ID does not belong to exchange id.
8 Settlement ID is past dated.
9 BO ISIN has insufficient balance.
10 For CM accounts balance does not exist in respective settlement pocket.
Total weight for Early Pay-in
R BO Obligation
1 BO ID is either suspended, inactive or closed.
2 BO is not of same DP or SUB DP.
3 Future dated transactions are setup for settlement ids in time more than next 7 days.
4 CM does not belong to the exchange for which the BOC is being set up.
5 CMID is inactive.
6 Settlement ID does not belong to exchange id.
7 Settlement ID is past dated i.e. pay-in / Payout is over for the settlement.
Total weight for BO Obligation
S Pledge
1 Pledgor and Pledgee BO are not of depositories.
2 Pledgor and Pledgee BO are closed or suspended (for debit / credit / both).
3 ISIN is inactive.
Total weight for Pledge
T Freeze/Unfreeze
1 Freeze can be for debit / credit/ or both debit as well as credit.
2 Freeze can be on the BO account, i.e. all ISINs in the account are frozen; freeze can be on one ISIN in the account; or freeze can be on part quantity of an ISIN in the account.
3 Partial freeze can be only for debits.
4 Freeze request can be activated on current date or future date.
5 BO should belong to same DP or its Sub DP.
6 Future dated partial freeze on CM settlement account is not allowed.
Total weight for Freeze / Unfreeze
U Compliance of previous inspection Observations
1 Total number of non-compliances
Total weight for previous inspection Observations
Qualitative factors
Qualitative Factors | Weight (A) | Point on the scale of 1 to 10 (B) | Total score * (B)
1 Ownership and Governance
2 IT security and Business Continuity
3 Regulatory / procedural Compliance
4 Automation of Systems and processes for critical activities
5 Quality of Management
6 Financial Status / profitability of DPs
7 Pending enquiries / Penalties imposed by SEBI / Depositories on DP operations
8 Complaints redressal
9 Adverse findings of other activities (eg. Broking / custodian / banks etc)
Following indicative factors need to be taken into account for arriving at above mentioned qualitative score:
Ownership and Governance:
1. Constitution of Board of DP – Number of promoter directors, Independent Directors etc.
2. Role of non-executive directors/Independent directors
3. Compliance officer/Risk officer position if any on the board of DP
Quality of Management:
1. Experience, Fit and Proper and Qualification of Key Personnel
2. Existence of Succession planning for top management especially in control functions
3. Chinese walls between the activities in terms of manpower, resources etc
4. Training and development of employees.
5. Adequacy of staff strength.
6. Compliance level of previous inspection observations/ directions of regulatory bodies
IT security and Business Continuity:
1. High Availability
2. Appropriate Interconnected Architecture
3. Appropriate Recovery Time Objective (RTO) and Recovery Point Objective (RPO) and near “Zero Data Loss”
4. Periodic Drills that simulate the real life scenarios on a regular basis.
5. Technological glitches in the past period and remedies taken.
7. Information security.
8. Upgradation of technology
Financial Status / profitability of DPs:
1. The net-worth of the DPs (whether reducing or increasing from previous years)
2. Net Profits of DPs operations.
Complaints redressal:
1. Complaint redressal system
2. Percentage of complaints pending and resolved.
Adverse findings of other activities (eg. Broking / custodian / banks etc):
1. Actions taken by Stock exchange and SEBI / RBI with respect to other activities
2. Actions taken by other depository.
Procedural / Regulatory compliances:
No. Procedural / Regulatory compliances Compliance Status (YES / NO)
1 DP has designated e-mail id for investor grievance and displayed the same on the website as per SEBI circular no. MRD/DOP/Dep/SE/cir-22/06 dated December 18, 2006.
2 The daily report with respect to High Value Transactions (including null report) being generated by depositories is stored by the Main and branch DPs.
3 Alterations done in the contents of agreement are as prescribed by depositories.
4 Procedure prescribed by depositories as per operating instruction 16.7 is followed in case DP has opted an exemption from sending transaction statements to BOs in respect of demat accounts with no transactions and no security balances
5 Transaction Statements are sent for the quarter in which the request for account closure has been received from the BOs with the words “Account Closed / Marked for Closure”.
6 Proof of dispatch of statement of accounts sent after processing of account closure request is preserved.
7 30 days notice is given to the BO before closing his account, in case account closure is initiated by DP.
8 All formats used by the DP are in conformity with depositories prescribed format.
9 The statement of account (transaction/holding statement) is being sent to BOs as per depositories requirements.
10 Concurrent audit reports are submitted by the concurrent auditor to the DP on monthly basis by 10th of the next month.
11 The major negative observations in the concurrent audit are informed to depositories.
12 DP follows maker-checker concept in all of its activities to ensure the accuracy of the data and as a mechanism to check unauthorized transaction.
13 The register as prescribed by depositories regarding the alerts being provided is maintained properly and actions taken are recorded as per procedure.
14 The staff operating the DPs is trained as per the requirement of depositories.
15 The details of the compliance officer/ investor relations officers/ authorized signatories/ office address and change if any is informed by DP to depositories in the prescribed format.
16 The scope of activity of the service centers is clearly documented and adhered to.
17 Reconciliation between the branches / service centers and main DP takes place for the purpose of maintenance of account opening form, Demat request, instruction slips and blank instruction booklets issued by and / or received from the branch.
18 The details of statement of transactions generated from back office match with the statement or report generated from depositories.
19 The back office (including web site) is updated regularly for the transactions done on the depositories.
20 Account opening forms, agreements and supporting documents of all BOs are being kept in a manner so that they can be retrieved at any time.
21 DP operations are carried out after following all communiqués issued by Depository.
22 Agreement executed is in order in all respects.
23 Investor Grievance Register is maintained.
24 Statement of account is sent under digital signature of DP official.
25 Nomination register is maintained.
26 The discrepancies and /or non-compliances observed during previous inspection and last two internal audits are rectified and /or complied with.
27 The DP has implemented the procedures as confirmed in the previous compliance report for the last inspection and/ or internal audit report.
28 Supplementary agreement executed or undertaking / letter obtained or any modification made in any document which does not have clauses contradictory to depository prescribed agreement.
29 Cases where OM is not prepared, the same is updated, it is not available to all the staff
Total score table = Total quantitative scores + Total Qualitative Scores
Based on the total scores, DPs can be categorized into High, Medium High, Medium and Low.
Risk Categorization | Percentile of Risk Score | No of DPs
HIGH | Top 80%ile |
MEDIUM HIGH | 46-79%ile |
MEDIUM | 21-45%ile |
LOW | 0-20%ile |
Further reports / dash board on various parameters can also be carried out like activity wise analyses to identify / categorize DPs which are high on risk etc.
DIS issuance & processing
One of the important areas looked into during on-site inspection is verification of the process of Delivery Instruction Slips (DIS) issuance and processing.
In this regard, the following is observed:
- Depositories do not have details of the DIS booklets issued by DPs to their BOs, which get verified only at the time of on-site inspection, resulting in spending huge man hours and resources.
- Depositories do not have all the information available in the back office of DPs such as DIS numbers, mapping, KYC documents, account details, etc.
Considering that the activity relating to issuance and monitoring of Delivery Instruction Slips (DIS) is one
of the high risk activities, the committee felt that lack of monitoring / supervision of this activity may
lead to a situation where securities lying in the BO accounts could be moved in an unauthorized manner
(without the knowledge of BO) by the DP which can seriously jeopardize the integrity of depository
system and thereby damage the confidence of investors.
Such a possibility is very high in case of broker DPs due to the very nature of their activities where both
trading and securities accounts are held with the same entity. Further, due to inadequate focus /
prioritization on such high risk activity at the time of inspection, it may go unnoticed for a long time and
may threaten the market integrity. Therefore, it was examined whether the transactions
involving DIS could be digitalized and whether images of the DIS on transactions could be captured for
verification and archived. The existing system of issue, processing and monitoring of DIS at the end of DPs
is as under:
a) Size, contents and structure of DIS are not uniform across the Depositories.
b) Most DPs use back office software for their operations which includes processing of transactions
(DIS and related issues).
c) The back office software is procured by DPs from third party vendors. The Depositories only
prescribe the checks and minimum requirements, which are checked / verified by the depositories
at the time of start of their DP operations.
d) After the account is opened by depositories, each DP issues its own DIS booklet to the BO
holders and maintains the details of DIS in their back office software. The booklet issued is
mapped to respective BO.
e) Presently there are no checks at the end of depositories to verify the information (regarding DIS)
submitted by DP through uploading of back-office data to the depositories as the information
regarding the DIS serial numbers of BOs are not available at the end of depositories.
f) With respect to transactions processed, the DPs submit / upload End of Day (EOD) reports to the
depositories which only contain the details of the transactions executed and other relevant
details like DIS serial number, maker checker ID etc available at the back office of DP are not
included.
To check the efficacy of the above system of checks and balances for DIS issuance and processing, an
analysis of the insurance claims against the DPs was conducted to understand the major sources of
claims and the type of DPs against whom such claims were made. It was learnt that insurance claims
made against the DPs are predominantly due to fraudulent transfer of shares, as indicated below, and the
DPs are mostly stock broker DPs. In some cases fraudulent transfer of shares amounting to 1 Crore 11
lakhs has also been observed. Frauds are predominantly done by employees, who appear to have moved
the securities without DIS, in DPs who perform multiple activities, and this trend is still prevalent.
CDSL Statistics
Year | Name of the DP | Nature of loss | Claim Amount, Settled, Rejected, Outstanding/Pending (Rs.)
2007-08 | Motilal Oswal Securities Ltd. | Unauthorised transfer - signatures on the DISs were forged by employee of the DP | 3,586,629 2,445,392 1,141,237 -
2007-08 | LKP Shares and Securities Ltd. | Non-uploading of file | 2,250,000 2,140,902 109,098 -
2007-08 | | Inter-depository failure | 902,751 756,083 146,668 -
2007-08 | Total | | 6,739,380 5,342,377 1,397,003 -
2008-09 | Shilpa Stock Brokers Pvt. Ltd. | Unauthorised transfer - infidelity of employee | 658,800 - 658,800 -
2008-09 | Anand Rathi Financial Services Ltd. | Unauthorised transfer - signature on the DIS was forged by employee of the DP | 1,695,553 - - 1,695,553
2008-09 | Select Stock Brokers Ltd | Unauthorised transfer - infidelity of employee | 130,000 - - 130,000
2008-09 | Angel Broking Limited | Non-execution of DIS | 493,028 429,345 63,683 -
2008-09 | Dindayal Biyani Stock Brokers Ltd. | Punching error | 74,575 23,789 50,786 -
2008-09 | Total | | 3,051,956 453,134 773,269 1,825,553
2009-10 | Sunchan Securities Ltd. | Unauthorised transfer - signatures on the DISs were forged by employee of the DP | 4,531,483 - - 4,531,483
2009-10 | Sam Global Securities Ltd. | Unauthorised transfer - signatures on the DISs were forged by employee of the DP | 756,000 - 756,000
2009-10 | Saurashtra Capital Service Pvt. Ltd. | Non-execution of DIS | 289,277 239,277 50,000 -
2009-10 | Anand Rathi Financial Services Ltd. | Unauthorised transfer - signature on the DIS was forged by employee of the DP | 1,268,768 1,268,768
2009-10 | Total | | 6,845,528 239,277 806,000 5,800,251
2010-11 | Asit C. Mehta | Unauthorised transfer - signatures on the DISs were forged | 1,333,705 - - 1,333,705
2010-11 | Emkay Global Financial Services Ltd. | Unauthorised transfer | 6,242,155 - - 6,242,155
2010-11 | Sushil Financial Services Pvt. Ltd. | Unauthorised transfer | Potential Potential
2010-11 | Total | | 1,333,705 1,333,705
2011-12 | LKP Securities Limited | Unauthorised transfer | Potential - - Potential
2011-12 | i. Mahendrabhai Patel | | 5,99,000
2011-12 | ii. Chandrakant Patel | | 2,14,000
2011-12 | iii. Taraben Patel | | 2,87,000 1,100,000
2011-12 | Total | | - 11,00,000
2011-12 | Karuna Financial Services Pvt. Ltd. | Auction of securities due to wrong entry of Delivery Instruction Slip (DIS). | 2,88,560.64 - - 2,88,560.64
2011-12 | Pace Stock Broking Services Pvt. Ltd. | Loss of Securities due to wrong punching of Delivery Instruction Slip (DIS). | Potential - Claim Withdrawn
2011-12 | IIT Investrust Limited | Auction of securities due to wrong punching of Delivery Instruction Slip (DIS). | Potential 1,42,279 Rejected
2011-12 | Asit C. Mehta | Alleged Unauthorized Transfer of Securities | Potential - Potential
2011-12 | Total | | 15,30,840 1,530,840
2012-13 | Karmic Stock Broking Pvt. Ltd | Punching Error | 58311 8311 50000 -
2012-13 | Wellindia Securities Ltd. | Unauthorized Transfer of Securities | 19,57,136 - - 19,57,136
NSDL Statistics
Name of Claimant(s) | Details/Nature of claim | Amount of Claim lodged (Rs. in lakh) | Remarks
Claims under Policy Year: 2010-11 (From October 29, 2010 to October 28, 2011)
Stock Holding Corporation of India | Fraudulent transfer of shares | 60.00 | Claim Settled
Mansukh Securities & Finance Ltd. | Fraudulent transfer of shares | 50.00 | Claim Outstanding
Integrated Enterprises | Fraudulent transfer of shares | 111.00 | Claim Outstanding
Stock Holding Corporation of India | Employee Dishonesty | 35.00 | Claim Outstanding
Standard Chartered Bank | Loss due to delivery instruction | 2.43 | Claim Rejected for want of documents from DP
Claims under Policy Year: 2011-12 (From October 29, 2011 to October 28, 2012)
Zuari Investment Ltd. | Fraud by employee & consumer court award | 0.60 | Claim Outstanding
Religare | Financial Loss to Third Parties | 250.00 | Assessment still going on by insurance company
Religare - Gopal Mani | Financial Loss to Third Parties | 25.00 | Assessment still going on by insurance company
In view of above, the following is suggested:
a) Centralized generation of DIS (DPID + DIS serial number) will enable depositories to have better
control over issuance of DIS booklets to BO. Further, this step will also ensure that issue of loose
slips at the end of DP will also be monitored and regulated.
b) Standardization of DIS across Depositories.
c) The depositories should revise their EOD reporting requirements / structure such that all
significant information which resides in the back office of DP shall be available to depositories.
d) If the truncated (image version) of DIS were to be captured directly by DPs out of their branches
/ service centers and also Depositories directly and simultaneously with a provision for archiving
the image files, the information gathered will enable effective monitoring of the transactions
from market surveillance perspective.
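The depository-side monitoring that suggestions (a) and (c) would make possible can be sketched as follows. This is an added example, not part of the committee's report or of any depository's software; the record fields, finding codes, DP/BO identifiers and the sample EOD rows are constructed assumptions, and the checks mirror items 3, 4, 5 and 11 of the "Verification of DIS" checklist above.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class EodRecord:
    """One executed instruction as reported by the DP at end of day.
    Field names are assumptions made for this example."""
    txn_id: str
    dp_id: str
    bo_id: str
    dis_serial: Optional[str]  # None: instruction executed with no DIS reference
    maker_id: str
    checker_id: str


class DisRegister:
    """Central register of DIS serials, keyed by (DPID, DIS serial number)."""

    def __init__(self):
        self._issued = {}   # (dp_id, serial) -> bo_id the slip was issued to
        self._blocked = {}  # (dp_id, serial) -> "USED" or "LOST"

    def issue_booklet(self, dp_id, bo_id, first, count):
        """Map a contiguous serial range to one BO; refuse overlapping ranges."""
        keys = [(dp_id, f"{n:08d}") for n in range(first, first + count)]
        if any(k in self._issued for k in keys):
            raise ValueError("serial range overlaps an issued booklet")
        for k in keys:
            self._issued[k] = bo_id
        return [serial for _, serial in keys]

    def report_lost(self, dp_id, serial):
        """Block a slip the account holder reported lost, misplaced or stolen."""
        key = (dp_id, serial)
        if key not in self._issued:
            raise KeyError(f"{serial} was never issued by {dp_id}")
        self._blocked.setdefault(key, "LOST")

    def check(self, rec):
        """Return the findings for one EOD record and block its serial as used."""
        findings = []
        if rec.maker_id == rec.checker_id:
            findings.append("MAKER_CHECKER_SAME")
        if rec.dis_serial is None:
            findings.append("NO_DIS_REFERENCE")
            return findings
        key = (rec.dp_id, rec.dis_serial)
        owner = self._issued.get(key)
        if owner is None:
            findings.append("SERIAL_NOT_ISSUED")
            return findings
        if owner != rec.bo_id:
            findings.append("SERIAL_ISSUED_TO_OTHER_BO")
        if key in self._blocked:
            findings.append("SERIAL_BLOCKED_" + self._blocked[key])
        else:
            self._blocked[key] = "USED"  # prevents re-acceptance of the same slip
        return findings


def build_register():
    """Constructed issuance data: two booklets and one slip reported lost."""
    reg = DisRegister()
    reg.issue_booklet("DP001", "BO-A", first=1, count=10)
    reg.issue_booklet("DP001", "BO-B", first=11, count=10)
    reg.report_lost("DP001", "00000012")
    return reg


# Constructed EOD report rows (not real data).
SAMPLE_EOD = [
    EodRecord("T1", "DP001", "BO-A", "00000001", "m1", "c1"),  # clean
    EodRecord("T2", "DP001", "BO-A", "00000001", "m1", "c1"),  # slip reused
    EodRecord("T3", "DP001", "BO-A", "00000011", "m1", "c1"),  # BO-B's slip
    EodRecord("T4", "DP001", "BO-B", "00000012", "m1", "c1"),  # reported lost
    EodRecord("T5", "DP001", "BO-B", None, "m1", "c1"),        # no DIS at all
    EodRecord("T6", "DP001", "BO-B", "00000013", "m2", "m2"),  # no second person
    EodRecord("T7", "DP001", "BO-A", "00000099", "m1", "c1"),  # never issued
]


def demo():
    """Run the sample EOD report and return {txn_id: findings} for exceptions."""
    reg = build_register()
    report = {}
    for rec in SAMPLE_EOD:
        findings = reg.check(rec)
        if findings:
            report[rec.txn_id] = findings
    return report


if __name__ == "__main__":
    for txn_id, findings in demo().items():
        print(txn_id, ", ".join(findings))
```

None of these exceptions can be raised from the transaction-only EOD report described in point (f), because each check depends on the DIS serial number or the maker/checker IDs.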
IT Governance
The rapid and dramatic changes in the financial market microstructure have been led by a plethora of
new financial products, changing market designs and improved information technology. Technology is in
the driver’s seat and modulates not only the quality of infrastructure but even the product designs. The
most significant development is the way technology has erased geographical boundaries, even
creating new alternatives.
Innovations through Information Technology have led to a paradigm shift and revolutionized the
structure and the functioning of the securities market, the most important revolution being electronic
trading, clearing & settlement. Dematerialization of securities has been one of the important landmarks
in the securities market, made possible by technology, which not only changed the way trading was
being done but also eliminated various market evils such as delay in transfer of shares, possibility
of forgery on various documents leading to bad deliveries & legal disputes etc., possibility of theft of
share certificates, prevalence of fake certificates in the market, and mutilation or loss of share certificates in
transit.
The dependence on technology in securities markets is such that most of the financial market
infrastructure institutions (Stock Exchanges, Depositories, Clearing and Settlement Corporations, etc.)
have started using technology extensively in various areas, which has reduced latency, cost and
manpower. Further, the flow of information / data among FMIs has also been fully automated. This
dependence on technology has brought along a set of challenges to deal with, such as obsolescence,
capacity handling, multiplicity & complexity of systems, dependence on vendors and their associated
risks, denial of services, external threats (cyber attacks, cyber frauds / crimes), internal threats,
governance & management of technology, continuity of business and disaster recovery in case of
exigencies, etc.
The reliance on technology has led to the introduction of a new set of risks, i.e. technology risks, which not
only have a direct impact on the operations of the institution but can also act as a catalyst in
cascading other risks such as credit risk, settlement risk and market risk. Further, inadequate
technology implementation can also induce strategic risk due to distortion of information / data as well
as compliance risk due to non-adherence to any legal or regulatory requirement. These issues, therefore,
not only have the potential to undermine investor confidence & trust but can also lead to reputation risks.
In view of the above, the committee endorses the subcommittee's recommendations on the various
issues specifically technology usage in the depository system for efficiency and effectiveness of
inspections. Therefore, the technology architecture of CDSL and NSDL was examined. Further, the
depositories were asked to provide the following information:
1. Various checks and balances prescribed by them in the front and back office systems of DPs
2. Information available at back office of DPs and which is not uploaded to the depository system
and only checked at the time of inspections.
On the basis of the information submitted and the examination of system architecture, the following is
observed:
1. CDSL
[Figure: CDSL Network connectivity. Diagram labels: service providers (ETH, Leased Line, VSAT, MPLS); BSE network infrastructure (BSE DAKC, BSE Fort); routing switches at Fort, DAKC, BCC and HYD; VPN switches at Fort, DAKC and HYD; CDSL internal firewalls at Fort, DAKC, BCC and HYD; CDAS and EASI servers at DAKC and HYD; user LANs at Fort, DAKC, BCC and HYD; Internet firewalls with IPS; IDMR MQ; NSDL lease lines and routers. Legend: WAN user traffic, LAN user traffic.]
CDSL has a centralized architecture and database. DPs enter the data in the system provided by
CDSL.
CDSL has deployed a 3-tier architecture depository software application (CDAS – Centralized
Depository Accounting System).
This application is accessed by users (DP & RTA) through WAN based connectivity.
CDSL also has web based software applications for DPs, RTAs, BOs and CMs (EASI – Electronic
Access to Security Information and EASIEST – Electronic Access to Security Information and
Execution of Secured Transaction) which provide online and upload based transactions using
digital signature.
DPs do not have separate front end software. Each DP is required to have back office software
for the purpose of DIS issuance & usage controls, BO signature capture & retrieval, and
importing various reports generated by the CDSL system for updating transaction status /
reconciliation.
The centralized architecture of CDSL provides the following distinct advantages to the users:
o The initial set-up cost for Issuer Companies/their RTAs and Depository Participants is
low.
o Information on investor's holdings is available to the Depository Participant and the
Issuer or its RTA instantly.
o Database is replicated between main site and DR site using Oracle Data Guard facility.
The important checks available in the CDAS system of CDSL are:
o Mandatory PAN details
o PAN Validation
o Account activated only after capture of signature
o Debit and credits frozen in case of frozen BO accounts
o ISIN should be valid and active
o BO should be active
o Availability of balance in BO account
The various checks available in the back office system of CDSL DPs are:
o Maker checker for all transactions entered
o Verification of BO signature at the entry of instructions
o Inventory control of printed DIS books
o Record or cancel slips / slip books which are reported lost / returned by the BO
o Inventory control of DIS issued to POA holders
o Two step verification of high value DIS (value of more than Rs. 5 lacs) and for the
transactions originating from dormant accounts
o Daily updation of back office from CDAS system
CDSL has 4 sites i.e. Main, DR data center, operational site at Fort, Mumbai and business
continuity center at Belapur, Navi Mumbai. All these 4 sites are interconnected with each other
using 45 Mbps/ 100 Mbps Ethernet leased lines. All leased lines setup are configured in
redundancy from 2 different service providers.
During DR operations, CDSL users are seamlessly connected to DR site without any change at
user end.
CDSL complies with ISO 27001 standards for information security.
CDSL was awarded BS25999-2:2007 certification for its Business Continuity Management
Systems in April 2012.
2. NSDL
NSDL Depository system is a J2EE architecture standard based 3 tier implementation comprising
presentation layer (web servers), business logic layer (application server) and Data layer
(Database servers).
The design affords both horizontal and vertical scalability and is tested for linear scalability for
execution of four times the current daily volume of instructions in one hour.
The current installed capacity can service the current entire day volume of instruction in just an
hour.
The system is deployed on a cluster of Intel and UNIX servers, and Mainframe with processor
sparing facility and enterprise class storage with RAID and disk sparing facility ensuring
redundancy and no single point of failure.
Similarly, all routers, network devices and firewalls have equipment level redundancy and are
configured with automatic failover.
For servers NSDL undertakes OS hardening by disabling unused ports and services. Further, the
infrastructure is periodically subjected to vulnerability assessment scans to confirm that
unwanted ports and services are indeed closed and the patch level of the OS is as required.
NSDL has designed its software in two distinct parts: 1) Depository Software (DM, eDPM) and
2) DP Software (Local DPM Software), which is the front office. Participants can submit
Instructions using eDPM hosted at NSDL, and Local DPM available at the Participant’s end can be
used to fulfill reporting requirements. This provides flexibility to Participants to generate reports
on demand, for any period and on a real time basis.
The Application code is subjected to application security test to ensure that it is not vulnerable
to SQL injection, cross site scripting and such attacks.
The front office can be used to operate complete DP functionality including account opening,
transfer & modifications, delivery, pledge, etc.
The DPs use back office for purposes such as DIS controls, billing, transaction controls, and
internet based trading, etc.
The important checks available in the front office are:
o The system can be accessed only by authorized users over intranet as well as internet
using e-token with digital certificate based PKI challenge response mechanism which
provides for two factor authentication based on the ‘what you have’ and ‘what you know’
principle of security.
o The access is granted strictly on ‘need to know’ and ‘need to do’ basis.
o The system requires two separate users, maker and checker, to execute any transaction.
o The system further ensures that the same user cannot assume both maker and checker roles,
thereby enforcing the good practice of segregation of duty and preventing one user from
unilaterally executing the Instruction.
o The system maintains complete audit trail for transactions including IP address of the
workstation from which the Instruction originated.
o NSDL has recently developed end to end security for data files exchanged between
Participant Back Office (BO) and Depository system. This facility allows Participants to
encrypt as well as digitally sign files right at the stage of generation from their BO
system.
o Compulsory daily backup and end of day internal reconciliation
o Online reconciliation of position balance post execution of each transaction.
o End of Day internal reconciliation of balances across all clients (i.e. including the ones
who have not transacted). In addition, external reconciliation of changed Positions
between Local DPM and eDPM for a Business day is carried out.
o Audit trail for transactions
o Important Business validations are specified below:-
PAN is mandatory and is also structurally validated for opening of Beneficiary
Account.
Activation of Account is subject to capture of mandatory fields including
signature.
Account will not be allowed any debits and credits if the Account is suspended
for debit and credit. Credits are allowed if Account is frozen for only debits.
Transactions are allowed for ISIN in ‘Active’ Status. In addition, Account should
be in ‘Active’ status and should have sufficient Balance in the free Account for
any debit transaction.
Source Account should be present with the participant initiating the
Transaction. Source and Target Account should be present in the Depository
System
The important checks available in the back office are:
o Control on issuance & usage of DIS using unique DIS serial number
o Automatic blocking of used DIS
o Blocking of slips / slip books which are reported lost / returned by the BO
o Maker checker segregation for critical functions
o Verification of high value transactions and for the transactions originating from dormant
accounts
o Investor grievances controls
o Verification of BO Signature at the time of entry of Instruction
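The front-office business validations and back-office DIS controls listed above for NSDL can be combined into one pre-execution check. The following Python is an added example, not NSDL's or the committee's code; the class names, status labels, DIS serial format and sample accounts are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# PAN layout: five letters, four digits, one letter (structure only).
PAN_RE = re.compile(r"^[A-Z]{5}[0-9]{4}[A-Z]$")
# Status labels below are assumptions made for this example.
ACTIVE, FROZEN_DEBIT, FROZEN_ALL = "ACTIVE", "FROZEN_DEBIT", "FROZEN_DEBIT_CREDIT"


@dataclass
class Account:
    account_id: str
    participant_id: str
    pan: str
    signature_captured: bool = True
    status: str = ACTIVE
    free_balance: dict = field(default_factory=dict)  # ISIN -> quantity


@dataclass
class Instruction:
    dis_serial: str
    participant_id: str  # participant submitting the instruction
    source: str
    target: str
    isin: str
    quantity: int
    maker: str
    checker: str
    origin_ip: str


def can_activate(account):
    """Account opening: PAN present and well formed, signature captured."""
    return bool(PAN_RE.match(account.pan or "")) and account.signature_captured


class Ledger:
    def __init__(self, accounts, active_isins, issued_dis):
        self.accounts = {a.account_id: a for a in accounts}
        self.active_isins = set(active_isins)
        self.dis = {serial: "ISSUED" for serial in issued_dis}
        self.audit_trail = []

    def report_lost(self, serial):
        self.dis[serial] = "BLOCKED"  # slip reported lost or returned

    def validate(self, ins):
        errors = []
        if ins.maker == ins.checker:
            errors.append("maker and checker must be different users")
        if self.dis.get(ins.dis_serial) != "ISSUED":
            errors.append("DIS serial is unknown, already used or blocked")
        if ins.isin not in self.active_isins:
            errors.append("ISIN is not active")
        if ins.quantity <= 0:
            errors.append("quantity must be positive")
        src, dst = self.accounts.get(ins.source), self.accounts.get(ins.target)
        if src is None or dst is None:
            return errors + ["source and target must exist in the depository"]
        if src.participant_id != ins.participant_id:
            errors.append("source account is not with the initiating participant")
        if src.status != ACTIVE:
            errors.append("source account is not active for debits")
        elif src.free_balance.get(ins.isin, 0) < ins.quantity:
            errors.append("insufficient free balance")
        if dst.status == FROZEN_ALL:  # frozen for debits only still takes credits
            errors.append("target account is frozen for credits")
        return errors

    def execute(self, ins):
        errors = self.validate(ins)
        self.audit_trail.append({  # every attempt is logged, rejected or not
            "dis_serial": ins.dis_serial, "maker": ins.maker,
            "checker": ins.checker, "origin_ip": ins.origin_ip,
            "result": "REJECTED" if errors else "EXECUTED", "errors": errors,
        })
        if errors:
            return errors
        src, dst = self.accounts[ins.source], self.accounts[ins.target]
        src.free_balance[ins.isin] -= ins.quantity
        dst.free_balance[ins.isin] = dst.free_balance.get(ins.isin, 0) + ins.quantity
        self.dis[ins.dis_serial] = "USED"  # used slips are blocked from reuse
        return []


def sample_ledger():
    """Constructed accounts, ISIN and DIS serials (not real identifiers)."""
    isin = "INEXAMPLE001"
    return Ledger(
        accounts=[
            Account("A1", "DP01", "ABCDE1234F", free_balance={isin: 100}),
            Account("B1", "DP02", "FGHIJ5678K", status=FROZEN_DEBIT),
            Account("C1", "DP02", "LMNOP9012Q", status=FROZEN_ALL),
        ],
        active_isins=[isin],
        issued_dis=["DP01-000001", "DP01-000002", "DP01-000003"],
    )
```

Rejected attempts are written to the audit trail as well, so a replayed or blocked slip leaves a record of the maker, checker and originating IP.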
NSDL has provided facilities to Participants to automatically update their back office with
depository related exports as well as submit instructions captured in back office in a hands free
manner and thereby eliminating operational errors.
NSDL has deployed identical infrastructure as production at its Disaster Recovery Site located in
another city with on-line storage based replication over high bandwidth low latency link with
near Zero RPO (Recovery Point Objective).
NSDL complies with ISO 27001 standards for information security.
NSDL has established capability as a part of BCP readiness to conduct business operations from
its branches, cold site and remote sites over secure VPN with ‘what you have and what you
know’ security. Such recovery is done through alternate business teams nominated for
functional recovery in disaster events. The system seamlessly connects such business users
to the data center from which operations are conducted.
In view of the above, the following is suggested:
1. There should be an IT strategy committee at the board level of depositories.
2. The depositories and their DPs should have an approved and to the extent comparable IT strategy /
plan document which needs to be reviewed annually.
3. A System Audit framework should be prescribed for Depositories and DPs
4. Create an IT Steering committee to assist the IT Strategy Committee in implementation of IT
strategy. The IT steering committee should comprise representatives from IT, HR, Legal and
various business functions as appropriate.
5. Information Security policy should be approved by the board and reviewed annually
6. Create an office of information security and designate a senior official as Chief Information Security
Officer (CISO) whose work would be to assess risk and identify the threat / vulnerabilities.
7. In the event of disaster, the disruption in the services provided by the depository system may affect
not only the market integrity but also the confidence of investors. It is therefore imperative that
there should be no disruption in services and in case there is a disruption, there should be near zero
data loss. In this context, the following needs to be ensured:
High Availability: There should not be any single point of failure and no denial of service.
Appropriate Interconnected Architecture: The architecture should ensure data replication
without compromising data and transaction integrity.
Recovery Time Objective (RTO) and Recovery Point Objective (RPO) requirements as 4 hours and
30 minutes, respectively, and ensuring that the technology implemented and the processes
adopted are capable of fulfilling the RTO / RPO objectives.
“Zero Data Loss” and implementing the same through appropriate mechanism; e.g.
synchronous replication / near site
Periodic Drills that simulate the real life scenarios on a regular basis and conducting these drills
on a week day
8. Designate a senior official as Head of BCP function
9. Increased use of technology so as to ensure effective off site inspections of DPs and their branches
and service centers. For this purpose, the following needs to be en
Installation and usage of licensed software
Generation and control through centralized DIS issuance
Standardization and scanning of DIS
Revise EOD reporting requirements / structure such that all significant information which
resides in the back office of DP should be available to depositories
Daily reconciliation of various records in the back office with records in the front office
Use of Technology for Off-Site and Onsite Inspection
The current system of inspection of DPs by Depositories has the following features:
Annual inspection of operations and system of every DP based on sample data.
Inspection conducted by both CDSL and NSDL in-house audit team with a gap of 11-13
months between two inspections of the same DP.
Inspection of new DP conducted within 3 months of the date of commencement.
Period of inspection of a DP is the period from the last date of previous inspection till the end of
the month immediately preceding the actual date of inspection.
Selection of DPs, sample size and sample selection are critical issues which need to be carefully handled for
effective inspection. Currently, irrespective of the nature and size of DPs, the sample size is capped at 500,
which is multiplied in case of repetitive violations. Currently a "spreadsheet based" system is used by
depositories to individually take information / data from databases through reports, which is then used for
determination of samples / adaptive samples.
In view of the above, since the critical activities of sample size determination and sample selection are
currently manual, it will be appropriate to use technology to put checks and balances in place whereby
various database sources are integrated such that the sample size and sample selection truly represent the
risks underlying various activities through appropriate algorithms; done manually, these activities may bring
in discretion which may affect the quality of inspection.
Off Site Inspection
Currently, it is noted that one of the major activities undertaken at on-site inspection is
verification of the process of DIS and processing of DIS. In order to address this issue, it has already been
suggested that DIS should be scanned and images captured in the depository system, whereby the same can
be verified off-site rather than on-site.
Supervision of service centers is currently weak, as the number of service centers inspected every year is
very small compared to the total number of service centers across the country. This can be a cause of concern
due to lack of supervision over such service centers. Therefore, there is a need to have appropriate
technology in place to make sure that all information regarding service centers is available in the back
office software system of DPs. The same should also be available with depositories so that they can be
monitored offline without having to go on-site, thereby saving manpower, time and cost.
Besides depositories, SEBI also inspects DPs, leading to duplication and thereby wastage of time and
resources. This can be avoided if SEBI is able to have off-line access to the inspection modules of
depositories so that inspection observations are monitored for better supervision.
Technology Enabled Future Road Map
The DSRC has been entrusted with the task of examining the existing Inspection and Oversight
mechanism and come out with suitable recommendations taking into account the technological
advancements in the field and the operational risks associated with the functioning of the Depositories
and the DPs.
Apart from the suggestions / recommendations, it was also decided to come out with the way forward
keeping in mind specifically the technology support available today to ensure that the
Inspection framework and the associated guidelines are meaningful and purposeful.
The Inspection framework of the DPs by the Depositories and the Depositories by the regulator has to
take into account the technological advancements that could bring in more efficiency and productivity
by capturing the relevant data for ensuring compliance or risk mitigation. The effort required for
completing the Inspection process has to be drastically reduced both in terms of the time for completion
and the resources required to accomplish the task.
For the purpose of carrying out the Inspection comprehensively the first and foremost aspect is to have
authentic and accurate data. This data is generated at the DP level and mostly is available in
the electronic format. It is important to ensure that all the DPs do have the data required for Inspection
to be available in the electronic format in a definite time frame expeditiously. This exercise will result
in ensuring technology enabled Inspection framework to be implemented for all the DPs.
The DPs need to have internal mechanisms put in place to ensure that the data is complete, consistent
and meets the stated requirements of the Inspection framework and guidelines from time to time.
Before the start of the Inspection, DPs have to give an undertaking that they conform to this
requirement. The Inspection that will be taken up in 2013-2014 has to address this issue clearly and
bring out inadequacies if any, for the DPs to put in corrective mechanisms in place.
It is to be noted that the details regarding all aspects of the KYC, scanned copy of the DIS and other
relevant data regarding the transactions are captured and made available. Apart from the
data available as scanned copies, extract of the relevant portion of the data in the form of tables has to
be made available for access by the Depositories.
The Inspection carried out by the Depositories should be made an online inspection, by accessing the
resources and information located at the DPs using online connectivity. This approach will enable
the Depositories to take up not only the Annual Inspection as a compliance requirement but, more
importantly, periodic mid-term inspections whenever required.
The physical Inspection carried out by the Depositories has to be need based and justifiable as this will
involve considerable human effort. The way forward is to ensure all the mandatory requirements to be
met by the DPs are available for remote access through appropriate authentication mechanisms and
only in cases where the physical Inspection is justified, it will be taken up.
The IT resources located at the DPs both in the front office and the back office have to meet clearly
defined performance metrics in order to ensure that the service delivery is as per expectations.
The IT resources, including the software environment, have to adhere to the stated levels of:
Performance and Scalability
Availability and Fault tolerance
Security and Access Control
Conformance to standards
It is important to understand that the initiatives of the GoI will fructify in ensuring large number of retail
investors taking part in the Securities Market and therefore the load on the systems at the DP as well
as the Depositories will exponentially increase. Technology based Inspection framework is the only
option to ensure effective and timely completion of the Inspection process.
The report recommends moving towards a risk based mechanism in place of the existing compliance
based mechanism. Therefore, it is important to ensure that the Inspection periodicity is adaptive and
flexible. This is possible by categorizing the results of the Inspection into multiple levels of compliance
rather than the binary decision making. The levels of compliance will dictate the future course of action
by redefining the periodicity as well as the sample size. Adaptive sampling methodology is to be
implemented by the Depositories on a case by case basis depending on the outcome of the
preceding Inspection.
The current approach used for deciding the sample size does not take into account the above issue and
therefore the Depositories need to come out with specific approaches to deciding on the sample size to
ensure that Quality is not compromised. To arrive at this and ensure that the exercise is meaningful
and purposeful, one of the important aspects that need to be kept in mind is the data integrity.
Periodic checks with respect to data integrity need to be taken up in addition to accuracy and
reliability. The depositories have to take up compliance with the data integrity check by having an appropriate
software framework that will include suitable integrity checks.
Based on the outcome of the earlier Inspection, the Depositories have to come out with specific tailor
made check lists for each one of the DPs and the DPs have to present the data in appropriate formats
in their servers for access by the Depositories to complete the evaluation quickly. If required, it should
be possible to drill down to have access to the primary data as and when required. The process that is
used by the DPs to create the derived data required for the Inspection process has to have one to one
correspondence with the primary data and has to be automated fully to avoid human intervention
through appropriate software tools or scripts.
The technology infrastructure deployed by the DPs to handle the task has to be robust, mature and
secure and the implementation mechanism followed adheres to the industry best practices. It is
desirable that periodic audit of the implementation is carried out by reputed external agencies and the
suggestions and recommendations are implemented. The authentication framework put in place by the
DPs for access by the Depositories as well as otherwise needs to be robust and secure and has to be
audited periodically.
The DPs also conduct other lines of business and may have IT resources which are common across
multiple business lines. It is important that the resources which are allocated for this activity
are electronically isolated and access is permitted only to authorized resources. The employees of the DPs
who are allocated additional responsibilities in addition to the primary activities of the DP operations
have to maintain the discipline stipulated for access to other resources through appropriate mechanisms.
One of the important aspects of this exercise is to evaluate and categorize the IT resources deployed by
the DPs for this activity based on the following criteria.
High Availability and Fault tolerance:
The IT infrastructure deployed should not have any single point of failure. In the event of failure of any
sub-system or component or software the resultant solution has to work, may be with acceptable
levels of degraded performance, and the corrective mechanism put in place to ensure that the
rectification takes place within 4 hours. The administration, monitoring and management of the
solution have to be proactive to identify and correct the faults before the failure occurs, in most of the
cases. It is recommended that the IT infrastructure deployed by the DPs do have an uptime guarantee of
99.5 % measured on a monthly basis with mean time to restore (MTTR) of not more than 4 hrs. Apart
from the IT resources, the processes put in place, the implementation and management of the same
play a crucial role in ensuring compliance to the above requirement.
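The two thresholds in the paragraph above (99.5% monthly uptime and an MTTR of not more than 4 hours) can be checked against outage records as follows. This is an added example, not part of the report; the record format, the merging of overlapping alerts into one incident, the clipping of outages to the calendar month and the sample dates are assumptions.

```python
from datetime import datetime, timedelta

UPTIME_TARGET_PCT = 99.5           # monthly uptime recommended in the report
MTTR_LIMIT = timedelta(hours=4)    # mean time to restore bound in the report


def month_bounds(year, month):
    """Return the [start, end) datetimes of a calendar month."""
    start = datetime(year, month, 1)
    end = datetime(year + (month == 12), month % 12 + 1, 1)
    return start, end


def merge_outages(outages, start, end):
    """Clip outages to the month and merge overlapping records into incidents."""
    clipped = sorted(
        (max(s, start), min(e, end)) for s, e in outages if s < end and e > start
    )
    incidents = []
    for s, e in clipped:
        if incidents and s <= incidents[-1][1]:
            # Overlaps the previous record: extend that incident.
            incidents[-1] = (incidents[-1][0], max(incidents[-1][1], e))
        else:
            incidents.append((s, e))
    return incidents


def assess_month(outages, year, month):
    """Measure one month of outage records against both thresholds."""
    start, end = month_bounds(year, month)
    incidents = merge_outages(outages, start, end)
    period = end - start
    downtime = sum((e - s for s, e in incidents), timedelta())
    budget = period * (100 - UPTIME_TARGET_PCT) / 100  # allowed downtime
    mttr = downtime / len(incidents) if incidents else timedelta()
    return {
        "incidents": len(incidents),
        "downtime": downtime,
        "downtime_budget": budget,
        "uptime_pct": 100.0 * (1 - downtime / period),
        "mttr": mttr,
        "uptime_ok": downtime <= budget,
        "mttr_ok": mttr <= MTTR_LIMIT,
    }


# Constructed outage records (start, end) for April 2014; not real incident data.
SINGLE_LONG_OUTAGE = [(datetime(2014, 4, 10, 2, 0), datetime(2014, 4, 10, 6, 0))]
OVERLAPPING_ALERTS = [
    (datetime(2014, 3, 31, 23, 0), datetime(2014, 4, 1, 1, 0)),     # spans month start
    (datetime(2014, 4, 12, 10, 0), datetime(2014, 4, 12, 11, 0)),   # two alerts that
    (datetime(2014, 4, 12, 10, 30), datetime(2014, 4, 12, 12, 0)),  # form one incident
]
```

In a 30-day month the 99.5% target allows 3 hours 36 minutes of downtime, so a single outage restored in exactly 4 hours meets the MTTR bound and still misses the uptime target.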
Data Requirement:
The DPs have to put in place appropriate mechanisms in order to ensure no compromise to data
integrity and transaction integrity. Implementation of near site is NOT mandatory. If the DPs have
implemented innovative mechanisms to ensure no data loss (similar to the implementations of NSDL
and CDSL) it would suffice.
Performance and Scalability:
As mentioned before, it is estimated that, in view of the initiatives of the GoI, a large number of retail
investors will become a part of the market in the near future and therefore the IT infrastructure should
be in a position to handle the increased load with acceptable levels of performance. More importantly,
the performance should be consistent, taking into account the scalability concerns.
Security and Access Control:
One of the major concerns of the Industry today is increased levels of automation to address the ever
increasing load and also the need to provide connectivity to the external environments. The
infrastructure is expected to be open and at the same time secure enough.
One of the primary requirements of security is to have a robust and secure authentication framework.
The DPs have to put in place an appropriate authentication framework and should collect the necessary
data from the system administrator logs to clearly address issues related to access to
the resources in the event of any attempts to gain entry into the system. As the environment is open to
access from external networks including the Internet, the DPs have to put in place appropriate
checks and balances to ensure that only trusted and secure users are in a position to access the
resources.
Business Continuity and Disaster Recovery:
In the event of any minor events like the failure of either the sub-system or component or the
software, high availability built in and the fault tolerant mechanisms implemented will be in a position
to address the requirement of continued delivery of services.
In the event of any major disaster, the entire IT infrastructure at the primary site is not available for the
delivery of services and therefore the DPs have to put in place an appropriate Disaster Recovery
mechanism with acceptable levels of RTO and RPO.
The DPs need to have a business continuity plan and the guidelines stipulated in the BCP will dictate
the appropriate solution architecture for the Disaster Recovery centre and also the connectivity
between the DC and the DR.
Inspection of the DPs by the Depositories and the Depositories by the Regulator has to keep in mind
the above metrics and evaluate the IT solution architecture deployed, come out with suitable
classification of the same and remedial measures that need to be implemented within the stipulated
timelines to ensure that the technology framework is robust, mature and secure.
Acknowledgement
At the outset, the committee members would like to thank the SEBI Chairman, Shri U.K. Sinha
for constituting the Depository Systems Review Committee and entrusting this assignment to
the committee.
This report of the Depository Systems Review Committee has been made possible with the
support and contributions of many individuals and organisations. The committee would like to
gratefully acknowledge their significant efforts and contributions.
The committee sincerely thanks SEBI former Executive Director Shri S Ramann, the current
Executive Directors Shri Muralidhar Rao, Shri J Ranganayakulu and CGM Shri P K Bindlish
for their valuable guidance and support.
The committee appreciates and acknowledges the significant efforts put in by the teams of Ms.
Maninder Cheema, Deputy General Manager, SEBI and Mr. B. J. Dilip, Deputy General
Manager, SEBI which included Mr. Atif Alvi, Mr. M. A. Shinod, Mr. Vikas Komera and Mr. Amit
Nigam.
The committee is also grateful to the officials of National Securities Depository Limited and
Central Depository (Services) India Limited for making detailed presentations on their systems
framework and giving valuable inputs to the committee. The committee would like to convey
its gratitude to Ms Deena Mehta of Asit C Mehta Securities and other stakeholders like HDFC,
ICICI Securities, NPCI and SWIFT for their valuable insights and inputs.
Table of Contents
Preamble
Executive Summary
Chapter 1 - Assessment of Existing Policy Framework for Depositories
I. Structure and Role of Depositories
II. Depositories Act
III. SEBI Depositories and Participants Regulations
IV. Policy Circulars/ Guidelines Issued by SEBI
V. Observations of the Committee
Chapter 2 - Assessment of Depository System on the basis of relevant Globally accepted Principles for Financial Market Infrastructures so as to benchmark with Global Best Practices
I. Benchmarking the Indian Depositories with Globally accepted Principles
II. Recommendations by the Committee
Chapter 3 - Identification of Areas for Continuous Improvement of Systems, Procedures and Practices
I. Business Model of Depository Participants
II. Complaints against Depositories and Depository Participants
III. Investor Protection Fund (IPF) of Depositories
IV. Use of Non Disposal Undertaking (NDU) for Lending/ Borrowing of Securities
V. Outsourcing Guidelines for Intermediaries
Chapter 4 - Identification of Systemically Important Market Infrastructure Institutions and their Inter-Linkages
I. System Architecture of Depositories
II. Business Continuity and Disaster Recovery
Chapter 5 - Oversight and Inspection Framework
I. Guidelines for Inspection of Depository Participants by Depositories
II. Delivery Instruction Slips (DIS) Issuance & Processing
Way Forward
Annexure I
Annexure II
List of Abbreviations
Preamble
The Depository Systems Review Committee (DSRC) was constituted by Securities and Exchange
Board of India (SEBI) in June 2012 pursuant to decision of the SEBI Board to the effect that the
"Depository system" be reviewed by an independent expert group. The mandate of the
Committee was guided by the following terms of reference:
i. Overall assessment / adequacy of existing depository framework and identification of
areas for review.
ii. Assessment of depository system on the basis of relevant CPSS-IOSCO principles,
recommendations of CESR-ECB pertaining to Central Securities Depositories (CSDs) so as
to benchmark with the global best practices.
iii. Identification of areas for continuous improvement of systems, procedures and
practices and make recommendations thereof.
iv. Identification of systemically important market infrastructure providers / institutions /
depository participants and their inter-linkages and identify areas and suggest
safeguards to prevent single point failures and denial of depository service.
v. Review of existing system of inspection by depositories and suggest changes to
strengthen monitoring / oversight of depository participants.
The Committee was constituted under the Chairmanship of Shri M. Balachandran and included
the following members:
i. Shri M Balachandran (Chairman, NPCI and former CMD, Bank of India)
ii. Prof H Krishnamurthy (Principal Research Scientist, IISc Bangalore)
iii. Shri R S Loona (Managing Partner, Alliance Corporate Lawyers and former Executive
Director, SEBI)
iv. Prof Vikram Kuriyan (Clinical Prof. of Finance, Indian School of Business)
In order to carry out its mandate, the committee interacted with SEBI officials, held discussions
with various market participants, and visited the two depositories, CDSL and NSDL to
understand their systems. Detailed presentations were made by the Depositories, DPs and
organizations such as SWIFT and NPCI, some banks, brokers as well as investment bankers to
enable the committee to gain understanding of the issues involved. Details of meetings held by
the committee along with the list of persons who made presentations is enclosed as Annexure
I.
Executive Summary
The committee held extensive discussions and deliberations with depositories and other
market participants related to the depository system in order to assess the adequacy of the
system and to identify areas for focused review. Based on these interactions, the committee
identified the following major areas for review:
i. Existing policy framework of the Depositories
ii. Benchmarking against global standards
iii. IT Governance of Depositories
iv. Existing framework of inspection and oversight of depositories and depository
participants
The committee was conscious of the technological advancements made recently in the financial
sector and in the securities market in particular. The recommendations of the committee are
geared to leverage these technological advancements to improve the ease of operations,
enhance operational efficiency and to effectively minimise the risks in the system.
In the area of inspection and oversight function of depositories, the committee decided to carry
out a detailed analysis and formed a sub-committee for this purpose comprising Prof.
Krishnamurthy, representatives of NSDL and CDSL and officials of SEBI. The recommendations
of the sub-committee were presented to SEBI as part of an interim report and SEBI is
understood to have initiated measures based on these recommendations. The
recommendations of the sub-committee presented in the interim report are included as part of
the final report.
A summary of the recommendations made by the committee is as follows:
1. Assessment of Existing Policy Framework of Depositories
A review of the policy framework for depository system revealed that the regulatory framework
and the various policy measures put in place appear to be adequate. Depositories function
under the framework of the Depositories Act and the SEBI (Depositories and Participants)
Regulations, 1996. Necessary amendments to the regulations are made when felt necessary. In
addition, SEBI issues guidelines and circulars to update and revise the systems and processes
according to the needs of the market.
SEBI has put in place risk management measures such as In-person verification (IPV) and
mandatory PAN requirement which ensure that instances of fraudulent /fictitious accounts are
prevented. Other measures have been taken like freezing further issue of capital under
temporary ISIN until trading approval is obtained to prevent their transfer and mingling with
pre-existing shares. This enhances the integrity of the process for security issuances.
Based on its review of the policy framework for depositories, the committee recommends the
following:
I. SEBI to ensure that the system and technology related requirements which are verified
prior to granting certificate for commencement of business, are also maintained on an
ongoing basis through regular inspections and system audits. This is an important aspect
of the depository system architecture and SEBI should regularly update its oversight
processes to ensure ongoing compliance.
II. Reconciliation of records of shareholding is very critical to maintaining integrity of the
capital markets. The responsibility for reconciling records of total issued capital, listed
capital and capital held by depositories in dematerialized form lies with issuer. SEBI may
put in place a mechanism so that depositories maintain complete reconciled record of
total issued and listed capital, including both physical and dematerialized shares.
III. Depositories are uniquely placed to scale up and utilize their infrastructure to
dematerialize not just securities but also other financial assets subject to adequate
regulatory framework and checks and balances being put in place. This aspect which the
committee intended to recommend based on interactions with the stakeholders was
well received by the depositories and also the market participants. In this background it
is pertinent to take note of the Budget announcement made in the interim budget
presentation in February 2014 and again in the budget speech in July 2014. The July
2014 budget announcement aims to "Introduce one single operating demat account so
that Indian financial sector consumers can access and transact all financial assets
through this one account." The committee feels that the above proposal would
promote the integration of the Indian Financial markets and allow the
consumers greater access to and control of a wide portfolio of financial assets.
IV. With greater integration of depositories with other financial service providers, there is
possibility of interconnectivity of depositories with financial institutions/ FMIs/
international CSDs in future. Interconnectivity may require standardization of messaging
formats used by depositories. The committee recommends that it may be desirable to
standardise messaging formats in the long term.
V. With regard to KYC, the committee noted that the e-KYC service launched by Unique
Identification Authority of India (UIDAI) has been accepted by SEBI as a valid process of
KYC verification. The committee was also informed that NPCI has entered into an MoU with
UIDAI in order to aid financial inclusion through Aadhaar enabled bank accounts and
financial transactions. The Committee recommends that use of e-KYC through NPCI
should be popularised among DPs.
2. Assessment of Depository System on the basis of relevant globally accepted Principles for
Financial Market Infrastructures so as to benchmark with Global Best Practices.
The committee observed that while the Depositories are broadly compliant with the CPSS-IOSCO principles for FMIs, certain areas needed to be strengthened. The committee therefore recommends the following:
I. Risk Management Framework for depositories: FMI principles lay emphasis on the need to
have a robust risk management framework to identify, monitor and manage various risks
emanating from multiple sources to its operations.
The committee therefore recommends that there should be a Board approved policy
providing for a well documented comprehensive risk management framework at both
depositories. The risk management group/ committee formed by the depositories should
be active and meet periodically to continuously identify, evaluate and assess applicable risks
in the depository system through various sources, viz. investors' complaints, inspections,
system audit etc., and suggest measures to mitigate risk wherever applicable. A Chief Risk
Officer should be made responsible, accountable, accessible & answerable to the board on
overall risk management issues.
II. Orderly winding down of depositories: The Committee observed that there is no laid down
system or procedure for orderly winding up of depositories in the event of potential
scenarios such as voluntary winding up by depositories, depositories going bust due to
general business risk, fraud at the end of depositories, or depositories wound up due to
regulatory action or court order. In Indian depository micro structure, there are two
depositories. In the event of failure, disruption or winding up of one depository, all the
demat accounts and securities held with stressed depository can be potentially moved to
another depository without affecting the interest of investors. These measures are
technically possible in the existing market micro structure, though there is no laid down
written document detailing the process and procedure for orderly winding up of
depositories. The committee recommends that there is a need to have a well documented
framework for orderly winding down of the depository operations including making
necessary legal provisions in the regulations, rules and Depositories Act.
3. Identification of Areas for Continuous Improvement of Systems, Procedures and Practices
The committee identified a few areas which needed further focus from the perspective of
maintaining a robust depository system. Complaints received from investors against DPs and
Depositories were analyzed for this purpose. The committee reviewed the business model of
Depository Participants as it was observed that there are no standalone DPs. Certain practices
such as use of Non Disposal Undertaking (NDU) for Lending/ Borrowing of Securities were
examined from the perspective of risk posed to Depositories and DPs. The committee also
looked into the use of Investor Protection Fund (IPF) of Depositories and outsourcing policy
followed by Depositories. Based on its review of these areas, the committee recommends the
following:
I. In order to achieve wider financial inclusion and bring investors in securities market from
Tier II and Tier III towns, the DPs need to widen their reach in these areas. For this purpose,
there is a need to devise an incentive structure for depository participants so that they
encourage investors to open demat accounts with them. The revenue source of
depositories may be augmented and DPs may be incentivized by having a revenue sharing
mechanism between the depositories and DPs which may encourage the DPs to expand
their reach in tier II & III towns. Bank DPs with their large branch network and wider reach
in the tier II & III towns can play a crucial role in furthering the objectives of financial
inclusion. DPs may be compensated for the cost incurred in account opening, especially
Basic Service Demat Accounts (BSDA) as it will act as a motivator for DPs to open more
accounts. Incentive structure may be devised so that DPs get compensation on any
incremental account opened by them in tier II & III towns.
II. Complaints received against depositories and DPs are resolved quickly except for
complaints relating to delay in demat/ remat. In such cases, the delay is at the end of
issuers and RTAs rather than the Depositories. Considering the nature of complaints and the
fact that there were negligible pending complaints, the committee feels that Depositories
do not require a corpus comparable to stock exchanges for their Investor Protection Fund.
The committee therefore recommends that SEBI may review the quantum of funds required
to be transferred to IPF by depositories and arrive at a sizable limit for corpus of IPF.
Only profits from depository operations may be transferred to IPF. SEBI may formulate an
Investment Policy for the IPF. The funds of the IPF may be utilized for conducting Investor
Awareness and Education Programmes and supporting the depositories'/ DP's initiatives for
financial inclusion in a variety of ways.
III. The committee noted that certain DPs allow the promoters of companies to use tripartite
agreements usually referred to as Non-Disposal Agreement/ Non-Disposal Undertaking
(NDU) to extend facilities to its clients for lending / borrowing of shares instead of following
the pledging facility available in the depository system. The committee recommends that
DPs should not be party to such arrangements as there is no regulatory mechanism
whereby depositories and DPs can treat shares covered by NDU as pledged/ encumbered,
leading to potential for fraud and multiple pledging.
IV. In the area of outsourcing by Depositories, there is a need for further focus and
strengthening of guidelines on the lines given below:
a) Care should be exercised while outsourcing and wherever possible depositories should
put in place various controls to ensure that there is check on the activities of outsourced
entity especially to monitor that outsourced activities are not further outsourced
downstream.
b) Core and critical activities of depositories should not be outsourced.
c) Core IT support infrastructure / activities for running the core activities of depositories
to the possible extent should not be outsourced.
d) Wherever outsourcing is allowed, depositories should ensure that risk impact analysis is
undertaken, only reputed entities having proven high delivery standards are selected, and
appropriate backup / restoration systems are put in place, and should monitor and have
checks and overall controls over the outsourced entity on a real-time basis.
e) Audit of implementation of risk assessment and mitigation measures listed in the outsourcing policy document and outsourcing agreement/ service level agreements pertaining to IT systems should form part of System Audit of Depositories.
4. Identification of Systemically Important Market Infrastructure Institutions and their Inter-Linkages
In view of transformation of securities market infrastructure brought about by advances in
information technology (IT) and dependence of Financial Market Infrastructure Institutions on
technology, the committee examined the technology infrastructure of the Depositories and
reviewed the usage of technology in the Depository system. The committee therefore
recommends the following:
I. The IT infrastructure deployed should have high availability and no single point of failure. In
the event of failure of any sub-system, component or software, the resultant solution has
to work, possibly with acceptable levels of degraded performance, and a corrective
mechanism has to be put in place to ensure that the rectification takes place within 4 hours.
The DPs have to put in place appropriate mechanisms in order to ensure no compromise to data
integrity and transaction integrity.
II. Depositories should implement the following for their IT governance structure:
a) There should be an IT strategy committee at the board level of depositories.
b) There should be an approved and comparable IT strategy/plan document which needs
to be reviewed annually by the depositories and their DPs.
c) There should be an IT Steering committee to assist the IT Strategy Committee in
implementation of IT strategy. The IT steering committee should comprise
representatives from IT, HR, Legal and various business functions as appropriate.
d) Information Security policy should be approved by the board and reviewed annually.
e) There should be an office of information security and a senior official should be
designated as Chief Information Security Officer (CISO) whose work would be to assess
risk and identify the threat / vulnerabilities.
f) Depositories should take steps to ensure that the IT Infrastructure of DPs has high
availability and fault tolerance, uptime guarantee of 99.5% measured on a monthly basis
with mean time to restore (MTTR) of not more than 4 hrs, data integrity and transaction
integrity and appropriate security access and control framework.
5. Oversight and Inspection Framework
The committee carried out an extensive review of the oversight and inspection framework for
Depository Participants. Recommendations in this area were given in the interim report of the
committee and are reported to be under implementation by SEBI. The key recommendations of
the committee are as follows:
I. Inspection of Depository Participant by Depositories:
a) Inspections should be risk based rather than compliance based to provide economic
benefits such as fewer inspections for less risky participants and frequent inspections for
more risky ones. The inspection reports should not only identify risk areas but should
also proactively suggest risk mitigation.
b) The sample size selection should be dynamic and should depend on the past compliance
of a DP in that area.
c) The inspection process of DPs and their service centers should be automated through
usage of appropriate technology. If such close inspection / oversight modality is not
possible directly by Depositories through their own personnel, the possibility of
outsourcing service centre inspections may be explored, and a suitable outsourcing
policy may be framed.
II. Delivery Instruction Slips (DIS) Issuance and Processing:
a) Appropriate infrastructure and other requirements, to facilitate scanning and uploading
of the DIS image, should be implemented at the DP’s end and the depositories should
put in place a suitable mechanism to maintain a database of the scanned DIS.
b) DIS should be standardized across DPs to facilitate easy identification and tracking of DIS
issuance and processing.
c) The depositories should put in place systems such that all significant DIS related
information is available to them for off site inspections.
Chapter 1
Assessment of Existing Policy Framework for Depositories
The enactment of the Depositories Act in August 1996 paved the way for the introduction of the
Depository system in India. India has adopted a Dematerialisation system wherein, by operation
of law, physical share certificates are replaced with shares in electronic form. In the books of
the company, the depository is the registered owner, and the depository in turn maintains an
electronic ledger of the securities wherein movements of securities from one account to another
are recorded and maintained to bestow rights on the investors as the beneficial owners.
The introduction of Depository System has been instrumental in eliminating various drawbacks
in handling of physical share certificates in terms of problems related to transfer of shares, bad
deliveries, loss of share certificates etc. and it enabled fast and efficient settlement (T+2
settlement cycle).
I. Structure and Role of Depositories
National Securities Depository Limited (NSDL) was the first depository to be established in India
in the year 1996, followed by Central Securities Depository Limited (CDSL) in the year 1999.
Depositories are systemically important post-trading infrastructures. They perform crucial
services such as custody and safekeeping of securities, settlement and efficient processing of
securities transactions in financial markets. Some of the benefits brought about by the
depository system are listed below:
1. Holding securities assets for the whole market: With almost all the new issues now in demat
mode, the depositories now hold custody of the securities assets for the entire market. The
total custody value of the securities held in Indian depository system as on March 31, 2014
amounts to Rs.1,00,27,479 crores.
2. Facilitate holding of securities in dematerialised form: Depositories have enabled the
securities to be held in electronic form, resulting in a host of benefits to the investors by
eliminating the risks associated with holding securities in physical form.
3. Facilitate Transfer of Securities: Depositories enable the efficient transfer of securities
through electronic book entry. This enables quick ownership of securities on settlement
resulting in increased liquidity, avoids confusion in the ownership title of securities,
provides easy receipt of public issue allotments and enables quick receipt of benefits from
corporate actions like stock splits and bonuses.
4. Facilitate free, secure and efficient movement of securities: The depository system, which
links the depositories with the issuers/ RTAs, depository participants (DPs), and Clearing
Corporation/ Clearing house of stock exchanges, facilitates secure and efficient movement
of securities.
5. Spreading the concept of dematerialisation among the retail investors: The depositories
through their investor education and awareness programs inform and educate the investors
on the benefits of dematerialisation and encourage them to hold the securities in demat.
6. Protect the interest of two primary stakeholders in the securities market: the investors in
securities and the issuers of those securities:
a. The interests of investors are protected by ensuring the proper recording of the
beneficial ownership of the securities by enabling securities transactions to be
processed and settled by book entry.
b. The interests of the issuers are protected by ensuring the integrity of security issues so
that securities initially created equals the total number of securities in circulation at any
time. This is achieved by daily reconciliation of the records between the depositories
and Issuers/ RTA.
II. Depositories Act
Depositories Act, 1996 is the primary enactment which enabled setting up of Depositories.
Depositories Act provides for setting up and regulation of depositories for dematerialising
securities and for matters connected therewith or incidental thereto. It requires depositories to
obtain a certificate of commencement from SEBI. It also mandates SEBI to satisfy itself that the
depository has adequate systems and safeguards to prevent manipulation of records and
transactions before granting certificate to depository.
The Act broadly outlines the framework for providing depository services through participants
or agents and lays down the rights and obligations of the depositories, participants, issuers and
beneficial owners (BOs). It gives option to the investors to hold the security either in demat/
physical form and has mandated depositories to indemnify BOs for any loss incurred by them. It
also gives power to SEBI to conduct Enquiry, Inspection, call for information and in certain cases
give directions. It prescribes penalty for various offences and empowers SEBI to adjudicate for
the purpose of imposing penalty.
III. SEBI (Depositories & Participants) Regulations
Under the mandate of the Depositories Act, SEBI has framed the SEBI (Depositories and
Participants) Regulations, 1996 to carry out the purposes of the Depositories Act. These
regulations chiefly provide for the following:
• Procedure for grant of certificate of registration and certificate of commencement of
business to the depositories, eligibility criteria for sponsors of the depositories, criteria for
fit and proper person for the depositories, participants, sponsors and shareholders and
networth requirement for the depositories.
• System level requirements for protecting automatic data processing system, securing
network communications, establishing standard transmission and encryption formats for
electronic communications and maintaining data back up.
• Ownership and governance norms for the depositories, Code of conduct for the
depositories, their directors and key management personnel and depository participants,
appointment of compliance officer etc.
• Rights and obligations of the depositories, participants and issuers, agreement to be
entered between depository, participant and issuer, records to be maintained, systems and
procedures, connectivity, reconciliation etc.
• External and Internal monitoring, review and evaluation of systems and control.
• Securities eligible for dematerialization.
• Restriction on carrying out activity not incidental to the activity of the depository.
Some of the above provisions of the policy framework are elaborated below:
1. Grant of certificate of commencement of business to Depositories
Regulation 13(1) requires SEBI to take into account all matters relevant to the efficient and
orderly functioning of the depository before granting certificate of commencement of
business. In particular they include the following:
• The automatic data processing systems of the depository have been protected against
unauthorized access, alteration, destruction, disclosure or dissemination of records and
data
• The network through which continuous electronic means of communications are
established between the depositories, participants, issuers and issuer’s agents is secure
against unauthorized entry or access
• The depository has established standard transmission and encryption formats for
electronic communications of data between the depository, participants, issuers and
issuer’s agents
• The physical or electronic access to the premises, facilities, automatic data processing
systems, data storage sites including back up sites and to the electronic data
communication network connecting the depository, participants, issuers and issuers’
agents is controlled, monitored and recorded
• The depository has a detailed operations manual explaining all aspects of its functioning,
including the interface and method of transmission of information between the
depository, issuers, issuers’ agents, participants and beneficial owners
• The depository has established adequate procedures and facilities to ensure that its
records are protected against loss or destruction and arrangements have been made for
maintaining back up facilities at a location different from that of the depository.
2. Governance norms
Clear, transparent and well documented governance norms and procedures are crucial for
the efficient functioning of any organization. It is especially true in the case of depositories
who hold in their custody the securities of the entire capital market. In this respect the
Bimal Jalan Committee made several recommendations on the Ownership and Governance
of Market Infrastructure Institutions. SEBI accepted many of these recommendations and
implemented them by making suitable amendments to the Regulations in the year 2012.
3. Restriction on other activity
Depositories Act and the DP Regulations restrict the activity of the depositories to the
dematerialisation of securities. As per Regulation 7 (c), the depository shall not carry on any
activity other than that of a depository unless the activity is incidental to the activity of the
depository. However, a depository may carry out such activity not incidental to its activities
as a depository, if such activity has been assigned by the Central Government or by a
regulator in the financial sector. Provided that the activity is carried out through the
establishment of a Strategic Business Unit (SBU) specific to each activity with the prior
approval of SEBI and subject to such conditions as may be prescribed by SEBI including
transfer of such activity to a separate company within such time as may be specified by it.
4. Insurance against risks
A depository is required to take adequate measures including insurance to protect the
interests of the beneficial owners against risks likely to be incurred on account of its
activities as a depository.
5. Reconciliation
Every depository participant is required to reconcile its records with every depository in
which it is a participant, on a daily basis. The issuer or its agent reconciles the records of
dematerialized securities with all the securities issued by the issuer, on a daily basis.
Every issuer is required to submit audit report on a quarterly basis to the concerned stock
exchanges audited by a qualified chartered accountant or a practicing company secretary,
for the purposes of reconciliation of the total issued capital, listed capital and capital held
by depositories in dematerialized form, the details of changes in share capital during the
quarter and the in principle approval obtained by the issuer from all stock exchanges where
it is listed in respect of such further issued capital.
6. Inspection of Depositories
In order to examine whether the procedures and practices of the depository are in
compliance with the Depositories Act, 1996, SEBI (Depositories and Participants)
Regulations, 1996, SEBI circulars, the bye-laws etc., SEBI conducts regular inspection of
depositories. As a general rule, such inspections are carried out once in a year. SEBI also
conducts specific purpose inspection which is decided on case to case basis depending on
the requirement of the situation.
7. Systems and procedures
Every depository is required to have systems and procedures which will enable it to
co-ordinate with the issuer or its agent, and the participants, to reconcile the records of
ownership of securities with the issuer or its agent, as the case may be, and with
participants, on a daily basis.
8. Connectivity
Every depository is required to maintain continuous electronic means of communication
with all its participants, issuers or issuers' agents, as the case may be, clearing houses and
clearing corporations of the stock exchanges and with other depositories.
9. Business Continuity Plan
A depository is mandated to have adequate Business Continuity Plan for data and electronic
records to prevent, prepare for, and recover from any disaster.
IV. Policy Circulars / Guidelines Issued by SEBI
In addition to the D&P Regulations, SEBI issues circulars / guidelines from time to time to
regulate various aspects of Depository and depository participant operations. The committee
took a brief overview of the various circulars issued by SEBI relating to depository functions and
noted that measures like In-person verification (IPV) and mandatory PAN requirement ensure
that instances of fraudulent / fictitious accounts do not occur. Further, measures like
freezing further issue of capital under temporary ISIN until trading approval is obtained,
prevent their transfer and mingling with other shares. This enhances the integrity of the
process for security issuances.
V. Observations of the Committee
The committee examined the broad policy framework mentioned above and method of its
implementation in the depositories. Observations of the committee in this regard are given
below:
1. It is important for SEBI to ensure that the system and technology related requirements
which are verified prior to granting certificate for commencement of business, are also
maintained on an ongoing basis. The committee noted that SEBI ensures the same
through regular inspections and system audits. The committee emphasised that this is
an important aspect of the depository system architecture and SEBI should regularly
update its oversight processes to ensure ongoing compliance.
2. The committee further noted that reconciliation of records of shareholding is very
critical to maintaining integrity of the capital markets. The responsibility for reconciling
records of total issued capital, listed capital and capital held by depositories in
dematerialized form lies with issuer. This means that while depositories maintain
reconciled records for dematerialized holding, there is no single place where records of
physical shareholding are available in a complete and reconciled manner. The
committee therefore recommends that SEBI may put in place a mechanism so that
depositories maintain complete reconciled record of total issued and listed capital.
3. On the issue of restriction of depositories from carrying out any other activity, the
committee felt that depositories are uniquely placed to scale up and utilize their
infrastructure to dematerialize not just securities but also other financial assets subject
to adequate regulatory framework and checks and balances being put in place. In this
regard, the committee notes that the Honourable Union Minister of Finance, Shri P
Chidambaram, in the interim budget speech of 2014 on 17th February 2014 stated that
one of the steps envisaged for the financial sector is "to create one record for all
financial assets of every individual". This vision was further spelt out in the Budget
Speech by Finance Minister Shri Arun Jaitley in his proposal to "Introduce one single
operating demat account so that Indian financial sector consumers can access and
transact all financial assets through this one account." The committee further notes
that FSLRC as part of its recommendations also suggested "allowing depositories to
store securities including Government Securities and record of other financial services in
electronic form only". All these proposals aim to achieve a unified financial market
coupled with greater choice and ease of access for the consumers. The committee feels
that the above proposal would promote the integration of the Indian Financial markets
and allow the consumers greater access to and control of a wide portfolio of financial
assets. This aspect, which the committee intended to recommend based on interactions
with the stakeholders, was well received by the depositories and also the market
participants.
4. With greater integration of depositories with other financial service providers, the
committee feels that there is possibility of interconnectivity of depositories with
financial institutions/ FMIs/ international CSDs in future. Interconnectivity may require
standardization of messaging formats used by depositories. The committee therefore
recommends that it may be desirable to standardise messaging formats in the long
term.
5. With regard to KYC, the committee noted that the e-KYC service launched by Unique
Identification Authority of India (UIDAI) has been accepted by SEBI as a valid process of
KYC verification. The committee also informed that NPCI has entered into an MoU with
UIDAI in order to aid financial inclusion through Aadhaar enabled bank accounts and
financial transactions. The Committee recommends that use of e-KYC through NPCI
should be popularised among DPs.
Chapter 2
Assessment of Depository System on the basis of relevant Globally accepted Principles for Financial Market Infrastructures so as to benchmark with Global Best Practices
Benchmarking the Indian Depositories with Globally accepted Principles
Depositories are recognized as Financial Market Infrastructure under the CPSS-IOSCO Principles
for FMIs which were formally issued by CPSS-IOSCO on 16 April 2012. The committee was of the
view that it was important to benchmark Indian Depositories against the FMI Principles
particularly as the FMI Principles were framed to strengthen market infrastructure institutions
after the 2008 financial crisis. The committee also looked into the recommendations of CESR-
ESCB pertaining to CSDs and mapped the said recommendations with the FMI principles.
The committee noted that a self assessment with regard to the FMI Principles was carried out
by Depositories. SEBI has also issued a circular on Sep 04, 2013 requiring Depositories and
clearing corporations to comply with the FMI Principles and mentions periodic assessment of
Depositories' compliance with the FMI Principles.
The committee took note of the methodology of assessment specified by CPSS-IOSCO which
involves an elaborate questionnaire with key consideration issues on each FMI principle and
reviewed the compliance of depositories with the FMI Principles based on their self
assessment. The observations of the committee regarding compliance of the Depositories
with the FMI Principles are as follows:
Principle 1 and 2
1. Legal basis: An FMI should have a well-founded, clear, transparent, and enforceable legal
basis for each material aspect of its activities in all relevant jurisdictions.
2. Governance: An FMI should have governance arrangements that are clear and transparent,
promote the safety and efficiency of the FMI, and support the stability of the broader financial
system, other relevant public interest considerations, and the objectives of relevant
stakeholders.
Observations: The committee noted that the legal basis for setting up of Depositories and their
functions are defined under the Depositories Act, 1996, SEBI (Depositories & Participants)
Regulations, 1996 and the approved Byelaws and Rules/Instructions of Depositories.
Depositories are incorporated under the Companies Act, 1956 and the composition of their
Board is governed by the relevant provisions of the Companies Act and the guidelines issued by
the SEBI from time to time. SEBI has also strengthened the governance arrangements for
Depositories in D&P Regulations in the year 2012 by incorporating the provisions on governance
structure and shareholding, thereby enhancing public interest.
Principle 3 and 17
3. Framework for the comprehensive management of risks: An FMI should have a sound risk-
management framework for comprehensively managing legal, credit, liquidity, operational, and
other risks.
17. Operational risk: An FMI should identify the plausible sources of operational risk, both
internal and external, and mitigate their impact through the use of appropriate systems,
policies, procedures, and controls. Systems should be designed to ensure a high degree of
security and operational reliability and should have adequate, scalable capacity. Business
continuity management should aim for timely recovery of operations and fulfilment of the
FMI’s obligations, including in the event of a wide-scale or major disruption.
Observations: On the issue of risk management, the Committee noted that apart from the above two principles, risk management is also covered under Principle 2. The committee noted that the relevant FMI Principles mention the following:
2.6 “The board should establish a clear, documented risk-management framework that includes
the FMI’s risk-tolerance policy, assigns responsibilities and accountability for risk decisions, and
addresses decision making in crises and emergencies. Governance arrangements should ensure
that the risk-management and internal control functions have sufficient authority, independence,
resources, and access to the board.”
17.1 “An FMI should establish a robust operational risk-management framework with
appropriate system, policies, procedures and controls to identify, monitor and manage
operational risk”
17.5 “An FMI should have comprehensive physical and information security policies that address
all potential vulnerabilities and threats.”
17.6 “An FMI should have a business continuity plan that addresses events posing a significant
risk of disrupting operations ………. The FMI should regularly test these arrangements.”
17.7 “An FMI should identify, monitor and manage the risks that key participants, other FMIs and services and utility providers might pose to its operations. In addition, an FMI should identify, monitor and manage the risks its operation might pose to other FMIs.”
On the governance structure for risk management, the committee noted that while the
Depositories follow practices including Business Continuity and Disaster Recovery plan, internal
audit and controls, insurance etc, they do not have a Board level policy for assessing their risk
tolerance, and assigning responsibility and accountability for risk decisions.
FMI principles lay emphasis on the need to have robust risk management framework to
identify, monitor and manage various risks emanating from multiple sources to its operations.
The depositories have in place a risk management group/committee comprising members
from senior management which identifies and assesses risks that arise in the depositories'
business. However, it was observed that there is no documented common enterprise-wide
comprehensive risk management policy framework with the depositories. Risk management is
done in respect of different operational areas in a non-cohesive manner. The committee
therefore recommends that there should be a Board approved policy providing for a well
documented comprehensive risk management framework at both depositories. The committee
also recommends that the risk management group/committee should be active and meet
periodically to continuously identify, evaluate and assess applicable risks in depository system
through various sources such as investor complaints, inspections, system audit etc. and
suggest measures to mitigate risk wherever applicable. The Chief Risk Officer should be made
responsible, accountable, accessible & answerable to the board on overall risk management
issues.
Principle 15: General business risk
An FMI should identify, monitor, and manage its general business risk and hold sufficient liquid
net assets funded by equity to cover potential general business losses so that it can continue
operations and services as a going concern if those losses materialise. Further, liquid net assets
should at all times be sufficient to ensure a recovery or orderly wind-down of critical operations
and services.
Observations: In order to cater to general business risk, the Committee noted that the
Depositories are required to have minimum net worth of Rs 100 crore as laid down in SEBI
(Depository & Participants) Regulations. The Committee noted that both Depositories have
net worth higher than the minimum stipulated net worth. As the main source of revenue for
depositories is issuer charges and transaction fees, the business risks may stem mainly from low
market activity or risk of competition. However, with regard to orderly winding down of a
depository in the event of unforeseen circumstances, the FMI Principles state the following:
“3.4 An FMI should identify scenarios that may potentially prevent it from being able to
provide its critical operations and services as a going concern and assess the
effectiveness of a full range of options for recovery or orderly wind-down. An FMI should
prepare appropriate plans for its recovery or orderly wind-down based on the results of
that assessment. Where applicable, an FMI should also provide relevant authorities with
the information needed for purposes of resolution planning.”
"15.3 An FMI should maintain a viable recovery or orderly wind-down plan and should
hold sufficient liquid net assets funded by equity to implement this plan. At a minimum,
an FMI should hold liquid net assets funded by equity equal to at least six months of
current operating expenses. These assets are in addition to resources held to cover
participant defaults or other risks covered under the financial resources principles.
However, equity held under international risk-based capital standards can be included
where relevant and appropriate to avoid duplicate capital requirements."
The Committee observed that there is no laid down system or procedure for orderly winding
up of depositories in the event of potential scenarios such as voluntary winding up by
depositories, depositories going bust due to general business risk, fraud at the end of
depositories, or liquidation of depositories due to regulatory action or court order. In the Indian
depository micro structure, there are two depositories. In the event of failure, disruption or
winding up of one depository, all the demat accounts and securities held with stressed
depository can be potentially moved to another depository without affecting the interest of
investors. These measures are technically possible in the existing market micro structure,
though there is no laid down written document detailing the process and procedure for orderly
winding up of depositories. In view of the above, the committee felt that there is a need to have a well
documented framework for orderly winding down of the depository operations.
Principles 13, 19, 20 and 23:
Principle 13: Participant-default rules and procedures
An FMI should have effective and clearly defined rules and procedures to manage a participant
default. These rules and procedures should be designed to ensure that the FMI can take timely
action to contain losses and liquidity pressures and continue to meet its obligations.
Principle 19: Tiered participation arrangements
An FMI should identify, monitor, and manage the material risks to the FMI arising from tiered
participation arrangements.
Principle 20: FMI links
An FMI that establishes a link with one or more FMIs should identify, monitor, and manage link-
related risks.
Principle 23: Disclosure of rules, key procedures, and market data
An FMI should have clear and comprehensive rules and procedures and should provide
sufficient information to enable participants to have an accurate understanding of the risks,
fees, and other material costs they incur by participating in the FMI. All relevant rules and key
procedures should be publicly disclosed.
Observations: The committee noted that Depository Participants do not handle financial
settlement and therefore participant default rules are not relevant with regard to ensuring
payment and settlement of securities transactions. Further, the depository structure requires
maintenance of beneficial owner-wise accounts. Hence, securities are segregated in the name
of the beneficial owner and hence cannot be used by the Participant. Further, the records of
securities in beneficial owner accounts are also held in the Depository system. Thus participant
default does not affect safety of investors' securities. In the event of default, Depositories have
clearly defined rules and procedures for the Participant to be followed for every activity
including transfer of investors' accounts to another Participant.
The Depository structure in India as mandated by the legal framework only provides for direct
participation. Therefore the risks arising out of tiered participation arrangements are not
present as the depository maintains every single account. The beneficial owners hold their
demat accounts with Depository Participants who act as agents of the Depository.
With regard to links between FMIs, the Committee noted that the IT architecture is well
established and robust. Depositories have established links with Clearing Corporations of Stock
Exchanges and between themselves to facilitate settlement of securities and inter-depository
transfers. Legal basis for establishing links with the other FMIs and transfer of securities
between Depositories and Clearing Corporations is clearly laid down in the Bye Laws and Rules
of Depositories and CCs.
With regard to disclosure of rules, key procedures, and market data, the Committee noted that
information regarding bye-laws and business rules/operating instructions is published on the
website of the Depositories. Depositories have also provided the details of various types of fees
charged by them and various charges applicable to Beneficial Owners on their website.
Recommendations by the Committee
1. Risk Management Framework for Depositories
FMI principles lay emphasis on the need to have robust risk management framework to
identify, monitor and manage various risks emanating from multiple sources to its
operations.
The committee therefore recommends that there should be a Board approved policy
providing for a well documented comprehensive risk management framework at both
depositories. The committee also recommends that the risk management group/committee
should be active and meet periodically to continuously identify, evaluate and assess
applicable risks in depository system through various sources such as investor complaints,
inspections, system audit etc. and suggest measures to mitigate risk wherever applicable.
The Chief Risk Officer should be made responsible, accountable, accessible & answerable to the
board on overall risk management issues.
2. Orderly winding down of depositories
The Committee observed that there is no laid down system or procedure for orderly winding
up of depositories in the event of potential scenarios such as voluntary winding up by
depositories, depositories going bust due to general business risk, fraud at the end of
depositories, or depositories liquidation due to regulatory action or court order. In the Indian
depository micro structure, there are two depositories. In the event of failure, disruption or
winding up of one depository, all the demat accounts and securities held with stressed
depository can be potentially moved to another depository without affecting the interest of
investors. These measures are technically possible in the existing market micro structure,
though there is no laid down written document detailing the process and procedure for
orderly winding up of depositories. In view of the above, the committee felt that there is a need to
have a well documented framework for orderly winding down of the depository operations
including making necessary legal provisions in the regulations, rules and Depository Act.
Chapter 3
Identification of Areas for Continuous Improvement of Systems, Procedures and Practices
While assessing the policy framework for Depositories, the committee identified certain areas
that needed further focus in terms of their role in the depository system. The depository
system is a pillar of the securities market as it brings together investors, issuers and the
secondary markets and holds the wealth generated by the capital markets. The robustness of
the depository system is thus very important for the capital markets. It has an important role in
bringing in new investors through better reach, opening of more demat accounts and providing
better service to investors. At the same time, the depository system is required to maintain
integrity of data and prevent misuse/ fraud in any manner.
In view of the above, the committee looked into the following areas:
Business Model of Depository Participants.
Complaints against Depositories and Depository Participants.
Investor Protection Fund (IPF) of Depositories.
Use of Non Disposal Undertaking (NDU) for Lending/ Borrowing of Securities.
Outsourcing by Depositories
I. Business Model of Depository Participants
Depository services are provided by DPs which are mainly banks and stock brokers. Almost 96%
of the BO accounts are held by the banks and Stock broker DPs. For these banks and brokers,
depository services are not their primary activity but an add-on or ancillary service and
therefore not their primary revenue centres. In the absence of the same, there may not be much
incentive for the DPs to aggressively promote opening of new demat accounts.
The committee observed that over a period of time SEBI has taken various steps for
rationalization of charges like abolition of account opening charges, mandating the custody
charges to be payable by the issuers instead of the investors, introduction of Basic Services
Demat Accounts (BSDA) etc. While these measures have helped small investors, they have also
affected the viability of maintaining such accounts due to sliding down of income from those
accounts and ultimately the overall income for DPs from depository services. Thus there
appears to be lack of incentives for DPs to expand their reach to the said category of investors.
The committee examined the revenue sources of the depositories and their income from
depository operations.
1. Income source of Depositories
The main sources of income for the depositories are:
a. Annual Issuer Charges
b. Transaction charges
c. Software license fee/ user facility charges
a. Annual Issuer Charges: These are the charges levied by the depositories on the issuers/
companies as custody charges for holding shares in demat form. The depositories
currently charge Rs. 8/- per folio (ISIN position) subject to a minimum as mentioned
below:
Nominal value of admitted securities (Rs) | Annual Custodial Fee payable by an issuer to each Depository (Rs) (*)
Upto 5 crore | 6,000
Above 5 crore and upto 10 crore | 15,000
Above 10 crore and upto 20 crore | 30,000
Above 20 crore | 50,000
*Plus service tax as applicable
The charges are prescribed by SEBI and were last revised in February 2009, when the charges
were revised from Rs 5 per folio to Rs 8 per folio.
b. Transaction charges: These are charged by the depositories on the DPs for the
transactions done by the BOs in their account. The various types of transactions that are
charged are debit transactions, settlement fee charged on clearing members for debit.
Other fees charged are for services like rematerialisation of shares, creation of pledge
etc. NSDL charges a flat fee of Rs 4.50 per debit transaction whereas CDSL charges in the
range of Rs 5.50 to Rs 4.25 based on the monthly transaction bill amount of the DPs.
c. Software license fee/ user facility charges: These are the annual charges levied upon the
DPs and Issuers for availing the software usage services.
INCOME FROM DEPOSITORY OPERATIONS FOR NSDL AND CDSL
Figures in Rs. crores
Depository | Particulars | For the year ended March 31, 2011 | For the year ended March 31, 2012 | For the year ended March 31, 2013
CDSL | Annual Issuer charges | 30.77 | 35.86 | 38.97
CDSL | Transaction charges | 34.85 | 27.43 | 24.31
CDSL | User Facility Charges | 4.38 | 4.25 | 4.13
CDSL | Account Maintenance charges | 1.72 | 1.94 | 2.10
CDSL | Others | 12.43 | 8.10 | 5.60
CDSL | Total | 82.04 | 77.59 | 75.13
NSDL | Custody fees (Annual Issuer charges) | 46.85 | 50.46 | 51.83
NSDL | Transaction fees | 65.44 | 48.91 | 42.37
NSDL | Software license fees | 0.20 | 0.08 | 0.18
NSDL | Annual fees | 0.55 | 0.71 | 0.76
NSDL | Other operational Income | 4.39 | 2.80 | 2.90
NSDL | Total | 117.43 | 102.96 | 98.05
It is seen from the table above that the major sources of income for depositories are the annual
issuer charges collected from the issuer companies and the transaction charges collected from
Depository Participants for the transactions effected by their clients. The revenue from issuer
charges has increased over the years but the income from transaction charges has shown a
decrease on account of adverse market conditions.
The committee felt that one of the ways to increase the revenue of depositories is through
revision of the annual issuer charges. Unlike transaction fees, the issuer charges form a more
steady source of revenue and are relatively immune to the market conditions. The charges are
not borne by the investor but the issuer companies who have been the major beneficiaries of
dematerialization in terms of cost savings for share registry work. Therefore, the committee
feels that since the annual issuer charges were last revised in 2009, there is a case to revise the
folio based charges. Presently, the depositories charge Rs.8 per folio from the issuers per ISIN
towards holding shares in demat form, subject to a prescribed minimum.
2. Income source of Depository Participants
Depository Participants (DP) act as the agents of the Depositories. The depositories charge the
DPs for certain services like debit transactions, pledge instructions, rematerialisation etc. The
DPs in turn charge their clients for these services with a mark up. However competition ensures
that the charges remain competitive as the details of the charges are available in the respective
websites of the DPs and a comparative list at the Depository websites as well.
Annual Maintenance charge levied by the DPs on their clients forms the major source of
revenue apart from the revenue from transactions and other services like
dematerialisation/rematerialisation, pledge instructions etc. Most of the DPs usually charge
AMC in the range of Rs 150 to Rs 500 for individuals and Rs 500 to Rs 1500 for corporate
accounts. The DPs also offer different schemes with different AMCs. For Basic Services Demat
Accounts (BSDA) no AMC can be charged for accounts having custody value upto Rs 50,000
while an AMC upto Rs 100 can be charged for those BSDA whose custody value is between Rs
50,000 and Rs 200,000. Presently there are over five lakh basic services demat accounts. The
depository system today has more than 2 crore accounts but half of them have zero balance in
their accounts indicating a lack of participation by the retail investors. This also implies that
revenue from these accounts in the form of AMC would be practically zero even though not all
these accounts are designated as BSDA. The non recovery of dues from the clients resulting in
high NPAs with the DPs is a direct consequence of the non retail participation. This has an impact
on the financial health of the DPs and viability of the DP services as a standalone business.
Observations/ Recommendations
Based on the committee's deliberations on this issue, the committee recommends the
following:
a) The revenue source of depositories may be augmented and DPs may be incentivized by
having a revenue sharing mechanism between the depositories and DPs which may encourage the DPs to expand their reach in tier II & III towns.
b) In order to incentivize DPs, which are the first point of contact with investors, the annual issuer charges may be suitably enhanced and be shared with the DPs by the depositories. SEBI may take a view with regard to the mode of sharing this incremental revenue with the DPs so as to promote growth of retail participation and depository services.
c) The incentive structure may be so devised that DPs get compensation on any incremental
account opened by them in tier II and III towns. In this regard the Bank DPs with their large branch network and wider reach in these towns can play a crucial role in furthering the objectives of financial inclusion.
d) DPs would deserve to be compensated for the cost incurred in account opening, especially Basic Services Demat Accounts (BSDA), as it will act as a motivator for DPs to open more accounts.
II. Complaints against Depositories and Depository Participants.
Complaints are received against Depository, Depository Participants, RTAs/ Issuers directly by
the Depositories as well as through SEBI. SEBI has an online complaints redressal system
(SCORES) through which Depository related complaints are sent to the respective Depository
for their redressal. Different types of complaints relating to depository services are:
a) Account opening related
b) Transaction statement related
c) Improper Services Related
d) Charges related
e) Delivery Instruction related
f) Account closure Related
g) Manipulation/ Unauthorized action related
h) Demat/remat related
i) Company/ RTA related
j) Others
The data for different types of complaints during the period Jan 2012 to November 2013 is
given below:
Type of Complaint | Average (Pending at the beginning of the month + received during the month) | Average resolved during the month | Resolving Percentage
Account opening related | 11 | 8 | 72.73%
Transaction statement related | 29 | 20 | 68.97%
Improper service related | 43 | 32 | 74.42%
Charges related | 44 | 32 | 72.73%
Delivery Instruction related | 29 | 20 | 68.97%
Account closure Related | 70 | 54 | 77.14%
Manipulation/ Unauthorized action related | 26 | 19 | 73.08%
Demat/remat related | 1503 | 48 | 3.19%
Company/ RTA related | 22 | 20 | 90.91%
Others | 215 | 200 | 93.02%
It is seen from the data that the largest proportion of pending complaints relates to delay in
demat/ remat. These complaints arise when securities are sent by the DPs to issuer/ RTAs for
dematerializing / rematerializing, and there is delay in response from the issuer/ RTA. The
causes for such delay could be on account of the following reasons:
a. RTA may not respond due to non payment of fees by the issuer.
b. The issuer may be a loss making company which is no longer in business.
c. There could be vanishing companies whose officials are not traceable.
d. The issuer could be a suspended non-compliant company which does not respond to
demat/remat request.
The committee notes that the number of complaints against the Depositories and/or DPs
attributable to their service factors was significantly less except the complaints due to delay in
demat/remat which in fact were due to reasons resting with Issuers and/or RTA. Also, there
were no pending complaints against the Depositories as on November 30, 2013 evidencing that
the complaints redressal was fairly satisfactory.
III. Investor Protection Fund (IPF) of Depositories
Analysis of the complaints received against depositories and DPs shows that most complaints
are resolved quickly except for complaints relating to delay in demat/ remat. In such cases, the
delay is at the end of issuers and RTAs rather than the Depositories. Considering the nature of
complaints and the fact that there were negligible pending complaints, the committee
reviewed the Investor Protection Fund for Depositories and its possible utilization.
The Dr. Bimal Jalan Committee on “Review of Ownership and Governance of Market
Infrastructure Institutions (MIIs)” had inter alia recommended "that a cap may be fixed on the
maximum return that can be earned by an MII on its net worth and can be distributed /
allocated to the shareholders out of the total returns earned by the MII. The Dr. Bimal Jalan
committee also recommended that any return/profits above such maximum attributable
amount would be transferred to IPF or SGF as the case may be and the same would not form
part of shareholders funds/net worth for the purposes of determining returns and book value
of the shares."
Subsequent to the discussion on the Dr Bimal Jalan Committee in the SEBI Board, it was decided
that in case of a depository, 25% of the profits of the depository will be transferred to the IPF of
the depositories.
The Committee observed that the contribution of 25% of annual profits by depositories to IPF
appears to have been stipulated on the lines of the provisions of the Securities Contracts
(Regulation) (Stock Exchanges and Clearing Corporations) Regulations, 2012 wherein
exchanges are required to contribute 25% of their annual profit to the fund created by clearing
corporations for the purpose of guaranteeing settlement of trades. The object of such a fund,
however, is materially different from that of the proposed fund under the depositories
regulations. The committee noted that an IPF created under the Depositories and Participants
(Amendment) Regulations, 2012 is primarily for investors’ awareness, education and training.
The risks to the depositories on account of fraud, etc., are covered by insurance which is taken
by the depositories. In case of failure/ closure of DPs, the investors are protected as the
Beneficiary Owner data is present with the depositories and the investors are allowed to shift
their accounts to other DPs. In view of this, the committee noted that the fund does not
envisage providing compensation for any loss to the investors.
Investor Education and Protection Fund under the Companies Act, 1956 (“IEPF”) and Investor
Protection and Education Fund under the SEBI Act, 1992 (“IPEF”) have been created without
any contribution from any intermediary. Broadly, IEPF under the Companies Act is created with
the amounts of unpaid dividend, grants, donations from the Central/State Governments and
institutions, etc. On the other hand, IPEF is created by transferring to it the disgorged amount
under the SEBI Act. Past experience shows that while a huge corpus of IEPF has been created,
the same has not been utilised due to procedural difficulties associated with the use of such
fund.
Under the new company law every company having a net worth of Rs.500 crore or more or
turnover of Rs.1000 crore or more, is required to formulate corporate social responsibility
policy and to spend at least 2% of the average net profits in each year. Mandatory expenditure
of at least 2% appears to be quite realistic considering the size of the companies which are
required to discharge corporate social responsibility.
International practice seems to be tilted towards mandating a lower slab of contribution towards
IPFs. For example, securities brokers in China who have been rated A for three consecutive years and
been granted AA or A rating during the last rating period are required to pay 0.5% to 0.75% of
their operating revenue to the Securities Investor Protection Fund (“SIPF”).
The committee feels the need to synergise the funds created with the stock exchanges and the
depositories for the purpose of investors’ awareness, education and training. It is felt that since
the IPF with the depositories does not provide for any sort of protection like the guarantee
settlement fund, there is no need for an IPF with substantial contribution from the depositories
alone. The committee is also of the view that only the profit from depository operations need
be considered for the purpose of contribution to the IPF. Other income, i.e. income received
from investments and other non-operative activities, may be excluded from computation of
profits because income under this head is mostly received out of investments made from
accumulated reserves and surplus of past years, which was not distributed to stakeholders.
Based on the above deliberations, the committee recommends to SEBI the following:
a) Review the quantum of funds required to be transferred to IPF by depositories and arrive
upon a sizable limit for corpus of IPF.
b) Formulation of an Investment Policy for the IPF.
c) Mode of calculation of Profit - The committee recommends that only profits from depository
operations should be considered for calculating the amount to be transferred to IPF.
d) Utilization of IPF funds - The funds of the IPF should be utilized for compensating investors in
case of loss in events as may be specified by SEBI and conducting Investor Awareness and
Education Programs. The fund may also be utilized for supporting / incentivizing the
depositories' / DPs' initiatives for financial inclusion in a variety of ways.
IV. Use of Non Disposal Undertaking (NDU) for Lending/ Borrowing of Securities
The committee noted that there was an instance where a DP permitted promoters of a
company to use Non-Disposal Undertaking (NDU) tripartite agreement for borrowing against
the shares instead of utilising the pledging facility available in the depository system. This led
to a situation where the same shares which were encumbered through NDU were again
pledged to another lender using the pledge facility in the depository system.
It was reported that certain forged documents were submitted by the promoters of the
company to the DP conveying that the lenders had released the encumbrance on the shares as
mentioned in the NDU. Based on a forged letter, the DP allowed creation of pledge through the
depository system to another lender. Thus, at the same time, the shares were pledged twice.
Such Non Disposal Undertakings are understood to be a common practice for the purpose of
creating encumbrance on shares. The committee feels that such NDUs should not be permitted
in the market as the same is not captured in the depository system. Even though the
regulations require the promoters to disclose their encumbered shares (including those
encumbered through an NDU), there is no obligation on other investors. Further, if the
promoters fail to make this disclosure, this information may not be available to the market.
Pledging of shares through depository system enables availability of complete information
regarding pledger and pledgee and the shares pledged. The committee recommends that
pledge should be encouraged using the depository mechanism instead of means such as NDUs.
To discourage NDUs, SEBI should not permit DPs to be party to such NDUs.
V. Outsourcing guidelines for Intermediaries
Outsourcing of functions is a common practice across industries and is also seen in the financial
sector. Recognizing this, SEBI has issued guidelines for outsourcing by intermediaries in the
securities market. The guidelines acknowledge that concerns associated with outsourcing may
include operational risk, reputational risk, legal risk, country risk, strategic risk, exit-strategy
risk, counter party risk, concentration and systemic risk. In order to address these concerns,
intermediaries are mandated to follow the broad principles outlined by SEBI.
As per the SEBI Circular, the intermediaries desirous of outsourcing their activities shall not
outsource their core business activities and compliance functions. The intermediaries shall be
responsible for reporting of any suspicious transactions to FIU or any other competent
authority in respect of activities carried out by the third parties.
On the policy followed by NSDL and CDSL with respect to outsourcing, it was noted that both
the depositories have identified their core activities that shall not be outsourced. In addition,
the depositories have in place guidelines for risk analysis and implementation of control
measures in respect of outsourced activities.
The committee is of the view that outsourcing does bring in advantages in terms of reduced cost,
time and efficiency. However, the absence of a clear-cut policy for identifying and measuring or
evaluating the potential risk or impact of failure of an outsourced entity to deliver quality
services on time would have an adverse impact on the overall operations of the depositories.
The committee examined details of implementation of the outsourcing policy of NSDL and CDSL
on the following parameters:
- How the Risk Assessment and Mitigation measures listed in the policy document are
  being ensured / complied with.
- Whether the outsourcing agreement/ service level agreements pertaining to IT systems
  address the following:
i. penalty in cases of failure to deliver as per the agreement
ii. prevent further outsourcing to third parties
iii. uptime guarantee within a given time frame
iv. dependency on single network service providers for providing connectivity to
DPs, Issuers and other depository
v. contingency plans in the event of vendor failure
vi. role of outsourced manpower
Depositories have put in place appropriate measures with regard to the above parameters. The
committee is of the view that audit of implementation of these measures should form part of
System Audit of Depositories.
Therefore, the committee recommends the following:
a) Care should be exercised while outsourcing and wherever possible depositories should
put in place various controls to ensure that there is check on the activities of outsourced
entity especially to monitor that outsourced activities are further outsourced
downstream only with appropriate safeguards.
b) Core and critical activities of depositories should not be outsourced.
c) Core IT support infrastructure / activities for running the core activities of depositories to
the possible extent should not be outsourced.
d) Wherever outsourcing is allowed, depositories should ensure that risk impact analysis
is undertaken, only a reputed entity having proven high delivery standards is selected,
appropriate back up / restoration system is put in place and there is effective monitoring
of the outsourced entity on real time basis.
e) Audit of implementation of risk assessment and mitigation measures listed in the
outsourcing policy document and outsourcing agreement/ service level agreements
pertaining to IT systems should form part of System Audit of Depositories.
Chapter 4
Identification of Systemically Important Market Infrastructure Institutions and their Inter-Linkages
Innovations through Information Technology have led to a paradigm shift and revolutionized
the structure and the functioning of the securities market, the most important revolution being
electronic trading, clearing & settlement. Dematerialization of securities has been one of the
important landmarks in the securities market, made possible by technology, which not only
changed the way trading was being done but also eliminated various market evils.
The dependence on technology in securities markets is such that most of the financial markets
infrastructure institutions (Stock Exchanges, Depositories, Clearing and Settlement
Corporations, etc.) have started using technology extensively in various areas, which has reduced
the latency, cost and manpower. This dependence on technology has brought along a set of
challenges to deal with such as obsolescence, capacity handling, multiplicity & complexity of
systems, dependence on vendors and their associated risks, denial of services, external threats
(cyber attacks, cyber frauds / crimes), internal threats, governance & management of
technology, continuity of business and disaster recovery in case of exigencies, etc.
The reliance on technology has led to the introduction of a new set of risks, i.e. technology risks,
which not only have a direct impact in terms of operations of the institution but can also act as
a catalyst in cascading other risks such as credit risk, settlement risk and market risk.
Inadequate technology implementation can also induce strategic risk due to distortion of
information/data as well as compliance risk due to non-adherence to any legal or regulatory
requirement. These issues, therefore, not only have the potential to undermine investor
confidence & trust but can also lead to reputation risks.
In view of the above, it is desired that the technology infrastructure deployed by the DPs to
handle the task be robust, mature and secure and that the implementation mechanism
followed adhere to the industry best practices.
The committee deliberated on the system architecture of CDSL and NSDL to examine the need
for review of technology usage in the depository system. The system architectures of CDSL and
NSDL are described below:
I. System Architecture of Depositories
1. System Architecture of CDSL
a) CDSL has a centralized architecture and database. DPs enter the data in the system
provided by CDSL.
b) CDSL has deployed a 3 tier architecture depository software application (CDAS –
Centralized Depository Accounting System).
c) This application is accessed by users (DP & RTA) through WAN based connectivity.
d) It also has web based software applications for DPs, RTAs, BOs and CMs (EASI –
Electronic Access to Security Information and EASIEST – Electronic Access to Security
Information and Execution of Secured Transaction) which provide online and upload
based transactions using digital signature.
e) DPs do not have separate front end software. Each DP is required to have back office
software for the purpose of DIS issuance & usage controls, BO signature capture &
retrieval, and importing various reports generated by the CDSL system for updating
transaction status / reconciliation.
f) The centralized architecture of CDSL provides the following distinct advantages to the users:
- The initial set-up cost for Issuer Companies/their RTAs and Depository Participants
  is low.
- Information on investor's holdings is available to the Depository Participant and the
  Issuer or its RTA instantly.
- Database is replicated between main site and DR site using Oracle Data Guard
  facility.
g) The important checks available in the CDAS system of CDSL are:
- Mandatory PAN details
- PAN Validation
- Account activated only after capture of signature
- Debit and credits frozen in case of frozen BO accounts
- ISIN should be valid and active
- BO should be active
- Availability of balance in BO account
h) The various checks available in the back office system of CDSL DPs are:
- Maker checker for all transactions entered
- Verification of BO signature at the entry of instructions
- Inventory control of printed DIS books
- Record or cancel slips / slip books which are reported lost / returned by the BO
- Inventory control of DIS issued to POA holders
- Two step verification of high value DIS (value of more than Rs. 5 lacs) and for the
  transactions originating from dormant accounts
- Daily updation of back office from CDAS system
i) CDSL has 4 sites i.e. Main, DR data center, operational site at Fort, Mumbai and business
continuity center at Belapur, Navi Mumbai. All these 4 sites are interconnected with
each other using 45 Mbps/ 100 Mbps Ethernet leased lines. All leased line setups are
configured with redundancy from 2 different service providers.
j) During DR operations, CDSL users are seamlessly connected to DR site without any
change at user end.
k) CDSL complies with ISO 27001 standards for information security.
l) CDSL has been awarded BS25999-2:2007 certification for its Business continuity
Management Systems in April 2012.
2. System Architecture of NSDL
a) NSDL Depository system is a J2EE architecture standard based 3 tier implementation,
comprising presentation layer (web servers), business logic layer (application server)
and data layer (Database servers).
b) The design affords both horizontal and vertical scalability and is tested for linear
scalability for execution of four times the current daily volume of instructions in one
hour.
c) The current installed capacity can service the entire current daily volume of instructions in
just an hour.
d) The system is deployed on a cluster of Intel and UNIX servers, and Mainframe with
processor sparing facility and enterprise class storage with RAID and disk sparing
facility ensuring redundancy and no single point of failure.
e) Similarly, all routers, network devices and firewalls have equipment level redundancy and
are configured with automatic failover.
f) For servers, NSDL undertakes OS hardening by disabling unused ports and services.
Further, the infrastructure is periodically subjected to vulnerability assessment scans to
confirm that unwanted ports and services are indeed closed and the patch level of OS is
as required.
g) NSDL has designed their software in two distinct parts:
1) Depository Software (DM, eDPM) and 2) DP Software (Local DPM Software) which is
the front office. Participants can submit Instructions using eDPM hosted at NSDL and
Local DPM available at Participant’s end can be used to fulfill reporting requirement.
This provides flexibility to Participants to generate report on demand and for any period
and on real time basis.
h) The application code is subjected to application security test to ensure that it is not
vulnerable to SQL injection, cross site scripting and such attacks.
i) The front office can be used to operate complete DP functionality including account
opening, transfer & modifications, delivery, pledge, etc.
j) The DPs use back office for purposes such as DIS controls, billing, transaction controls,
and internet based trading, etc.
k) The important checks available in the front office are:
- The system can be accessed only by authorized users over intranet as well as
  internet using e-token with digital certificate based PKI challenge response
  mechanism which provides for two factor authentication based on ‘what you have’
  and ‘what you know’ principle of security.
- The access is granted strictly on ‘need to know’ and ‘need to do’ basis.
- The system requires two separate users, maker and checker, to execute any
  transaction.
- The system further ensures that the same user cannot assume both maker and checker
  roles, thereby enforcing the good practice of segregation of duty and preventing one
  user from unilaterally executing the Instruction.
- The system maintains complete audit trail for transactions including IP address of
  the workstation from which the Instruction originated.
- NSDL has recently developed end to end security for data files exchanged between
  Participant Back Office (BO) and Depository system. This facility allows Participants
  to encrypt as well as digitally sign files right at the stage of generation from their BO
  system.
- Compulsory daily backup and end of day internal reconciliation
- Online reconciliation of position balance post execution of each transaction.
- End of Day internal reconciliation of balances across all clients (i.e. including the
  ones who have not transacted). In addition, external reconciliation of changed
  Positions between Local DPM and eDPM for a Business day is carried out.
- Audit trail for transactions
Important Business validations are specified below:
- PAN is mandatory and is also structurally validated for opening of Beneficiary
  Account.
- Activation of Account is subject to capture of mandatory fields including signature.
- Account will not be allowed any debits and credits if the Account is suspended for
  debit and credit. Credits are allowed if Account is frozen for only debits.
- Transactions are allowed for ISIN in ‘Active’ Status. In addition, Account should be
  in ‘Active’ status and should have sufficient Balance in the free Account for any
  debit transaction.
- Source Account should be present with the participant initiating the Transaction.
- Source and Target Account should be present in the Depository System.
l) The important checks available in the back office are:
- Control on issuance & usage of DIS using unique DIS serial number
- Automatic blocking of used DIS
- Blocking of slips / slip books which are reported lost / returned by the BO
- Maker checker segregation for critical functions
- Verification of high value transactions and for the transactions originating from
  dormant accounts
- Investor grievances controls
- Verification of BO Signature at the time of entry of Instruction
m) NSDL has provided facilities to DPs to automatically update their back office with
depository related exports as well as submit instructions captured in back office in a
hands free manner and thereby eliminating operational errors.
n) NSDL has deployed identical infrastructure as production at its Disaster Recovery Site
located in another city with on-line storage based replication over high bandwidth low
latency link with near Zero RPO (Recovery Point Objective).
o) NSDL complies with ISO 27001 standards for information security.
p) NSDL has established capability as a part of BCP readiness to conduct business
operations from its branches, cold site and remote site over secure VPN with ‘what you
have and what you know’ security. Such recovery is done through alternate business
teams nominated for functional recovery in disaster events. The system seamlessly
connects such business users to the data center from which operations are conducted.
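The maker-checker rule and the business validations listed under item k) above can be expressed as follows. This Python example is added here for illustration and is not NSDL's code or part of the committee's report; the account identifiers, ISIN, user names, IP addresses and all class and function names are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Account states taken from the business validations listed above.
ACTIVE = "active"
FROZEN_DEBIT = "frozen_for_debit"             # credits are still allowed
SUSPENDED = "suspended_for_debit_and_credit"  # neither debits nor credits


@dataclass
class Account:
    participant: str                                    # DP holding the account
    status: str = ACTIVE
    free: Dict[str, int] = field(default_factory=dict)  # ISIN -> free balance


@dataclass
class Instruction:
    source: str
    target: str
    isin: str
    qty: int
    participant: str   # DP initiating the transaction
    maker: str
    maker_ip: str


class Depository:
    def __init__(self, accounts: Dict[str, Account], active_isins):
        self.accounts = accounts
        self.active_isins = set(active_isins)
        self.audit: List[dict] = []   # append-only trail, one record per release attempt

    def _log(self, ins, checker, checker_ip, outcome):
        self.audit.append({"maker": ins.maker, "maker_ip": ins.maker_ip,
                           "checker": checker, "checker_ip": checker_ip,
                           "source": ins.source, "target": ins.target,
                           "isin": ins.isin, "qty": ins.qty, "outcome": outcome})

    def validate(self, ins: Instruction) -> List[str]:
        src, dst = self.accounts.get(ins.source), self.accounts.get(ins.target)
        if src is None or dst is None:
            return ["source and target accounts must exist in the depository"]
        errors = []
        if src.participant != ins.participant:
            errors.append("source account is not with the initiating participant")
        if ins.isin not in self.active_isins:
            errors.append("ISIN is not active")
        if src.status != ACTIVE:
            errors.append("source account is not open for debits")
        if dst.status == SUSPENDED:
            errors.append("target account is not open for credits")
        if ins.qty <= 0 or src.free.get(ins.isin, 0) < ins.qty:
            errors.append("insufficient free balance")
        return errors

    def execute(self, ins: Instruction, checker: str,
                checker_ip: str) -> Tuple[bool, List[str]]:
        # Segregation of duty: the user who entered the instruction cannot release it.
        if checker == ins.maker:
            errors = ["maker and checker must be different users"]
        else:
            # Validate at release time; balances and states may have changed since entry.
            errors = self.validate(ins)
        if errors:
            self._log(ins, checker, checker_ip, errors)
            return False, errors
        self.accounts[ins.source].free[ins.isin] -= ins.qty
        target_free = self.accounts[ins.target].free
        target_free[ins.isin] = target_free.get(ins.isin, 0) + ins.qty
        self._log(ins, checker, checker_ip, "executed")
        return True, []


def sample_depository() -> Depository:
    # Constructed sample data; none of these identifiers come from the report.
    return Depository(
        {"BO-1": Account("DP-A", ACTIVE, {"INE000A00001": 100}),
         "BO-2": Account("DP-B", FROZEN_DEBIT, {"INE000A00001": 50}),
         "BO-3": Account("DP-B", SUSPENDED)},
        active_isins={"INE000A00001"})
```

A rejected attempt is written to the audit trail with both users and both workstation addresses, so a self-approval attempt is visible to an inspector even though no balance moved.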
The committee felt that it is important to understand that the initiatives of the Government of
India will fructify in ensuring that a large number of retail investors take part in the Securities Market
and therefore the load on the systems at the DPs as well as the Depositories will exponentially
increase. The IT resources located at the DPs' front office and back office have to meet
clearly defined performance metrics in order to ensure that the service delivery is as per
expectations. The IT resources, including the software environment, have to adhere to the stated
levels of
i. Performance and Scalability
ii. High Availability and Fault tolerance
iii. Security and Access Control
iv. Conformance to standards
Performance and Scalability:
As mentioned above, it is estimated that, in view of the initiatives of the GoI, a large number of retail
investors will become a part of the market in the near future and therefore, the IT
infrastructure should be in a position to handle the increased load with acceptable levels of
performance. More importantly, the performance should be consistent, taking into account the
scalability concerns.
High Availability and Fault Tolerance:
The IT infrastructure deployed should not have any single point of failure. In the event of failure
of any sub-system or component or software, the resultant solution has to continue to work, possibly with
acceptable levels of degraded performance, and a corrective mechanism has to be in place to
ensure that the rectification takes place within 4 hours. The administration, monitoring and
management of the solution have to be proactive to identify and correct the faults before the
failure occurs, in most of the cases. The IT infrastructure deployed by the DPs should have an
uptime guarantee of 99.5% measured on a monthly basis with mean time to restore (MTTR)
of not more than 4 hrs. Apart from the IT resources, the processes put in place, and the
implementation and management of the same, play a crucial role in ensuring compliance with the
above requirement.
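As an added illustration that is not part of the committee's report, the Python example below checks one calendar month of outage records against the 99.5% monthly uptime and 4-hour MTTR figures stated above. The outage timestamps are constructed, and merging overlapping outage windows and attributing an incident's restore time to the month in which it began are assumptions of this example. It shows that 99.5% of a 30-day month leaves a downtime budget of 3.6 hours, so a single outage restored exactly at the 4-hour limit already misses the uptime figure.

```python
from calendar import monthrange
from datetime import datetime, timedelta

UPTIME_TARGET_PCT = 99.5   # monthly uptime guarantee stated in the text
MTTR_LIMIT_HOURS = 4.0     # mean time to restore limit stated in the text


def merge_windows(outages):
    """Merge overlapping (start, end) outage windows so downtime is counted once."""
    merged = []
    for start, end in sorted(outages):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def monthly_sla(outages, year, month):
    """Evaluate one calendar month against the uptime and MTTR figures."""
    month_start = datetime(year, month, 1)
    month_end = month_start + timedelta(days=monthrange(year, month)[1])
    month_hours = (month_end - month_start).total_seconds() / 3600
    budget_hours = month_hours * (100 - UPTIME_TARGET_PCT) / 100

    down_hours = 0.0
    restore_hours = []
    for start, end in merge_windows(outages):
        # Downtime is clipped to the month being measured.
        lo, hi = max(start, month_start), min(end, month_end)
        if lo < hi:
            down_hours += (hi - lo).total_seconds() / 3600
        # Restore time is counted in full for incidents that began this month.
        if month_start <= start < month_end:
            restore_hours.append((end - start).total_seconds() / 3600)
    mttr = sum(restore_hours) / len(restore_hours) if restore_hours else 0.0
    return {
        "uptime_pct": round(100 * (1 - down_hours / month_hours), 4),
        "downtime_budget_hours": round(budget_hours, 2),
        "downtime_hours": round(down_hours, 2),
        "mttr_hours": round(mttr, 2),
        "uptime_ok": down_hours <= budget_hours,
        "mttr_ok": mttr <= MTTR_LIMIT_HOURS,
    }


# Constructed outage records (start, end) for illustration only.
SINGLE_FOUR_HOUR_OUTAGE = [(datetime(2014, 4, 10, 9, 0), datetime(2014, 4, 10, 13, 0))]
OVERLAPPING_ALERTS = [
    (datetime(2014, 4, 3, 2, 0), datetime(2014, 4, 3, 3, 30)),
    (datetime(2014, 4, 3, 3, 0), datetime(2014, 4, 3, 4, 0)),   # same incident, second alert
    (datetime(2014, 4, 20, 22, 0), datetime(2014, 4, 20, 23, 0)),
]
SPANS_MONTH_END = [(datetime(2014, 3, 31, 23, 0), datetime(2014, 4, 1, 1, 0))]

if __name__ == "__main__":
    for name, data in [("single 4h outage", SINGLE_FOUR_HOUR_OUTAGE),
                       ("overlapping alerts", OVERLAPPING_ALERTS),
                       ("spans month end", SPANS_MONTH_END)]:
        print(name, monthly_sla(data, 2014, 4))
```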
Data Requirement:
The DPs have to put in place appropriate mechanisms in order to ensure no compromise to
data integrity and transaction integrity. Implementation of near site is not mandatory. If the
DPs have implemented innovative mechanisms to ensure no data loss (similar to the
implementations of NSDL and CDSL) it would suffice.
Security and Access Control:
One of the major concerns of the Industry today is increased levels of automation to address
the ever increasing load and also the need to provide connectivity to the external
environments. The infrastructure is expected to be open and at the same time secure enough.
One of the primary requirements of security is to have a robust and secure authentication
framework. The DPs have to put in place an appropriate authentication framework and should
collect the necessary data from the system administrator logs so that questions about
access to the resources can be clearly addressed in the event of any attempts to gain entry into
the system. As the environment is open to access from the external networks including the
Internet, the DPs have to put in place appropriate checks and balances to ensure that only
trusted and secure users are in a position to access the resources.
In view of the above, the committee recommends the following:
a) An IT strategy committee at the board level of depositories.
b) An approved and comparable IT strategy/plan document which needs to be reviewed
annually by the depositories and their DPs.
c) An IT Steering committee to assist the IT Strategy Committee in implementation of IT
strategy. The IT steering committee should comprise representatives from IT, HR,
Legal and various business functions as appropriate.
d) Information Security policy should be approved by the board and reviewed annually.
e) Create an office of information security and designate a senior official as Chief
Information Security Officer (CISO) whose work would be to assess risk and identify the
threat / vulnerabilities.
f) Depositories should take steps to ensure that the IT Infrastructure of DPs has high
availability and fault tolerance, uptime guarantee of 99.5% measured on a monthly basis
with mean time to restore (MTTR) of not more than 4 hrs, data integrity and transaction
integrity and appropriate security access and control framework.
II. Business Continuity and Disaster Recovery
In the event of disaster, the disruption in the services provided by the depository system may
affect not only the market integrity but also the confidence of investors. It is therefore
imperative that there should be no disruption in services and in case there is a disruption, there
should be near zero data loss. In this context, the committee noted that SEBI has mandated
inter alia the following in its guidelines on BCP and DR:
a) High Availability: There should not be any single point of failure and no denial of service.
b) Appropriate Interconnected Architecture: The architecture should ensure data replication
without compromising data and transaction integrity.
c) Recovery Time Objective (RTO) and Recovery Point Objective (RPO) requirements of 4 hours
and 30 minutes, respectively, and ensuring that the technology implemented and the
processes adopted are capable of fulfilling the RTO/RPO objectives.
d) “Near Zero Data Loss” and implementing the same through appropriate mechanism; e.g.
synchronous replication / near site.
e) Periodic Drills that simulate the real life scenarios on a regular basis and conducting these
drills on a week day.
The committee recommends that, in addition to the above, the depositories should designate a
senior official as Head of BCP function.
Chapter 5
Oversight and Inspection Framework
The committee, while dealing with the framework for Inspection and Oversight of Depositories
and Depository Participants, felt that the matter needed to be examined from the following
two angles:
- Oversight by SEBI on the functioning of Depositories and their operational control of DPs; and
- Inspection of DPs by Depositories
The oversight on the functioning of the depositories is maintained by SEBI mainly through the
mandatory standard monthly development reporting (MDR) by the depositories, enforcement
of the governance norms and through inspection of the depositories. Through these MDRs the
depositories report the monthly statistical data such as the new account openings, account
closures, new participant registrations, participant closures, number of issuers connected to
the depository, number of ISINs activated in the system, custody value of the securities held in the
depository etc. It also includes information on the number of DP inspections conducted during
the month, special inspections conducted, penalty levied/ restrictions imposed, details of
complaints received and resolved. Further they also provide exception reports including the
number of suspicious transactions reported by the DPs to the Financial Intelligence Unit. They
also give status of the implementation of SEBI directives and circulars in the MDR.
SEBI has prescribed governance norms for depositories wherein it has been stipulated that in
the governing board of a depository, the number of Public Interest Directors (PIDs) shall not be
less than the number of shareholder directors and the Chairperson shall be elected from PIDs
subject to prior approval of SEBI. Further, at least one PID is to be present to constitute a
quorum.
Apart from the above, regular inspection of the depositories forms the basis for overseeing the
compliance of the depositories with respect to the relevant regulations and the prescribed
guidelines. Therefore, a sub-committee was formed comprising Prof. Krishnamurthy (DSRC
Member), representatives of NSDL and CDSL, and officials of SEBI Market Regulation
Department - Division of Market Supervision to comprehensively review the Inspection and
Oversight framework.
I. Guidelines for Inspection of Depository Participants by Depositories
Depository Participants being the agents of Depositories act as touch points for the customers
on behalf of depositories. An effective oversight of the DPs is a critical obligation of depositories
and inspection is one of the effective means of oversight and supervision. It helps in identifying
inadequacies and risks in the system and also helps the depositories to ensure compliance and
adherence to the recommendations of CPSS-IOSCO principles.
1. Inspection Framework of Depositories by SEBI
As per the inspection policy of SEBI, depositories are inspected annually. Besides annual
comprehensive inspections, SEBI also conducts specific purpose inspections. As per the
procedure, SEBI calls for data from depositories through pre-inspection questionnaire and
the same is analyzed manually. The data so analyzed enables SEBI to identify areas which
need greater focus and verification during on-site inspection. Any major observations
noted during on-site inspections are discussed with the management of depositories for
their immediate information and compliance. Further, periodic follow up with the
depositories is done till all pending observations are fully implemented. However, as can
be observed from the table given below, the periodicity of inspections has not been
regular due to multiple reasons.
The entire exercise, starting from pre-inspection data, analysis of
data, on-site inspection, preparation of report and follow up with depositories, takes up to a
period of 6 months. Since the entire process is manual and labour intensive with minimal
usage of technology, it is observed that the time taken in certain cases further increases
depending upon the number of inspecting officials.
Apart from inspection of depositories, SEBI also conducts annual inspection of DPs on
selective basis covering a limited number of DPs and such inspection is again observed to be
primarily compliance oriented. SEBI also receives monthly development reports (MDR) from
depositories which contain various details including number of routine/specific purpose
inspections of DPs conducted by them along with the various actions/penalties imposed on
the DP.
Details of SEBI inspection of CDSL are as follows:
Period of Inspection | Date of commencement | Nature of Inspection
August 2002 - Jan 2004 | Feb 23, 2004 | Comprehensive Inspection
Feb/March 2004 – March 2005 | July 5, 2005 | Comprehensive Inspection
April 2005 - March 2007 | March 26, 2007 | Comprehensive Inspection
N.A. | Oct 19, 2010 | Special purpose inspection to ascertain systems, processes and inspection mechanism of Depository
April 2007 - August 31, 2012 | Nov 23, 2012 | Comprehensive Inspection
Details of SEBI inspection of NSDL are as follows:
Period of Inspection | Date of commencement | Nature of Inspection
August 2002 - March 2005 | April 28, 2005 | Comprehensive Inspection
April 2005 - May 2007 | July 29, 2007 | Comprehensive Inspection
N.A. | Oct 11, 2010 | Special purpose inspection to ascertain systems, processes and Inspection mechanism of Depository
The number of DPs inspected by SEBI from 2009-10 onwards is as follows:
Year | 2009-10 | 2010-11 | 2011-12
Number of DPs inspected | 9 | 11 | 13
It is felt by the committee that the current inspection methodology of SEBI is primarily
compliance based wherein focus is on ascertaining the compliance status of various guidelines
and safeguards mandated by SEBI from time to time. It is observed by the committee that
findings of the Depository inspections of DP and findings of SEBI inspections of DPs are not
cross verified or compared. The committee feels that compliance activities ought to be risk
based with a view to minimizing systemic risk while enhancing and improving customer (BO)
satisfaction. It is also felt by the committee that the data obtained from the MDRs and also
reports from the depositories on their findings about DPs leave scope for further effective
analysis by SEBI.
In view of the above, the committee recommends the following:
a) A revamp of the MDRs received from the depositories. The information received through
Monthly Development Reports (MDRs) be examined on a regular basis and the
observations/comments be conveyed to the Depositories, especially on findings of
the inspection of DPs.
b) The critical observations of SEBI inspection of DPs should be cohesive with the critical
observations of the DP inspection by depositories. In this context, the adequacy of inspection
of DPs by depositories needs to be checked by SEBI during its inspection of Depositories or
otherwise.
c) An annual interface between SEBI and Depositories to review comprehensively the
inspection findings on the DPs and areas of repeat violations, non compliance, and overall
status of rectification.
d) The inspections should not restrict themselves to compliance; coverage should be
comprehensive, including risk management, operational efficiency, customer satisfaction etc.
e) Non compliance and violations have to be dis-incentivised not only through penalties as
they are now but also through statutory actions aiming to correct the procedures and
bring systems in place.
2. Inspection Framework of DPs by Depositories:
It is observed that presently, the depositories are mandated by SEBI to inspect their
participants on an annual basis. The depositories conduct these inspections through an
in-house team with a gap of around a year between two inspections of the same DP. A
spreadsheet based system is used by depositories to individually take information/data
from databases through reports and is used for determination of samples/adaptive
samples.
It was noted that NSDL has 283 DPs with 320 DPMs and 5,000 service centers. Similarly,
CDSL has 575 DPs, 222 branches and 13,000 service centers. It may be noted that branches
are those DP offices which are connected live with Depositories whereas service centers are
those offices of DPs which only act as investor service points for handling collection of
forms, data, account opening & related in-person verifications, and complaints. Service
centers are also observed to be connected with the main office through the back office
system of DP. Data from service centers flow electronically to the main office and the
corresponding physical applications are sent to the respective main office/related branch
which are then verified and stored.
The major areas that are looked into during the inspection of DPs by depositories are the
following:
a) Account opening (KYC and In person verification), account modification, account closure
b) Dematerialisation/rematerialisation, pledge/unpledge, freeze/unfreeze of securities
c) Issuance of Delivery Instruction Slip (DIS) booklets & execution of transactions
d) Complaint handling
e) Maintenance of mandatory registers.
f) Audit/verification of Back office software
Depositories conduct yearly inspections of all DPs and their live branches. Since most of the
DPs are registered as participants with both the depositories, they are subjected to
inspections by the depositories separately. Not all service centers are inspected by the
depositories. Inspection of service centres of DPs is on a sample basis, which constitutes less
than 5% of total service centres. By the very nature of their registration criteria, all DPs are
observed to be carrying out other activities such as stock broking, banking, custodian, NBFC,
RTA etc. The frequency of inspections is observed to be the same irrespective of size, nature
and risk profile of DPs. It is observed that depositories do not have all the information
available in the back office of DPs with them such as DIS numbers, mapping, KYC
documents, account details, etc. As the details of the DIS booklets issued by DPs to their
BOs are not available with the depositories, they get verified only at the time of on-site
inspection resulting in loss of man hours and resources.
The DSRC and its sub-committee deliberated on the inspection process of the DPs by the
depositories, and considering that certain DPs are also systemically important financial
institutions (SIFIs) and engaged in various other activities, the committee considered it
appropriate to assess the risk on a holistic basis and develop a risk model for the DPs. It was
felt that inspections are currently done as checklist based annual exercises focusing only on
compliance, merely resulting in imposing monetary penalties rather than rectifying and
improving the systems, process and procedures.
In order to formulate a risk model, various risks emanating from activities undertaken by
DPs need to be identified and measured. The risk model should include both quantitative
factors and qualitative factors to objectively assess and measure the risk profile of the DPs.
Thereafter, these risks may be continuously monitored so as to take various measures to
mitigate/insulate such risks. For this exercise to be effective, it is essential to categorize all
activities handled into core and critical activities and carry out a risk matrix.
On the basis of information submitted by the depositories, it was noted that depositories
categorize the activities which have 100% internal/concurrent audit and where penalties
are levied as high risk. The other activities where penalties were levied are categorized as
medium risk and those activities where minor deviations are observed are categorized as
low risk. Based on the above, the various activities which the committee perceived to be
risky are as under:
a) Account Opening / KYC - The major risk associated with this activity is the opening of
fictitious accounts.
b) DIS issuance & processing / Unauthorized Transfer - Lack of monitoring / supervision of
this activity may lead to a situation where securities lying in the BO accounts could be
moved without authorization (without the knowledge of the BO holder) by the DP, which can
seriously jeopardize the integrity of the depository system and thereby damage the
confidence of investors.
c) Trading of unlisted shares - Reconciliation of shares (Physical + electronic shares) of both
depositories must ensure that shares more than issued capital do not float in the
market.
d) Pledge/un-pledge of shares – Particularly such cases where promoters were able to
pledge same shares with various entities.
e) Complaints handling – Types and instances of complaints can point to various
inadequacies in the system
f) Power of Attorney (PoA) - Since PoA gives the legal right to operate the demat account
there is a risk of manipulation of securities in the demat account to derive unlawful
gains for POA holders, at the cost of beneficial owners.
g) Non core activities - Risks emanating from other activities undertaken by the depository
which are not in the domain of securities markets can permeate into the core activities
of the depository and may cause contagion damage.
The low risk activities were demat/remat, issue of transaction statement, closure of
accounts and inter-depository transfers.
Page 48 of 65
Complaints received in the system form an integral part of the market intelligence systems
through which various risks/irregularities come to the notice of regulators. The analysis of
complaints' data provides vital information regarding the quality of services provided by the
DPs and any unauthorized use of securities. Therefore, the complaints received against the
DPs as available in the SCORES database of SEBI were analyzed. It was observed that the
majority of the complaints relate to:
a) Unauthorized transactions in accounts and manipulation
b) Improper services rendered such as non-closure/delay in closure of account,
wrong/excess charges, delay/non-execution of DIS, non-updation of changes in account
(address/ signatories/bank details/ PAN/nomination etc.), delay in/non-receipt of
statements from DP, delay in dematerialization request processing, etc.
The committee therefore urges that:
a. the complaints database as available at the end of depositories should be extensively
and effectively studied for the purpose of quantitative analysis in the risk model.
Appropriate weights should be derived for activities based on number of complaints
received.
b. appropriate weights should also be assigned to those activities based on observations in
the inspection report where inadequacies were noticed in the processes and
procedures.
c. qualitative factors such as corporate governance and IT governance, management
quality & capacity, reputation & goodwill, efficiency & economy of services rendered,
etc., also need to be considered in the risk model to arrive at the total risk score.
Based on the above, the committee recommends SEBI to develop a risk model as given
below:
a) Risk Weightage – Depositories may assign risk weights for each of inspection areas after
taking into consideration following factors:
i) Operational risks in each of the inspection areas.
ii) Category of DPs
For example, a Bank DP should be assigned a different weight vis-a-vis a broker DP.
iii) Size of operations
Different weight for a big DP (based on value under custody, number of BO accounts,
number of service centers, etc.) as compared to a smaller DP.
iv) Repetitive violations of an activity
Higher weights to be assigned for the activity wherein repetitive violations are
observed.
v) IT Security and BCP
vi) Complaints received and redressed
b) Quantitative Score Calculation: Depositories shall arrive at a Quantitative Risk Score for
each inspection area by multiplying the percentage of non-compliance relative to the sample
size by the corresponding assigned risk weight.
c) Qualitative Score Calculation: Depositories shall arrive at a Qualitative Risk Score for
each qualitative area by multiplying the score assigned by inspection team to DP with
corresponding assigned risk weight.
d) Total DP Risk Score shall be the summation of quantitative and qualitative scores
assigned to the DP.
e) Depositories shall suitably normalize the scales of the qualitative and quantitative scores
in arriving at the Total DP risk score.
f) Depositories shall categorize their DPs as 'High Risk', 'Medium to High Risk', 'Medium
Risk', and 'Low Risk' DPs based on the percentile of risk score.
DP Risk Rating / Categorization Percentile of Risk Score
High ≥ 80
Medium-High 46-79
Medium 21-45
Low ≤ 20
g) After arriving at the risk rating / categorization as mentioned above, for subsequent
inspections, depositories shall use the DP risk rating/categorization to decide on the
frequency of inspection of DPs. Depositories shall inspect DPs categorized as High Risk
annually.
The Sample Size determination methodology and DP Rating/ Categorisation model are enclosed as Annexure II
II. Delivery Instruction Slips (DIS) Issuance & Processing
The Delivery Instruction Slip (DIS) is an instrument with which a demat account holder/
Beneficial Owner (BO) can execute transfer of securities held in electronic form in the demat
account. The DIS to a demat account holder is equivalent to the cheque to a bank account
holder. The Depository Participant (DP) is required to print a DIS with pre-printed serial number
and issue DIS booklet to BO along with a requisition slip having the pre-printed serial number
range of the current DIS booklet. The DP is required to maintain details of serial numbers issued
to a BO and check the same at the time of execution of transaction. As DIS is an instrument of
transfer, DPs and BOs are required to exercise due care while storing, issuing and using the DIS.
Depositories have laid down stringent control measures to ensure minimization of fraudulent
use of DIS.
The members of DSRC during on-site inspection examined the process of verification of DIS
issuance and processing, and observed the following:
a) Depositories do not have details of the DIS booklets issued by DPs to their BOs which get
verified only at the time of on-site inspection, resulting in spending huge man hours and
resources.
b) Depositories do not have all the information available in the back office of DPs such as DIS
numbers, mapping, KYC documents, account details, etc.
Considering that the activity relating to issuance and monitoring of Delivery Instruction Slips
(DIS) is one of high risk, the committee felt that lack of monitoring of this activity may lead to a
situation where securities lying in the BO accounts could be moved in an unauthorized manner
(without the knowledge of BO) by the DP which can jeopardize the integrity of the depository
system.
The above possibility is very high in case of broker DPs due to the very nature of their activities
where both trading and securities accounts are held with the same entity. Further, due to
inadequate focus on verification of DIS issuance and processing at the time of inspection,
unauthorized transfers may go unnoticed and may threaten the market integrity.
The system of issue, processing and monitoring of DIS at the end of DPs is observed to be as
under:
a) Most DPs are observed using back office software for their operations, which includes
processing of transactions (DIS and related issues).
b) The back office software is procured by DPs from third party vendors. The Depositories only
prescribe certain checks and minimum requirements, which are verified by the depositories
at the time of start of the DP's operations.
c) After the account is opened by depositories, each DP issues its own DIS booklet to the BO
holders and maintains the details of DIS in their back office software. The booklet issued is
mapped to respective BO.
d) The size, contents and structure of the DIS are not uniform across the Depositories.
e) Presently there are no checks at the end of depositories to verify the information submitted
by DP (through uploading of back-office data to the depositories) as the information
regarding the DIS serial numbers of BOs are not available with the depositories.
f) With respect to transactions processed, the DPs submit / upload End of Day (EOD) reports
to the depositories which only contain the details of the transactions executed. Other
relevant details such as DIS serial number, maker checker ID, etc., available at the back
office of DP are not included.
To check the efficacy of the above system, the insurance claims against the DPs were analyzed to
understand the major sources of claims and the type of DPs against whom such claims were
made. It was learnt that insurance claims made against the DPs are predominantly due to
fraudulent transfer of shares and the DPs are mostly stock broker DPs. Frauds are observed to
be predominantly done by employees.
The committee examined whether the transactions involving DIS could be digitalized and
whether images of the DIS on transactions could be captured for verification & archived. It was
felt that if the truncated (image) version of DIS were to be captured directly by DPs (out of their
branches / service centres) and also by Depositories, and simultaneously with a provision for
archiving the image files, the information gathered will enable effective monitoring of the
transactions from market surveillance perspective. Further, this will also ensure that issue of
loose slips at the end of DP will also be monitored and regulated. In view of the above, the
committee recommends the following:
a) Appropriate infrastructure and other requirements, to facilitate scanning and uploading of
the DIS image, should be implemented at the DP’s end and the depositories should put in
place a suitable mechanism to maintain a database of the scanned DIS.
b) Standardization of DIS across DPs to facilitate easy identification and tracking of DIS
issuance and processing.
c) The depositories should put in place systems such that all significant DIS related information
is available to them for off site inspections.
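The off-site check that becomes possible once booklet issuance data and DIS serial numbers reach the depository can be sketched as follows. This is an added example, not part of the committee's report or any depository's system; the record layouts (`Booklet`, `Instruction`), field names and all sample values are hypothetical and constructed for illustration.

```python
import bisect
from typing import NamedTuple, Optional


class Booklet(NamedTuple):          # hypothetical issuance record uploaded by the DP
    bo_id: str
    first_serial: int
    last_serial: int


class Instruction(NamedTuple):      # hypothetical EOD record extended with DIS details
    txn_id: str
    bo_id: str
    dis_serial: Optional[int]
    maker_id: str
    checker_id: str


def build_index(booklets):
    """Sort booklets by first serial and reject overlapping serial ranges."""
    ordered = sorted(booklets, key=lambda b: b.first_serial)
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.first_serial <= prev.last_serial:
            raise ValueError(f"serial ranges overlap: {prev} / {cur}")
    return ordered, [b.first_serial for b in ordered]


def owner_of(index, serial):
    """Return the BO a serial was issued to, or None if it was never issued."""
    ordered, starts = index
    pos = bisect.bisect_right(starts, serial) - 1
    if pos >= 0 and serial <= ordered[pos].last_serial:
        return ordered[pos].bo_id
    return None


def reconcile(booklets, instructions):
    """Return {txn_id: [findings]} for executed instructions that fail a check."""
    index = build_index(booklets)
    first_use = {}                  # serial -> txn_id that first used it
    findings = {}
    for ins in instructions:
        issues = []
        if ins.dis_serial is None:
            issues.append("DIS serial missing from record")
        else:
            owner = owner_of(index, ins.dis_serial)
            if owner is None:
                issues.append("serial not in any issued booklet")
            elif owner != ins.bo_id:
                issues.append(f"serial issued to {owner}")
            if ins.dis_serial in first_use:
                issues.append(f"serial already used by {first_use[ins.dis_serial]}")
            else:
                first_use[ins.dis_serial] = ins.txn_id
        if ins.maker_id == ins.checker_id:
            issues.append("maker and checker are the same user")
        if issues:
            findings[ins.txn_id] = issues
    return findings


# Constructed sample data.
BOOKLETS = [
    Booklet("BO-1001", 500001, 500025),
    Booklet("BO-1002", 500026, 500050),
    Booklet("BO-1003", 500101, 500125),
]
EOD = [
    Instruction("T1", "BO-1001", 500003, "mk01", "ck01"),   # clean
    Instruction("T2", "BO-1001", 500030, "mk01", "ck01"),   # slip from another BO's booklet
    Instruction("T3", "BO-1002", 500075, "mk02", "ck01"),   # serial never issued (loose slip)
    Instruction("T4", "BO-1001", 500003, "mk01", "ck02"),   # serial reused
    Instruction("T5", "BO-1003", 500101, "mk03", "mk03"),   # no maker/checker separation
    Instruction("T6", "BO-1003", None, "mk03", "ck01"),     # serial not captured
]

if __name__ == "__main__":
    for txn, issues in reconcile(BOOKLETS, EOD).items():
        print(txn, "; ".join(issues))
```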
Way Forward
The committee has given its recommendations at the end of each chapter. The
recommendations given in chapter 4 and 5 have already been implemented by SEBI as these
recommendations formed part of the interim report submitted by the Committee.
The remaining recommendations can be divided into short term, medium term and long term
goals for the purpose of implementation. Accordingly, the way forward for recommendations
for the depository system is given below.
Short Term Goals
1. Risk Management Framework for depositories: There should be a Board approved well
documented comprehensive risk management framework at both depositories. The risk
management group/ committee formed by the depositories should be active and meet
periodically to continuously identify, evaluate and assess applicable risks in depository
system through various sources such as investors complaints, inspections, system audit
etc. and suggest measures to mitigate risk wherever applicable. A Chief Risk officer
should be made responsible, accountable, accessible & answerable to the board on
overall risk management issues.
2. The committee noted that certain DPs allow the promoters of companies to use
tripartite agreements usually referred to as Non-Disposal Agreement/ Non-Disposal
Undertaking (NDU) to extend facilities to their clients for lending / borrowing of shares
instead of following the pledging facility available in the depository system. The
committee recommends that DPs should not be party to such arrangements as there is
no regulatory mechanism to confirm whether shares have been pledged/ encumbered
through this method, leading to potential for fraud and multiple pledging.
3. In the area of outsourcing by Depositories, there is need for further focus and
strengthening of guidelines on the lines given below:
a) Care should be exercised while outsourcing and wherever possible depositories
should put in place various controls to ensure that there is check on the activities of
outsourced entity especially to monitor whether outsourced activities are further
outsourced downstream.
b) Core and critical activities of depositories should not be outsourced.
c) Core IT support infrastructure / activities for running the core activities of
depositories to the extent possible should not be outsourced.
d) Wherever outsourcing is allowed, depositories should ensure that risk impact
analysis is undertaken, only reputed entity having proven high delivery standards is
selected, appropriate back up / restoration system is put in place, and there is
effective monitoring of the outsourced entity on real time basis.
e) Audit of implementation of risk assessment and mitigation measures listed in the
outsourcing policy document and outsourcing agreement/ service level agreements
pertaining to IT systems should form part of System Audit of Depositories.
4. With regard to KYC, the committee noted that the e-KYC service launched by Unique
Identification Authority of India (UIDAI) has been accepted by SEBI as valid process of
KYC verification. The committee also informed that NPCI has entered into an MoU with
UIDAI in order to aid financial inclusion through Aadhaar enabled bank accounts and
financial transactions. The Committee recommends that use of e-KYC through NPCI
should be popularised among DPs.
Medium Term Goals
1. SEBI ensures that the system and technology related requirements which are verified
prior to granting certificate for commencement of business, are also maintained on an
ongoing basis through regular inspections and system audits. This is an important aspect
of the depository system architecture and SEBI should regularly update its oversight
processes to ensure ongoing compliance.
2. Depositories should take steps to ensure that the IT Infrastructure of DPs has high
availability and fault tolerance, uptime guarantee of 99.5% measured on a monthly basis
with mean time to restore (MTTR) of not more than 4 hrs, data integrity and transaction
integrity and appropriate security access and control framework.
3. Reconciliation of records of shareholding is very critical to maintaining integrity of the
capital markets. The responsibility for reconciling records of total issued capital, listed
capital and capital held by depositories in dematerialized form lies with issuer. SEBI may
put in place a mechanism so that depositories maintain complete reconciled record of
total issued and listed capital, including both physical and dematerialized shares.
4. In order to achieve wider financial inclusion and bring investors in securities market
from Tier II and Tier III towns, the DPs need to widen their reach in these areas. For this
purpose, there is a need to devise an incentive structure for depository participants so
that they encourage investors to open demat accounts with them. The revenue source
of depositories may be augmented and DPs may be incentivized by having a revenue
sharing mechanism between the depositories and DPs which may encourage the DPs to
expand their reach in tier II & III towns. Bank DPs with their large branch network and
wider reach in the tier II & III towns can play a crucial role in furthering the objectives of
financial inclusion. DPs may be compensated for the cost incurred in account opening,
especially Basic Service Demat Accounts (BSDA) as it will act as a motivator for DPs to
open more accounts. Incentives structure may be devised so that DPs get compensation
on any incremental account opened by them in tier II & III towns.
5. Complaints received against depositories and DPs are resolved quickly except for
complaints relating to delay in demat/ remat. In such cases, the delay is at the end of
issuers and RTAs rather than the Depositories. Considering the nature of complaints and
the fact that there were negligible pending complaints, the committee feels that
Depositories do not require a corpus comparable to stock exchanges for their Investor
Protection Fund. The committee therefore recommends that SEBI may review the
quantum of funds required to be transferred to IPF by depositories and arrive upon a
sizable limit for corpus of IPF. Only profits from depository operations may be
transferred to IPF. SEBI may formulate an Investment Policy for the IPF. The funds of the
IPF may be utilized for conducting Investor Awareness and Education Programmes and
supporting the Depositories'/ DP's initiatives for financial inclusion in a variety of ways.
Long Term Goals
1. Depositories are uniquely placed to scale up and utilize their infrastructure to
dematerialize not just securities but also other financial assets subject to adequate
regulatory framework and checks and balances being put in place. In this regard, the
committee took note of the Budget announcement made in the interim budget
presentation in February 2014 and again in the budget speech in July 2014. The July
2014 budget announcement aims to "Introduce one single operating demat account so
that Indian financial sector consumers can access and transact all financial assets
through this one account." Enabling the above proposal would promote the integration
of the Indian Financial markets and allow the consumers greater access to and control of
a wide portfolio of financial assets.
2. With greater integration of depositories with other financial service providers, there is
possibility of interconnectivity of depositories with financial institutions/ FMIs/
international CSDs in future. Interconnectivity may require standardization of messaging
formats used by depositories. The committee recommends that it may be desirable to
standardise messaging formats in the long term.
3. Orderly winding down of depositories: The Committee observed that there is no laid
down system or procedure for orderly winding up of depositories in the event of
potential scenarios such as voluntary winding up by depositories, depositories going
bust due to general business risk, fraud at the end of depositories, or depositories
wound up due to regulatory action or court order. In Indian depository micro structure,
there are two depositories. In the event of failure, disruption or winding up of one
depository, all the demat accounts and securities held with stressed depository can be
potentially moved to another depository without affecting the interest of investors.
These measures are technically possible in the existing market micro structure, though
there is no laid down written document detailing the process and procedure for orderly
winding up of depositories. The committee recommends that there is a need to have a
well documented framework for orderly winding down of the depository operations
including making necessary legal provisions in the regulations, rules and Depositories
Act.
Annexure I
The committee held various meetings with Depositories and Depository Participants. The dates
on which the meetings were held are given below:
S. No. Date of the meeting Meeting description
1. August 14, 2012 DSRC meeting
2. August 27, 2012 DSRC meeting
3. September 27, 2012 DSRC meeting
4. October 11, 2012 DSRC meeting
5. November 06, 2012 DSRC meeting
6. November 17, 2012 Sub-Committee meeting
7. December 01, 2012 Visit to NSDL & CDSL
8. December 06, 2012 Sub-Committee meeting with inspection department of Depositories
9. December 31, 2012 Sub-Committee meeting
10. January 23, 2013 Committee meeting at NPCI, Chennai
11. February 08, 2013 DSRC meeting
12. March 16, 2013 Presentation by Asit C Mehta and HDFC Bank
13. April 04, 2013 DSRC meeting
14. May 17, 2013 Presentations by SWIFT and ICICI Securities
15. June 18, 2013 DSRC meeting
16. July 10, 2013 DSRC meeting
17. August 27, 2013 DSRC meeting
18. October 24, 2013 DSRC meeting
19. December 13, 2013 DSRC meeting
20. May 09, 2014 DSRC meeting
21. August 05, 2014 DSRC meeting
The names of the participants who made presentations before the committee are as follows:
S. No. | Name of the Participant | Organisation | Date of attending the meeting
1 | Deena Mehta | Asit C Mehta | March 16, 2013
2 | Ashit Raja, Neelkantan Pillai, Prasannan Keshavan, Subir Saha | ICICI Securities | May 17, 2013
3 | Nishant Nadkarni, G Subrahmanyam | HDFC Bank | March 16, 2013
4 | Arun Tiwari, Anik Mehta, Saqib Sheikh, Hemant Chandak | SWIFT | May 17, 2013
Annexure II
Sample Size Determination Methodology
a) Sample size for inspection area relating to Account Opening:
The sample selection for account opening should cover all categories of clients such as
individuals, HUF, Corporate, FIIs etc. Account Opening Forms (AOF) relating to FIIs should be
checked on a 100% basis.
Base sample size: 5% of Account Opening Forms (AOFs) or 150 AOFs whichever is higher,
with a maximum cap of 1000 accounts.
Final Sample Size: The final sample size shall also be dependent on past
rating/categorization of DP. The following multipliers shall be used to determine the final
sample size for the current inspection.
DP Rating / Categorization Multiplier
High risk 3
Medium High risk 2
Medium risk 1.5
Low risk 1
b) Sample Size for inspection area relating to DIS
Base sample size: 10% of total DIS processed or 200 processed DIS whichever is higher,
with a maximum cap of 1000 DIS.
Final Sample Size: The sample size shall also be dependent on rating/categorization of
DP. The following multipliers shall be used to determine the final sample size for the
current inspection.
DP Rating / Categorization Multiplier
High risk 3
Medium High risk 2
Medium risk 1.5
Low risk 1
Out of the total intra depository instructions to be verified, the percentage of on and off
market instructions would be in the ratio of 1/3 and 2/3. The DIS issuance sample size
shall be 5% of the total samples verified for DIS.
c) Sample Sizes for inspection areas of 'Demat/Remat request' and 'Pledge/Unpledge'
5% of Demat/Remat request processed or 100 requests whichever is higher with a
maximum cap of 500 such requests.
5% of Pledge/Unpledge request processed or 100 requests whichever is higher with a
maximum cap of 500 such requests.
d) Sample Size for inspection area of 'Client Data Modification', 'Miscellaneous areas' and
'Other depository specific requirements'
Base Sample Size
i) Address change = 50
ii) Samples from Urban, Semi Urban and Rural Areas shall be equally represented if
available.
iii) Nomination Change = 25
iv) Signature change = 100
v) Addition / Deletion / Modification of POA = 100
vi) Freeze / Unfreeze = 50
vii) Bank Details Change = 100
viii) PAN modification = 100
ix) Account closure initiated by clients = 25
x) Closure initiated by DPs = 25
xi) Demat rejection = 30
xii) Transactions = 25
xiii) Change in e-mail Id = 25
xiv) Change in mobile number = 25
xv) Change in SMS flag = 50
xvi) Change in standing instruction flag = 50
xvii) Transmission = 50% of total transmission cases
xviii) Previous compliance = 100% of total samples
xix) Final sample size shall be arrived at after multiplying with the respective multiplier
corresponding to the DP Risk rating/categorization as given below. In case the total
number of instances/cases is less than the final sample size, then 100% of the
samples shall be verified.
DP Rating/ Categorization Multiplier
High risk 3
Medium High risk 2
Medium risk 1.5
Low risk 1
xx) A uniform Base sample size of 100 shall be adopted in case of all other activities. In
case the total number of samples is less than 100, then 100% of the samples shall
be verified.
DP Rating / Categorization Model
a) Quantitative Score Calculation: Specific weights shall be assigned to each area as
decided by each depository. The Total Quantitative Score shall be the summation of all
individual inspection scores.
Indicative Table for calculation of Quantitative Score
S. No. | Inspection Areas | Weight (A) | B = No of Instances divided by Sample size | Inspection Score IS = A*B
A. | Inspection Area 1 | | |
A.1. | Inspection Sub Area A 1 | | |
A.2. | Inspection Sub Area 2 | | |
 | Total Score for Inspection Area 1 | | |
B. | Inspection Area 2 | | |
B.1. | Inspection Sub Area B 1 | | |
B.2. | Inspection Sub Area B 2 | | |
B.3. | Inspection Sub Area B 3 | | |
 | Total Score for Inspection Area 2 | | |
Depositories shall include all inspection areas and sub areas in the above model to arrive at the
Quantitative Score for a DP.
Indicative Table for calculation of Quantitative Score for Complaints Received
Sr No | Type and Nature of Complaint | Weight (A) | B = (Number of Complaints redressed) / (Number of Complaints received) | Inspection Score IS = A*B
T | Complaints | | |
T.1 | Complaint Sub Area 1 | | |
T.2 | Complaint Sub Area 2 | | |
 | Total Score for Complaints | | |
Quantitative Score = Σ (Scores of Inspection Areas including Total score for
Complaints)
b) Qualitative Score Calculation: Specific weights shall be assigned to each area as decided
by depository. The Total Qualitative Score shall be the summation of all area scores.
Sr. No | Qualitative Factors | Weight (A) | Point on the scale of 1 to 10 [10 being the Worst] (B) | Area score = (A) * (B)
1 | Ownership and Governance | | |
2 | IT security and Business Continuity | | |
3 | Regulatory / procedural Compliance | | |
4 | Automation of systems and processes for critical activities | | |
5 | Quality of Management | | |
6 | Financial Status / profitability of DPs | | |
7 | Pending enquiries / Penalties imposed by SEBI / Depositories on DP operations | | |
8 | Complaints redressal | | |
9 | Adverse findings of other activities (e.g. Broking / custodian / banks etc.) | | |
Total Qualitative Score = Σ (Area Scores)
Following indicative factors shall be taken into account for arriving at above
mentioned qualitative score:
a) Ownership and Governance
i) Constitution of Board of DP – Number of promoter directors, Independent Directors etc.
ii) Role of non-executive directors / Independent directors.
b) Quality of Management
iii) Experience, Fit and Proper and Qualification of Key Personnel.
iv) Existence of Succession planning for top management especially in control functions.
v) Chinese walls between the activities in terms of manpower, resources etc.
vi) Training and development of employees.
vii) Adequacy of staff strength.
viii) Compliance level of previous inspection observations/ directions of regulatory bodies.
c) IT security and Business Continuity
ix) High Availability.
x) Appropriate Interconnected Architecture.
xi) Appropriate Recovery Time Objective (RTO) and Recovery Point Objective (RPO) and near “Zero Data Loss”.
xii) Periodic drills that simulate the real life disaster scenarios on a regular basis.
xiii) Technological glitches in the past period and remedies taken.
xiv) Information security.
xv) Upgradation of technology.
d) Financial Status / profitability of DPs
xvi) The net-worth of the DPs (whether reducing or increasing from previous years)
xvii) Net Profits of DPs operations.
e) Complaints redressal
xviii) Complaint redressal system.
xix) Percentage of complaints pending and resolved.
f) Other adverse findings
xx) Actions taken by Stock exchange and SEBI / RBI with respect to other activities
xxi) Actions taken by other depository
Total Score = Qualitative Score + Quantitative Score
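The rating model and the Annexure II sample-size rules can be carried through in code as below. This is an added example, not part of the report: the weights and DP scores are constructed, and it assumes (a) each score is normalized by its maximum attainable value, (b) a DP's percentile is the rounded share of DPs scoring at or below it, and (c) the cap applies to the base sample before the multiplier, with the final sample never exceeding the population.

```python
import math

# Copied from the report's tables: multipliers and percentile bands per rating.
MULTIPLIER = {"High": 3, "Medium-High": 2, "Medium": 1.5, "Low": 1}
BANDS = [(80, "High"), (46, "Medium-High"), (21, "Medium"), (0, "Low")]

# Annexure II base-sample rules: (percent, floor, cap, rating multiplier applies).
BASE_RULES = {
    "account_opening": (5, 150, 1000, True),
    "dis": (10, 200, 1000, True),
    "demat_remat": (5, 100, 500, False),
    "pledge_unpledge": (5, 100, 500, False),
}


def quantitative_score(rows):
    """Sum of IS = A * B; each row is (weight A, numerator of B, denominator of B)."""
    total = 0.0
    for weight, num, den in rows:
        if den <= 0 or not 0 <= num <= den:
            raise ValueError(f"invalid ratio {num}/{den}")
        total += weight * num / den
    return total


def qualitative_score(rows):
    """Sum of A * B; each row is (weight A, point B on the 1..10 scale, 10 = worst)."""
    for _, points in rows:
        if not 1 <= points <= 10:
            raise ValueError(f"point {points} is outside 1..10")
    return sum(weight * points for weight, points in rows)


def total_score(quant_rows, qual_rows):
    """Total DP risk score on a 0..2 scale (normalization method is an assumption)."""
    quant = quantitative_score(quant_rows) / sum(w for w, _, _ in quant_rows)
    qual = qualitative_score(qual_rows) / (10 * sum(w for w, _ in qual_rows))
    return quant + qual


def rate_dps(scores):
    """Map {dp: total score} to {dp: (percentile, rating)} using the report's bands."""
    n = len(scores)
    rated = {}
    for dp, score in scores.items():
        at_or_below = sum(1 for other in scores.values() if other <= score)
        percentile = (100 * at_or_below + n // 2) // n      # rounded to an integer
        rating = next(name for low, name in BANDS if percentile >= low)
        rated[dp] = (percentile, rating)
    return rated


def final_sample_size(area, population, rating):
    """Base sample (percent, floor, cap), scaled by the rating multiplier where given."""
    percent, floor, cap, scaled = BASE_RULES[area]
    base = min(max(-(-population * percent // 100), floor), cap)   # ceiling division
    final = math.ceil(base * MULTIPLIER[rating]) if scaled else base
    return min(final, population)       # fewer cases than the sample: verify 100%


if __name__ == "__main__":
    # Constructed total scores for five hypothetical DPs.
    ratings = rate_dps({"DP-A": 0.1, "DP-B": 0.3, "DP-C": 0.5, "DP-D": 0.7, "DP-E": 0.9})
    for dp, (percentile, rating) in ratings.items():
        print(dp, percentile, rating, final_sample_size("dis", 1500, rating))
```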
List of Abbreviations
BCP - Business Continuity Planning
BO - Beneficial Owner
BSDA - Basic Services Demat Account
CDAS – Centralized Depository Accounting System
CDSL - Central Depository Services (India) Limited
CISO - Chief Information Security Officer
CM - Clearing Member
CPSS - Committee on Payment and Settlement Systems
CSD - Central Securities Depository
DIS - Delivery Instruction Slip
DP - Depository Participants
DR - Disaster Recovery
FIU - Financial Intelligence Unit
FMI - Financial Markets Infrastructure
IEPF - Investor Education and Protection Fund
IOSCO - International Organization of Securities Commissions
IPF - Investor Protection Fund
IPEF - Investor Protection and Education Fund
IPV - In Person verification
KYC - Know Your Client
MDR - Monthly Development Report
NPCI - National Payments Corporation of India
NSDL - National Securities Depository Limited
PID - Public Interest Director
RPO - Recovery Point Objective
RPT - Recovery Point Time
RTA - Registrar and Transfer Agent