SECURITIES AND EXCHANGE BOARD OF INDIA Memorandum to …

SECURITIES AND EXCHANGE BOARD OF INDIA

Memorandum to the Board

No. 58 / 2014

Report of the Depository System Review Committee

1. SEBI Board in its meeting held on July 28, 2011 suggested that demat system may be reviewed on the basis of CPSS-IOSCO principles by an external expert appointed by SEBI.

2. To give effect to the decision of the SEBI Board, an expert committee was constituted as the 'Depository System Review Committee (DSRC)' by SEBI in June 2012 under the Chairmanship of Shri M. Balachandran (Chairman, NPCI and former CMD, Bank of India) and included the following external members:

i. Prof. H. Krishnamurthy (Principal Research Scientist, IISc Bangalore)

ii. Shri R. S. Loona (Managing Partner, Alliance Corporate Lawyers and former Executive Director, SEBI)

iii. Prof. Vikram Kuriyan (Clinical Prof. of Finance, Indian School of Business)

3. The mandate of the committee was guided by the following Terms of Reference:

i. Assessment of Existing Policy Framework of Depositories and identify areas for review.

ii. Assessment of Depository System with CPSS-IOSCO principles, recommendations of CESR-ECB pertaining to CSDs so as to benchmark with Global Best Practices.

iii. Identifying areas for continuous improvement of systems, procedures and practices and make recommendations thereof.

iv. Identify systemically important market infrastructure providers/institutions/depository participants and their inter-linkages and identify areas and suggest safeguards to prevent single point failures and denial of depository service.

v. Review existing system of inspection by depositories and suggest changes to strengthen the monitoring/oversight of depository participants.

4. In the area of inspection and oversight function of depositories including for IT Governance, the committee decided to carry out a detailed analysis and formed a sub-committee for this purpose comprising Prof. Krishnamurthy, representatives of NSDL, CDSL and officials of SEBI. The recommendations of the sub-committee were presented to SEBI as part of an interim report. The committee submitted its interim report in May 2013. A copy of the Interim Report of the committee is annexed to the Board Memorandum (Annexure A).

5. The interim recommendations of the committee are as follows:

A. IT Governance

Depositories should implement the following for their IT governance structure:

a) There should be an IT strategy committee at the board level of depositories.

b) There should be an approved and comparable IT strategy/plan document which needs to be reviewed annually by the depositories and their DPs.

c) There should be an IT Steering committee to assist the IT Strategy Committee in implementation of IT strategy. The IT steering committee should comprise representatives from IT, HR, Legal and various business functions as appropriate.

d) Information Security policy should be approved by the board and reviewed annually.

e) There should be an office of information security and a senior official should be designated as Chief Information Security Officer (CISO) whose work would be to assess risk and identify the threat / vulnerabilities.

B. Oversight and Inspection Framework

The committee carried out an extensive review of the oversight and inspection framework for Depository Participants. The key recommendations of the committee are as follows:

i. Inspection of Depository Participant by Depositories:

a) Inspections should be risk based rather than compliance based to provide economic benefits such as fewer inspections for less risky participants and frequent inspections for more risky ones. The inspection reports should not only identify risk areas but should also proactively suggest risk mitigation.

b) The sample size selection should be dynamic and should depend on the past compliance of a DP in that area.

c) The inspection process of DPs and their service centers should be automated through usage of appropriate technology. If such close inspection / oversight modality is not possible directly by Depositories through their own personnel, the possibility of outsourcing service centre inspections may be explored, and a suitable outsourcing policy may be framed.

ii. Delivery Instruction Slips (DIS) Issuance and Processing:

a) Appropriate infrastructure and other requirements, to facilitate scanning and uploading of the DIS image, should be implemented at the DP’s end and the depositories should put in place a suitable mechanism to maintain a database of the scanned DIS.

b) DIS should be standardized across DPs to facilitate easy identification and tracking of DIS issuance and processing.

c) The depositories should put in place systems such that all significant DIS related information is available to them for off site inspections.

6. These recommendations were accepted and implemented vide SEBI circulars dated February 07, 2014, January 21, 2014 and January 07, 2014.

7. After submitting the interim report, the committee took up the issues relating to assessment of existing policy framework of depositories, assessment of depository system on the basis of CPSS-IOSCO Principles for Financial Market Infrastructures, identification of areas for continuous improvement of systems, procedures and practices and identification of systemically important Market Infrastructure Institutions and their Inter-Linkages.

8. The committee held extensive discussions and deliberations with depositories and other market participants related to the depository system. The committee submitted its final report to SEBI on August 27, 2014. A summary of the recommendations made by the committee in addition to the interim recommendations given above is as follows:

A. Assessment of Existing Policy Framework of Depositories

Based on its review of the policy framework for depositories, the committee recommended the following:

i. SEBI should ensure that the system and technology related requirements which are verified prior to granting certificate for commencement of business, are also maintained on an ongoing basis through regular inspections and system audits.

ii. SEBI may put in place a mechanism so that depositories maintain complete reconciled record of total issued and listed capital, including both physical and dematerialized shares.

iii. Depositories are uniquely placed to scale up and utilize their infrastructure to dematerialize not just securities but also other financial assets subject to adequate regulatory framework and checks and balances being put in place. The committee felt that this will promote the integration of the Indian Financial markets and allow the consumers greater access to and control of a wide portfolio of financial assets.

iv. With greater integration of depositories with other financial service providers, there is possibility of interconnectivity of depositories with financial institutions/ FMIs/ international CSDs in future. Interconnectivity may require standardization of messaging formats used by depositories. The committee recommended that it may be desirable to standardize messaging formats in the long term.

v. With regard to KYC, the committee noted that the e-KYC service launched by Unique Identification Authority of India (UIDAI) has been accepted by SEBI as valid process of KYC verification. The committee also informed that NPCI has entered into an MoU with UIDAI in order to aid financial inclusion through Aadhaar enabled bank accounts and financial transactions. The Committee recommended that use of e-KYC through NPCI should be popularised among DPs.

B. Assessment of Depository System on the basis of relevant globally accepted Principles for Financial Market Infrastructures so as to benchmark with Global Best Practices.

The committee observed that while the Depositories are broadly compliant with the CPSS-IOSCO principles for FMIs, certain areas needed to be strengthened. In view of this, the committee recommended the following:

i. Risk Management Framework for depositories: FMI principles lay emphasis on the need to have robust risk management framework to identify, monitor and manage various risks emanating from multiple sources to its operations.

The committee recommended that there should be a Board approved policy providing for a well documented comprehensive risk management framework at both depositories. The risk management group/ committee formed by the depositories should be active and meet periodically to continuously identify, evaluate and assess applicable risks in depository system through various sources viz. investor complaints, inspections, system audit etc. and suggest measures to mitigate risk wherever applicable. A Chief Risk officer should be made responsible, accountable, accessible & answerable to the board on overall risk management issues.

ii. Orderly winding down of depositories: The Committee observed that there is no laid down system or procedure for orderly winding up of depositories in the event of potential scenarios such as voluntary winding up by depositories, depositories going bust due to general business risk, fraud at the end of depositories, or depositories wound up due to regulatory action or court order. In Indian depository micro structure, there are two depositories. In the event of failure, disruption or winding up of one depository, all the demat accounts and securities held with stressed depository can be potentially moved to another depository without affecting the interest of investors. The committee recommended that there is a need to have a well documented framework for orderly winding down of the depository operations including making necessary legal provisions in the regulations, rules and Depositories Act.

C. Identification of Areas for Continuous Improvement of Systems, Procedures and Practices

The committee identified a few areas which needed further focus from the perspective of maintaining a robust depository system. Based on its review of these areas, the committee recommended the following:

i. In order to achieve wider financial inclusion and encourage participation of investors from Tier II and Tier III towns in the securities market, the DPs need to widen their reach in these areas. For this purpose, there is a need to devise an incentive structure for depository participants so that they encourage investors to open demat accounts with them. In this regard, the revenue source of depositories may be augmented and DPs may be incentivized by having a revenue sharing mechanism between the depositories and DPs which may encourage the DPs to expand their reach in tier II & III towns. Bank DPs with their large branch network and wider reach in the tier II & III towns can play a crucial role in furthering the objectives of financial inclusion. DPs may be compensated for the cost incurred in account opening, especially Basic Service Demat Accounts (BSDA) as it will act as a motivator for DPs to open more accounts.

ii. The committee recommended that SEBI may review the quantum of funds required to be transferred to IPF by depositories and arrive upon a sizable limit for corpus of IPF. Only profits from depository operations may be transferred to IPF. SEBI may also formulate an Investment Policy for the IPF. The funds of the IPF may be utilized for conducting Investor Awareness and Education Programmes and supporting the depositories'/ DP's initiatives for financial inclusion in a variety of ways.

iii. The committee noted that certain DPs allow the promoters of companies to use tripartite agreements usually referred to as Non-Disposal Agreement/ Non-Disposal Undertaking (NDU) to extend facilities to its clients for lending / borrowing of shares instead of following the pledging facility available in the depository system. The committee recommended that DPs should not be party to such arrangements as there is no regulatory mechanism whereby depositories and DPs can treat shares covered by NDU as pledged / encumbered, leading to potential for fraud and multiple pledging.

iv. In the area of outsourcing by Depositories, there is a need for further focus and strengthening of guidelines on the lines given below:

a) Care should be exercised while outsourcing and wherever possible depositories should put in place various controls to ensure that there is check on the activities of outsourced entity especially to monitor that outsourced activities are not further outsourced downstream.

b) Core and critical activities of depositories should not be outsourced.

c) Core IT support infrastructure / activities for running the core activities of depositories to the possible extent should not be outsourced.

d) Wherever outsourcing is allowed, depositories should ensure that risk impact analysis is undertaken, that only reputed entities having proven high delivery standards are selected, that appropriate backup / restoration systems are put in place, and that they monitor and have checks and overall controls over the outsourced entity on a real-time basis.

e) Audit of implementation of risk assessment and mitigation measures listed in the outsourcing policy document and outsourcing agreement/ service level agreements pertaining to IT systems should form part of System Audit of Depositories.

D. Identification of Systemically Important Market Infrastructure Institutions and their Inter-Linkages

In view of transformation of securities market infrastructure brought about by advances in information technology (IT) and dependence of Financial Market Infrastructure Institutions on technology, the committee examined the technology infrastructure of the Depositories and reviewed the usage of technology in the Depository system. The committee recommended the following:

i. The IT infrastructure deployed should have high availability and no single point of failure. In the event of failure of any sub-system or component or software, the resultant solution has to work, possibly with acceptable levels of degraded performance, and a corrective mechanism has to be put in place to ensure that the rectification takes place within 4 hours. The DPs have to put in place appropriate mechanisms in order to ensure no compromise to data integrity and transaction integrity.

ii. Depositories should take steps to ensure that the IT Infrastructure of DPs has high availability and fault tolerance, uptime guarantee of 99.5% measured on a monthly basis with mean time to restore (MTTR) of not more than 4 hrs, data integrity and transaction integrity and appropriate security access and control framework.

9. The committee has categorised its recommendations as short term, medium term and long term goals. A copy of the final report is annexed to the Board memorandum for perusal (Annexure B).

10. The Report of the Depository System Review Committee is placed before the Board for its consideration. The Board is requested to take note of the interim recommendations of the committee which have been implemented by SEBI as stated at para 6 and to authorise Chairman to take necessary action on the basis of the final report as deemed appropriate.

Annexure A

Interim Report of the Depository System Review Committee

Contents

Executive Summary

Preamble and Introduction

Oversight and Inspection Framework

Risk Modeling and DP rating

DIS issuance & processing

IT Governance

Technology Enabled Future Road Map

Executive Summary

The introduction of Depository System has been instrumental in eliminating various drawbacks in handling of physical share securities in terms of problems related to transfer of shares, bad deliveries, loss of share certificates etc. and it enabled fast and efficient settlement (T+2 settlement cycle). Technology has been a major driver in ushering this electronic revolution in securities markets, thereby, making securities markets more in sync with the fast changing technological environment. This, in tandem with the dynamic nature of securities markets, presents challenges before Regulators in maintaining orderly development of securities markets and also to protect the interest of investors.

Over the years, SEBI as a regulatory body has responded by tightening of the regulatory framework of Depositories consisting of Regulations, circulars issued by SEBI, byelaws and circulars of the Depositories, etc. However, there had emerged inadequacies in the systems which were misused by certain market participants for their benefit, which led to an examination and order by a two member committee of SEBI in 2009, which inter-alia recommended review of the depository system through an independent body of experts.

Therefore, a Depository System Review Committee (DSRC) was constituted on June 25, 2012 under the Chairmanship of Mr. M. Balachandran (former CMD of Bank of India) along with Prof. H. Krishnamurthy (IISc Bangalore), Mr. R. S. Loona (Ex ED SEBI), Prof. Vikram Kuriyan (ISB) as members to undertake a comprehensive review of the Indian Depository System and to benchmark against global best practices. The committee while reviewing the system as a first measure examined

I. Inspection and Oversight

a. The oversight over the depository’s functioning including the inspection of DPs by them.

b. Inspection of depositories by SEBI

II. Risk Model and rating of DPs

III. DIS issuance & processing

IV. IT Governance

The DSRC while examining the inspection system & processes observed that the matter would need to be looked at from two angles, viz:

A. inspection of DPs by Depositories and

B. oversight by SEBI on the functioning of Depositories and their operational control of DPs

Therefore, a sub-committee was formed comprising Prof. Krishnamurthy (DSRC Member), representatives of NSDL and CDSL, and officials of SEBI Market Regulation Department - Division of Market Supervision to look into aforementioned issues, review the current inspection process of the Depositories and to frame comprehensive inspection guidelines.

The Committee noted a major change in many countries in the move from rule based supervision to principle based supervision. Developed countries like the U.K. (A.R.R.O.W.), Singapore (C.R.A.F.T.) and emerging markets like Malaysia, Thailand, China, South Africa, and Taiwan follow a risk based inspection methodology, thereby enhancing the need to move from compliance based oversight & inspection towards risk based oversight & inspection. This report discusses the need for inspections to be efficient and effective by being more focused on risk assessment. In order to be more effective, the inspection focus needs to be dynamic, keeping in view the changing risk profile, technological advancements and innovations in products and market structure.

A) The committee observed that the inspection of DPs by Depositories is done as a routine annual exercise which mainly focuses on compliance. Light monetary penalties are imposed in cases where non-compliance / deviations are observed. Therefore, it was felt by the committee that inspection techniques and methods should be reviewed based on thorough understanding of potential failure modes and inspection should be made risk based. Further, DPs should be classified into risk buckets with appropriate risk weights for the purpose of rating of DPs and an integrated risk model be developed.

In the aftermath of the financial crisis, the Financial Stability Board (FSB) and the G20 Leaders identified the need for more intense and effective supervision, particularly of systemically important financial institutions (SIFIs), as weak risk controls at financial institutions are still being witnessed. Further, sharing of information regarding all activities undertaken by SIFIs regulated by various authorities needs to be encouraged for improvement in supervision to ensure that it is effective, proactive and outcomes-focused.

One of the key risks identified is operational risk, which is more dynamic in view of technological changes, information security, systemic risk, newer products being offered and increase in sophistication of institutions. Therefore, in the context of depositories, risk based inspection must focus more on operational risk especially the aspects like business continuity and information security.

Since the resources available with regulators are relatively limited, the main responsibility of risk assessment and mitigation would rest with the depositories and their participants through internal audit, risk management and compliance. However, risk based inspections would address this through deploying limited resources to the riskiest institutions and areas, prioritized based on an assessment of the risks therein. As such, inspection approaches and areas of focus need to be periodically reviewed to confirm that, for instance, institutions and areas previously classified as “low or moderate risk” still warrant this assessment.

Effective inspection requires finding the right balance between focusing on areas of higher risk while also ensuring some periodic coverage of all aspects, including, for example, those that might prove risky. Striking the right balance is an ongoing challenge; however, regulatory developments should allow inspectors to explore and leverage off deeper information sets and analysis. This includes the information that can be made available from depositories and other centralized sources of data, and information from implementation of recovery and resolution plans which provide supervisors with new insights. This, therefore, puts technology into perspective and hence the need for increased use of technology based inspections.

The committee felt that in a risk based inspection framework, identification of various sources of risks in the system will be critical and quantification of the same will enable effective monitoring of participants. For assessing the quantitative factors, one of the parameters is complaints received against DPs as this data provides vital information regarding the quality of services provided to investors by the DPs and also provides information regarding unauthorized usage of securities / manipulation if any. Further, non-compliances (number of violations) observed during inspection of DPs is also another parameter which can be quantified. However, there could also be various unquantifiable risks which can be covered through qualitative factors. The qualitative factors include governance in terms of corporate as well as IT governance, management quality & capacity, reputation & goodwill, efficiency & economy of services rendered, etc. Therefore, the committee felt the need to have a weighted average risk model to include both quantitative factors and qualitative factors to objectively assess and measure the risk profile of the DPs and categorize them into various Risk Buckets viz. high, medium, low. This bucketing will allow the Depositories to allocate more resources to high risk and non-compliant DPs and focus relatively less on low risk DPs.

The interim report of the DSRC covers the current inspection process and practices by Depositories and the recommendations of the committee on the same and IT Governance of Depositories and DPs and best practices for DIS and future roadmap for strengthening the system.

In summary, while risks and dynamism have increased in the system, the inspection system has remained compliance based. Hence the need for risk based inspection, an integrated risk model, and a move towards an oversight and inspection regimen enabled by technology based methods and tools. To accomplish this objective, the report prescribes through the recommendations an inspection framework based on risk assessment, which comprises inspection guidelines, quantitative risk model and bucketing and enhanced use of technology for effective supervision.

List of Recommendations

I. Inspection and Oversight

1. Inspection of Depositories by SEBI

The objectives of the inspection of depositories by SEBI are broadly to examine whether the procedures and practices of the depository are in compliance with the Depositories Act, 1996, SEBI (Depositories and Participants) Regulations, 1996, SEBI circulars, the bye-laws etc. This involves examining whether the processes, operations and systems are in accordance with SEBI (Depositories and Participants) Regulations, 1996; looking into the complaints redressal mechanism of the depository; assessing whether the IT infrastructure, including its security system, is adequate with suitable business continuity arrangements; and checking the compliance level of the previous inspection findings.

Depositories should be inspected on an annual basis.

SEBI should examine the information received through Monthly Development Reports (MDRs) on a regular basis and capture from various angles the deficiencies in the functioning of Depositories and DPs and convey their observations to the Depositories, especially on the latter’s findings of the inspection of DPs.

SEBI should revamp and then examine the information received through Monthly Development Reports (MDRs) on a regular basis and SEBI should analyze the MDRs and convey their observations / comments to the Depositories, specifically on findings of the inspection of DPs.

The SEBI's inspection of the Depositories should ensure that the critical observations of SEBI’s Inspection of DPs are reflected in the critical observations of the DP inspection by depositories.

There should be an annual interface between SEBI and Depositories to review comprehensively and deliberate on the inspection findings on the DPs and areas of repeat violations, non compliance, and overall status of rectification.

2. Inspection of Depository Participants by Depositories

The inspection techniques and methods should be reviewed based on thorough understanding of potential failure modes.

Consolidated / integrated risk based inspection framework for joint inspection of DPs which are registered on both depositories and have large number of BO accounts and custody value should be introduced.

There should be disclosures in the annual report of depositories regarding inspections conducted and various actions taken pursuant to inspections.

In order to assess the effectiveness of inspection methodology of the depositories, the critical observations of SEBI noted during its inspection of DPs should be communicated to depositories so as to counter check and verify whether finding of the depository and SEBI are broadly in sync with each other.

Inspections should be risk based rather than compliance based to provide economic benefits such as fewer inspections for less risky participants and frequent inspections for more risky ones. The inspection reports should not only identify risk areas but should also proactively suggest risk mitigation.

The sample size selection should be dynamic and should depend on the past compliance of a DP in that area.

The inspection process of DPs and their service centers should be automated through usage of appropriate technology. If such close inspection / oversight modality is not possible directly by Depositories through their own personnel, the possibility of outsourcing service centre inspections may be explored, and a suitable outsourcing policy may be framed.

II. Risk Model and Rating of DPs

The committee recommended a weighted average risk model on quantitative and qualitative factors to arrive at a risk score and thereafter categorize the DPs into various Risk Buckets viz. high, medium, low. This bucketing will allow the Depositories to pay more attention and allocate more resources to high risk and non-compliant DPs and focus relatively less on low risk DPs. The parameters on which risk score is assigned are as follows:

Past Inspection findings: a good compliance record indicates a low risk profile and hence will result in a low Risk Score; alternatively, a non compliant DP will be assigned a high risk score. Repetitive violations of the same kind result in a higher risk score being assigned to the DP.

The complaints received against the DP by various entities

The size of the DP

The Nature of the DP viz. stock broker, Bank DP will result in a different score being assigned to the DP in conjunction with the above parameters, as different

III. DIS issuance & processing:

Standardization of DIS across Depositories will facilitate easy identification and tracking of DIS issuance and processing. Further, it will also ensure that issue of loose slips at the end of DP will also be monitored and regulated. The depositories should revise their EOD reporting requirements / structure such that all significant information relevant for their inspections available in the back office of DP should also be available with them.

The appropriate infrastructure and other requirements to facilitate scanning and uploading of the DIS image should be implemented at the DP’s end and the Depositories should put in place a suitable mechanism to maintain a database of the scanned DIS and use it for easing the inspection process within a timeframe of 6 months.

Truncated image of DIS captured at branches / service centers of DPs should be accessed and available to Depositories directly for effective monitoring of the transactions from a market surveillance perspective.

IV. Sample Selection Guidelines

The sample size for each activity will range from minimum of 2,000 samples to

maximum 6,000 samples. Sample selection shall be adaptive by taking into

consideration various risk parameters for following activities and dynamically adjusted

depending on the risk rating of DP.

Account opening

DIS execution

Investor complaints

Demat / Remat / Pledge / Unpledge

Client master Changes Samples and other miscellaneous areas

V. IT Governance and Internal Audit

The inspection process should ensure verification of the following:

o The depositories and their DPs should have an approved IT strategy / plan document

which needs to be reviewed annually.

o A System Audit framework should be prescribed for DPs.

o Create an IT Steering committee to assist the IT Strategy Committee in implementation

of IT strategy.

o Information Security policy should be approved by the boards and reviewed annually

o Create an office of information security and designate a senior official as Chief

Information Security Officer (CISO) whose work would be to assess risk and identify the

threat/ vulnerabilities.

o In the event of disaster, there should be no disruption in services and in case there is a

disruption, there should be near zero data loss

o Designate a senior official as Head of BCP function

o Increased use of technology so as to ensure effective off site inspections of DPs and

their branches and service centers

o The subcommittee also desired to enhance the efficacy of internal audit of DPs and

towards accomplishing the objective suggested that :

Areas for concurrent audit to include high risk areas such as account opening

and modification, issuance and execution of DIS, investor grievance redressal,

POA modifications, etc.

Review scope and format of reports of Internal Audit

Software utilities to identify data entry errors

Insurance coverage

Periodicity of Inspection of new participants

People carrying out Inspection of DPs

Capital Adequacy

Annual system audit and Comprehensive BCP/DR guidelines

Preamble and Introduction

The enactment of the Depositories Act in August 1996 paved the way for the introduction of the Depository system in India. India has adopted a Dematerialization system wherein, by operation of law, the physical share certificate is replaced with shares in electronic form. In the books of the company, the depository is the registered owner, and the depository in turn maintains an electronic ledger of the securities wherein movements of securities from one account to another are recorded and maintained to ascertain the beneficial owners. In the year 1996, National Securities Depository Limited (NSDL) was the first depository to be established in India, followed by Central Securities Depository Limited (CDSL) in the year 1999.

Introduction of Depository system has eliminated various drawbacks in handling of physical securities in

terms of problems related to transfer of shares, bad deliveries, loss of share certificates etc. and enabled

fast and efficient settlement. The Depositories Act 1996 and SEBI (Depositories and Participants)

Regulation 1996 form the backbone of the regulatory framework for depositories and depository

participants.

In the depository system, the depositories provide various services to investors / clients through their

agents i.e. depository participants. The broad services provided by these participants are as follows:

Account opening

Demat / Remat

Other services such as PoA, pledge / un pledge, transmission, freeze / unfreeze, etc.

Inter-depository transfers

Transactions / transfers - pay in, payout, early pay in, etc.

A snapshot¹ of the Indian Depository System is as under:

| Sr. No. | Types of DPs | CDSL: DPs | CDSL: BOs | CDSL: Custody Value (in Rs. Cr.) | NSDL: DPs | NSDL: BOs | NSDL: Custody Value (in Rs. Cr.) |
|---|---|---|---|---|---|---|---|
| 1 | Banks | 35 | 5,94,900 | 3,23,946 | 53 | 48,74,899 | 42,13,576 |
| 2 | Custodians | 11 | 63,207 | 4,45,251 | 6 | 6,99,702 | 26,24,861 |
| 3 | Stock Brokers | 506 | 72,71,775 | 2,45,498 | 212 | 68,62,581 | 9,31,791 |
| 4 | Clearing Corporations | 17 | 2,17,794 | 11,854 | 8 | 667 | 630 |
| 5 | Others (RTA and NBFC) | 6 | 3,157 | 2,237 | 4 | 63,376 | 48,738 |
| 6 | Total | 575 | 81,50,833 | 10,28,786 | 283 | 1,25,01,225 | 78,19,596 |

From the above table, it is noted that stock broker DPs hold maximum number of BO accounts whereas Bank DPs hold maximum in terms of custody value. Going forward and with financial inclusion initiative kicking in, it is envisaged that Bank DPs will play a substantial role in expanding the DP footprint to the new areas and segments of investors.

1 For the month ending November 2012

The different type of instruments along with their dematerialized custody value is as under:

Number of ISINs:

| Type of Instrument | No. of ISINs at the end of the month (30/11/2012) | Demat Custody value as on 30/11/2012 (Figures in Rs. Cr) |
|---|---|---|
| Equity shares # | 15,140 | 58,69,602 |
| a. Listed | 10,947 | 56,27,720 |
| b. Unlisted | 4,193 | 2,41,882 |
| Preference shares | 969 | 50,633 |
| Debts # | 14,735 | 11,92,099 |
| a. Listed | 6,514 | 10,27,578 |
| b. Unlisted | 8,221 | 1,64,521 |
| Mutual Fund Units | 7,402 | 17,976 |
| Others | 18,148 | 6,89,286 |
| Total | 56,394 | 78,19,596 |

From the above table it can be inferred that other instruments apart from equity will increase the choice

for investors and the demat custody value for such instruments will see an increase in the future.

Over a period of time, inadequacies emerged in the system which were taken advantage of, sometimes wrongly, by the market participants for their benefit. SEBI noticed such inadequacies when its surveillance system observed large scale off market transfers prior to the date of listing which, upon detailed analysis, indicated that thousands of fictitious / benami demat accounts were fraudulently opened by certain operators who ultimately used these demat accounts for cornering of shares in various IPOs. Further, in another matter SEBI had observed that one of the depositories had failed to exercise due diligence at the time of dematerialization of DSQ shares, which led to trading of unlisted shares on stock exchanges. In this connection, SEBI had reviewed the operations of Depositories and the following observations were made:

1. Adequacy of Bye laws on internal monitoring, review and control process - The adequacy of Bye

laws of Depositories should be assessed through independent experts

2. Audit System – No specific comments on the adequacy of audit system or audit process.

3. Supervision – Lack of an effective supervisory mechanism or if the mechanism was adequate the

failure to operate it effectively, and the consequent failure to prevent, detect and remedy

fraudulent transactions in dematerialized accounts. The system needs to be reviewed by

independent experts to develop revamped and strengthened supervisory system to proactively

anticipate and prevent fraudulent activity and safeguard the integrity of the systems.

4. Inspection – The inspections of DPs failed to detect the large scale fraud illustrating the inherent

weakness of the systems, procedures and practices in conducting inspections. It was felt

prudent to review the inspection system using suitable independent experts to develop a

revamped and strengthened inspection system to proactively anticipate and prevent fraudulent

activity and safeguard the integrity of the systems.

5. Data Reliability – The system established and operated was not adequately strong in

safeguarding the reliability of the data uploaded into it.

6. Sanctions and penalties – A consistent approach has not been taken on the issue of sanctions for

various types of violations and the basis for differentiation of approach is less than clear which is

not conducive for orderly development of the market. Urgent action was required to be taken to

review existing policy and practice and develop a clear, rational and transparent policy

framework on sanctions and penalties.

7. Lack of Physical Verification of DP applicants - Given the crucial role of DPs in the depositories

system, ordinary prudence and due diligence required that depository should have at a

minimum, physically inspected DP applicants before approving their status and that mere

reliance on third party certification is neither adequate nor justifiable.

8. KYC system and implementation – The staff of the DP only should carry out in-person

verification. The DP should not outsource or assign the activity of in-person verification to an

outside agency.

9. Introduction of a correspondence address field – No adverse comments.

10. Allowing use of Agents to open accounts – No adverse comments.

In light of the above observations, to ensure that the operations were conducted in better compliance

the system was revamped. The Depositories and DPs subject themselves to independent audit

conducted on the following operations to assess whether they are adequate to ensure the integrity of

the overall depository system and the securities market:

1. Selection of DPs

2. Opening and operation of Depository accounts including the KYC system

3. Audit

4. Supervision

5. Inspection

6. Penalties and Sanctions.

Pursuant to the various inadequacies observed in the depository system, the depositories in

consultation with SEBI, to remedy the shortcomings, took various steps which are as under:

1. Strengthening of KYC Norms:

a. Verification of the identity and address of the beneficial owners.

b. PAN made mandatory for opening of dematerialized accounts.

c. In-person verification of the applicants by staff of the DP at the time of account opening.

d. Mandatory 100% verification of the account opening documents by the Concurrent

Auditor.

e. KYC non-compliant accounts frozen till compliance is ensured.

2. Audit procedures and System Audit:

a. DPs have to conduct internal and concurrent audit programs as part of their risk

mitigation measures.

b. The Depositories were mandated to subject themselves to comprehensive system audit

on annual basis and place the report along with compliance status before the Governing

Board of depositories before forwarding the same to SEBI.

c. The depositories were advised to review the scope and format of reports of Internal

Audit on half yearly basis.

d. The depositories were advised to submit the report as well as certificate of the internal

auditor to SEBI certifying effective implementation of adequate internal control

procedures and operational control

3. Improving disclosures and Surveillance:

a. Information regarding details of dematerialization, re-materialization, and off-market

transaction were mandated to be disseminated on websites of Depositories.

b. Examination of off-market transfer of IPO shares where many (five or more)

dematerialized account holders make off market transfers to a target account.

c. De-dupe software was developed to identify and stop multiple demat accounts being

opened with the same or similar PAN, bank account and MICR code

d. ISIN of companies issuing shares (IPOs) are activated only on the day of commencement

of trading.

e. Software utilities were developed and installed to identify and prevent data entry

errors.

f. Identifying frozen demat accounts receiving IPO credits

g. The ISIN of the companies issuing shares by way of Initial Public Offer frozen for debits

and credits while crediting the shares and the ISIN reactivated on the day of

commencement of trading on the stock exchanges.

h. SMS alert facility to the investors was introduced for debits, credits and various changes

such as address change, etc., in the demat accounts.

i. Monitoring of Minor BO accounts

j. An independent surveillance cell formed to coordinate the surveillance activities with

SEBI, FIU-India and other investigating agencies

k. Concurrent audit to include high risk areas such as account opening and modification,

issuance and execution of DIS, investor grievance redressal, POA execution and

modifications, etc.

4. Strengthening of the Regulatory Framework for Depositories:

a. Review of completeness of bye-laws and procedure for monitoring given the evolving

nature of DP operations.

b. Enhanced insurance cover with facility for free reinstatement and automatic

reinstatement of sum insured

5. Penalties and Sanctions:

a. The penalty structure was made uniform at both the depositories.

6. Inspection of DPs

a. Both the Depositories viz NSDL & CDSL had carried out a special review of their

inspection function/ system & procedures by an external auditor and accordingly

updated / framed their manual for conducting inspection of their participants based on

the inputs of respective auditor.

b. The depositories to update their Operations cum Manual Process Flow for Inspection of

Participant every quarter

c. Both depositories to follow a common sampling plan for carrying out inspection.

d. Conduct inspection of new DP within a limited time frame (say 6 months) to provide

guidance.
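
The surveillance checks listed under step 3 above, namely the five-or-more off-market transfer rule in 3(b) and the de-dupe check in 3(c), can be combined into one review queue as sketched below. This is an added example, not code from the report or from either depository; the record layouts, field names, the placeholder ISIN, the pre-listing date filter and all sample data are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

FAN_IN_THRESHOLD = 5  # "five or more" account holders, as in step 3(b)


def normalise_pan(pan):
    """Upper-case and drop separators so trivially altered PANs compare equal."""
    return "".join(ch for ch in pan.upper() if ch.isalnum())


def dedupe_clusters(accounts):
    """Group accounts sharing a PAN or a (bank account, MICR) pair, as in step 3(c).

    Uses union-find so that overlapping matches merge into one cluster.
    Returns a list of sets of account ids, each with more than one member.
    """
    parent = {acc["id"]: acc["id"] for acc in accounts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_seen = {}
    for acc in accounts:
        keys = [
            ("pan", normalise_pan(acc["pan"])),
            ("bank", acc["bank_account"].strip(), acc["micr"].strip()),
        ]
        for key in keys:
            if key in first_seen:
                parent[find(acc["id"])] = find(first_seen[key])
            else:
                first_seen[key] = acc["id"]

    clusters = defaultdict(set)
    for acc_id in parent:
        clusters[find(acc_id)].add(acc_id)
    return sorted((c for c in clusters.values() if len(c) > 1), key=sorted)


def fan_in_alerts(transfers, listing_dates, threshold=FAN_IN_THRESHOLD):
    """Flag (ISIN, target) pairs fed by off-market transfers from many accounts.

    Assumption: only ISINs present in listing_dates are IPO shares, and only
    transfers dated before the listing date are counted.
    """
    sources = defaultdict(set)
    for t in transfers:
        if t["kind"] != "off_market" or t["from"] == t["to"]:
            continue
        listed_on = listing_dates.get(t["isin"])
        if listed_on is None or t["date"] >= listed_on:
            continue
        sources[(t["isin"], t["to"])].add(t["from"])
    return {k: s for k, s in sources.items() if len(s) >= threshold}


def review_queue(accounts, transfers, listing_dates):
    """List fan-in alerts with the source accounts that also sit in a de-dupe cluster."""
    cluster_of = {a: i for i, c in enumerate(dedupe_clusters(accounts)) for a in c}
    queue = []
    for (isin, target), srcs in sorted(fan_in_alerts(transfers, listing_dates).items()):
        queue.append({
            "isin": isin,
            "target": target,
            "sources": len(srcs),
            "linked_sources": sorted(s for s in srcs if s in cluster_of),
        })
    return queue


# --- Constructed sample data (no real accounts, PANs or securities) ---
ISIN = "INEXAMPLE001"  # placeholder, not a real ISIN
ACCOUNTS = (
    # Six accounts with different PANs but one shared bank account and MICR code
    [{"id": f"BO00{i}", "pan": f"AAAPA000{i}A",
      "bank_account": "0011223344", "micr": "400002001"} for i in range(1, 7)]
    + [
        {"id": "BO007", "pan": "BBBPB0007B", "bank_account": "7000000007", "micr": "400002007"},
        {"id": "BO100", "pan": "ABCPD1234E", "bank_account": "1000000100", "micr": "400002100"},
        # Same PAN as BO100, entered with different case and a space
        {"id": "BO101", "pan": "abcpd 1234e", "bank_account": "1000000101", "micr": "400002101"},
        {"id": "BO102", "pan": "CCCPC0102C", "bank_account": "1000000102", "micr": "400002102"},
        {"id": "BO103", "pan": "DDDPD0103D", "bank_account": "1000000103", "micr": "400002103"},
    ]
)
LISTING_DATES = {ISIN: date(2012, 11, 10)}
TRANSFERS = (
    [{"date": date(2012, 11, i), "isin": ISIN, "from": f"BO00{i}", "to": "BO900",
      "kind": "off_market"} for i in range(1, 7)]
    + [{"date": date(2012, 11, 5), "isin": ISIN, "from": src, "to": "BO901",
        "kind": "off_market"} for src in ("BO100", "BO101", "BO102", "BO103")]
    + [
        # After the listing date, so not counted
        {"date": date(2012, 11, 12), "isin": ISIN, "from": "BO007", "to": "BO901", "kind": "off_market"},
        # Market settlement, not an off-market transfer
        {"date": date(2012, 11, 6), "isin": ISIN, "from": "BO007", "to": "BO900", "kind": "market"},
    ]
)

if __name__ == "__main__":
    for row in review_queue(ACCOUNTS, TRANSFERS, LISTING_DATES):
        print(row)
```
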

Subsequently, while disposing the matter of NSDL, the SEBI Board observed in its order

(BOARD/SEBI/1/2010) dated February 02, 2010 that "...there is scope for continuous improvement of

systems, procedures and practices in conducting inspections. The systems need to be reviewed by

suitable independent experts and a comprehensive and strengthened inspection system needs to be

developed and put in place. Such a review can, inter alia, include the issue of further use of technology

for preventing or alerting to the possibility of fictitious accounts - a cardinal issue in the integrity of

financial systems."

In light of various observations made by a two member committee appointed earlier in 2008, on the

functioning of depositories, SEBI Board in its meeting held on July 28, 2011 decided that the "Depository

system" be reviewed by an independent expert group on the basis of CPSS-IOSCO principles.

Accordingly, Depository System Review Committee (DSRC) was constituted on July 15, 2012 under the

Chairmanship of Mr. M. Balachandran to undertake a comprehensive review of the Indian Depository

system.

The terms of reference of the committee are:

a) Overall assessment / adequacy of existing depository framework and identify areas for review.

b) Assessment of depository system on the basis of relevant CPSS-IOSCO principles, recommendations

of CESR-ECB pertaining to Central Securities Depositories (CSDs) so as to benchmark with the global

best practices.

c) Identify areas for continuous improvement of systems, procedures and practices and make

recommendations thereof.

d) Identify systemically important market infrastructure providers / institutions / depository

participants and their inter-linkages and identify areas and suggest safeguards to prevent single

point failures and denial of depository service.

e) Review existing system of inspection by depositories and suggest changes to strengthen monitoring

/ oversight of depository participants.

The first meeting of the committee was held on August 14, 2012 and the committee has held five meetings so far. The committee decided that the existing systems, procedures and process be studied so as to identify deficiencies, inadequacies, cost efficiency and scope for providing better services to investors. Further, it was also felt that a study of depository systems in international jurisdictions could be helpful so as to understand and identify best practices which may deserve to be introduced in the Indian context. In the meantime, the committee took up an appraisal to understand the overall operations and activities of Indian depositories, and therefore the committee visited CDSL and NSDL and had detailed discussions with the top management team of both depositories.

Based on their initial observations of the functioning and assessment of potential risks in the system, the

committee, as a first in the agenda, took up the issue of Inspection of Depositories and the DPs by

depositories for examination. DPs being the agents of Depositories act as touch points for the customers

on behalf of depositories and the various services of the depositories are rendered indirectly through

these participants. Therefore, an effective oversight of these participants is a critical obligation of

depositories. Inspection is one of the effective means of oversight and supervision and helps in

identifying inadequacies and risks in the system. Further, it can also help the depositories to ensure

compliance and adherence to the recommendations of CPSS-IOSCO. The relevant recommendations

whose adherence can be directly assessed by inspection are as under:

Operational Reliability - identification & mitigation of operational risks through proper systems,

controls and procedures that ensure reliability, security and scalability.

Protection of Customers' Securities - Accounting practices and safekeeping procedures to fully

protect customers' securities including protection against claims of a custodian's creditors

Governance - Arrangements to fulfill requirements for public interest and promote the

objectives of owners and users

Efficiency - The systems should be efficient w.r.t. safe and secure operations in a cost effective

manner

Transparency - Proper information to be provided to the customers to help them in identifying

and evaluating risks and costs associated with the services rendered

Regulation & oversight - transparent and effective regulation and oversight with clear defined

roles and responsibilities.

The depositories are mandated by SEBI to inspect their participants on an annual basis. The depositories

conduct these inspections through an in-house team with a gap of around a year between two

inspections of the same DP. Currently a spreadsheet based system is used by depositories to

individually take information / data from databases through reports and then used for determination of

samples / adaptive samples. Since sample size and sample selection are critical pre-inspection activities

which requires sifting of data and analysis, use of proper technology can be a catalytic enabler in arriving

at an appropriate sample and its size which truly represents the criticality and risks associated with a

particular activity. Further, technology can be used in the archiving and record keeping of various

inspection findings to help prepare an appropriate integrated risk model which can quantify risks leading

to risk bucketing of DPs for efficient and effective regulation and oversight.

Against the aforesaid background, the committee desired to provide immediate attention to the

following issues:

1. Whether Inspections should be risk based rather than compliance based to provide economic

benefits such as fewer inspections for less risky participants and frequent inspections for more

risky ones.

2. Whether the inspection techniques and methods should be reviewed based on thorough

understanding of potential failure modes

3. Whether the inspection process of DPs and their service centers should be automated through usage of appropriate technology for the following purposes:

a. to make it more quality oriented and less labour intensive so as to enhance the productivity of inspection process

b. to safeguard integrity of data and reduce the risk of failure

c. to reduce inspection and maintenance costs without compromising integrity and reliability of samples collected

d. to offer a flexible technique to continuously improve and adapt to changing environment

4. Whether DPs should be classified into risk buckets with appropriate risk weights for the purpose of rating of DPs.

In order to address the above issues, review the current inspection process of the Depositories, and to

frame comprehensive inspection guidelines, the DSRC formed a sub-committee consisting of Prof.

Krishnamurthy (DSRC Member), representatives of NSDL and CDSL, and officials of SEBI Market

Regulation Department - Division of Market Supervision. The findings and suggestions of the

subcommittee are incorporated in this report.

Oversight and Inspection Framework

The enactment of SEBI Act, 1992 bestows upon SEBI, the responsibility of protecting the interests of

investors in securities and to promote the development of, and to regulate, the securities markets and

for matters connected therewith or incidental thereto. Further, the enactment of Depositories Act, 1996

provides for regulation of depositories in securities and for matters connected therewith or incidental

thereto.

The statutory provisions in the SEBI Act (Sections 11 and 11B) and the Depositories Act (Section 19)

confer powers and responsibilities on SEBI to achieve the objectives of the abovementioned laws i.e. to

protect the interests of investors and safeguard the orderly development of the securities market.

These provisions cover all “persons” who fall within Section 12 of the SEBI Act, including depositories.

Section 19(ii) of the Depositories Act empowers SEBI “to prevent the affairs of any depository or

participant (DP) being conducted in the manner detrimental to the interest of the investors and

securities market.” The responsibility for conducting its affairs in a manner not detrimental to the

interest of investors of the securities market thus lies on each depository/ DP and SEBI has the duty to

prevent or correct any failure on the part of depositories / DPs to fulfill this obligation.

The above statutory responsibility is reflected in regulatory provisions such as the following:

Section 26 of the Depositories Act, 1996 requires depositories to frame bye laws which may

inter-alia provide for…….

(i) The procedure for ensuring safeguards to protect the interest of the participants and

beneficial owners,

(ii) The internal control standards including procedure for auditing reviewing and monitoring.”

Regulation 34 of the Securities and Exchange Board of India (Depositories and Participants)

Regulations, 1996 (hereinafter referred to as “Depositories Regulation”), provides that “every

depository shall have adequate mechanisms for the purpose of reviewing, monitoring and

evaluating the depository’s controls systems, procedures and safeguards.”

Regulation 35 of the Depositories Regulation provides that “every depository shall cause an

inspection of its controls, systems, procedures and safeguards to be carried out annually and

forward a copy of the report to the Board.”

Regulation 59 of the Depositories Regulations provides that SEBI may appoint one or more

persons as inspecting officers to undertake inspection of the books of account, records,

documents and infrastructure, systems and procedures, or to investigate the affairs of a

depository, participant, beneficial owner, an issuer or its agent for any of the purposes specified

therein.

These provisions show the extensive authority and responsibility given to depositories to carry out inspection in an intensive manner to prevent and detect system and operational failures and fraudulent transactions. Further, the SEBI Act and the Depositories Act, in the interest of investors, empower SEBI to inter-alia inspect into the affairs of a depository or a participant. Depositories are also mandated to monitor and supervise their DPs regularly so as to ensure that, apart from detection of potential fraud / irregularities, various services rendered to investors are effectively and efficiently delivered by participants in a cost effective manner.

The criticality of effective supervision through inspection came to the fore when IPO irregularities and

inadequacies of Depository Systems in the matter of dematerialization of DSQ shares were found and

the two member committee (Dr Mohan Gopal and Shri Leeladhar) formed to look into the said issues

observed that the inspections by depositories had failed to detect the fraud illustrating the inherent

weakness of the systems, procedures and practices in conducting inspections. The committee,

therefore, recommended review of the inspection system using suitable independent expert to develop

a revamped and strengthened inspection system.

Current Inspection Framework

The current inspection frameworks of SEBI and the depositories are as mentioned below.

Inspection of Depositories by SEBI

As per the inspection policy of SEBI, depositories are inspected annually. SEBI has a clearly laid down

inspection manual, approved by the Whole Time Member of SEBI, which is updated on a regular basis.

Besides annual comprehensive inspections, SEBI also conducts specific purpose inspections.

The objectives of the inspection of depositories are broadly to:

a) Examine whether the procedures and practices of the depository are in compliance with the

Depositories Act, 1996, SEBI (Depositories and Participants) Regulations, 1996, SEBI circulars,

the bye-laws etc.

b) Check whether the books of account are being maintained by the depository, in the manner

specified in SEBI (Depository and Participants) Regulations, 1996;

c) Look into the complaints received by depositories from participants, issuers, issuers' agents,

beneficial owners or any other person;

d) Assess whether the IT infrastructure including its security system are adequate with suitable

business continuity arrangements.

e) Check whether violations and deficiencies pointed out in the last inspection report have been

rectified and procedures and systems have been suitably modified/ enhanced so that the

violations and or deficiencies would not occur again.

The broad areas covered in the inspection are as under:

1. Organization Structure: Infrastructure, committees and their working, bye-laws of the

depositories, employees, compliance officer etc.

2. Administrative and Monitoring Control: Process flow and operational manual, cooperation with

other entities

3. Issuer’s/ RTAs: Admission of issuer’s security, administration of issuers of securities, RTAs,

allocation and activation of ISIN, reconciliation of issuers’ records, corporate action.

4. Depository participants : Admission, renewal, withdrawal of participants , supervision &

inspection of participants

5. Operations : General operations of the depository

6. Systems Audit: Systemic issues of the depository

7. Financial Analysis: Financial performance, net worth, insurance, contingency funds etc.

8. Connectivity with other entities such as depository participants, clearing houses/corporations,

issuers, RTAs and stock exchanges

9. Other Aspects: Maintenance of books of accounts etc

10. Chinese walls in operations and systems between the capital market de/re materialization

related functions and non core activities undertaken by the depositories.

As per the existing procedure, SEBI calls for data from depositories through pre-inspection questionnaire

and the same is analyzed manually. The data so analyzed enables SEBI to identify areas which needs

greater focus and verifications during on-site inspection. Any major observations noted during on-site

inspections are discussed with the management of depositories for their immediate information and

compliance. Further, periodic follow-up with the depositories is done till all pending observations are

fully implemented. The time taken to complete the entire exercise starting from pre-inspection data,

analysis of data, on-site inspection, and preparation of report and follow up with depositories may take

up to 6 months. Since the entire process is manual and labor intensive with minimal usage of

technology, the time taken in certain cases may further increase depending on number of inspecting

officials.

The current inspection methodology of SEBI is primarily compliance based wherein focus is on

ascertaining the compliance status of various guidelines and safeguards mandated by SEBI from time to

time.

Apart from inspection of depositories, SEBI also conducts annual inspection of DPs on selective basis and

such inspection is again primarily compliance based. Further, SEBI also receives monthly development

reports (MDR) from depositories which contain various details including number of routine / specific

purpose inspections of DPs conducted by them along with the name of the DPs and various actions /

penalties imposed by them.

Details of SEBI inspection of CDSL are as follows:

| Period of Inspection | Date of commencement | Nature of Inspection |
|---|---|---|
| August 2002 - Jan 2004 | Feb 23, 2004 | Comprehensive Inspection |
| Feb/March 2004 - March 2005 | July 5, 2005 | Comprehensive Inspection |
| April 2005 - March 2007 | March 26, 2007 | Comprehensive Inspection |
| N.A. | Oct 19, 2010 | Special purpose inspection to ascertain systems, processes and Inspection mechanism of Depository |
| April 2007 - August 31, 2012 | Nov 23, 2012 | Comprehensive Inspection |

Details of SEBI inspection of NSDL are as follows:

| Period of Inspection | Date of commencement | Nature of Inspection |
|---|---|---|
| August 2002 - March 2005 | April 28, 2005 | Comprehensive Inspection |
| April 2005 - May 2007 | July 29, 2007 | Comprehensive Inspection |
| N.A. | Oct 11, 2010 | Special purpose inspection to ascertain systems, processes and Inspection mechanism of Depository |

The number of DPs inspected by SEBI from 2009-10 onwards is as follows:

| Year | 2009-10 | 2010-11 | 2011-12 |
|---|---|---|---|
| Number of DPs inspected | 9 | 11 | 13 |

The major findings of SEBI inspection of Depositories are as follows:

| NSDL | CDSL |
|---|---|
| NSDL monitors the exposure limit of SBDP on a weekly basis rather than on a daily basis as advised by SEBI. | As regards the process of appointment of system auditor, CDSL does not have a practice of obtaining a certificate from auditors towards conflict of interest. |
| NSDL admits issuers / companies who are not satisfying the eligibility criteria in certain cases even though the byelaws and operating manual do not provide for the discretion to relax the conditions. | It is observed that CDSL does not confirm from the pledgee that the securities are available for pledge as stated in the Regulations. |
| It was observed from the data provided by NSDL that 7270 cases of rejections were reported, out of which 6345 were because of wrong DPID and 925 were for wrong client status in case of IPOs. | It was observed that there might be a case that even though the Depository provides training to two persons of inspecting firms, the inspections of RTAs/DPs might be carried out by persons who are not trained by the Depository for carrying out the inspections. |
| NSDL had not taken appropriate penal action against DPs for repetitive violations by DPs observed by them during inspections. NSDL's action has never gone beyond imposition of monetary penalties. | It was observed that the inspection report does not have any comment on the status of implementation of various circulars and communiqués issued by SEBI and CDSL to DPs/RTAs. |
| The Depository has not set any internal standards for the depository officials for preparation of the inspection report, for issue of letter of observation / first letter and for analysis of the reply submitted by the DP/RTA, i.e. for preparation of action and presenting the case to DAC etc. | The inspection reports are not analytical in nature. From the inspection report it is very difficult to draw a conclusion as it is in 'Yes' and 'No' format. |
| The inspection reports of the RTAs are in very standardized formats and they do not seem to be focusing on any specific areas of concern observed / identified by the different departments of the Depository. Further, it was observed that the inspection department of the Depository does not take any feedback from other departments such as operations, investor grievances etc. to analyze the areas which require more attention during the inspection. | It was observed that the DAC of the Depository had reduced the penalty levied for the violations pointed out in the inspection reports by 75%, which defeats the very purpose of having a penalty structure. |
| The inspection report does not have any comment on the status of implementation of various circulars and communiqués issued by SEBI and NSDL to RTAs. | During discussion with CDSL it was found that it takes two to seven weeks to update the net-worth records in the AVPS monitoring system after receipt of the net-worth certificate. |
| There were some cases where inspection reports were considered to be closed even when RTAs had not sent compliance report to NSDL for the violations made in the inspection reports. There were as many as 25 such cases of RTAs observed during the period covered under inspection. | The reconciliation of capital is done at the RTA's end and not even inspected by the inspection team. This could lead to major issues of capital mismatch not coming to notice if the RTA commits any error of commission / omission or colludes with the issuer. |

In this regard, it is pertinent to mention that SEBI does not analyze the data which could be retrieved out of MDRs or call for the inspection reports from the depositories on their findings about DPs and therefore no cross verification of Depositories' findings with SEBI's own findings seemed to have been done.

In view of the above, the committee has suggested:

1. SEBI should revamp and then examine the information received through Monthly Development Reports (MDRs) on a regular basis and SEBI should analyze the MDRs and convey their observations / comments to the Depositories, specifically on findings of the inspection of DPs.

2. The critical observations of SEBI’s Inspection of DPs should be cohesive with the critical observations of the DP inspection by depositories. In this context, the adequacy of inspection of DPs by depositories needs to be checked by SEBI during its inspection of Depositories or otherwise.

3. There should be an annual interface between SEBI and Depositories to review comprehensively the inspection findings on the DPs and areas of repeat violations, non compliance, and overall status of rectification.

4. Depositories should be inspected on an annual basis.

Inspection of DPs by Depositories

The DPs are inspected and supervised by Depositories in accordance with Depositories Regulations, and these inspections are intended to be more comprehensive. However, it was observed that the current process of inspection of DPs by the depositories is more of a checklist-based, labor-intensive process. The committee was informed that inspection policy of depositories covers the following:

Annual inspection of operations and system of every DP.

Inspections are conducted by in-house audit team with a gap of 11-13 months between two inspections of the same DP.

Inspection of new DP is conducted within 3 months of the date of commencement of its business.

Period of inspection of a DP is generally the period from the last date of previous inspection till the end of the month immediately preceding the actual date of inspection.

Major areas that are looked into during the inspection of DPs by Depositories are:

Account opening (KYC and In person verification), account modification, account closure

Dematerialization / rematerialization, pledge/ unpledge, freeze / unfreeze of securities

Issuance of DIS booklets & Execution of transactions

Complaint handling

The maintenance of all mandatory registers.

Back office software

The DSRC and its sub-committee deliberated on the inspection process and the depositories were asked to make a presentation regarding the inspection of their participants. It was noted that NSDL has 283 DPs with 320 DPMs and 5,000 service centers. Similarly, CDSL has 575 DPs, 222 branches and 13,000 service centers. It may be noted that branches are those DP offices which are connected live with Depositories, whereas service centers are those offices of DPs which only act as investor service points handling collection of forms, data, account opening & related in-person verifications, and complaints. Yet, service centers are connected with the main office through the back office system of the DP. The service centre enters the data which flows electronically to main office and the corresponding physical applications are sent to respective main office / related branch which are then verified and stored.

The salient features of inspection of DPs by depositories are:


Yearly inspections of all DPs and their live connected branches.

Inspection of service centers of DPs is on sample basis, which constitutes less than 5% of total service centers.

Majority of non-compliances result in imposition of monetary penalty as a deterrent measure.

The sampling policy is uniform across both the depositories and the sample selection is done automatically on the basis of information available with the depositories on various parameters in the following areas:

o Account Opening and KYC Documentation

o Account Modification

o Dematerialization / Rematerialisation/ Repurchase

o Issuance and Processing of DIS

o Account Closure

o Freeze/ Unfreeze

o Pledge/ Unpledge/ Hypothecation/ Invocation

o Transmission

o POD for Transaction Statements

The sampling is adaptive sampling based on the historical non-compliance data wherein sample size varies dynamically from one DP to other DP.

The maximum sample size in any particular area is 1000 (irrespective of size of the portfolio - cumulative or incremental) which, however, is doubled in case of repetitive violations.

The penalties imposed are displayed on the website of the depositories.

One of the important areas looked into during on-site inspection is verification of process of Delivery Instruction Slips (DIS) issuance and processing.

Audit / verification of various back office checks mandated by depositories.

From the above, the following is observed:

Most of DPs are registered as participants with both the depositories, therefore they are subjected to inspections by the depositories separately.

By the very nature of their registration criteria, all DPs are carrying out other activities such as stock broking, banking, custodian, NBFC, RTA etc.

Inspections are checklist based annual exercises focusing only on compliance.

Inspections merely result in imposing monetary penalties rather than rectifying and improving the systems, process and procedures.

The frequency of inspections is the same irrespective of size, nature and risk profile of DPs.

All service centers are not inspected by the depositories.

Depositories do not have details of the DIS booklets issued by DPs to their BOs which get verified only at the time of on-site inspection resulting in loss of man hours and resources.

Depositories do not have all the information available in the back office of DPs with them such as DIS numbers, mapping, KYC documents, account details, etc.


Having regard to the number of DPs and their service centers, volumes transacted, nature and extent of non compliance, the complaints etc., the inspection process is sought to be revamped with the following suggestions:

The inspections should be risk oriented and the inspection reports should not only identify risk areas but should also proactively suggest risk mitigation.

Consolidated / integrated risk based inspection framework for joint inspection of DPs by both the depositories.

The pre and post inspection process of DPs and their service centers should be automated through usage of appropriate technology so as to make it more quality oriented and less labor intensive which will ultimately enhance the productivity of inspection process. There should be architecture for facilitating the system generated flow of information/ data required for regulatory oversight and / or routine review either on line or in batch mode on prescribed frequency.

Alternatively, if such close inspection / oversight modality is not possible directly by Depositories through their own personnel, the possibility of outsourcing service centre inspections through accredited / duly empanelled external audit firms may be explored.

There should be disclosures in the annual report of depositories regarding inspections conducted, major findings and various actions taken pursuant to inspections.

Classifying DPs into risk buckets with appropriate risk weights for the purpose of rating of DPs. Further, for the categorization of risks, relative weights should be derived and more weights should be assigned to the operational aspects with provision for triggers on slippages.

There should be an annual interface between Depositories to review comprehensively the inspection findings on the DPs and areas of repeat violations, non compliance, and overall status of rectification.

Both depositories should have uniform penalty structure so that DPs do not take advantage of regulatory arbitrage.

Integrated risk based inspection framework

In the aftermath of the financial crisis, the Financial Stability Board (FSB) and the G20 Leaders identified the need for more intense and effective supervision, particularly of systemically important financial institutions (SIFIs), as weak risk controls at financial institutions are still being witnessed. Some of the entities registered as DP may be SIFIs. Therefore, keeping in view the global focus of effective supervision on SIFIs, sharing of information of all activities undertaken by SIFIs regulated by various authorities needs to be encouraged for improvement in supervision to ensure that it is effective, proactive and outcomes-focused.

If the above suggestions are implemented, the same may strengthen the existing inspection framework at the end of depositories. Further, there is a need to provide special attention to those DPs who are also engaged in various other activities (some of which are risky in nature) apart from acting as DPs. Such DPs may be subjected to more frequent inspections / monitoring in order to avoid and / or detect any irregularities / fraud or early warning signals hinting at possible failure which, if they go undetected, may affect the confidence of the investors and also threaten the integrity of depositories.

The aforesaid potential risks threatening the effectiveness of the depository system as a whole call for a consolidated / integrated risk based inspection framework for joint inspection of operations of DPs which are registered on both depositories and have large number of BO accounts and custody value. Further, it will also be useful and meaningful for SEBI and depositories to identify and effectively monitor such DPs which are perceived to be risky on the basis of various parameters like compliance level, quality of management, and complaints. It will also make it possible to monitor whether DPs have information security, business continuity and disaster recovery plans in place. These checks will ensure that connectivity between depositories and other market infrastructure institutions' services is not disrupted and various services to investors are effectively delivered at all times.


Risk Modeling and DP rating

Risk is normally defined as an exposure to the possibility of loss, injury, or other adverse or unwelcome circumstance; a chance or situation involving such a possibility. ISO defines risk as an effect of uncertainty on objectives; these uncertainties include events that may or may not occur and uncertainties caused by ambiguities and lack of information. Unmanaged risk can prove disastrous and the recent global crisis is a testimony of this fact. Therefore, for survival, it becomes imperative to understand the risks and to learn to manage them.

Understanding of the risks involves awareness of risks: known risks, which can be identified and measured (through quantitative analysis); unknown risks, which can be identified but cannot be measured (through qualitative analysis); and unknowable risks, which cannot be identified.

Risk management, therefore, must include a blend of quantitative and qualitative analysis to provide a high level of insight and consistent communication to management of evolving conditions enabling the firm to respond effectively to emerging opportunities and risks. Further, risk management must also include stress testing and scenario analysis to supplement the risk model outputs so as to factor in the risks arising from rare but plausible events.

The current system of inspection of DPs by depositories has a policy of annual inspection focusing on compliance rather than risk. Given that DPs apart from acting as DPs also concurrently undertake various other activities, it will be appropriate to assess the risk on a holistic basis with focus on risk based inspection and develop a risk model for the DPs. The risk model should include both quantitative factors and qualitative factors to objectively assess and measure the risk profile of the DPs. Also, when both securities and monies are handled under one roof / management there is a greater need to have risk based supervision so as to ensure that possible failure / insolvency / fraud by such systemically important institutions are detected well in advance which will in turn uphold integrity of financial system.

Some of other activities undertaken by DPs are regulated by SEBI (stock broker, custodians, RTAs, etc) and some activities (NBFC / Banks) are regulated by RBI. These activities have inherent risks associated while dealing in their capacity as Banks / NBFC / brokers / Custodians / RTAs etc, which can have an impact directly or indirectly on the functioning or overall assessment of risk profile of a DP. In case both primary and other activities (stock broker / custodian / RTAs) undertaken by DPs are regulated by SEBI, the associated risk profile of such entities needs to be seen together in order to have a better understanding of the overall risk profile and the systemic risk that such entities could pose to market integrity. This line of thinking gained traction in the aftermath of the financial crisis, wherein the Financial Stability Board (FSB) and the G20 Leaders identified the need for more intense and effective supervision, particularly of systemically important financial institutions (SIFIs), as weak risk controls at financial institutions are still being witnessed. Further, sharing of information regarding all activities undertaken by SIFIs regulated by various authorities needs to be encouraged for improvement in supervision to ensure that it is effective, proactive and outcomes-focused. Out of all categories of DPs registered with SEBI, activities like stock broker, custodian, clearing house and RTA are also regulated by SEBI. Relevant information regarding the same can be made available by Stock Exchange / SEBI wherever applicable. Therefore, it will be appropriate to incorporate this parameter in the proposed risk model so as to have an overall assessment of the entity.

In order to formulate a risk model, various risks emanating from activities undertaken by DPs need to be identified and measured. Thereafter, these risks may be continuously monitored so as to take various measures to mitigate / insulate such risks. For this exercise to be effective, it is essential to categorize all activities handled into core and critical activities and carry out a risk matrix. With a view to understand the system, the depositories were advised to submit the list of activities which they perceive as risky from their perspective taking into account all the complaints and inspection observations.

On the basis of the submitted information, it is noted that depositories categorize the activities which have 100% internal / concurrent audit and where penalties were levied as high risk, the other activities where penalties were levied are categorized as medium risk and those activities where minor deviations are observed are categorized as low risk.

In view of the above, various activities which are perceived to be risky are as under:

1. Account Opening / KYC - The major risk associated with this activity is the opening of fictitious accounts.

2. DIS issuance & processing / Unauthorized Transfer - Lack of monitoring / supervision of this activity may lead to a situation where securities lying in the BO accounts could be moved unauthorized (without the knowledge of BO holder) by the DP which can seriously jeopardize the integrity of depository system and thereby damage the confidence of investors.

3. Trading of unlisted shares - Reconciliation of shares (Physical + electronic shares) of both depositories must ensure that shares more than issued capital do not float in the market.

4. Pledge / un-pledge of shares – Particularly such cases where promoters were able to pledge same shares with various entities.

5. Complaints handling – Types and instances of complaints can point to various inadequacies in the system.

6. Power of Attorney - Since power of attorney gives the legal right to use the demat account, there is a risk of usage of securities to derive gains for POA holders, at the cost of beneficial owner.

7. Non core activities - Risks emanating from other activities undertaken by the depository which are not in the domain of securities markets can permeate into the core activities of the depository.

The low risk activities are as under:

1. Demat / remat

2. Issue of transaction statement

3. Closure of accounts

4. Inter-depository transfers


Complaints received in the system form an integral part of the market intelligence systems through which various risks / irregularities / fraud come to the notice of regulators. The analysis of complaints data provides vital information regarding the quality of services provided to investors by the DPs and also provides information regarding unauthorized usage of securities / manipulation. Therefore, the complaints received against the DPs as available in SCORES database of SEBI were analyzed on the basis of category of complaints and number of complaints which is given below:

Sr. No | Category of complaints | Total complaint received since June 2010 till date
1 | Others (Miscellaneous) | 704
2 | Non closure/ delay in closure of account | 425
3 | Wrong/ Excess Charges | 371
4 | Unauthorized Transaction in account | 245
5 | Manipulation | 185
6 | Delay in Dematerialization request processing | 147
7 | Delay in / Non-Execution of DIS | 135
8 | Non-updation of changes in account (address/ signatories/bank details/ PAN/ Nomination etc.) | 111
9 | Delay in/ Non-Receipt of Statements from DP | 101
10 | Charges for Opening/closure of Account | 84
11 | Non acceptance of DIS for transfer | 72
12 | Delay in Issuance / Re-issuance of DIS Booklet | 64
13 | Transmission related | 61
14 | Deactivation/ Freezing/ Suspension related | 58
15 | Delay in/ Non-Receipt of Original certificate after demat rejection | 52
16 | Discrepancy in Transaction statement | 51
17 | Non Acceptance of demat/remat request | 44
18 | Delay in activation/ opening of account | 37
19 | Unauthorized changes in account (address/ signatories/bank details/PAN etc.) | 33
20 | Closure of account without intimation by DP | 30
21 | Denial in opening an account | 21
22 | SMS related | 20
23 | Non receipt of Account Opening Kit | 17
24 | Insistence on Power of Attorney in favor of DP | 15
25 | Account opened in another name than as requested | 13
26 | Pledge related | 12
27 | Non Receipt of copy of DP Client Agreement/Schedule A of Charges | 11
28 | Delay in Rematerialization request processing | 10
29 | De-freezing related | 9
30 | Charges paid, but not credited | 8
Grand Total | | 3146

From the above table it can be observed that majority of the complaints relate to:


Unauthorized transactions in accounts and manipulation

Improper services rendered such as Non closure/ delay in closure of account, Wrong/ Excess Charges, Delay in / Non-Execution of DIS, Non-updation of changes in account (address/ signatories/bank details/ PAN/ Nomination etc.), Delay in/ Non-Receipt of Statements from DP, Delay in Dematerialization request processing, etc.

Hence, it will be appropriate that complaints database as available at the end of depositories be extensively and effectively used for the purpose of quantitative analysis in the risk model wherein appropriate weights be derived for activities based on number of complaints received.

However, there may still be certain risks associated with the activities and their related processes and procedures which can go unnoticed and continue to be in the system, if no complaint is received related to those areas. In this regard, the inspections conducted by regulators help in identifying / detecting such risks, if any, and take proactive / preventive steps to mitigate these risks. Therefore, instances of inspection observations related to inadequacies noticed in the various activities and their related processes and procedures also need to be used for the purpose of quantitative analysis in the risk model. Based on the same, appropriate weights may be derived for such activities.

As explained earlier, there are various unknown risks associated with any system and those risks are covered through qualitative analysis. Hence, it is imperative to include qualitative factors in the risk model to arrive at the total risk score. The qualitative factors may include governance in terms of corporate as well as IT governance, management quality & capacity, reputation & goodwill, efficiency & economy of services rendered, etc.

In view of the above, it is suggested to develop a risk model on the lines as indicated below:

1. Assignment of weights – Depositories may assign weights for various activities taking into consideration following factors:

a. Category of registrations as DPs – eg. Different weight for a stock broker DP as compared to a bank DP

b. Size of operations - Different weight for a big DP (value of custody, no of BOs and no of services centers) as compared to a smaller DP for a particular activity

c. Repetitive violations of the same kind to result into a higher weight being assigned to the respective activity.

d. Technological glitches in the past at the end of DPs

e. Quality of back office systems of DP.

2. Calculation of Complaint Weight

Type & nature of complaint | Weight (A) | No of Complaints Received during the period covered under inspection (B) | Complaint score CW = A x B

1. Account Opening Related

a) Denial in opening an account

b) Account opened in another name than as requested

c) Non receipt of Account Opening Kit

d) Delay in activation/ opening of account

e) Non Receipt of copy of DP Client Agreement/Schedule A of Charges

Total Weight for Account Opening Related Issues

2. Demat/Remat Related

a) Delay in Dematerialization request processing

b) Delay in Rematerialisation request processing

c) Delay in/ Non-Receipt of Original certificate after demat rejection

d) Non Acceptance of demat/remat request

Total Weight for Demat/Remat Related

3. Transaction Statement Related

a) Delay in/ Non-Receipt of Statements from DP

b) Discrepancy in Transaction statement

Total Weight for Transaction Statement Related

4. Improper Service Related

a) Insistence on Power of Attorney in its favour

b) Deactivation/ Freezing/ Suspension related

c) Defreezing related

d) Transmission Related

e) Pledge Related

f) SMS Related

g) Non-updation of changes in account (address/ signatories/bank details/ PAN/ Nomination etc.)

Total Weight for Improper Service Related

5. Charges Related

a) Wrong/ Excess Charges

b) Charges paid but not credited

c) Charges for Opening/closure of Account

Total Weight for Charges Related

6. Delivery Instruction Related (DIS )

a) Non acceptance of DIS for transfer

b) Delay in/ non Execution of DIS

c) Delay in Issuance / Reissuance of DIS Booklet

Total Weight for Delivery Instruction Related (DIS )

7. Closure

a) Non closure/ delay in closure of account

b) Closure of a/c without intimation by DP

Total Weight for Closure


8. Manipulation/ Unauthorized Action

a) Unauthorized Transaction in account

b) Manipulation

c) Unauthorized changes in account (address/ signatories/bank details/PAN etc.)

Total Weight for Manipulation/ Unauthorized Action

9. Company/ RTA related

a) Action – Cash

b) Action – Non–Cash

c) Initial Public Offer/ Follow-on Public Offer Related

Total Weight for Company/ RTA related

10. Others

3. Sample Selection Guidelines

A sample selected for an activity will depend on the nature of that activity and the non compliances observed in the past inspection of the DPs. Initially a base sample is determined based on the activity and has a cap of 2000. This base sample is then multiplied by a factor dependent on the DP Risk Rating to arrive at a final sample size. The final sample size has a cap of 6000 samples.

1. General Guidelines

The sample selection for account opening should cover all categories of clients such as individuals, HUF, Corporate, FIIs etc. Account Opening Forms (AOF) relating to FIIs should be checked on a 100% basis.

A. Account Opening

Base sample size: 5% of AOF or 150 AOFs whichever is higher with a maximum cap of 2000 accounts.

The sample selected should maintain the proportion of new accounts opened in each category.

Final Sample Size: The sample size is also dependent on past rating of DP. The following multipliers should be implemented in order to determine final sample size for the current inspection

DP Rating | Multiplier
High risk | 3
Medium High risk | 2
Medium risk | 1.5
Low risk | 1

B. DIS Execution

Base sample size: 10% of DIS or 200 DIS whichever is higher with a maximum cap of 2000 DIS.


Final Sample Size: The sample size is also dependent on past rating of DP. The following multipliers should be implemented in order to determine final sample size for the current inspection

DP Rating | Multiplier
High risk | 3
Medium High risk | 2
Medium risk | 1.5
Low risk | 1

Intra Depository Transfers (IDT) samples will be 5% of the total samples verified for DIS.

Out of total intra depository instructions to be verified, the percentage of on and off market instructions would be in the ratio of 1/3 and 2/3.

DIS issuance sample will be 5% of the total samples verified.

C. Demat / Remat / Pledge / Unpledged Samples

5% of Demat / Remat / Pledge / Unpledged Samples processed or 100 requests whichever is higher with a maximum cap of 500 demat requests.

D. Base Sample Size for Client master Changes Samples and other miscellaneous areas

Address change samples=50

o 1/3rd of the samples should be from Urban, Semi Urban and Rural Areas

Nomination Change samples=25

Signature change Samples=100

Addition/Deletion/Modification of POA = 100

Addition or deletion of authorized signatories of POA=100

Freeze Samples=50

Unfreeze Samples=100

Bank Details Change Samples=100

PAN modification samples=100

Account closure initiated by clients=25

Closure initiated by DPs=25

Demat rejection=30

Statement of Transactions=25

Slip issuance/ validation and Blocking=100

Change in e-mail Id=50

Change in mobile number=50

Change in SMS flag=50

Change in standing instruction flag=50

Transmission Samples=50% of total samples

Last visit compliance=100% of total samples


The final sample size should be arrived at after multiplying with the respective multiplier corresponding to the DP Risk Rating.

E. Investor grievance Samples

100% of investor complaints or 100 investor complaints whichever is lower. The sample should include 25% representations of complaints on the following types:

Unauthorized transactions

DIS related complaints

Delay in opening / closure accounts

Excessive charges

F. Other Aspects

A uniform Base sample size of 100 should be adopted in case of all other activities. In case of the total number of samples being less than 100 then 100% of the samples should be verified.
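The sizing rules of sections A, B and F above, worked through as an added Python example that is not part of the committee's report. The function names, rounding up to whole records, the integer split of the 1/3 to 2/3 ratio, and limiting a sample to the number of records that exist are assumptions made here.

```python
import math
from fractions import Fraction

# "DP Rating / Multiplier" table from the guidelines (exact values, no floats).
RISK_MULTIPLIER = {
    "High risk": Fraction(3),
    "Medium High risk": Fraction(2),
    "Medium risk": Fraction(3, 2),
    "Low risk": Fraction(1),
}

FINAL_CAP = 6000  # "The final sample size has a cap of 6000 samples."

# activity -> (percent of population, minimum, cap on the base sample)
BASE_RULES = {
    "account_opening": (5, 150, 2000),  # A: 5% of AOFs or 150, cap 2000
    "dis_execution": (10, 200, 2000),   # B: 10% of DIS or 200, cap 2000
}


def _ceil_div(a, b):
    """Integer ceiling division; rounding up is an assumption of this example."""
    return -(-a // b)


def base_sample(activity, population):
    """Base sample: the higher of the percentage and the minimum, then capped."""
    if population < 0:
        raise ValueError("population must be non-negative")
    percent, minimum, cap = BASE_RULES[activity]
    size = max(_ceil_div(population * percent, 100), minimum)
    size = min(size, cap)
    # Assumption: a DP with fewer records than the minimum is checked in full.
    return min(size, population)


def final_sample(activity, population, rating):
    """Base sample scaled by the DP's past risk rating, capped at 6000."""
    if rating not in RISK_MULTIPLIER:
        raise ValueError("unknown DP rating: %r" % (rating,))
    scaled = math.ceil(base_sample(activity, population) * RISK_MULTIPLIER[rating])
    return min(scaled, FINAL_CAP, population)


def idt_split(dis_samples):
    """IDT samples are 5% of the DIS samples, split 1/3 on-market, 2/3 off-market."""
    idt = _ceil_div(dis_samples * 5, 100)
    on_market = idt // 3  # assumption: remainder goes to off-market
    return {"idt": idt, "on_market": on_market, "off_market": idt - on_market}


def other_activity_base(population):
    """Section F: uniform base of 100; fewer than 100 records means 100% are verified."""
    if population < 0:
        raise ValueError("population must be non-negative")
    return min(100, population)


if __name__ == "__main__":
    # Constructed DPs: (name, AOFs opened, DIS executed, past rating).
    for name, aofs, dis, rating in [
        ("small broker DP", 1000, 5000, "Low risk"),
        ("large bank DP", 100000, 30000, "High risk"),
    ]:
        dis_n = final_sample("dis_execution", dis, rating)
        print(name, final_sample("account_opening", aofs, rating), dis_n, idt_split(dis_n))
```

The cap of 6000 only binds when a capped base sample of 2000 meets the High risk multiplier of 3; for every other rating the base cap of 2000 is the effective limit.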

4. Calculation of Inspection Weight

Activities and their processes & procedures | Weight (A) | (No of Instances) / Sample size (B) | Inspection Score IW = A*B

A Account Opening

1 Proof of identity, proof of address and other KYC document is not collected

2 Correspondence address of third party is accepted, without adhering to the guidelines prescribed.

3 PAN is not obtained for all the accounts, wherever applicable

4 PANs are not verified with the database of Income Tax Department and stamp of "PAN Verified" is not affixed on the photocopy of the PAN card(s) for all the accounts

5 Copies of all the documents submitted by the applicant are not self-attested

6 Copies of all the documents submitted by the applicant are not accompanied with originals for verification / properly attested by entities authorized for attesting the documents.

7 Cases where 'in - person' verification of the account holders is not done before activation of the account as per guidelines

8 Cases where prescribed DP – Client agreement has not been executed for all the accounts

9 Cases where a separate DP – Client agreement has not been executed with clients who want to hold warehouse receipts in their account

10 Cases where data entered in DPM system does not match with the details mentioned in the account opening form

11 Cases where signature of account holder(s) as given in the account opening form has not been scanned in the DPM system clearly and correctly.

12 Cases where all KYC application forms and account opening forms are not completely filled

13 Cases where KYC application form and supporting documents of the clients have not been sent to KRA within 10 working days from the date of execution of documents by clients.

14 Cases where Participant has not uploaded existing clients' KYC data on KRA system and sent KYC documents to KRA as per SEBI guidelines.

15 Cases where Participant has not used the KYC data of a client obtained from the KRA only for the purposes it is meant for.

16 Cases where account is opened with suffix HUF or in the name of firm.

17 The information on Financial Status and Nature of Business of clients is obtained in the account opening Form.

18 If the DP has opened any PMS Demat account, DP ensures the compliance of communiqués issued by Depositories.

19 There is adequate mechanism to ensure that the details of account opening forms are entered correctly in the Depositories.

20 Validation on PAN format i.e. 5 characters, 4 numbers & 1 character.

21 Guardian details are mandatory for Minor BO.

22 Joint holders in case of a minor account.

23 In case of Minor turning major, a report is generated one month before minor turns major and on the date of minor turning major, account is frozen for debit by Depositories.

24 Joint holders are allowed in case of HUF account

25 Account is activated only before capture of signature.

26 Authorized Signatory is missing

27 Nomination is allowed only for accounts of category other than individual.

28 Bank details are missing if ECS flag is activated.

29 Power of attorney is mandatory for margin trading accounts.

Total Weight for Account Opening

B Client Data Modification

1 Cases where clients' request for changes in data (e.g. address, signature, bank details, nomination closure / freezing / unfreezing of account) have been processed as per prescribed procedure

2 Modification to account details is done only after accepting account modification form/letters duly signed by BO and the same is updated in Depository Software.

Total Weight for Client Data Modification

C Demat / Remat / Conversion / Reconversion request

1 Cases where demat / conversion requests have been accepted and processed not as per the prescribed procedure

2 Cases where date of receiving the demat / conversion request and date of forwarding the documents to Issuer / Registrar & Transfer Agent has not been recorded correctly

3 Cases where demat / conversion requests received have been sent to Issuer / Registrar & Transfer Agent not within seven days from the date of receipt of the request from the account holder

4 Cases where sufficient provisions / arrangements for safe keeping of security certificates received from account holders for dematerialization and certificates received after rejection of the demat request from Issuer / Registrar & Transfer Agent are not maintained

5 Cases where demat / conversion request was rejected due to error attributable to Participant

6 Cases where the Participant has not taken necessary corrective and preventive measures to avoid rejections attributable to Participant

7 Cases where remat / reconversion requests have been accepted and processed not as per the prescribed procedure

8 In case of demat account closure / shifting of the demat account from one DP to another, DP has complied with the procedure of refunding AMC for the balance quarter/s, in case the same is collected upfront on annual/half yearly basis.

9 In case of accounts being shifted from one DP to another by using Account Transfer option in the Transfer/Transmission module or where waiver has been claimed for inter depository transfer, the procedure prescribed in this regard has been followed

10 Register of documents received and sent for dematerialization is maintained.

11 Securities for dematerialization to Registrar & Transfer Agents / Issuers are sent after defacing and mutilating the certificates.

12 The Demat requests are accepted and processed as per procedure laid down by Depositories

13 Demat requests received from BOs are sent to the Issuer/ RTA/AMC within seven days from the date of receipt of demat request.

14 There is a proper procedure for recording of demat dispatch details such as dispatch ref. no., dispatch date, name of courier etc.

15 In case of demat/remat requests rejected due to the errors attributable to the DP, corrective actions are taken so that such instances are not repeated in future.

16 The certificates along with rejection letters are returned to the concerned BO within 7 days of receipt of the same from the RTA.

17 Proper records of dispatch such as DRN, dispatch ref no., dispatch date, name of courier / signature of BO are kept.

18 DP has a system of inward of Demat request (DRF)/MF DRF received which clearly gives information about date of receipt of DRF from BO.

19 ISIN is invalid and/or inactive.

20 BO is not active.

21 Demat request cannot be set from CM settlement accounts.

22 Demat cannot be setup if BO is frozen for credit/ both.

23 BO should belong to same DP or its Sub DP.

24 A letter is generated by the system after creation of demat request addressed to the RTA of the ISIN

25 Balance should exist in BO account.

26 ISIN should be active.

27 BO inactive.

28 BO is not of same DP or its Sub DP.

29 Proper balance type (Free / Lock in) is not selected.

30 A letter is generated by the system after creation of remat request addressed to the RTA of the ISIN.

Total weight for Demat / Remat / Conversion / Reconversion request

D Delivery Instruction Slip (DIS)

1 There is proper inventory control mechanism for instruction slip booklets.

2 The physical inventory is tallied with the inventory records at prescribed intervals.

3 The first instruction slip booklet is being issued as per the procedure prescribed for the same.

4 There is system to issue delivery instruction booklets to the BOs based ONLY on the requisition slip which forms part of the earlier issued instruction slip booklet.

5 Requisition slip has preprinted instruction slip serial number range of the booklet of which it forms a part.

6 If any instruction slip booklet is not issued on the basis of requisition slip, the proper procedure prescribed is followed.

7 There is control over issue of instruction slips to the BOs e.g. proper records of instruction slip serial numbers vis-à-vis account number.

8 Provision exists for blocking of DIS serial numbers which are already used.

9 The DP has not issued more than 10 loose DIS to any account holder in a financial year (April to March)

10 The DP has complied with the procedure for initiation of closure / transfer of balances / rematerialisation within 2 days of receipt of account closure request, in case of account closure initiated by BO.

11 The off-market and inter depository instructions are executed in Depository Software as per the execution date written by the BO.

Total weight for Delivery Instruction Slip (DIS)

D(A) Issuance of DIS

1 Cases where issuance of DIS or loose DIS to account holder is not done as per prescribed procedure.

Total weight for Issuance of DIS

D(B) Verification of DIS

1 Cases where date and time stamp is not affixed on the DIS received

2 Cases where Participant has not affixed 'late stamp' on DIS received beyond the prescribed deadline time

3 Cases where Participant has not verified that the DIS received from client was actually issued to same client ID.

4 Cases where serial number of all the executed DIS(s) (irrespective of whether executed through back office or directly in DPM system) and DIS(s) reported as lost / misplaced / stolen by the account holder are not blocked in the back office or in the DIS issuance register to prevent any re-acceptance

5 Cases where DIS(s) given by account holder are not available for all instructions executed in DPM system (instruction other than those given by account holders through Speed-e / electronically)

6 Cases where signature(s) on DIS does not match with the signature(s) scanned in the DPM system

7 Cases where corrections / cancellation on DIS, if any, are not authenticated by the client (all holders for joint accounts)

8 Cases where Participant accepts instructions by fax from account holder and does not adhere to the guidelines

9 Cases where Participant is accepting delivery instruction in form of an annexure to a DIS, and it is not done as per the prescribed procedure

10 Cases where information under columns "Consideration" and "Reason / Purpose" are not mentioned for off market instructions.

11 Cases where maker - checker system to process the instructions is not followed.

12 Cases where additional level of verification for high value and dormant instructions is not there.

13 Cases where instructions executed in the DPM system are not as per DIS

14 Cases where Participant accepts instructions in electronic form which is not as per the procedure

Total weight for Verification of DIS

E Transaction

1 BO not of same DP or SUB DP

2 Settlement ID is missing for transaction from or to CM account.

3 Debit Transaction is allowed if Seller BO is frozen for Debit / Both.

4 Credit Transaction is allowed if Buyer BO is frozen for Credit / Both.

5 Transaction can be setup even if balance is not present in account at the time of setup. The transaction (off-market) will be in overdue status till sufficient quantity is received and if not available on EOD of execution date, the transaction will fail.

6 If Confirmation waiver flag is “Y” then no need for buyer BO to enter buy transaction.

7 Future dated transactions setup more than 10 days.

8 ISIN is invalid and/or inactive.

9 A report on high value transactions is not generated

10 A report on transactions taken place in dormant accounts is not generated

11 Buyer BO account is inactive.

12 Other than free balance is transferred.

Total weight for Transaction

F Transaction Statement

1 Cases where TS generated from back office does not match with statement generated from DPM system, or cases where transaction statements are not provided to the account holders as per prescribed frequency

2 Records for transaction statements provided to BO, giving details such as account number, date of dispatch, period for which the statement was dispatched etc. are maintained.

Total weight for Transaction Statement

G Compliance under Prevention of Money Laundering Act, 2002 (PMLA)

1 Cases where Participant has not adopted a policy to comply with its obligations under PMLA

2 Cases where Participant has not complied with all the policies and procedures as prescribed under PMLA Act, 2002 and SEBI guidelines such as customer due diligence, suspicious transaction monitoring and reporting, record keeping etc.

3 Cases where Participant has not appointed a 'Principal officer' as required under PMLA

4 Cases where there is no mechanism to deal appropriately with the alerts provided by Depositories

5 Cases where suspicious transaction is reported to FIU and not informed to Depositories

Total weight for Compliance under PMLA

H Maintenance of record and documents

1 Cases where Participant has not informed Depositories about place(s) of record keeping

2 Cases where Participant has outsourced record keeping activity (partly or fully) in contradiction to prescribed guidelines.

Total weight for Maintenance of records and documents

I Service Centre

1 Service centre (whether offering the services as a DPM setup, branch, franchisee, collection centre, drop box centre or called by any other name)

2 Cases where Depositories’ approval has not been obtained for all the service centres opened during the audit period

3 Cases where prescribed procedure has been followed for any service centre closed / terminated during the audit period.

4 Cases where data of all the service centres (DPM setup, branch, franchisee, collection centre, drop box centre or called by any other name) displayed on the Depositories website is not updated and correct

5 Cases where NCDO / NISM / NCFM qualified person in Depository operations is not appointed at each service centre (DPM setup, branch, franchisee, collection centre or called by any other name except drop box centre)

Total weight for Service Centre

J Status of compliance for deviations / observations noted in last inspection

1 Cases where Participant has not complied with all the deviations noted during last inspection conducted by Depository

Total weight for Compliance status

K Miscellaneous areas

1 Cases where transmission cases have not been processed as per prescribed procedure

2 Cases where Participant has not collected requisite documents to claim waiver of settlement fees

3 Cases where Power of Attorney documents are not duly executed and the same have been entered into DPM

4 Cases where all investors' grievances have not been redressed as per the procedure and within the stipulated time

5 Cases where pledge and hypothecation instructions are not processed as per prescribed procedure

6 Cases where Participant has not executed software utilities provided by Depositories on a monthly basis and taken appropriate action in respect of the exceptions identified

7 Cases where forms in use for various activities are as prescribed

8 Cases where any supplementary agreement / letter of confirmation / power of attorney obtained / executed with account holder which are in contravention to prescribed DP - Client agreement / Depositories guidelines

9 Cases where Internal Audit Report / Concurrent Audit Report is not submitted in the prescribed format within the stipulated time period

10 Cases where Internal audit report / Concurrent audit report is submitted without inclusion of management comments for deviations noted by auditors or not providing compliance duly certified by auditors on the observations made by the Depository

11 Cases of non-submission of net worth certificate based on the audited annual accounts by the Participants in the prescribed format for 31st March within prescribed time limit.

12 Cases of non-submission of annual financial statement within the prescribed time limit

13 Cases of non-filing of information sought by Depository either periodically or specifically through circulars / letters etc.

14 Cases where Half yearly Compliance certificate is not submitted within the stipulated time.

15 Cases where client grievances (except disputes / court cases) are not redressed within 30 days.

16 Cases of non-submission of monthly report of Client Complaints

Total weight for Miscellaneous areas

L System areas

1 Cases where hardware and software installed on machines used for depository operations are not as per the specifications mentioned in the latest Form B submitted to Depositories

2 Cases where updated antivirus is not installed on the server and all the client machines

3 Cases where ASR set is not prepared as per prescribed guidelines

4 Cases where robocopy feature is not working on one client machine

5 Cases where all the software installed on server and client machines are not licensed

6 Cases where RAID has not been configured as per the prescribed guidelines

7 Cases where database reorganization and shrinking are not done as per the prescribed guidelines

8 Cases where scheduled switch to fallback connectivity is not done and the record thereof is not maintained

9 Cases where all the hardware / equipment used for depository operations are not covered under AMC / warranty

10 Cases where adequate physical and logical access restrictions for usage of system are not in place

11 Using the DPM system for any other purpose or loading any other software or alteration of parameters / configuration / software other than DPM application software / prescribed system software found loaded in the system.

12 Back office software has been installed in Main DP /Live connected branch DP.

Total weight for system area

M POA

1 DP has mandatorily registered the BO for SMS Alert facility, at the time of setting up POA.

2 POA in favor of a stock broker DP contains clauses as per SEBI guidelines.

3 Power of Attorney (POA) documents are duly executed as per SEBI guidelines and the same have been appropriately entered into Depository Software.

4 Power of Attorney register is maintained

Total weight for POA

N Inter depository Transfers

1 ISIN is not active and not present on both the depositories.

2 BO ID is suspended, inactive or closed.

3 BO does not belong to same DP or its Sub DP.

4 Settlement ID is mandatory if transfer is from or to a CM account.

5 Transaction can be for current date or for future date.

6 Only free balance can be transferred.

7 Inter depository transaction can be setup even if balance is not present in account at the time of setup. The transaction will be in overdue status till sufficient quantity is received and if not available till inter depository cutoff time on execution date, the transaction will fail.

Total weight for Inter depository transfers

O Account Transfer

1 Other than free balance is transferred.

2 Both the accounts do not have same product and category.

3 BO account status not changed to “To Be Closed” even if transfer request fails.

4 Both BOs are not with any DPs of depositories.

5 Transferor BO account is not closed automatically after the transaction is executed.

6 Account Transfer is charged.

Total weight for Account Transfer

P Transfer and Transmission

1 Only free balance can be transferred.

2 Transferee BO account should be active.

3 Transferor BO account is not closed automatically after the transaction is executed.

4 Transactions in Transfer & transmission are charged.

Total weight for Transfer and Transmission

Q Early Pay-in

1 BO ID is suspended, inactive or closed.

2 BO should be of same DP or SUB DP.

3 Instruction cannot be set up from CM payout account for BSE.

4 Future dated transactions can be setup for settlement ids in next 7 days.

5 CM does not belong to the exchange.

6 CMID is inactive.

7 Settlement ID does not belong to exchange id.

8 Settlement ID is past dated.

9 BO ISIN has insufficient balance.

10 For CM accounts balance does not exist in respective settlement pocket.

Total weight for Early Pay-in

R BO Obligation

1 BO ID is either suspended, inactive or closed.

2 BO is not of same DP or SUB DP.

3 Future dated transactions are setup for settlement ids in time more than next 7 days.

4 CM does not belong to the exchange for which the BOC is being set up.

5 CMID is inactive.

6 Settlement ID does not belong to exchange id.

7 Settlement ID is past dated i.e. pay-in / Payout is over for the settlement.

Total weight for BO Obligation

S Pledge

1 Pledgor and Pledgee BO are not of depositories.

2 Pledgor and Pledgee BO are closed or suspended (for debit / credit / both).

3 ISIN is inactive.

Total weight for Pledge

T Freeze/Unfreeze

1 Freeze can be for debit / credit/ or both debit as well as credit.

2 Freeze can be on the BO account (i.e. all ISINs in the account are frozen), on one ISIN in the account, or on part quantity of an ISIN in the account.

3 Partial freeze can be only for debits.

4 Freeze request can be activated on current date or future date.

5 BO should belong to same DP or its Sub DP.

6 Future dated partial freeze on CM settlement account is not allowed.

Total weight for Freeze / Unfreeze

U Compliance of previous inspection Observations

1 Total number of non-compliances

Total weight for previous inspection Observations

Qualitative factors

Qualitative Factors | Weight (A) | Point on the scale of 1 to 10 (B) | Total score * (B)

1 Ownership and Governance

2 IT security and Business Continuity

3 Regulatory / procedural Compliance

4 Automation of Systems and processes for critical activities

5 Quality of Management

6 Financial Status / profitability of DPs

7 Pending enquires / Penalties imposed by SEBI / Depositories on DP operations

8 Complaints redressal

9 Adverse findings of other activities (eg. Broking / custodian / banks etc)

Following indicative factors need to be taken into account for arriving at above mentioned qualitative score:

Ownership and Governance:

1. Constitution of Board of DP – Number of promoter directors, Independent Directors etc.
2. Role of non-executive directors / Independent directors
3. Compliance officer / Risk officer position if any on the board of DP

Quality of Management:

1. Experience, Fit and Proper and Qualification of Key Personnel
2. Existence of Succession planning for top management especially in control functions
3. Chinese walls between the activities in terms of manpower, resources etc.
4. Training and development of employees.
5. Adequacy of staff strength.
6. Compliance level of previous inspection observations / directions of regulatory bodies

IT security and Business Continuity:

1. High Availability
2. Appropriate Interconnected Architecture
3. Appropriate Recovery Time Objective (RTO) and Recovery Point Objective (RPO) and near “Zero Data Loss”
4. Periodic Drills that simulate the real life scenarios on a regular basis.
5. Technological glitches in the past period and remedies taken.
7. Information security.
8. Upgradation of technology

Financial Status / profitability of DPs:

1. The net-worth of the DPs (whether reducing or increasing from previous years)
2. Net Profits of DPs operations.

Complaints redressal:

1. Complaint redressal system
2. Percentage of complaints pending and resolved.

Adverse findings of other activities (eg. Broking / custodian / banks etc):

1. Actions taken by Stock exchange and SEBI / RBI with respect to other activities
2. Actions taken by other depository.

Procedural / Regulatory compliances:

No. Procedural / Regulatory compliances Compliance Status (YES / NO)

1 DP has designated e-mail id for investor grievance and displayed the same on the website as per SEBI circular no. MRD/DOP/Dep/SE/cir-22/06 dated December 18, 2006.

2 The daily report with respect to High Value Transactions (including null report) being generated by depositories is stored by the Main and branch DPs.

3 Alterations done in the contents of agreement are as prescribed by depositories.

4 Procedure prescribed by depositories as per operating instruction 16.7 is followed in case DP has opted an exemption from sending transaction statements to BOs in respect of demat accounts with no transactions and no security balances

5 Transaction Statements are sent for the quarter in which the request for account closure has been received from the BOs with the words “Account Closed / Marked for Closure”.

6 Proof of dispatch of statement of accounts sent after processing of account closure request is preserved.

7 30 days notice is given to the BO before closing his account, in case account closure is initiated by DP.

8 All formats used by the DP are in conformity with depositories prescribed format.

9 The statement of account (transaction/holding statement) is being sent to BOs as per depositories requirements.

10 Concurrent audit reports are submitted by the concurrent auditor to the DP on monthly basis by 10th of the next month.

11 The major negative observations in the concurrent audit are informed to depositories.

12 DP follows maker-checker concept in all of its activities to ensure the accuracy of the data and as a mechanism to check unauthorized transaction.

13 The register as prescribed by depositories regarding the alerts being provided is maintained properly and actions taken are recorded as per procedure.

14 The staff operating the DPs is trained as per the requirement of depositories.

15 The details of the compliance officer/ investor relations officers/ authorized signatories/ office address and change if any is informed by DP to depositories in the prescribed format.

16 The scope of activity of the service centers is clearly documented and adhered to.

17 Reconciliation between the branches / service centers and main DP takes place for the purpose of maintenance of account opening form, Demat request, instruction slips and blank instruction booklets issued by and / or received from the branch.

18 The details of statement of transactions generated from back office match with the statement or report generated from depositories.

19 The back office (including web site) is updated regularly for the transactions done on the depositories.

20 Account opening forms, agreements and supporting documents of all BOs are being kept in a manner so that they can be retrieved at any time.

21 DP operations are carried out after following all communiqués issued by Depository.

22 Agreement executed is in order in all respects.

23 Investor Grievance Register is maintained.

24 Statement of account is sent under digital signature of DP official.

25 Nomination register is maintained.

26 The discrepancies and /or non-compliances observed during previous inspection and last two internal audits are rectified and /or complied with.

27 The DP has implemented the procedures as confirmed in the previous compliance report for the last inspection and/ or internal audit report.

28 Supplementary agreement executed or undertaking / letter obtained or any modification made in any document which does not have clauses contradictory to depository prescribed agreement.

29 Cases where OM is not prepared, the same is updated, it is not available to all the staff

Total score table = Total quantitative scores + Total Qualitative Scores

Based on the total scores, DPs can be categorized into High, Medium High, Medium and Low.

Risk Categorization Percentile of Risk Score No of DPs

HIGH Top 80%ile

MEDIUM HIGH 46-79%ile

MEDIUM 21-45%ile

LOW 0-20%ile

Further reports / dashboards on various parameters, such as activity-wise analyses, can also be produced to identify / categorize DPs which are high on risk etc.

DIS issuance & processing

One of the important areas looked into during on-site inspection is verification of the process of Delivery Instruction Slips (DIS) issuance and processing.

In this regard, the following is observed:

- Depositories do not have details of the DIS booklets issued by DPs to their BOs, which get verified only at the time of on-site inspection, resulting in huge man-hours and resources being spent.

- Depositories do not have all the information available in the back office of DPs such as DIS numbers, mapping, KYC documents, account details, etc.

Considering that the activity relating to issuance and monitoring of Delivery Instruction Slips (DIS) is one of the high risk activities, the committee felt that lack of monitoring / supervision of this activity may lead to a situation where securities lying in the BO accounts could be moved in an unauthorized manner (without the knowledge of BO) by the DP, which can seriously jeopardize the integrity of the depository system and thereby damage the confidence of investors.

Such a possibility is very high in case of broker DPs due to the very nature of their activities, where both trading and securities accounts are held with the same entity. Further, due to inadequate focus / prioritization on such high risk activity at the time of inspection, it may go unnoticed for a long time and may threaten market integrity. Therefore, it was examined whether the transactions involving DIS could be digitalized and whether images of the DIS on transactions could be captured for verification and archived. The existing system of issue, processing and monitoring of DIS at the end of DPs is as under:

a) Size, contents and structure of DIS are not uniform across the Depositories.

b) Most DPs use back office software for their operations, which includes processing of transactions (DIS and related issues).

c) The back office software is procured by DPs from third party vendors. The Depositories only prescribe the checks and minimum requirements, which are checked / verified by the depositories at the time of start of their DP operations.

d) After the account is opened by depositories, each DP issues its own DIS booklet to the BO holders and maintains the details of DIS in their back office software. The booklet issued is mapped to the respective BO.

e) Presently there are no checks at the end of depositories to verify the information (regarding DIS) submitted by DP through uploading of back-office data to the depositories, as the information regarding the DIS serial numbers of BOs is not available at the end of depositories.

f) With respect to transactions processed, the DPs submit / upload End of Day (EOD) reports to the depositories which only contain the details of the transactions executed; other relevant details like DIS serial number, maker checker ID etc. available at the back office of DP are not included.
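The DIS checks listed in the inspection checklist (slip issued to the same client ID, serial not already executed or reported lost, maker and checker distinct) could be run at the depository if the EOD upload carried the DIS serial number and maker / checker IDs. The sketch below is an added illustration, not part of the committee's report or of any depository's software; the record layouts, field names, finding codes and sample data are assumptions constructed for the example.

```python
"""Reconcile EOD debit instructions against a central DIS issuance register.

Added illustration: record layouts, field names, finding codes and sample
values are assumptions constructed here, not a depository file format.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

SerialKey = Tuple[str, int]  # (DP ID, DIS serial number)


@dataclass(frozen=True)
class Booklet:
    """One DIS booklet: a serial range issued by a DP to a single BO."""
    dp_id: str
    bo_id: str
    first_serial: int
    last_serial: int


@dataclass(frozen=True)
class EodRecord:
    """One executed debit instruction in a hypothetical extended EOD upload."""
    txn_ref: str
    dp_id: str
    bo_id: str
    dis_serial: Optional[int]  # None: executed with no slip reference
    maker_id: str
    checker_id: str


class DisRegister:
    def __init__(self, booklets: Iterable[Booklet],
                 lost_or_stolen: Iterable[SerialKey] = ()):
        self._booklets = list(booklets)
        self._blocked: Set[SerialKey] = set(lost_or_stolen)
        self._used: Dict[SerialKey, str] = {}  # serial -> first txn using it

    def owner_of(self, dp_id: str, serial: int) -> Optional[str]:
        """Return the BO the serial was issued to, or None if never issued."""
        for b in self._booklets:
            if b.dp_id == dp_id and b.first_serial <= serial <= b.last_serial:
                return b.bo_id
        return None

    def check(self, rec: EodRecord) -> List[str]:
        """Return exception codes for one record; an empty list means clean."""
        findings: List[str] = []
        if rec.maker_id == rec.checker_id:
            findings.append("MAKER_CHECKER_SAME")
        if rec.dis_serial is None:
            findings.append("NO_DIS_REFERENCE")
            return findings
        key = (rec.dp_id, rec.dis_serial)
        owner = self.owner_of(*key)
        if owner is None:
            findings.append("SERIAL_NEVER_ISSUED")
        elif owner != rec.bo_id:
            findings.append("SERIAL_ISSUED_TO_OTHER_BO")
        if key in self._blocked:
            findings.append("SERIAL_REPORTED_LOST")
        if key in self._used:
            findings.append("SERIAL_REUSED")
        else:
            self._used[key] = rec.txn_ref  # block against re-acceptance
        return findings


def reconcile(register: DisRegister,
              records: Iterable[EodRecord]) -> Dict[str, List[str]]:
    """Map txn_ref -> findings for every record that raised an exception."""
    exceptions: Dict[str, List[str]] = {}
    for rec in records:
        findings = register.check(rec)
        if findings:
            exceptions[rec.txn_ref] = findings
    return exceptions


# Constructed sample data (not real accounts or transactions).
SAMPLE_BOOKLETS = [
    Booklet("DP001", "BO-A", 1000, 1009),
    Booklet("DP001", "BO-B", 1010, 1019),
]
SAMPLE_LOST = [("DP001", 1015)]
SAMPLE_EOD = [
    EodRecord("T1", "DP001", "BO-A", 1000, "m1", "c1"),  # clean
    EodRecord("T2", "DP001", "BO-A", 1000, "m1", "c1"),  # same slip again
    EodRecord("T3", "DP001", "BO-A", 1012, "m2", "c1"),  # slip belongs to BO-B
    EodRecord("T4", "DP001", "BO-B", 1015, "m1", "c2"),  # slip reported lost
    EodRecord("T5", "DP001", "BO-B", None, "m3", "m3"),  # no slip, one operator
    EodRecord("T6", "DP001", "BO-A", 2000, "m1", "c1"),  # serial never issued
]


def run_sample() -> Dict[str, List[str]]:
    return reconcile(DisRegister(SAMPLE_BOOKLETS, SAMPLE_LOST), SAMPLE_EOD)


if __name__ == "__main__":
    for txn, findings in run_sample().items():
        print(txn, ", ".join(findings))
```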

To check the efficacy of the above system of checks and balances for DIS issuance and processing, an analysis of the insurance claims against the DPs was conducted to understand the major sources of claims and the type of DPs against whom such claims were made. It was learnt that insurance claims made against the DPs are predominantly due to fraudulent transfer of shares, as indicated below, and the DPs are mostly stock broker DPs. In some cases, fraudulent transfer of shares amounting to 1 Crore 11 lakhs has also been observed. Frauds are predominantly committed by employees, who appear to have moved the securities without DIS, in DPs that perform multiple activities, and this trend is still prevalent.

CDSL Statistics

Year | Name of the DP | Nature of loss | Claim Amount | Settled | Rejected | Outstanding / Pending
(amounts in Rs.)

2007-08
Motilal Oswal Securities Ltd. | Unauthorised transfer - signatures on the DISs were forged by employee of the DP | 3,586,629 | 2,445,392 | 1,141,237 | -
LKP Shares and Securities Ltd. | Non-uploading of file | 2,250,000 | 2,140,902 | 109,098 | -
Inter-depository failure | 902,751 | 756,083 | 146,668 | -
Total | 6,739,380 | 5,342,377 | 1,397,003 | -

2008-09
Shilpa Stock Brokers Pvt. Ltd. | Unauthorised transfer - infidelity of employee | 658,800 | - | 658,800 | -
Anand Rathi Financial Services Ltd. | Unauthorised transfer - signature on the DIS was forged by employee of the DP | 1,695,553 | - | - | 1,695,553
Select Stock Brokers Ltd | Unauthorised transfer - infidelity of employee | 130,000 | - | - | 130,000
Angel Broking Limited | Non-execution of DIS | 493,028 | 429,345 | 63,683 | -
Dindayal Biyani Stock Brokers Ltd. | Punching error | 74,575 | 23,789 | 50,786 | -
Total | 3,051,956 | 453,134 | 773,269 | 1,825,553

2009-10
Sunchan Securities Ltd. | Unauthorised transfer - signatures on the DISs were forged by employee of the DP | 4,531,483 | - | - | 4,531,483
Sam Global Securities Ltd. | Unauthorised transfer - signatures on the DISs were forged by employee of the DP | 756,000 | - | 756,000
Saurashtra Capital Service Pvt. Ltd. | Non-execution of DIS | 289,277 | 239,277 | 50,000 | -
Anand Rathi Financial Services Ltd. | Unauthorised transfer - signature on the DIS was forged by employee of the DP | 1,268,768 | 1,268,768
Total | 6,845,528 | 239,277 | 806,000 | 5,800,251

2010-11
Asit C. Mehta | Unauthorised transfer - signatures on the DISs were forged | 1,333,705 | - | - | 1,333,705
Emkay Global Financial Services Ltd. | Unauthorised transfer | 6,242,155 | - | - | 6,242,155
Sushil Financial Services Pvt. Ltd. | Unauthorised transfer | Potential | Potential
Total | 1,333,705 | 1,333,705

2011-12
LKP Securities Limited | Unauthorised transfer | Potential | - | - | Potential
  i. Mahendrabhai Patel | 5,99,000
  ii. Chandrakant Patel | 2,14,000
  iii. Taraben Patel | 2,87,000 | 1,100,000
  Total | - | 11,00,000
Karuna Financial Services Pvt. Ltd. | Auction of securities due to wrong entry of Delivery Instruction Slip (DIS). | 2,88,560.64 | - | - | 2,88,560.64
Pace Stock Broking Services Pvt. Ltd. | Loss of Securities due to wrong punching of Delivery Instruction Slip (DIS). | Potential | - | Claim Withdrawn
IIT Investrust Limited | Auction of securities due to wrong punching of Delivery Instruction Slip (DIS). | Potential | 1,42,279 | Rejected
Asit C. Mehta | Alleged Unauthorized Transfer of Securities | Potential | - | Potential
Total | 15,30,840 | 1,530,840

2012-13
Karmic Stock Broking Pvt. Ltd | Punching Error | 58311 | 8311 | 50000 | -
Wellindia Securities Ltd., | Unauthorized Transfer of Securities | 19,57,136 | - | - | 19,57,136

NSDL Statistics

| Name of Claimant(s) | Details/Nature of claim | Amount of Claim lodged (Rs. in lakh) | Remarks |
Claims under Policy Year: 2010-11 (From October 29, 2010 to October 28, 2011)
| Stock Holding Corporation of India | Fraudulent transfer of shares | 60.00 | Claim Settled |
| Mansukh Securities & Finance Ltd. | Fraudulent transfer of shares | 50.00 | Claim Outstanding |
| Integrated Enterprises | Fraudulent transfer of shares | 111.00 | Claim Outstanding |
| Stock Holding Corporation of India | Employee Dishonesty | 35.00 | Claim Outstanding |
| Standard Chartered Bank | Loss due to delivery instruction | 2.43 | Claim Rejected for want of documents from DP |
Claims under Policy Year: 2011-12 (From October 29, 2011 to October 28, 2012)
| Zuari Investment Ltd. | Fraud by employee & consumer court award | 0.60 | Claim Outstanding |
| Religare | Financial Loss to Third Parties | 250.00 | Assessment still going on by insurance company |
| Religare - Gopal Mani | Financial Loss to Third Parties | 25.00 | Assessment still going on by insurance company |

In view of above, the following is suggested:

a) Centralized generation of DIS (DPID + DIS serial number) will enable depositories to have better control over issuance of DIS booklets to BO. Further, this step will also ensure that issue of loose slips at the end of DP will also be monitored and regulated.

b) Standardization of DIS across Depositories.

c) The depositories should revise their EOD reporting requirements / structure such that all significant information which resides in the back office of DP shall be available to depositories.

d) If the truncated (image version) of DIS were to be captured directly by DPs out of their branches / service centers and also Depositories directly and simultaneously with a provision for archiving the image files, the information gathered will enable effective monitoring of the transactions from market surveillance perspective.


IT Governance

The rapid and dramatic changes in the financial market microstructure have been led by a plethora of new financial products, changing market designs and improved information technology. Technology is in the driver's seat and modulates not only the quality of infrastructure but even the product designs. The most significant development is the way technology has erased geographical boundaries, even creating new alternatives.

Innovations through Information Technology have led to a paradigm shift and revolutionized the structure and the functioning of the securities market, the most important revolution being electronic trading, clearing and settlement. Dematerialization of securities has been one of the important landmarks in the securities market, made possible by technology, which not only changed the way trading was being done but also eliminated various market evils such as delay in transfer of shares, possibility of forgery on various documents leading to bad deliveries and legal disputes, possibility of theft of share certificates, prevalence of fake certificates in the market, and mutilation or loss of share certificates in transit.

The dependence on technology in securities markets is such that most of the financial market infrastructure institutions (Stock Exchanges, Depositories, Clearing and Settlement Corporations, etc.) have started using technology extensively in various areas, which has reduced latency, cost and manpower. Further, the flow of information / data among FMIs has also been fully automated. This dependence on technology has brought along a set of challenges to deal with, such as obsolescence, capacity handling, multiplicity and complexity of systems, dependence on vendors and their associated risks, denial of services, external threats (cyber attacks, cyber frauds / crimes), internal threats, governance and management of technology, continuity of business and disaster recovery in case of exigencies, etc.

The reliance on technology has led to the introduction of a new set of risks, i.e. technology risks, which not only have a direct impact on the operations of the institution but can also act as a catalyst in cascading other risks such as credit risk, settlement risk and market risk. Further, inadequate technology implementation can also induce strategic risk due to distortion of information / data, as well as compliance risk due to non-adherence to any legal or regulatory requirement. These issues, therefore, not only have the potential to undermine investor confidence and trust but can also lead to reputation risks.

In view of the above, the committee endorses the subcommittee's recommendations on the various issues, specifically technology usage in the depository system for efficiency and effectiveness of inspections. Therefore, the technology architecture of CDSL and NSDL was examined. Further, the depositories were asked to provide the following information:

1. Various checks and balances prescribed by them in the front and back office systems of DPs

2. Information available at back office of DPs and which is not uploaded to the depository system and only checked at the time of inspections.


On the basis of the information submitted and the examination of system architecture, the following is

observed:

1. CDSL

[Figure: CDSL network connectivity. Labelled elements: routing switches at Fort, DAKC, BCC and HYD; VPN switches at Fort, DAKC and HYD; CDSL internal firewalls at Fort, DAKC, BCC and HYD; CDAS and EASI servers at DAKC and HYD; user LANs at Fort, DAKC, BCC and HYD; Internet firewalls with IPS; Ethernet, leased line, VSAT and MPLS links from service providers; BSE network infrastructure; NSDL leased lines with routers and IDMR MQ; WAN and LAN user traffic paths.]

CDSL has a centralized architecture and database. DPs enter the data in the system provided by CDSL.

CDSL has deployed a 3-tier architecture depository software application (CDAS – Centralized Depository Accounting System).

This application is accessed by users (DP & RTA) through WAN based connectivity.

CDSL also has web based software applications for DPs, RTAs, BOs and CMs (EASI – Electronic Access to Security Information and EASIEST – Electronic Access to Security Information and Execution of Secured Transaction), which provide online and upload based transactions using digital signature.

DPs do not have separate front end software. Each DP is required to have back office software for the purpose of DIS issuance & usage controls, BO signature capture & retrieval, and importing various reports generated by the CDSL system for updating transaction status / reconciliation.

The centralized architecture of CDSL provides following distinct advantages to the users:


o The initial set-up cost for Issuer Companies/their RTAs and Depository Participants is low.

o Information on investor's holdings is available to the Depository Participant and the Issuer or its RTA instantly.

o Database is replicated between main site and DR site using Oracle Data Guard facility.

The important checks available in the CDAS system of CDSL are:

o Mandatory PAN details

o PAN Validation

o Account activated only after capture of signature

o Debit and credits frozen in case of frozen BO accounts

o ISIN should be valid and active

o BO should be active

o Availability of balance in BO account

The various checks available in the back office system of CDSL DPs are:

o Maker checker for all transactions entered

o Verification of BO signature at the entry of instructions

o Inventory control of printed DIS books

o Record or cancel slips / slip books which are reported lost / returned by the BO

o Inventory control of DIS issued to POA holders

o Two step verification of high value DIS (value of more than Rs. 5 lacs) and for the transactions originating from dormant accounts

o Daily updation of back office from CDAS system

CDSL has 4 sites i.e. Main, DR data center, operational site at Fort, Mumbai and business continuity center at Belapur, Navi Mumbai. All these 4 sites are interconnected with each other using 45 Mbps / 100 Mbps Ethernet leased lines. All leased lines are configured in redundancy from 2 different service providers.

During DR operations, CDSL users are seamlessly connected to DR site without any change at user end.

CDSL complies with ISO 27001 standards for information security.

CDSL has been awarded BS25999-2:2007 certification for its Business Continuity Management Systems in April 2012.


2. NSDL

NSDL Depository system is a J2EE architecture standard based 3-tier implementation comprising presentation layer (web servers), business logic layer (application server) and data layer (database servers).

The design affords both horizontal and vertical scalability and is tested for linear scalability for execution of four times the current daily volume of instructions in one hour.

The current installed capacity can service the current entire day volume of instructions in just an hour.

The system is deployed on a cluster of Intel and UNIX servers, and a mainframe with processor sparing facility and enterprise class storage with RAID and disk sparing facility, ensuring redundancy and no single point of failure.

Similarly, all routers, network devices and firewalls have equipment level redundancy and are configured with automatic failover.


For servers, NSDL undertakes OS hardening by disabling unused ports and services. Further, the infrastructure is periodically subjected to vulnerability assessment scans to confirm that unwanted ports and services are indeed closed and that the patch level of the OS is as required.

NSDL has designed its software in two distinct parts: 1) Depository Software (DM, eDPM) and 2) DP Software (Local DPM Software), which is the front office. Participants can submit instructions using eDPM hosted at NSDL, and Local DPM available at the Participant's end can be used to fulfill reporting requirements. This provides flexibility to Participants to generate reports on demand, for any period and on a real time basis.

The application code is subjected to application security tests to ensure that it is not vulnerable to SQL injection, cross site scripting and such attacks.

The front office can be used to operate complete DP functionality including account opening, transfer & modifications, delivery, pledge, etc.

The DPs use back office for purposes such as DIS controls, billing, transaction controls, and internet based trading, etc.

The important checks available in the front office are:

o The system can be accessed only by authorized users over intranet as well as internet using e-token with digital certificate based PKI challenge response mechanism, which provides for two factor authentication based on the 'what you have' and 'what you know' principle of security.

o The access is granted strictly on 'need to know' and 'need to do' basis.

o The system requires two separate users, maker and checker, to execute any transaction.

o The system further ensures that the same user cannot assume both maker and checker roles, thereby enforcing the good practice of segregation of duty and preventing one user from unilaterally executing the Instruction.

o The system maintains complete audit trail for transactions including IP address of the workstation from which the Instruction originated.

o NSDL has recently developed end to end security for data files exchanged between Participant Back Office (BO) and Depository system. This facility allows Participants to encrypt as well as digitally sign files right at the stage of generation from their BO system.

o Compulsory daily backup and end of day internal reconciliation

o Online reconciliation of position balance post execution of each transaction.

o End of Day internal reconciliation of balances across all clients (i.e. including the ones who have not transacted). In addition, external reconciliation of changed Positions between Local DPM and eDPM for a Business day is carried out.

o Audit trail for transactions

o Important Business validations are specified below:

   o PAN is mandatory and is also structurally validated for opening of Beneficiary Account.

   o Activation of Account is subject to capture of mandatory fields including signature.

   o Account will not be allowed any debits and credits if the Account is suspended for debit and credit. Credits are allowed if Account is frozen for only debits.

   o Transactions are allowed for ISIN in 'Active' Status. In addition, Account should be in 'Active' status and should have sufficient Balance in the free Account for any debit transaction.

   o Source Account should be present with the participant initiating the Transaction. Source and Target Account should be present in the Depository System.

The important checks available in the back office are:

o Control on issuance & usage of DIS using unique DIS serial number

o Automatic blocking of used DIS

o Blocking of slips / slip books which are reported lost / returned by the BO

o Maker checker segregation for critical functions

o Verification of high value transactions and for the transactions originating from dormant accounts

o Investor grievances controls

o Verification of BO Signature at the time of entry of Instruction
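
The DIS, maker-checker and account-status checks listed above for the CDSL and NSDL systems, combined into one validation routine as an added example (not code from either depository or from the report). The class and field names, the reading of two step verification as a third distinct user, and the sample accounts are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional

HIGH_VALUE_LIMIT_RS = 500_000  # "more than Rs. 5 lacs" from the back-office list


class Status(Enum):
    ACTIVE = "active"
    FROZEN_FOR_DEBIT = "frozen for debit"         # credits are still allowed
    SUSPENDED = "suspended for debit and credit"  # no movement allowed


@dataclass
class Account:
    bo_id: str
    dp_id: str
    status: Status
    dormant: bool
    free_balance: Dict[str, int]  # ISIN -> quantity in the free account


@dataclass
class Instruction:
    dis_serial: str
    source: str
    target: str
    isin: str
    quantity: int
    value_rs: int
    maker: str
    checker: str
    second_verifier: Optional[str] = None


class BackOffice:
    """Hypothetical DP back office; all names here are illustrative assumptions."""
    def __init__(self, dp_id: str, accounts: List[Account], active_isins: List[str]):
        self.dp_id = dp_id
        self.accounts = {a.bo_id: a for a in accounts}
        self.active_isins = set(active_isins)
        self.issued: Dict[str, str] = {}  # DIS serial -> BO the slip was issued to
        self.used: set = set()            # serials already executed
        self.blocked: set = set()         # slips reported lost or returned

    def validate(self, ins: Instruction) -> List[str]:
        errors = []
        # DIS inventory control: the serial must have been issued to the debited BO.
        if self.issued.get(ins.dis_serial) != ins.source:
            errors.append("DIS serial not issued to source account")
        if ins.dis_serial in self.used or ins.dis_serial in self.blocked:
            errors.append("DIS already used or reported lost/returned")
        # Segregation of duty: one user cannot be both maker and checker.
        if ins.maker == ins.checker:
            errors.append("maker and checker are the same user")
        src, dst = self.accounts.get(ins.source), self.accounts.get(ins.target)
        if src is None or src.dp_id != self.dp_id:
            errors.append("source account not held with this participant")
        if dst is None:
            errors.append("target account not in depository system")
        if ins.isin not in self.active_isins:
            errors.append("ISIN not active")
        if src is not None:
            if src.status is not Status.ACTIVE:
                errors.append("source account not open for debit")
            if not 0 < ins.quantity <= src.free_balance.get(ins.isin, 0):
                errors.append("quantity not covered by free balance")
            # Assumption: "two step verification" means a third, distinct user.
            risky = ins.value_rs > HIGH_VALUE_LIMIT_RS or src.dormant
            if risky and ins.second_verifier in (None, ins.maker, ins.checker):
                errors.append("second verification required")
        if dst is not None and dst.status is Status.SUSPENDED:
            errors.append("target account suspended for credit")
        return errors

    def execute(self, ins: Instruction) -> List[str]:
        """Apply the transfer only if every check passes; return the errors."""
        errors = self.validate(ins)
        if errors:
            return errors
        src, dst = self.accounts[ins.source], self.accounts[ins.target]
        src.free_balance[ins.isin] -= ins.quantity
        dst.free_balance[ins.isin] = dst.free_balance.get(ins.isin, 0) + ins.quantity
        self.used.add(ins.dis_serial)  # automatic blocking of used DIS
        return []


def build_demo() -> BackOffice:
    """Constructed sample data: two BOs at DP001 and one BO at another DP."""
    accounts = [
        Account("BO-A", "DP001", Status.ACTIVE, False, {"ISIN-X": 1000}),
        Account("BO-D", "DP001", Status.ACTIVE, True, {"ISIN-X": 50}),  # dormant
        Account("BO-T", "DP002", Status.FROZEN_FOR_DEBIT, False, {}),
    ]
    bo = BackOffice("DP001", accounts, ["ISIN-X"])
    bo.issued.update({"DIS-0001": "BO-A", "DIS-0002": "BO-A", "DIS-0101": "BO-D"})
    return bo
```

A slip issued to one BO but presented against another account, with the same employee as maker and checker, fails two independent checks, which is the pattern behind the forged-DIS losses tabulated earlier in the report.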

NSDL has provided facilities to Participants to automatically update their back office with depository related exports as well as submit instructions captured in back office in a hands free manner, thereby eliminating operational errors.

NSDL has deployed identical infrastructure as production at its Disaster Recovery Site located in another city, with on-line storage based replication over a high bandwidth low latency link with near Zero RPO (Recovery Point Objective).

NSDL complies with ISO 27001 standards for information security.

NSDL has established capability as a part of BCP readiness to conduct business operations from its branches, cold site and remote sites over secure VPN with 'what you have and what you know' security. Such recovery is done through alternate business teams nominated for functional recovery in disaster events. The system seamlessly connects such business users to the data center from which operations are conducted.

In view of the above, the following is suggested:

1. There should be an IT strategy committee at the board level of depositories.

2. The depositories and their DPs should have an approved and to the extent comparable IT strategy / plan document which needs to be reviewed annually.

3. A System Audit framework should be prescribed for Depositories and DPs.

4. Create an IT Steering committee to assist the IT Strategy Committee in implementation of IT strategy. The IT steering committee should comprise representatives from IT, HR, Legal and various business functions as appropriate.

5. Information Security policy should be approved by the board and reviewed annually.

6. Create an office of information security and designate a senior official as Chief Information Security Officer (CISO) whose work would be to assess risk and identify the threat / vulnerabilities.


7. In the event of disaster, the disruption in the services provided by the depository system may affect not only the market integrity but also the confidence of investors. It is therefore imperative that there should be no disruption in services and in case there is a disruption, there should be near zero data loss. In this context, the following needs to be ensured:

   o High Availability: There should not be any single point of failure and no denial of service.

   o Appropriate Interconnected Architecture: The architecture should ensure data replication without compromising data and transaction integrity.

   o Recovery Time Objective (RTO) and Recovery Point Objective (RPO) requirements as 4 hours and 30 minutes, respectively, and ensuring that the technology implemented and the processes adopted are capable of fulfilling the RTO / RPO objectives.

   o "Zero Data Loss" and implementing the same through appropriate mechanism; e.g. synchronous replication / near site

   o Periodic Drills that simulate the real life scenarios on a regular basis and conducting these drills on a week day

8. Designate a senior official as Head of BCP function

9. Increased use of technology so as to ensure effective off site inspections of DPs and their branches and service centers. For this purpose, the following needs to be en

   o Installation and usage of licensed software

   o Generation and control through centralized DIS issuance

   o Standardization and scanning of DIS

   o Revise EOD reporting requirements / structure such that all significant information which resides in the back office of DP should be available to depositories

   o Daily reconciliation of various records in the back office with records in the front office

Use of Technology for Off-Site and Onsite Inspection

The current system of inspection of DPs by Depositories has the following features:

o Annual inspection of operations and system of every DP based on sample data.

o Inspection conducted by both CDSL and NSDL in-house audit team with a gap of 11-13 months between two inspections of the same DP.

o Inspection of new DP conducted within 3 months of the date of commencement.

o Period of inspection of a DP is the period from the last date of previous inspection till the end of the month immediately preceding the actual date of inspection.

Selection of DPs, sample size and sample selection are critical issues which need to be carefully handled for effective inspection. Currently, irrespective of the nature and size of DPs, the sample size is capped at 500, which is multiplied in case of repetitive violations. Currently a "spreadsheet based" system is used by depositories to individually take information / data from databases through reports, which is then used for determination of samples / adaptive samples.


In view of the above, since the critical activities of sample size determination and sample selection are currently manual, it will be appropriate to use technology to have checks and balances in place whereby the various source databases are integrated such that the sample size and sample selection truly represent the risks underlying various activities through appropriate algorithms. If done manually, these activities may bring in discretion which may affect the quality of inspection.

Off Site Inspection

Currently, it is noted that one of the major activities undertaken at on-site inspection is verification of the process of DIS and processing of DIS. In order to address this issue, it has already been suggested that DIS should be scanned and the images captured in the depository system, whereby the same can be verified off-site rather than on-site.

Supervision of service centers is currently weak, as the number of service centers inspected every year is very small compared to the total number of service centers across the country. This lack of supervision over such service centers can be a cause of concern. Therefore, there is a need to have appropriate technology in place to make sure that all information regarding service centers is available in the back office software system of DPs. The same should also be available with depositories so that service centers can be monitored offline without having to go on-site, thereby saving manpower, time and cost.

Besides depositories, SEBI also inspects DPs, leading to duplication and thereby wastage of time and resources. This can be avoided if SEBI is able to have off-line access to the inspection modules of depositories so that inspection observations are monitored for better supervision.


Technology Enabled Future Road Map

The DSRC has been entrusted with the task of examining the existing Inspection and Oversight mechanism and coming out with suitable recommendations, taking into account the technological advancements in the field and the operational risks associated with the functioning of the Depositories and the DPs.

Apart from the suggestions / recommendations, it was also decided to come out with the way forward, keeping in mind specifically the technology support available today, to ensure that the Inspection framework and the associated guidelines are meaningful and purposeful.

The Inspection framework of the DPs by the Depositories and the Depositories by the regulator has to take into account the technological advancements that could bring in more efficiency and productivity by capturing the relevant data for ensuring compliance or risk mitigation. The effort required for completing the Inspection process has to be drastically reduced, both in terms of the time for completion and the resources required to accomplish the task.

For the purpose of carrying out the Inspection comprehensively, the first and foremost aspect is to have authentic and accurate data. This data is generated at the DP level and is mostly available in electronic format. It is important to ensure that all the DPs have the data required for Inspection available in electronic format within a definite time frame, expeditiously. This exercise will result in a technology enabled Inspection framework being implemented for all the DPs.

The DPs need to have internal mechanisms in place to ensure that the data is complete and consistent and meets the stated requirements of the Inspection framework and guidelines from time to time. Before the start of the Inspection, DPs have to give an undertaking that they conform to this requirement. The Inspection that will be taken up in 2013-2014 has to address this issue clearly and bring out inadequacies, if any, for the DPs to put corrective mechanisms in place.

It is to be noted that the details regarding all aspects of the KYC, scanned copy of the DIS and other relevant data regarding the transactions are captured and made available. Apart from the data available as scanned copies, an extract of the relevant portion of the data in the form of tables has to be made available for access by the Depositories.

The Inspection carried out by the Depositories should be made an online inspection, by accessing the resources and information located at the DPs using the online connectivity. This approach will enable the Depositories to take up not only the Annual Inspection as a compliance requirement but, more importantly, periodic mid-term inspections whenever required.

The physical Inspection carried out by the Depositories has to be need based and justifiable, as this will involve considerable human effort. The way forward is to ensure that all the mandatory requirements to be met by the DPs are available for remote access through appropriate authentication mechanisms, and only in cases where the physical Inspection is justified will it be taken up.


The IT resources located at the DPs, both in the front office and the back office, have to meet clearly defined performance metrics in order to ensure that the service delivery is as per expectations.

The IT resources, including the software environment, have to adhere to the stated levels of:

o Performance and Scalability

o Availability and Fault tolerance

o Security and Access Control

o Conformance to standards

It is important to understand that the initiatives of the GoI will fructify in a large number of retail investors taking part in the Securities Market, and therefore the load on the systems at the DPs as well as the Depositories will exponentially increase. A technology based Inspection framework is the only option to ensure effective and timely completion of the Inspection process.

The report recommends moving towards a risk based mechanism in place of the existing compliance based mechanism. Therefore, it is important to ensure that the Inspection periodicity is adaptive and flexible. This is possible by categorizing the results of the Inspection into multiple levels of compliance rather than binary decision making. The levels of compliance will dictate the future course of action by redefining the periodicity as well as the sample size. Adaptive sampling methodology is to be implemented by the Depositories on a case by case basis depending on the outcome of the preceding Inspection.

The current approach used for deciding the sample size does not take into account the above issue, and therefore the Depositories need to come out with specific approaches to deciding on the sample size to ensure that quality is not compromised. To arrive at this and ensure that the exercise is meaningful and purposeful, one of the important aspects that needs to be kept in mind is data integrity. Periodic checks with respect to data integrity need to be taken up in addition to accuracy and reliability. The depositories have to take up compliance with data integrity checks by having an appropriate software framework that will include suitable integrity checks.

Based on the outcome of the earlier Inspection, the Depositories have to come out with specific tailor made check lists for each one of the DPs, and the DPs have to present the data in appropriate formats on their servers for access by the Depositories to complete the evaluation quickly. If required, it should be possible to drill down to have access to the primary data as and when required. The process that is used by the DPs to create the derived data required for the Inspection process has to have one to one correspondence with the primary data and has to be automated fully, through appropriate software tools or scripts, to avoid human intervention.

The technology infrastructure deployed by the DPs to handle the task has to be robust, mature and secure, and the implementation mechanism followed has to adhere to the industry best practices. It is desirable that periodic audit of the implementation is carried out by reputed external agencies and the suggestions and recommendations are implemented. The authentication framework put in place by the DPs for access by the Depositories as well as otherwise needs to be robust and secure and has to be audited periodically.

The DPs also conduct other lines of business and may have IT resources which are common across multiple business lines. It is important that the resources which are allocated for this activity are electronically isolated and access is permitted only to authorized resources. The employees of the DPs who are allocated additional responsibilities in addition to the primary activities of the DP operations have to maintain the discipline stipulated for access to other resources through appropriate mechanisms.

One of the important aspects of this exercise is to evaluate and categorize the IT resources deployed by the DPs for this activity based on the following criteria.

High Availability and Fault tolerance:

The IT infrastructure deployed should not have any single point of failure. In the event of failure of any sub-system, component or software, the resultant solution has to work, possibly with acceptable levels of degraded performance, and the corrective mechanism put in place has to ensure that the rectification takes place within 4 hours. The administration, monitoring and management of the solution have to be proactive to identify and correct the faults before the failure occurs, in most of the cases. It is recommended that the IT infrastructure deployed by the DPs have an uptime guarantee of 99.5 % measured on a monthly basis with mean time to restore (MTTR) of not more than 4 hrs. Apart from the IT resources, the processes put in place, and the implementation and management of the same, play a crucial role in ensuring compliance with the above requirement.
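
The monthly 99.5 % uptime and 4-hour MTTR figures above, evaluated over a list of outage records as an added example (not part of the report). The outage list is constructed, and attributing an incident's restore time to the month in which it started is an assumption of this sketch.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

UPTIME_TARGET_PCT = 99.5             # monthly uptime guarantee from the report
MTTR_LIMIT = timedelta(hours=4)      # mean time to restore from the report

Interval = Tuple[datetime, datetime]

# Constructed outage records (start, end) for illustration only.
SAMPLE_OUTAGES: List[Interval] = [
    (datetime(2013, 9, 3, 10, 0), datetime(2013, 9, 3, 11, 30)),   # application server
    (datetime(2013, 9, 3, 11, 0), datetime(2013, 9, 3, 12, 0)),    # database, overlapping
    (datetime(2013, 9, 17, 22, 0), datetime(2013, 9, 17, 23, 30)),
    (datetime(2013, 9, 30, 23, 0), datetime(2013, 10, 1, 1, 0)),   # spans month end
]


def merge(outages: List[Interval]) -> List[Interval]:
    """Merge overlapping outages so simultaneous failures count as one incident."""
    merged: List[Interval] = []
    for start, end in sorted(outages):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def month_bounds(year: int, month: int) -> Interval:
    start = datetime(year, month, 1)
    end = datetime(year + month // 12, month % 12 + 1, 1)
    return start, end


def monthly_report(outages: List[Interval], year: int, month: int) -> Dict:
    m_start, m_end = month_bounds(year, month)
    incidents = merge(outages)
    downtime = timedelta()
    for start, end in incidents:
        # Count only the part of each incident that falls inside the month.
        overlap = min(end, m_end) - max(start, m_start)
        if overlap > timedelta():
            downtime += overlap
    # Assumption: an incident's restore time belongs to the month it started in.
    restores = [end - start for start, end in incidents if m_start <= start < m_end]
    mttr = sum(restores, timedelta()) / len(restores) if restores else timedelta()
    total = m_end - m_start
    uptime_pct = 100.0 * (1 - downtime / total)
    return {
        "downtime": downtime,
        "budget": total * (1 - UPTIME_TARGET_PCT / 100),
        "uptime_pct": round(uptime_pct, 3),
        "mttr": mttr,
        "uptime_ok": uptime_pct >= UPTIME_TARGET_PCT,
        "mttr_ok": mttr <= MTTR_LIMIT,
    }


if __name__ == "__main__":
    for key, value in monthly_report(SAMPLE_OUTAGES, 2013, 9).items():
        print(f"{key}: {value}")
```

The two targets are not interchangeable: 0.5 % of a 30-day month is 3.6 hours, so a single incident restored in exactly 4 hours meets the MTTR limit and still breaches the monthly uptime figure.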

Data Requirement:

The DPs have to put in place appropriate mechanisms in order to ensure no compromise to data

integrity and transaction integrity. Implementation of near site is NOT mandatory. If the DPs have

implemented innovative mechanisms to ensure no data loss (similar to the implementations of NSDL

and CDSL) it would suffice.

Performance and Scalability:

As mentioned before, it is estimated that, in view of the initiatives of the GoI, a large number of retail investors will become a part of the market in the near future, and therefore the IT infrastructure should be in a position to handle the increased load with acceptable levels of performance. More importantly, the performance should be consistent, taking into account the scalability concerns.

Security and Access Control:

One of the major concerns of the Industry today is increased levels of automation to address the ever

increasing load and also the need to provide connectivity to the external environments. The

infrastructure is expected to be open and at the same time secure enough.


One of the primary requirements of security is to have a robust and secure authentication framework. The DPs have to put in place an appropriate authentication framework and should collect the necessary data from the system administrator logs to clearly address the aspects related to access to the resources in the event of any attempts to gain entry into the system. As the environment is open to access from external networks including the Internet, the DPs have to put in place appropriate checks and balances to ensure that only trusted and secure users are in a position to access the resources.

Business Continuity and Disaster Recovery:

In the event of any minor events like the failure of either the sub-system or component or the

software, high availability built in and the fault tolerant mechanisms implemented will be in a position

to address the requirement of continued delivery of services.

In the event of any major disaster, the entire IT infrastructure at the primary site is not available for the

delivery of services and therefore the DPs have to put in place an appropriate Disaster Recovery

mechanism with acceptable levels of RTO and RPO.

The DPs need to have a business continuity plan and the guidelines stipulated in the BCP will dictate

the appropriate solution architecture for the Disaster Recovery centre and also the connectivity

between the DC and the DR.

Inspection of the DPs by the Depositories and the Depositories by the Regulator has to keep in mind

the above metrics and evaluate the IT solution architecture deployed, come out with suitable

classification of the same and remedial measures that need to be implemented within the stipulated

timelines to ensure that the technology framework is robust, mature and secure.

Annexure B

Depository System Review Committee

Final Report

AUGUST 2014

Acknowledgement

At the outset, the committee members would like to thank the SEBI Chairman, Shri U.K. Sinha

for constituting the Depository Systems Review Committee and entrusting this assignment to

the committee.

This report of the Depository Systems Review Committee has been made possible with the

support and contributions of many individuals and organisations. The committee would like to

gratefully acknowledge their significant efforts and contributions.

The committee sincerely thanks SEBI former Executive Director Shri S Ramann, the current

Executive Directors Shri Muralidhar Rao, Shri J Ranganayakulu and CGM Shri P K Bindlish for

the valuable guidance and support provided.

The committee appreciates and acknowledges the significant efforts put in by the teams of Ms.

Maninder Cheema, Deputy General Manager, SEBI and Mr. B. J. Dilip, Deputy General

Manager, SEBI which included Mr. Atif Alvi, Mr. M. A. Shinod, Mr. Vikas Komera and Mr. Amit

Nigam.

The committee is also grateful to the officials of National Securities Depository Limited and

Central Depository (Services) India Limited for making detailed presentations on their systems

framework and giving valuable inputs to the committee. The committee would like to convey

its gratitude to Ms Deena Mehta of Asit C Mehta Securities and other stakeholders like HDFC,

ICICI Securities, NPCI and SWIFT for their valuable insights and inputs.

Table of Contents

Preamble 1

Executive Summary 2

Chapter 1 - Assessment of Existing Policy Framework for Depositories 9

I. Structure and Role of Depositories 9

II. Depositories Act 10

III. SEBI Depositories and Participants Regulations 11

IV. Policy Circulars/ Guidelines Issued by SEBI 14

V. Observations of the Committee 14

Chapter 2 - Assessment of Depository System on the basis of relevant Globally accepted

Principles for Financial Market Infrastructures so as to benchmark with Global Best

Practices 16

I. Benchmarking the Indian Depositories with Globally accepted Principles 16

II. Recommendations by the Committee 21

Chapter 3 - Identification of Areas for Continuous Improvement of Systems, Procedures

and Practices 22

I. Business Model of Depository Participants 22

II. Complaints against Depositories and Depository Participants 26

III. Investor Protection Fund (IPF) of Depositories 28

IV. Use of Non Disposal Undertaking (NDU) for Lending/ Borrowing of Securities 30

V. Outsourcing Guidelines for Intermediaries 31

Chapter 4 - Identification of Systemically Important Market Infrastructure Institutions and

their Inter-Linkages 33

I. System Architecture of Depositories 34

II. Business Continuity and Disaster Recovery 41

Chapter 5 - Oversight and Inspection Framework 42

I. Guidelines for Inspection of Depository Participants by Depositories 43

II. Delivery Instruction Slips (DIS) Issuance & Processing 50

Way Forward 52

Annexure I 56

Annexure II 58

List of Abbreviations 64

Page 1 of 65

Preamble

The Depository Systems Review Committee (DSRC) was constituted by Securities and Exchange

Board of India (SEBI) in June 2012 pursuant to decision of the SEBI Board to the effect that the

"Depository system" be reviewed by an independent expert group. The mandate of the

Committee was guided by the following terms of reference:

i. Overall assessment / adequacy of existing depository framework and identification of

areas for review.

ii. Assessment of depository system on the basis of relevant CPSS-IOSCO principles,

recommendations of CESR-ECB pertaining to Central Securities Depositories (CSDs) so as

to benchmark with the global best practices.

iii. Identification of areas for continuous improvement of systems, procedures and

practices and make recommendations thereof.

iv. Identification of systemically important market infrastructure providers / institutions /

depository participants and their inter-linkages and identify areas and suggest

safeguards to prevent single point failures and denial of depository service.

v. Review of existing system of inspection by depositories and suggest changes to

strengthen monitoring / oversight of depository participants.

The Committee was constituted under the Chairmanship of Shri M. Balachandran and included

the following members:

i. Shri M Balachandran (Chairman, NPCI and former CMD, Bank of India)

ii. Prof H Krishnamurthy (Principal Research Scientist, IISc Bangalore)

iii. Shri R S Loona (Managing Partner, Alliance Corporate Lawyers and former Executive

Director, SEBI)

iv. Prof Vikram Kuriyan (Clinical Prof. of Finance, Indian School of Business)

In order to carry out its mandate, the committee interacted with SEBI officials, held discussions

with various market participants, and visited the two depositories, CDSL and NSDL to

understand their systems. Detailed presentations were made by the Depositories, DPs and

organizations such as SWIFT and NPCI, some banks, brokers as well as investment bankers to

enable the committee to gain understanding of the issues involved. Details of meetings held by

the committee along with the list of persons who made presentations are enclosed as Annexure

I.

Executive Summary

The committee held extensive discussions and deliberations with depositories and other

market participants related to the depository system in order to assess the adequacy of the

system and to identify areas for focused review. Based on these interactions, the committee

identified the following major areas for review:

i. Existing policy framework of the Depositories

ii. Benchmarking against global standards

iii. IT Governance of Depositories

iv. Existing framework of inspection and oversight of depositories and depository

participants

The committee was conscious of the technological advancements made recently in the financial

sector and in the securities market in particular. The recommendations of the committee are

geared to leverage these technological advancements to improve the ease of operations,

enhance operational efficiency and to effectively minimise the risks in the system.

In the area of inspection and oversight function of depositories, the committee decided to carry

out a detailed analysis and formed a sub-committee for this purpose comprising of Prof.

Krishnamurthy, representatives of NSDL and CDSL and officials of SEBI. The recommendations

of the sub-committee were presented to SEBI as part of an interim report and SEBI is

understood to have initiated measures based on these recommendations. The

recommendations of the sub-committee presented in the interim report are included as part of

the final report.

A summary of the recommendations made by the committee is as follows:

1. Assessment of Existing Policy Framework of Depositories

A review of the policy framework for depository system revealed that the regulatory framework

and the various policy measures put in place appear to be adequate. Depositories function

under the framework of the Depositories Act and the SEBI (Depositories and Participants)

Regulations, 1996. Necessary amendments to the regulations are made when felt necessary. In

addition, SEBI issues guidelines and circulars to update and revise the systems and processes

according to the needs of the market.

SEBI has put in place risk management measures such as In-person verification (IPV) and

mandatory PAN requirement which ensure that instances of fraudulent /fictitious accounts are

prevented. Other measures have been taken like freezing further issue of capital under

temporary ISIN until trading approval is obtained to prevent their transfer and mingling with

pre-existing shares. This enhances the integrity of the process for security issuances.

Based on its review of the policy framework for depositories, the committee recommends the

following:

I. SEBI to ensure that the system and technology related requirements which are verified

prior to granting certificate for commencement of business, are also maintained on an

ongoing basis through regular inspections and system audits. This is an important aspect

of the depository system architecture and SEBI should regularly update its oversight

processes to ensure ongoing compliance.

II. Reconciliation of records of shareholding is very critical to maintaining integrity of the

capital markets. The responsibility for reconciling records of total issued capital, listed

capital and capital held by depositories in dematerialized form lies with issuer. SEBI may

put in place a mechanism so that depositories maintain complete reconciled record of

total issued and listed capital, including both physical and dematerialized shares.

III. Depositories are uniquely placed to scale up and utilize their infrastructure to

dematerialize not just securities but also other financial assets subject to adequate

regulatory framework and checks and balances being put in place. This aspect which the

committee intended to recommend based on interactions with the stake holders was

well received by the depositories and also the market participants. In this background it

is pertinent to take note of the Budget announcement made in the interim budget

presentation in February 2014 and again in the budget speech in July 2014. The July

2014 budget announcement aims to "Introduce one single operating demat account so

that Indian financial sector consumers can access and transact all financial assets

through this one account." The committee feels that the above proposal would

promote the integration of the Indian Financial markets and allow the

consumers greater access to and control of a wide portfolio of financial assets.

IV. With greater integration of depositories with other financial service providers, there is

possibility of interconnectivity of depositories with financial institutions/ FMIs/

international CSDs in future. Interconnectivity may require standardization of messaging

formats used by depositories. The committee recommends that it may be desirable to

standardise messaging formats in the long term.

V. With regard to KYC, the committee noted that the e-KYC service launched by Unique

Identification Authority of India (UIDAI) has been accepted by SEBI as valid process of

KYC verification. The committee also informed that NPCI has entered into an MoU with

UIDAI in order to aid financial inclusion through Aadhaar enabled bank accounts and

financial transactions. The Committee recommends that use of e-KYC through NPCI

should be popularised among DPs.

2. Assessment of Depository System on the basis of relevant globally accepted Principles for

Financial Market Infrastructures so as to benchmark with Global Best Practices.

The committee observed that while the Depositories are broadly compliant with the CPSS-IOSCO principles for FMIs, certain areas needed to be strengthened. The committee therefore recommends the following:

I. Risk Management Framework for depositories: FMI principles lay emphasis on the need to

have robust risk management framework to identify, monitor and manage various risks

emanating from multiple sources to its operations.

The committee therefore recommends that there should be a Board approved policy

providing for a well documented comprehensive risk management framework at both

depositories. The risk management group/ committee formed by the depositories should

be active and meet periodically to continuously identify, evaluate and assess applicable risks

in depository system through various sources viz. investor complaints, inspections,

system audit etc. and suggest measures to mitigate risk wherever applicable. A Chief Risk

Officer should be made responsible, accountable, accessible & answerable to the board on

overall risk management issues.

II. Orderly winding down of depositories: The Committee observed that there is no laid down

system or procedure for orderly winding up of depositories in the event of potential

scenarios such as voluntary winding up by depositories, depositories going bust due to

general business risk, fraud at the end of depositories, or depositories wound up due to

regulatory action or court order. In Indian depository micro structure, there are two

depositories. In the event of failure, disruption or winding up of one depository, all the

demat accounts and securities held with stressed depository can be potentially moved to

another depository without affecting the interest of investors. These measures are

technically possible in the existing market micro structure, though there is no laid down

written document detailing the process and procedure for orderly winding up of

depositories. The committee recommends that there is a need to have a well documented

framework for orderly winding down of the depository operations including making

necessary legal provisions in the regulations, rules and Depositories Act.

3. Identification of Areas for Continuous Improvement of Systems, Procedures and Practices

The committee identified a few areas which needed further focus from the perspective of

maintaining a robust depository system. Complaints received from investors against DPs and

Depositories were analyzed for this purpose. The committee reviewed the business model of

Depository Participants as it was observed that there are no stand alone DPs. Certain practices

such as use of Non Disposal Undertaking (NDU) for Lending/ Borrowing of Securities were

examined from the perspective of risk posed to Depositories and DPs. The committee also

looked into the use of Investor Protection Fund (IPF) of Depositories and outsourcing policy

followed by Depositories. Based on its review of these areas, the committee recommends the

following:

I. In order to achieve wider financial inclusion and bring investors in securities market from

Tier II and Tier III towns, the DPs need to widen their reach in these areas. For this purpose,

there is a need to devise an incentive structure for depository participants so that they

encourage investors to open demat accounts with them. The revenue source of

depositories may be augmented and DPs may be incentivized by having a revenue sharing

mechanism between the depositories and DPs which may encourage the DPs to expand

their reach in tier II & III towns. Bank DPs with their large branch network and wider reach

in the tier II & III towns can play a crucial role in furthering the objectives of financial

inclusion. DPs may be compensated for the cost incurred in account opening, especially

Basic Service Demat Accounts (BSDA) as it will act as a motivator for DPs to open more

accounts. Incentive structure may be devised so that DPs get compensation on any

incremental account opened by them in tier II & III towns.

II. Complaints received against depositories and DPs are resolved quickly except for

complaints relating to delay in demat/ remat. In such cases, the delay is at the end of

issuers and RTAs rather than the Depositories. Considering the nature of complaints and the

fact that there were negligible pending complaints, the committee feels that Depositories

do not require a corpus comparable to stock exchanges for their Investor Protection Fund.

The committee therefore recommends that SEBI may review the quantum of funds required

to be transferred to IPF by depositories and arrive upon a sizable limit for corpus of IPF.

Only profits from depository operations may be transferred to IPF. SEBI may formulate an

Investment Policy for the IPF. The funds of the IPF may be utilized for conducting Investor

Awareness and Education Programmes and supporting the depositories'/ DPs' initiatives for

financial inclusion in a variety of ways.

III. The committee noted that certain DPs allow the promoters of companies to use tripartite

agreements usually referred to as Non-Disposal Agreement/ Non-Disposal Undertaking

(NDU) to extend facilities to their clients for lending / borrowing of shares instead of following

the pledging facility available in the depository system. The committee recommends that

DPs should not be party to such arrangements as there is no regulatory mechanism

whereby depositories and DPs can treat shares covered by NDU as pledged/ encumbered,

leading to potential for fraud and multiple pledging.

IV. In the area of outsourcing by Depositories, there is a need for further focus and

strengthening of guidelines on the lines given below:

a) Care should be exercised while outsourcing and wherever possible depositories should

put in place various controls to ensure that there is check on the activities of outsourced

entity especially to monitor that outsourced activities are not further outsourced

downstream.

b) Core and critical activities of depositories should not be outsourced.

c) Core IT support infrastructure / activities for running the core activities of depositories

to the possible extent should not be outsourced.

d) Wherever outsourcing is allowed, depositories should ensure that risk impact analysis is

undertaken, only reputed entities having proven high delivery standards are selected,

appropriate back up / restoration systems are put in place, and the outsourced entity is monitored

with checks and overall controls on a real time basis.

e) Audit of implementation of risk assessment and mitigation measures listed in the outsourcing policy document and outsourcing agreement/ service level agreements pertaining to IT systems should form part of System Audit of Depositories.

4. Identification of Systemically Important Market Infrastructure Institutions and their Inter-Linkages

In view of transformation of securities market infrastructure brought about by advances in

information technology (IT) and dependence of Financial Market Infrastructure Institutions on

technology, the committee examined the technology infrastructure of the Depositories and

reviewed the usage of technology in the Depository system. The committee therefore

recommends the following:

I. The IT infrastructure deployed should have high availability and no single point of failure. In

the event of failure of any sub-system or component or software the resultant solution has

to work, maybe with acceptable levels of degraded performance, and a corrective

mechanism has to be put in place to ensure that the rectification takes place within 4 hours. The DPs

have to put in place appropriate mechanisms in order to ensure no compromise to data

integrity and transaction integrity.

II. Depositories should implement the following for their IT governance structure:

a) There should be an IT strategy committee at the board level of depositories.

b) There should be an approved and comparable IT strategy/plan document which needs

to be reviewed annually by the depositories and their DPs.

c) There should be an IT Steering committee to assist the IT Strategy Committee in

implementation of IT strategy. The IT steering committee should comprise

representatives from IT, HR, Legal and various business functions as appropriate.

d) Information Security policy should be approved by the board and reviewed annually.

e) There should be an office of information security and a senior official should be

designated as Chief Information Security Officer (CISO) whose work would be to assess

risk and identify the threat / vulnerabilities.

f) Depositories should take steps to ensure that the IT Infrastructure of DPs has high

availability and fault tolerance, uptime guarantee of 99.5% measured on a monthly basis

with mean time to restore (MTTR) of not more than 4 hrs, data integrity and transaction

integrity and appropriate security access and control framework.

5. Oversight and Inspection Framework

The committee carried out an extensive review of the oversight and inspection framework for

Depository Participants. Recommendations in this area were given in the interim report of the

committee and are reported to be under implementation by SEBI. The key recommendations of

the committee are as follows:

I. Inspection of Depository Participant by Depositories:

a) Inspections should be risk based rather than compliance based to provide economic

benefits such as fewer inspections for less risky participants and frequent inspections for

more risky ones. The inspection reports should not only identify risk areas but should

also proactively suggest risk mitigation.

b) The sample size selection should be dynamic and should depend on the past compliance

of a DP in that area.

c) The inspection process of DPs and their service centers should be automated through

usage of appropriate technology. If such close inspection / oversight modality is not

possible directly by Depositories through their own personnel, the possibility of

outsourcing service centre inspections may be explored, and a suitable outsourcing

policy may be framed.

II. Delivery Instruction Slips (DIS) Issuance and Processing:

a) Appropriate infrastructure and other requirements, to facilitate scanning and uploading

of the DIS image, should be implemented at the DP’s end and the depositories should

put in place a suitable mechanism to maintain a database of the scanned DIS.

b) DIS should be standardized across DPs to facilitate easy identification and tracking of DIS

issuance and processing.

c) The depositories should put in place systems such that all significant DIS related

information is available to them for off site inspections.

Chapter 1

Assessment of Existing Policy Framework for Depositories

The enactment of Depositories Act in August 1996 paved the way for introduction of Depository

system in India. India has adopted the Dematerialisation system wherein by operation of law,

the physical share certificate is replaced with shares in electronic form. In the books of the company,

the depository is the registered owner and the depository in turn maintains an electronic ledger of the

securities wherein movement of securities from one account to another are recorded and

maintained to bestow rights to the investors as the beneficial owners.

The introduction of Depository System has been instrumental in eliminating various drawbacks

in handling of physical share certificates in terms of problems related to transfer of shares, bad

deliveries, loss of share certificates etc. and it enabled fast and efficient settlement (T+2

settlement cycle).

I. Structure and Role of Depositories

National Securities Depository Limited (NSDL) was the first depository to be established in India

in the year 1996, followed by Central Securities Depository Limited (CDSL) in the year 1999.

Depositories are systemically important post-trading infrastructures. They perform crucial

services such as custody and safekeeping of securities, settlement and efficient processing of

securities transactions in financial markets. Some of the benefits brought about by the

depository system are listed below:

1. Holding securities assets for the whole market: With almost all the new issues now in demat

mode, the depositories now hold custody of the securities assets for the entire market. The

total custody value of the securities held in Indian depository system as on March 31, 2014

amounts to Rs.1,00,27,479 crores.

2. Facilitate holding of securities in dematerialised form: Depositories have enabled the

securities to be held in electronic form, resulting in a host of benefits to the investors by

eliminating the risks associated with holding securities in physical form.

3. Facilitate Transfer of Securities: Depositories enable the efficient transfer of securities

through electronic book entry. This enables quick ownership of securities on settlement

resulting in increased liquidity, avoids confusion in the ownership title of securities,

provides easy receipt of public issue allotments and enables quick receipt of benefits from

corporate actions like stock splits and bonuses.

4. Facilitate free, secure and efficient movement of securities: The depository system, which

links the depositories with the issuers/ RTAs, depository participants (DPs), and Clearing

Corporation/ Clearing house of stock exchanges, facilitates secure and efficient movement

of securities.

5. Spreading the concept of dematerialisation among the retail investors: The depositories

through their investor education and awareness programs inform and educate the investors

on the benefits of dematerialisation and encourage them to hold the securities in demat.

6. Protect the interest of two primary stakeholders in the securities market: the investors in

securities and the issuers of those securities:

a. The interests of investors are protected by ensuring the proper recording of the

beneficial ownership of the securities by enabling securities transactions to be

processed and settled by book entry.

b. The interests of the issuers are protected by ensuring the integrity of security issues so

that securities initially created equals the total number of securities in circulation at any

time. This is achieved by daily reconciliation of the records between the depositories

and Issuers/ RTA.

II. Depositories Act

Depositories Act, 1996 is the primary enactment which enabled setting up of Depositories.

Depositories Act provides for setting up and regulation of depositories for dematerialising

securities and for matters connected therewith or incidental thereto. It requires depositories to

obtain a certificate of commencement from SEBI. It also mandates SEBI to satisfy itself that the

depository has adequate systems and safeguards to prevent manipulation of records and

transactions before granting certificate to depository.

The Act broadly outlines the framework for providing depository services through participants

or agents and lays down the rights and obligations of the depositories, participants, issuers and

beneficial owners (BOs). It gives option to the investors to hold the security either in demat/

physical form and has mandated depositories to indemnify BOs for any loss incurred by them. It

also gives power to SEBI to conduct Enquiry, Inspection, call for information and in certain cases

give directions. It prescribes penalty for various offences and empowers SEBI to adjudicate for

the purpose of imposing penalty.

III. SEBI (Depositories & Participants) Regulations

Under the mandate of the Depositories Act, SEBI has framed the SEBI (Depositories and

Participants) Regulations, 1996 to carry out the purposes of the Depositories Act. These

regulations chiefly provide for the following:

• Procedure for grant of certificate of registration and certificate of commencement of

business to the depositories, eligibility criteria for sponsors of the depositories, criteria for

fit and proper person for the depositories, participants, sponsors and shareholders and

networth requirement for the depositories.

• System level requirements for protecting automatic data processing system, securing

network communications, establishing standard transmission and encryption formats for

electronic communications and maintaining data back up.

• Ownership and governance norms for the depositories, Code of conduct for the

depositories, their directors and key management personnel and depository participants,

appointment of compliance officer etc.

• Rights and obligations of the depositories, participants and issuers, agreement to be

entered between depository, participant and issuer, records to be maintained, systems and

procedures, connectivity, reconciliation etc.

• External and Internal monitoring, review and evaluation of systems and control.

• Securities eligible for dematerialization.

• Restriction on carrying out activity not incidental to the activity of the depository.

Some of the above provisions of the policy framework are elaborated below:

1. Grant of certificate of commencement of business to Depositories

Regulation 13(1) requires SEBI to take into account all matters relevant to the efficient and

orderly functioning of the depository before granting certificate of commencement of

business. In particular they include the following:

• The automatic data processing systems of the depository have been protected against

unauthorized access, alteration, destruction, disclosure or dissemination of records and

data

• The network through which continuous electronic means of communications are

established between the depositories, participants, issuers and issuer’s agents is secure

against unauthorized entry or access

• The depository has established standard transmission and encryption formats for

electronic communications of data between the depository, participants, issuers and

issuer’s agents

• The physical or electronic access to the premises, facilities, automatic data processing

systems, data storage sites including back up sites and to the electronic data

communication network connecting the depository, participants, issuers and issuers’

agents is controlled, monitored and recorded

• The depository has a detailed operations manual explaining all aspects of its functioning,

including the interface and method of transmission of information between the

depository, issuers, issuers’ agents, participants and beneficial owners

• The depository has established adequate procedures and facilities to ensure that its

records are protected against loss or destruction and arrangements have been made for

maintaining back up facilities at a location different from that of the depository.

2. Governance norms

Clear, transparent and well documented governance norms and procedures are crucial for

the efficient functioning of any organization. It is especially true in the case of depositories

who hold in their custody the securities of the entire capital market. In this respect the

Bimal Jalan Committee made several recommendations on the Ownership and Governance

of Market Infrastructure Institutions. SEBI accepted many of these recommendations and

implemented them by making suitable amendments to the Regulations in the year 2012.

3. Restriction on other activity

Depositories Act and the DP Regulations restrict the activity of the depositories to the

dematerialisation of securities. As per Regulation 7 (c), the depository shall not carry on any

activity other than that of a depository unless the activity is incidental to the activity of the

depository. However, a depository may carry out such activity not incidental to its activities

as a depository, if such activity has been assigned by the Central Government or by a

regulator in the financial sector. Provided that the activity is carried out through the

establishment of a Strategic Business Unit (SBU) specific to each activity with the prior

approval of SEBI and subject to such conditions as may be prescribed by SEBI including

transfer of such activity to a separate company within such time as may be specified by it.

4. Insurance against risks

A depository is required to take adequate measures including insurance to protect the

interests of the beneficial owners against risks likely to be incurred on account of its

activities as a depository.

5. Reconciliation

Every depository participant is required to reconcile its records with every depository in

which it is a participant, on a daily basis. The issuer or its agent reconciles the records of

dematerialized securities with all the securities issued by the issuer, on a daily basis.

Every issuer is required to submit audit report on a quarterly basis to the concerned stock

exchanges audited by a qualified chartered accountant or a practicing company secretary,

for the purposes of reconciliation of the total issued capital, listed capital and capital held

by depositories in dematerialized form, the details of changes in share capital during the

quarter and the in principle approval obtained by the issuer from all stock exchanges where

it is listed in respect of such further issued capital.

6. Inspection of Depositories

In order to examine whether the procedures and practices of the depository are in

compliance with the Depositories Act, 1996, SEBI (Depositories and Participants)

Regulations, 1996, SEBI circulars, the bye-laws etc., SEBI conducts regular inspection of

depositories. As a general rule, such inspections are carried out once in a year. SEBI also

conducts specific purpose inspection which is decided on case to case basis depending on

the requirement of the situation.

7. Systems and procedures

Every depository is required to have systems and procedures which will enable it to

co-ordinate with the issuer or its agent, and the participants, to reconcile the records of

ownership of securities with the issuer or its agent, as the case may be, and with

participants, on a daily basis.

8. Connectivity

Every depository is required to maintain continuous electronic means of communication

with all its participants, issuers or issuers' agents, as the case may be, clearing houses and

clearing corporations of the stock exchanges and with other depositories.

9. Business Continuity Plan

A depository is mandated to have adequate Business Continuity Plan for data and electronic

records to prevent, prepare for, and recover from any disaster.

IV. Policy Circulars / Guidelines Issued by SEBI

In addition to the D&P Regulations, SEBI issues circulars / guidelines from time to time to

regulate various aspects of Depository and depository participant operations. The committee

took a brief overview of the various circulars issued by SEBI relating to depository functions and

noted that measures like In-person verification (IPV) and mandatory PAN requirement ensure

that instances of fraudulent / fictitious accounts do not happen. Further, measures like

freezing further issue of capital under temporary ISIN until trading approval is obtained,

prevent their transfer and mingling with other shares. This enhances the integrity of the

process for security issuances.

V. Observations of the Committee

The committee examined the broad policy framework mentioned above and method of its

implementation in the depositories. Observations of the committee in this regard are given

below:

1. It is important for SEBI to ensure that the system and technology related requirements

which are verified prior to granting certificate for commencement of business, are also

maintained on an ongoing basis. The committee noted that SEBI ensures the same

through regular inspections and system audits. The committee emphasised that this is

an important aspect of the depository system architecture and SEBI should regularly

update its oversight processes to ensure ongoing compliance.

2. The committee further noted that reconciliation of records of shareholding is very

critical to maintaining integrity of the capital markets. The responsibility for reconciling

records of total issued capital, listed capital and capital held by depositories in

dematerialized form lies with issuer. This means that while depositories maintain

reconciled records for dematerialized holding, there is no single place where records of

physical shareholding are available in a complete and reconciled manner. The

committee therefore recommends that SEBI may put in place a mechanism so that

depositories maintain complete reconciled record of total issued and listed capital.

3. On the issue of restriction of depositories from carrying out any other activity, the

committee felt that depositories are uniquely placed to scale up and utilize their

infrastructure to dematerialize not just securities but also other financial assets subject

to adequate regulatory framework and checks and balances being put in place. In this

regard, the committee notes that the Honourable Union Minister of Finance, Shri P

Chidambaram, in the interim budget speech of 2014 on 17th February 2014 stated that

one of the steps envisaged for the financial sector is "to create one record for all

financial assets of every individual". This vision was further spelt out in the Budget

Speech by Finance Minister Shri Arun Jaitley in his proposal to "Introduce one single

operating demat account so that Indian financial sector consumers can access and

transact all financial assets through this one account." The committee further notes

that FSLRC as part of its recommendations also suggested "allowing depositories to

store securities including Government Securities and record of other financial services in

electronic form only". All these proposals aim to achieve unified financial markets

coupled with greater choice and ease of access for the consumers. The committee feels

that the above proposal would promote the integration of the Indian Financial markets

and allow the consumers greater access to and control of a wide portfolio of financial

assets. This aspect which the committee intended to recommend based on interactions

with the stake holders was well received by the depositories and also the market

participants.

4. With greater integration of depositories with other financial service providers, the

committee feels that there is possibility of interconnectivity of depositories with

financial institutions/ FMIs/ international CSDs in future. Interconnectivity may require

standardization of messaging formats used by depositories. The committee therefore

recommends that it may be desirable to standardise messaging formats in the long

term.

5. With regard to KYC, the committee noted that the e-KYC service launched by Unique

Identification Authority of India (UIDAI) has been accepted by SEBI as valid process of

KYC verification. The committee also informed that NPCI has entered into an MoU with

UIDAI in order to aid financial inclusion through Aadhaar enabled bank accounts and

financial transactions. The Committee recommends that use of e-KYC through NPCI

should be popularised among DPs.

Chapter 2

Assessment of Depository System on the basis of relevant Globally accepted Principles for Financial Market Infrastructures so as to benchmark with Global Best Practices

Benchmarking the Indian Depositories with Globally accepted Principles

Depositories are recognized as Financial Market Infrastructure under the CPSS-IOSCO Principles

for FMIs which were formally issued by CPSS-IOSCO on 16 April 2012. The committee was of the

view that it was important to benchmark Indian Depositories against the FMI Principles

particularly as the FMI Principles were framed to strengthen market infrastructure institutions

after the 2008 financial crisis. The committee also looked into the recommendations of CESR-

ESCB pertaining to CSDs and mapped the said recommendations with the FMI principles.

The committee noted that a self assessment with regard to the FMI Principles was carried out

by Depositories. SEBI has also issued a circular on Sep 04, 2013 requiring Depositories and

clearing corporations to comply with the FMI Principles and mentions periodic assessment of

Depositories' compliance with the FMI Principles.

The committee took note of the methodology of assessment specified by CPSS-IOSCO which

involves an elaborate questionnaire with key consideration issues on each FMI principle and

reviewed the compliance of depositories with the FMI Principles based on their self

assessment. The observations of the committee regarding compliance of the Depositories

with the FMI Principles are as follows:

Principle 1 and 2

1. Legal basis: An FMI should have a well-founded, clear, transparent, and enforceable legal

basis for each material aspect of its activities in all relevant jurisdictions.

2. Governance: An FMI should have governance arrangements that are clear and transparent,

promote the safety and efficiency of the FMI, and support the stability of the broader financial

system, other relevant public interest considerations, and the objectives of relevant

stakeholders.

Observations: The committee noted that the legal basis for setting up of Depositories and their

functions are defined under the Depositories Act, 1996, SEBI (Depositories & Participants)

Regulations, 1996 and the approved Byelaws and Rules/Instructions of Depositories.

Depositories are incorporated under the Companies Act, 1956 and the composition of their

Board is governed by the relevant provisions of the Companies Act and the guidelines issued by

the SEBI from time to time. SEBI has also strengthened the governance arrangements for

Depositories in D&P Regulations in year 2012 by incorporating the provisions on governance

structure and shareholding, thereby enhancing public interest.

Principle 3 and 17

3. Framework for the comprehensive management of risks: An FMI should have a sound risk-

management framework for comprehensively managing legal, credit, liquidity, operational, and

other risks.

17. Operational risk: An FMI should identify the plausible sources of operational risk, both

internal and external, and mitigate their impact through the use of appropriate systems,

policies, procedures, and controls. Systems should be designed to ensure a high degree of

security and operational reliability and should have adequate, scalable capacity. Business

continuity management should aim for timely recovery of operations and fulfilment of the

FMI’s obligations, including in the event of a wide-scale or major disruption.

Observations: On the issue of risk management, the Committee noted that apart from the above two principles, risk management is also covered under Principle 2. The committee noted that the relevant FMI Principles mention the following:

2.6 “The board should establish a clear, documented risk-management framework that includes

the FMI’s risk-tolerance policy, assigns responsibilities and accountability for risk decisions, and

addresses decision making in crises and emergencies. Governance arrangements should ensure

that the risk-management and internal control functions have sufficient authority, independence,

resources, and access to the board.”

17.1 “An FMI should establish a robust operational risk-management framework with

appropriate system, policies, procedures and controls to identify, monitor and manage

operational risk”

17.5 “An FMI should have comprehensive physical and information security policies that address

all potential vulnerabilities and threats.”

17.6 “An FMI should have a business continuity plan that addresses events posing a significant

risk of disrupting operations ………. The FMI should regularly test these arrangements.”

17.7 “An FMI should identify, monitor and manage the risks that key participants, other FMIs and services and utility providers might pose to its operations. In addition, an FMI should identify, monitor and manage the risks its operation might pose to other FMIs.”

On the governance structure for risk management, the committee noted that while the

Depositories follow practices including Business Continuity and Disaster Recovery plan, internal

audit and controls, insurance etc, they do not have a Board level policy for assessing their risk

tolerance, and assigning responsibility and accountability for risk decisions.

FMI principles lay emphasis on the need to have robust risk management framework to

identify, monitor and manage various risks emanating from multiple sources to its operations.

The depositories have in place a risk management group/committee comprising of members

from senior management which identifies and assesses risks that arise in the depositories'

business. However, it was observed that there is no documented common enterprise wide

comprehensive risk management policy framework with the depositories. Risk management is

done in respect of different operational areas in a non-cohesive manner. The committee

therefore recommends that there should be a Board approved policy providing for a well

documented comprehensive risk management framework at both depositories. Committee

also recommends that the risk management group/ committee should be active and meet

periodically to continuously identify, evaluate and assess applicable risks in depository system

through various sources such as investor complaints, inspections, system audit etc. and

suggest measures to mitigate risk wherever applicable. Chief Risk officer should be made

responsible, accountable, accessible & answerable to the board on overall risk management

issues.

Principle 15: General business risk

An FMI should identify, monitor, and manage its general business risk and hold sufficient liquid

net assets funded by equity to cover potential general business losses so that it can continue

operations and services as a going concern if those losses materialise. Further, liquid net assets

should at all times be sufficient to ensure a recovery or orderly wind-down of critical operations

and services.

Observations: In order to cater to general business risk, the Committee noted that the

Depositories are required to have minimum networth of Rs 100 crore as laid down in SEBI

(Depository & Participants) Regulations. The Committee noted that both Depositories have

networth higher than the minimum stipulated networth. As the main source of revenue for

depositories is issuer charges and transaction fees, the business risks may stem mainly from low

market activity or risk of competition. However, with regard to orderly-winding down of a

depository in the event of unforeseen circumstances, the FMI Principles state the following:

“3.4 An FMI should identify scenarios that may potentially prevent it from being able to

provide its critical operations and services as a going concern and assess the

effectiveness of a full range of options for recovery or orderly wind-down. An FMI should

prepare appropriate plans for its recovery or orderly wind-down based on the results of

that assessment. Where applicable, an FMI should also provide relevant authorities with

the information needed for purposes of resolution planning.”

"15.3 An FMI should maintain a viable recovery or orderly wind-down plan and should

hold sufficient liquid net assets funded by equity to implement this plan. At a minimum,

an FMI should hold liquid net assets funded by equity equal to at least six months of

current operating expenses. These assets are in addition to resources held to cover

participant defaults or other risks covered under the financial resources principles.

However, equity held under international risk-based capital standards can be included

where relevant and appropriate to avoid duplicate capital requirements."

The Committee observed that there is no laid down system or procedure for orderly winding

up of depositories in the event of potential scenarios such as voluntary winding up by

depositories, depositories going bust due to general business risk, fraud at the end of

depositories, or liquidation of depositories due to regulatory action or court order. In Indian

depository micro structure, there are two depositories. In the event of failure, disruption or

winding up of one depository, all the demat accounts and securities held with stressed

depository can be potentially moved to another depository without affecting the interest of

investors. These measures are technically possible in the existing market micro structure,

though there is no laid down written document detailing the process and procedure for orderly

winding up of depositories. In view of above, committee felt that there is a need to have a well

documented framework for orderly winding down of the depository operations.

Principles 13, 19, 20 and 23:

Principle 13: Participant-default rules and procedures

An FMI should have effective and clearly defined rules and procedures to manage a participant

default. These rules and procedures should be designed to ensure that the FMI can take timely

action to contain losses and liquidity pressures and continue to meet its obligations.

Principle 19: Tiered participation arrangements

An FMI should identify, monitor, and manage the material risks to the FMI arising from tiered

participation arrangements.

Principle 20: FMI links

An FMI that establishes a link with one or more FMIs should identify, monitor, and manage link-

related risks.

Principle 23: Disclosure of rules, key procedures, and market data

An FMI should have clear and comprehensive rules and procedures and should provide

sufficient information to enable participants to have an accurate understanding of the risks,

fees, and other material costs they incur by participating in the FMI. All relevant rules and key

procedures should be publicly disclosed.

Observations: The committee noted that Depository Participants do not handle financial

settlement and therefore participant default rules are not relevant with regard to ensuring

payment and settlement of securities transactions. Further, the depository structure requires

maintenance of beneficial owner-wise accounts. Hence, securities are segregated in the name

of the beneficial owner and hence cannot be used by the Participant. Further, the records of

securities in beneficial owner accounts are also held in the Depository system. Thus participant

default does not affect safety of investors' securities. In the event of default, Depositories have

clearly defined rules and procedures for the Participant to be followed for every activity

including transfer of investors' accounts to another Participant.

The Depository structure in India as mandated by the legal framework only provides for direct

participation. Therefore the risks arising out of tiered participation arrangements are not

present as the depository maintains every single account. The beneficial owners hold their

demat accounts with Depository Participants who act as agents of the Depository.

With regard to links between FMIs, the Committee noted that the IT architecture is well

established and robust. Depositories have established links with Clearing Corporations of Stock

Exchanges and between themselves to facilitate settlement of securities and inter-depository

transfers. Legal basis for establishing links with the other FMIs and transfer of securities

between Depositories and Clearing Corporations is clearly laid down in the Bye Laws and Rules

of Depositories and CCs.

With regard to disclosure of rules, key procedures, and market data, Committee noted that

Information regarding bye-laws, business rules/ operating instruction, are published on the

website of the Depositories. Depositories have also provided the details of various types of fees

charged by them and various charges applicable to Beneficial Owners on their website.

Recommendations by the Committee

1. Risk Management Framework for Depositories

FMI principles lay emphasis on the need to have robust risk management framework to

identify, monitor and manage various risks emanating from multiple sources to its

operations.

The committee therefore recommends that there should be a Board approved policy

providing for a well documented comprehensive risk management framework at both

depositories. Committee also recommends that the risk management group/ committee

should be active and meet periodically to continuously identify, evaluate and assess

applicable risks in depository system through various sources such as investor complaints,

inspections, system audit etc. and suggest measures to mitigate risk wherever applicable.

Chief Risk officer should be made responsible, accountable, accessible & answerable to the

board on overall risk management issues.

2. Orderly winding down of depositories

The Committee observed that there is no laid down system or procedure for orderly winding

up of depositories in the event of potential scenarios such as voluntary winding up by

depositories, depositories going bust due to general business risk, fraud at the end of

depositories, or liquidation of depositories due to regulatory action or court order. In Indian

depository micro structure, there are two depositories. In the event of failure, disruption or

winding up of one depository, all the demat accounts and securities held with stressed

depository can be potentially moved to another depository without affecting the interest of

investors. These measures are technically possible in the existing market micro structure,

though there is no laid down written document detailing the process and procedure for

orderly winding up of depositories. In view of above, committee felt that there is a need to

have a well documented framework for orderly winding down of the depository operations

including making necessary legal provisions in the regulations, rules and Depository Act.

Chapter 3

Identification of Areas for Continuous Improvement of Systems, Procedures and Practices

While assessing the policy framework for Depositories, the committee identified certain areas

that needed further focus in terms of their role in the depository system. The depository

system is a pillar of the securities market as it brings together investors, issuers and the

secondary markets and holds the wealth generated by the capital markets. The robustness of

the depository system is thus very important for the capital markets. It has an important role in

bringing in new investors through better reach, opening of more demat accounts and providing

better service to investors. At the same time, the depository system is required to maintain

integrity of data and prevent misuse/ fraud in any manner.

In view of the above, the committee looked into the following areas:

Business Model of Depository Participants.

Complaints against Depositories and Depository Participants.

Investor Protection Fund (IPF) of Depositories.

Use of Non Disposal Undertaking (NDU) for Lending/ Borrowing of Securities.

Outsourcing by Depositories

I. Business Model of Depository Participants

Depository services are provided by DPs which are mainly banks and stock brokers. Almost 96%

of the BO accounts are held by the banks and Stock broker DPs. For these banks and brokers,

depository services are not their primary activity but an add-on or ancillary service and

therefore not their primary revenue centres. In the absence of the same, there may not be much

incentive for the DPs to aggressively promote opening of new demat accounts.

The committee observed that over a period of time SEBI has taken various steps for

rationalization of charges like abolition of account opening charges, mandating the custody

charges to be payable by the issuers instead of the investors, introduction of Basic Services

Demat Accounts (BSDA) etc. While these measures have helped small investors, they have also

affected the viability of maintaining such accounts due to sliding down of income from those

accounts and ultimately the overall income for DPs from depository services. Thus there

appears to be lack of incentives for DPs to expand their reach to the said category of investors.

The committee examined the revenue sources of the depositories and their income from

depository operations.

1. Income source of Depositories

The main sources of income for the depositories are :

a. Annual Issuer Charges:

b. Transaction charges

c. Software license fee/ user facility charges

a. Annual Issuer Charges: These are the charges levied by the depositories on the issuers/

companies as custody charges for holding shares in demat form. The depositories

currently charge Rs. 8/- per folio (ISIN position) subject to a minimum as mentioned

below:

| Nominal value of admitted securities (Rs) | Annual Custodial Fee payable by an issuer to each Depository (Rs) (*) |
|---|---|
| Upto 5 crore | 6,000 |
| Above 5 crore and upto 10 crore | 15,000 |
| Above 10 crore and upto 20 crore | 30,000 |
| Above 20 crore | 50,000 |

*Plus service tax as applicable

The charges are prescribed by SEBI and were last revised in February 2009, when the charges

were revised from Rs 5 per folio to Rs 8 per folio.

b. Transaction charges: These are charged by the depositories on the DPs for the

transactions done by the BOs in their account. The various types of transactions that are

charged are debit transactions, settlement fee charged on clearing members for debit.

Other fees charged are for services like rematerialisation of shares, creation of pledge

etc. NSDL charges a flat fee of Rs 4.50 per debit transaction whereas CDSL charges in

range of Rs 5.50 to Rs 4.25 based on the monthly transaction bill amount of the DPs.

c. Software license fee/ user facility charges: These are the annual charges levied upon the

DPs and Issuers for availing the software usage services.

INCOME FROM DEPOSITORY OPERATIONS FOR NSDL AND CDSL

Figures in Rs. crores

| Depository | Particulars | For the year ended March 31, 2011 | For the year ended March 31, 2012 | For the year ended March 31, 2013 |
|---|---|---|---|---|
| CDSL | Annual Issuer charges | 30.77 | 35.86 | 38.97 |
| CDSL | Transaction charges | 34.85 | 27.43 | 24.31 |
| CDSL | User Facility Charges | 4.38 | 4.25 | 4.13 |
| CDSL | Account Maintenance charges | 1.72 | 1.94 | 2.10 |
| CDSL | Others | 12.43 | 8.10 | 5.60 |
| CDSL | Total | 82.04 | 77.59 | 75.13 |
| NSDL | Custody fees (Annual Issuer charges) | 46.85 | 50.46 | 51.83 |
| NSDL | Transaction fees | 65.44 | 48.91 | 42.37 |
| NSDL | Software license fees | 0.20 | 0.08 | 0.18 |
| NSDL | Annual fees | 0.55 | 0.71 | 0.76 |
| NSDL | Other operational Income | 4.39 | 2.80 | 2.90 |
| NSDL | Total | 117.43 | 102.96 | 98.05 |

It is seen from the table above that the major sources of income for depositories are the annual

issuer charges collected from the issuer companies and the transaction charges collected from

Depository Participants for the transactions effected by their clients. The revenue from issuer

charges has increased over the years but the income from transaction charges has shown a

decrease on account of adverse market conditions.

The committee felt that one of the ways to increase the revenue of depositories is through

revision of the annual issuer charges. Unlike transaction fees, the issuer charges form a more

steady source of revenue and are relatively immune to the market conditions. The charges are

not borne by the investor but the issuer companies who have been the major beneficiaries of

dematerialization in terms of cost savings for share registry work. Therefore, the committee

feels that since the annual issuer charges were last revised in 2009, there is a case to revise the

folio based charges. Presently, the depositories charge Rs.8 per folio from the issuers per ISIN

towards holding shares in demat form, subject to a prescribed minimum.

2. Income source of Depository Participants

Depository Participants (DP) act as the agents of the Depositories. The depositories charge the

DPs for certain services like debit transactions, pledge instructions, rematerialisation etc. The

DPs in turn charge their clients for these services with a mark up. However, competition ensures

that the charges remain competitive as the details of the charges are available on the respective

websites of the DPs and a comparative list at the Depository websites as well.

Annual Maintenance charge levied by the DPs on their clients forms the major source of

revenue apart from the revenue from transactions and other services like

dematerialisation/rematerialisation, pledge instructions etc. Most of the DPs usually charge

AMC in the range of Rs 150 to Rs 500 for individuals and Rs 500 to Rs 1500 for corporate

accounts. The DPs also offer different schemes with different AMCs. For Basic Services Demat

Accounts (BSDA) no AMC can be charged for accounts having custody value upto Rs 50,000

while an AMC upto Rs 100 can be charged for those BSDA whose custody value is between Rs

50,000 and Rs 200,000. Presently there are over five lakh basic services demat accounts. The

depository system today has more than 2 crore accounts but half of them have zero balance in

their accounts indicating a lack of participation by the retail investors. This also implies that

revenue from these accounts in the form of AMC would be practically zero even though not all

these accounts are designated as BSDA. The non recovery of dues from the clients resulting in

high NPAs with the DPs is a direct consequence of the non retail participation. This has impact

on the financial health of the DPs and viability of the DP services as a standalone business.

Observations/ Recommendations

Based on the committee's deliberations on this issue, the committee recommends the

following:

a) The revenue source of depositories may be augmented and DPs may be incentivized by

having a revenue sharing mechanism between the depositories and DPs which may encourage the DPs to expand their reach in tier II & III towns.

b) In order to incentivize DPs which are first point of contact with investors, the annual issuer charges may be suitably enhanced and be shared with the DPs by the depositories. SEBI may take a view with regard to the mode of sharing this incremental revenue with the DPs so as to promote growth of retail participation and depository services.

c) The incentive structure may be so devised that DPs get compensation on any incremental

account opened by them in tier II and III towns. In this regard the Bank DPs with their large branch network and wider reach in these towns can play a crucial role in furthering the objectives of financial inclusion.

d) DPs would deserve to be compensated for the cost incurred in account opening, especially Basic Services Demat Accounts (BSDA) as it will act as a motivator for DPs to open more accounts.

II. Complaints against Depositories and Depository Participants.

Complaints are received against Depository, Depository Participants, RTAs/ Issuers directly by

the Depositories as well as through SEBI. SEBI has an online complaints redressal system

(SCORES) through which Depository related complaints are sent to the respective Depository

for their redressal. Different types of complaints relating to depository services are:

a) Account opening related

b) Transaction statement related

c) Improper Services Related

d) Charges related

e) Delivery Instruction related

f) Account closure Related

g) Manipulation/ Unauthorized action related

h) Demat/remat related

i) Company/ RTA related

j) Others

The data for different types of complaints during the period - Jan 2012 to November 2013 is

given below:

| Type of Complaint | Average (Pending at the beginning of the month + received during the month) | Average resolved during the month | Resolving Percentage |
|---|---|---|---|
| Account opening related | 11 | 8 | 72.73% |
| Transaction statement related | 29 | 20 | 68.97% |
| Improper service related | 43 | 32 | 74.42% |
| Charges related | 44 | 32 | 72.73% |
| Delivery Instruction related | 29 | 20 | 68.97% |
| Account closure Related | 70 | 54 | 77.14% |
| Manipulation/ Unauthorized action related | 26 | 19 | 73.08% |
| Demat/remat related | 1503 | 48 | 3.19% |
| Company/ RTA related | 22 | 20 | 90.91% |
| Others | 215 | 200 | 93.02% |

It is seen from the data that the largest proportion of pending complaints relates to delay in demat/ remat. These complaints arise when securities are sent by the DPs to issuer/ RTAs for dematerializing / rematerializing, and there is delay in response from the issuer/ RTA. The causes for such delay could be on account of the following reasons:

a. RTA may not respond due to non-payment of fees by the issuer.
b. The issuer may be a loss making company which is no longer in business.
c. There could be vanishing companies whose officials are not traceable.
d. The issuer could be a suspended non-compliant company which does not respond to demat/remat request.

The committee notes that the number of complaints against the Depositories and/or DPs attributable to their service factors was significantly less, except the complaints due to delay in demat/ remat, which in fact were due to reasons resting with Issuers and/or RTA. Also, there were no pending complaints against the Depositories as on November 30, 2013, evidencing that the complaints redressal was fairly satisfactory.

III. Investor Protection Fund (IPF) of Depositories

Analysis of the complaints received against depositories and DPs shows that most complaints are resolved quickly except for complaints relating to delay in demat/ remat. In such cases, the delay is at the end of issuers and RTAs rather than the Depositories. Considering the nature of complaints and the fact that there were negligible pending complaints, the committee reviewed the Investor Protection Fund for Depositories and its possible utilization.

The Dr. Bimal Jalan Committee on "Review of Ownership and Governance of Market Infrastructure Institutions (MIIs)" had inter alia recommended "that a cap may be fixed on the maximum return that can be earned by an MII on its net worth and can be distributed / allocated to the shareholders out of the total returns earned by the MII. The Dr. Bimal Jalan committee also recommended that any return/profits above such maximum attributable amount would be transferred to IPF or SGF as the case may be and the same would not form part of shareholders funds/net worth for the purposes of determining returns and book value of the shares."

Subsequent to the discussion on the Dr. Bimal Jalan Committee in the SEBI Board, it was decided that in case of a depository, 25% of the profits of the depository will be transferred to the IPF of the depositories.

The Committee observed that the contribution of 25% of annual profits by depositories to IPF appears to have been stipulated on the lines of the provisions of the Securities Contracts (Regulation) (Stock Exchanges and Clearing Corporations) Regulations, 2012 wherein exchanges are required to contribute 25% of their annual profit to the fund created by clearing corporations for the purpose of guaranteeing settlement of trades. The object of such a fund, however, is materially different from that of the proposed fund under the depositories regulations. The committee noted that an IPF created under the Depositories and Participants (Amendment) Regulations, 2012 is primarily for investors’ awareness, education and training. The risks to the depositories on account of fraud, etc., are covered by insurance which is taken by the depositories. In case of failure/ closure of DPs, the investors are protected as the Beneficiary Owner data is present with the depositories and the investors are allowed to shift their accounts to other DPs. In view of this, the committee noted that the fund does not envisage providing compensation for any loss to the investors.

Investor Education and Protection Fund under the Companies Act, 1956 (“IEPF”) and Investor Protection and Education Fund under the SEBI Act, 1992 (“IPEF”) have been created without any contribution from any intermediary. Broadly, IEPF under the Companies Act is created with the amounts of unpaid dividend, grants, donations from the Central/State Governments and institutions, etc. On the other hand, IPEF is created by transferring to it the disgorged amount under the SEBI Act. Past experience shows that while a huge corpus of IEPF has been created, the same has not been utilised due to procedural difficulties associated with the use of such fund.

Under the new company law every company having a net worth of Rs.500 crore or more or turnover of Rs.1000 crore or more, is required to formulate corporate social responsibility policy and to spend at least 2% of the average net profits in each year. Mandatory expenditure of at least 2% appears to be quite realistic considering the size of the companies which are required to discharge corporate social responsibility.

International practice seems to be tilted towards mandating a lower slab of contribution towards IPFs. For example, securities brokers in China who have been rated A for three consecutive years and been granted AA or A rating during the last rating period are required to pay 0.5% to 0.75% of their operating revenue to the Securities Investor Protection Fund (“SIPF”).

The committee feels the need to synergise the funds created with the stock exchanges and the depositories for the purpose of investors’ awareness, education and training. It is felt that since the IPF with the depositories does not provide for any sort of protection like the guarantee settlement fund, there is no need for an IPF with substantial contribution from the depositories alone. The committee is also of the view that the profit from depository operations need only be considered for the purpose of contribution to the IPF. Other income, i.e. income received from investments and other non-operative activities, may be excluded from computation of profits because mostly income under this head is received out of investments made from accumulated reserves and surplus of past years, which was not distributed to stakeholders.

Based on the above deliberations, the committee recommends to SEBI the following:

a) Review the quantum of funds required to be transferred to IPF by depositories and arrive upon a sizable limit for corpus of IPF.

b) Formulation of an Investment Policy for the IPF.

c) Mode of calculation of Profit - The committee recommends that only profits from depository operations should be considered for calculating the amount to be transferred to IPF.

d) Utilization of IPF funds - The funds of the IPF should be utilized for compensating investors in case of loss in events as may be specified by SEBI and conducting Investor Awareness and Education Programs. The fund may also be utilized for supporting / incentivizing the depositories'/ DP's initiatives for financial inclusion in a variety of ways.

IV. Use of Non Disposal Undertaking (NDU) for Lending/ Borrowing of Securities

The committee noted that there was an instance where a DP permitted promoters of a company to use Non-Disposal Undertaking (NDU) tripartite agreement for borrowing against the shares instead of utilising the pledging facility available in the depository system. This led to a situation where the same shares which were encumbered through NDU were again pledged to another lender using the pledge facility in the depository system.

It was reported that certain forged documents were submitted by the promoters of the company to the DP conveying that the lenders had released the encumbrance on the shares as mentioned in the NDU. Based on a forged letter, the DP allowed creation of pledge through the depository system to another lender. Thus, at the same time, the shares were pledged twice.

Such Non Disposal Undertakings are understood to be a common practice for the purpose of creating encumbrance on shares. The committee feels that such NDUs should not be permitted in the market as the same is not captured in the depository system. Even though the regulations require the promoters to disclose their encumbered shares (including those encumbered through an NDU), there is no obligation on other investors. Further, if the promoters fail to make this disclosure, this information may not be available to the market.

Pledging of shares through depository system enables availability of complete information regarding pledger and pledgee and the shares pledged. The committee recommends that pledge should be encouraged using the depository mechanism instead of means such as NDUs. To discourage NDUs, SEBI should not permit DPs to be party to such NDUs.

V. Outsourcing guidelines for Intermediaries

Outsourcing of functions is a common practice across industries and is also seen in the financial sector. Recognizing this, SEBI has issued guidelines for outsourcing by intermediaries in the securities market. The guidelines acknowledge that concerns associated with outsourcing may include operational risk, reputational risk, legal risk, country risk, strategic risk, exit-strategy risk, counter party risk, concentration and systemic risk. In order to address these concerns, intermediaries are mandated to follow the broad principles outlined by SEBI.

As per the SEBI Circular, the intermediaries desirous of outsourcing their activities shall not outsource their core business activities and compliance functions. The intermediaries shall be responsible for reporting of any suspicious transactions to FIU or any other competent authority in respect of activities carried out by the third parties.

On the policy followed by NSDL and CDSL with respect to outsourcing, it was noted that both the depositories have identified their core activities that shall not be outsourced. In addition, the depositories have in place guidelines for risk analysis and implementation of control measures in respect of outsourced activities.

The committee is of the view that outsourcing does bring in advantages in terms of reduced cost, time and efficiency. However, the absence of a clear cut policy for identifying and measuring or evaluating the potential risk or impact of failure of outsourced entity to deliver quality services on time would have adverse impact on the overall operations of the depositories.

The committee examined details of implementation of the outsourcing policy of NSDL and CDSL on the following parameters:

- How the Risk Assessment and Mitigation measures listed in the policy document are being ensured / complied with.
- Whether the outsourcing agreement/ service level agreements pertaining to IT systems address the following:
  i. penalty in cases of failure to deliver as per the agreement
  ii. prevent further outsourcing to third parties
  iii. uptime guarantee within a given time frame
  iv. dependency on single network service providers for providing connectivity to DPs, Issuers and other depository
  v. contingency plans in the event of vendor failure
  vi. role of outsourced manpower

Depositories have put in place appropriate measures with regard to the above parameters. The committee is of the view that audit of implementation of these measures should form part of System Audit of Depositories.

Therefore, the committee recommends the following:

a) Care should be exercised while outsourcing and wherever possible depositories should put in place various controls to ensure that there is check on the activities of outsourced entity especially to monitor that outsourced activities are further outsourced downstream only with appropriate safeguards.

b) Core and critical activities of depositories should not be outsourced.

c) Core IT support infrastructure / activities for running the core activities of depositories to the possible extent should not be outsourced.

d) Wherever outsourcing is allowed, depositories should ensure that risk impact analysis is undertaken, only reputed entity having proven high delivery standards is selected, appropriate back up / restoration system is put in place and there is effective monitoring of the outsourced entity on real time basis.

e) Audit of implementation of risk assessment and mitigation measures listed in the outsourcing policy document and outsourcing agreement/ service level agreements pertaining to IT systems should form part of System Audit of Depositories.

Chapter 4

Identification of Systemically Important Market Infrastructure Institutions and their Inter-Linkages

Innovations through Information Technology have led to a paradigm shift and revolutionized the structure and the functioning of the securities market, the most important revolution being electronic trading, clearing & settlement. Dematerialization of securities has been one of the important landmarks in the securities market, made possible by technology, which not only changed the way trading was being done but also eliminated various market evils.

The dependence on technology in securities markets is such that most of the financial markets infrastructure institutions (Stock Exchanges, Depositories, Clearing and Settlement Corporations, etc.) have started using technology extensively in various areas which reduced the latency, cost and manpower. This dependence on technology has brought along a set of challenges to deal with such as obsolescence, capacity handling, multiplicity & complexity of systems, dependence on vendors and their associated risks, denial of services, external threats (cyber attacks, cyber frauds / crimes), internal threats, governance & management of technology, continuity of business and disaster recovery in case of exigencies, etc.

The reliance on technology has led to introduction of a new set of risks, i.e. technology risks, which not only have a direct impact in terms of operations of the institution but can also act as a catalyst in cascading other risks such as credit risk, settlement risk and market risk. Inadequate technology implementation can also induce strategic risk due to distortion of information/data as well as compliance risk due to non-adherence to any legal or regulatory requirement. These issues, therefore, not only have the potential to undermine investor confidence & trust but can also lead to reputation risks.

In view of the above, it is desired that the technology infrastructure deployed by the DPs to handle the task has to be robust, mature and secure and the implementation mechanism followed adheres to the industry best practices.

The committee deliberated on the system architecture of CDSL and NSDL to examine the need for review of technology usage in the depository system. The system architectures of CDSL and NSDL are described below:

I. System Architecture of Depositories

1. System Architecture of CDSL

a) CDSL has a centralized architecture and database. DPs enter the data in the system provided by CDSL.

b) CDSL has deployed 3 tier architecture depository software applications (CDAS – Centralized Depository Accounting System).

c) This application is accessed by users (DP & RTA) through WAN based connectivity.

d) They also have web based software applications for DPs, RTAs, BOs and CMs (EASI – Electronic Access to Security Information and EASIEST – Electronic Access to Security Information and Execution of Secured Transaction) which provide online and upload based transactions using digital signature.

e) DPs do not have separate front end software. Each DP is required to have back office software for the purpose of DIS issuance & usage controls, BO signature capture & retrieval, and importing various reports generated by the CDSL system for updating transaction status / reconciliation.

f) The centralized architecture of CDSL provides the following distinct advantages to the users:
- The initial set-up cost for Issuer Companies/their RTAs and Depository Participants is low.
- Information on investor's holdings is available to the Depository Participant and the Issuer or its RTA instantly.
- Database is replicated between main site and DR site using Oracle Data Guard facility.

g) The important checks available in the CDAS system of CDSL are:
- Mandatory PAN details
- PAN Validation
- Account activated only after capture of signature
- Debit and credits frozen in case of frozen BO accounts
- ISIN should be valid and active
- BO should be active
- Availability of balance in BO account

h) The various checks available in the back office system of CDSL DPs are:
- Maker checker for all transactions entered
- Verification of BO signature at the entry of instructions
- Inventory control of printed DIS books
- Record or cancel slips / slip books which are reported lost / returned by the BO
- Inventory control of DIS issued to POA holders
- Two step verification of high value DIS (value of more than Rs. 5 lacs) and for the transactions originating from dormant accounts
- Daily updation of back office from CDAS system

i) CDSL has 4 sites i.e. Main, DR data center, operational site at Fort, Mumbai and business continuity center at Belapur, Navi Mumbai. All these 4 sites are interconnected with each other using 45 Mbps/ 100 Mbps Ethernet leased lines. All leased line setups are configured in redundancy from 2 different service providers.

j) During DR operations, CDSL users are seamlessly connected to DR site without any change at user end.

k) CDSL complies with ISO 27001 standards for information security.

l) CDSL has been awarded BS25999-2:2007 certification for its Business Continuity Management Systems in April 2012.

2. System Architecture of NSDL

a) NSDL Depository system is a J2EE architecture standard based 3 tier implementation, comprising presentation layer (web servers), business logic layer (application server) and data layer (Database servers).

b) The design affords both horizontal and vertical scalability and is tested for linear scalability for execution of four times the current daily volume of instructions in one hour.

c) The current installed capacity can service the current entire day volume of instruction in just an hour.

d) The system is deployed on cluster of Intel and UNIX servers, and Mainframe with processor sparing facility and enterprise class storage with RAID and DISK sparing facility ensuring redundancy and no single point of failure.

e) Similarly, all routers, network devices and firewalls have equipment level redundancy and are configured with automatic failover.

f) For servers, NSDL undertakes OS hardening by disabling unused ports and services. Further, the infrastructure is periodically subjected to vulnerability assessment scan to confirm that unwanted ports and services are indeed closed and the patch level of OS is as required.

g) NSDL has designed their software in two distinct parts: 1) Depository Software (DM, eDPM) and 2) DP Software (Local DPM Software) which is the front office. Participants can submit Instructions using eDPM hosted at NSDL and Local DPM available at Participant’s end can be used to fulfill reporting requirement. This provides flexibility to Participants to generate report on demand and for any period and on real time basis.

h) The application code is subjected to application security test to ensure that it is not vulnerable to SQL injection, cross site scripting and such attacks.

i) The front office can be used to operate complete DP functionality including account opening, transfer & modifications, delivery, pledge, etc.

j) The DPs use back office for purposes such as DIS controls, billing, transaction controls, and internet based trading, etc.

k) The important checks available in the front office are:
- The system can be accessed only by authorized users over intranet as well as internet using e-token with digital certificate based PKI challenge response mechanism which provides for two factor authentication based on ‘what you have’ and ‘what you know’ principle of security.
- The access is granted strictly on ‘need to know’ and ‘need to do’ basis.
- The system requires two separate users, maker and checker, to execute any transaction.
- The system further ensures that the same user cannot assume both maker and checker roles, thereby enforcing good practice of segregation of duty and preventing one user from unilaterally executing the Instruction.
- The system maintains complete audit trail for transactions including IP address of the workstation from which the Instruction originated.
- NSDL has recently developed end to end security for data files exchanged between Participant Back Office (BO) and Depository system. This facility allows Participants to encrypt as well as digitally sign files right at the stage of generation from their BO system.
- Compulsory daily backup and end of day internal reconciliation
- Online reconciliation of position balance post execution of each transaction.
- End of Day internal reconciliation of balances across all clients (i.e. including the ones who have not transacted). In addition, external reconciliation of changed Positions between Local DPM and eDPM for a Business day is carried out.
- Audit trail for transactions

Important Business validations are specified below:
- PAN is mandatory and is also structurally validated for opening of Beneficiary Account.
- Activation of Account is subject to capture of mandatory fields including signature.
- Account will not be allowed any debits and credits if the Account is suspended for debit and credit. Credits are allowed if Account is frozen for only debits.
- Transactions are allowed for ISIN in ‘Active’ Status. In addition, Account should be in ‘Active’ status and should have sufficient Balance in the free Account for any debit transaction.
- Source Account should be present with the participant initiating the Transaction.
- Source and Target Account should be present in the Depository System

l) The important checks available in the back office are:
- Control on issuance & usage of DIS using unique DIS serial number
- Automatic blocking of used DIS
- Blocking of slips / slip books which are reported lost / returned by the BO
- Maker checker segregation for critical functions
- Verification of high value transactions and for the transactions originating from dormant accounts
- Investor grievances controls
- Verification of BO Signature at the time of entry of Instruction

m) NSDL has provided facilities to DPs to automatically update their back office with depository related exports as well as submit instructions captured in back office in a hands free manner, thereby eliminating operational errors.

n) NSDL has deployed identical infrastructure as production at its Disaster Recovery Site located in another city with on-line storage based replication over high bandwidth low latency link with near Zero RPO (Recovery Point Objective).

o) NSDL complies with ISO 27001 standards for information security.

p) NSDL has established capability as a part of BCP readiness to conduct business operations from its branches, cold site and remote site over secure VPN with ‘what you have and what you know’ security. Such recovery is done through alternate business teams nominated for functional recovery, in the disaster events. The system seamlessly connects such business users to the data center from which operations are conducted.
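
The front-office checks and business validations listed under item k) above (maker and checker as separate users, freeze states, active ISIN, free balance, online reconciliation and audit trail) can be modelled as follows. This is an added illustration in Python, not code from NSDL, CDSL or the committee's report; the class names, field names, error strings and all sample PANs, ISINs, users and IP addresses are hypothetical, and the PAN check is structural only.

```python
import re
from dataclasses import dataclass, field
from enum import Enum

# Structural PAN check only: five letters, four digits, one letter.
PAN_PATTERN = re.compile(r"[A-Z]{5}[0-9]{4}[A-Z]")

class Freeze(Enum):
    NONE = "none"
    DEBIT_ONLY = "debit only"            # credits are still allowed
    DEBIT_AND_CREDIT = "debit + credit"  # no movement in either direction

@dataclass
class Account:
    account_id: str
    participant: str                     # DP holding the account
    pan: str
    signature_captured: bool
    active: bool = False
    freeze: Freeze = Freeze.NONE
    free_balance: dict = field(default_factory=dict)  # ISIN -> quantity

@dataclass(frozen=True)
class Instruction:
    source: str
    target: str
    isin: str
    quantity: int
    maker: str
    maker_participant: str
    maker_ip: str

class DepositoryModel:
    """Hypothetical in-memory model of the checks; not a real depository API."""

    def __init__(self, active_isins):
        self.accounts = {}
        self.active_isins = set(active_isins)
        self.audit_trail = []

    def open_account(self, account):
        """Activate only with a structurally valid PAN and a captured signature."""
        errors = []
        if not PAN_PATTERN.fullmatch(account.pan):
            errors.append("PAN missing or structurally invalid")
        if not account.signature_captured:
            errors.append("signature not captured")
        account.active = not errors
        self.accounts[account.account_id] = account
        return errors

    def validate(self, ins):
        """Business validations applied to a transfer instruction."""
        src, dst = self.accounts.get(ins.source), self.accounts.get(ins.target)
        if src is None or dst is None:
            return ["source and target must exist in the depository"]
        errors = []
        if src.participant != ins.maker_participant:
            errors.append("source account is not with the initiating participant")
        if ins.isin not in self.active_isins:
            errors.append("ISIN is not active")
        if not (src.active and dst.active):
            errors.append("account is not active")
        if src.freeze is not Freeze.NONE:
            errors.append("source is frozen for debit")
        if dst.freeze is Freeze.DEBIT_AND_CREDIT:
            errors.append("target is suspended for credit")
        if ins.quantity <= 0 or src.free_balance.get(ins.isin, 0) < ins.quantity:
            errors.append("insufficient free balance")
        return errors

    def total(self, isin):
        return sum(a.free_balance.get(isin, 0) for a in self.accounts.values())

    def execute(self, ins, checker, checker_ip):
        """Checker step: re-validate, enforce segregation of duty, post, log."""
        errors = self.validate(ins)
        if checker == ins.maker:
            errors.append("maker and checker must be different users")
        if not errors:
            before = self.total(ins.isin)
            src, dst = self.accounts[ins.source], self.accounts[ins.target]
            src.free_balance[ins.isin] -= ins.quantity
            dst.free_balance[ins.isin] = dst.free_balance.get(ins.isin, 0) + ins.quantity
            # Online reconciliation: a transfer must not create or destroy units.
            if self.total(ins.isin) != before:
                raise RuntimeError("position balance mismatch after posting")
        # Every attempt is logged, accepted or not, with both workstations' IPs.
        self.audit_trail.append({"instruction": ins, "checker": checker,
                                 "checker_ip": checker_ip, "errors": list(errors)})
        return errors

def build_sample():
    """Constructed sample data; PANs, ISIN and account ids are made up."""
    model = DepositoryModel(active_isins={"INE000A00001"})
    model.open_account(Account("A1", "DP01", "ABCDE1234F", True,
                               free_balance={"INE000A00001": 100}))
    model.open_account(Account("A2", "DP02", "PQRSX6789K", True))
    model.open_account(Account("A3", "DP02", "LMNOP4321Z", True, freeze=Freeze.DEBIT_ONLY))
    model.open_account(Account("A4", "DP02", "BAD-PAN", True))   # stays inactive
    return model

if __name__ == "__main__":
    m = build_sample()
    ins = Instruction("A1", "A2", "INE000A00001", 40, "alice", "DP01", "10.0.0.5")
    print(m.execute(ins, checker="alice", checker_ip="10.0.0.5"))  # rejected
    print(m.execute(ins, checker="bob", checker_ip="10.0.0.6"))    # accepted
```

Rejected attempts are written to the audit trail as well, so a maker who tries to approve their own instruction leaves a record even though no balance moves.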

The committee felt that it is important to understand that the initiatives of the Government of India will fructify in ensuring a large number of retail investors taking part in the Securities Market and therefore the load on the systems at the DP as well as the Depositories will exponentially increase. The IT resources located at the DPs' front office and the back office have to meet clearly defined performance metrics in order to ensure that the service delivery is as per expectations. The IT resources, including the software environment, have to adhere to the stated levels of:

i. Performance and Scalability
ii. High Availability and Fault tolerance
iii. Security and Access Control
iv. Conformance to standards

Performance and Scalability: As mentioned above, it is estimated that, in view of the initiatives of the GoI, a large number of retail investors will become a part of the market in the near future and therefore, the IT infrastructure should be in a position to handle the increased load with acceptable levels of performance. More importantly the performance should be consistent taking into account the scalability concerns.

High Availability and Fault Tolerance: The IT infrastructure deployed should not have any single point of failure. In the event of failure of any sub-system or component or software the resultant solution has to work, maybe with acceptable levels of degraded performance, and a corrective mechanism has to be put in place to ensure that the rectification takes place within 4 hours. The administration, monitoring and management of the solution have to be proactive to identify and correct the faults before the failure occurs, in most of the cases. The IT infrastructure deployed by the DPs should have an uptime guarantee of 99.5% measured on a monthly basis with mean time to restore (MTTR) of not more than 4 hrs. Apart from the IT resources, the processes put in place, the implementation and management of the same play a crucial role in ensuring compliance to the above requirement.
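
The two availability figures above (99.5% uptime measured monthly, MTTR of not more than 4 hours) can be checked against an outage log as follows. This is an added example in Python, not part of the committee's report; the function names, the outage-record format and the sample outages are assumptions constructed for illustration. It also shows that a single outage restored in exactly four hours meets the MTTR limit while exceeding the downtime that 99.5% allows in a 30-day month (3 hours 36 minutes).

```python
from datetime import datetime, timedelta
import calendar

MTTR_LIMIT = timedelta(hours=4)          # figure taken from the text above
# 99.5% uptime leaves 0.5% of the month as downtime allowance (5/1000).
ALLOWANCE_NUM, ALLOWANCE_DEN = 5, 1000


def merge(intervals):
    """Merge overlapping outages so concurrent component failures count once."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def monthly_report(outages, year, month):
    """outages: list of (down_at, restored_at) datetimes for one DP system."""
    m_start = datetime(year, month, 1)
    m_end = m_start + timedelta(days=calendar.monthrange(year, month)[1])
    period = m_end - m_start
    incidents = merge(outages)
    # Downtime is clipped to the month, so an outage that crosses a month
    # boundary is split between the two monthly measurements.
    downtime = sum((min(e, m_end) - max(s, m_start)
                    for s, e in incidents if s < m_end and e > m_start),
                   timedelta())
    # Restore time is counted in full for incidents that began in this month.
    restores = [e - s for s, e in incidents if m_start <= s < m_end]
    mttr = sum(restores, timedelta()) / len(restores) if restores else timedelta()
    budget = period * ALLOWANCE_NUM / ALLOWANCE_DEN
    return {
        "downtime": downtime,
        "budget": budget,
        "mttr": mttr,
        "uptime_pct": round(100 * (1 - downtime / period), 3),
        "uptime_ok": downtime <= budget,
        "mttr_ok": mttr <= MTTR_LIMIT,
    }


# Constructed sample log: two overlapping outages on one day, one later outage.
SAMPLE_OUTAGES = [
    (datetime(2014, 4, 3, 10, 0), datetime(2014, 4, 3, 11, 30)),
    (datetime(2014, 4, 3, 11, 0), datetime(2014, 4, 3, 12, 0)),
    (datetime(2014, 4, 17, 22, 0), datetime(2014, 4, 17, 23, 0)),
]
# Constructed: one outage restored in exactly four hours.
SINGLE_FOUR_HOUR = [(datetime(2014, 4, 10, 9, 0), datetime(2014, 4, 10, 13, 0))]

if __name__ == "__main__":
    for name, log in (("sample", SAMPLE_OUTAGES), ("single 4h", SINGLE_FOUR_HOUR)):
        print(name, monthly_report(log, 2014, 4))
```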

Data Requirement: The DPs have to put in place appropriate mechanisms in order to ensure no compromise to data integrity and transaction integrity. Implementation of near site is not mandatory. If the DPs have implemented innovative mechanisms to ensure no data loss (similar to the implementations of NSDL and CDSL) it would suffice.

Security and Access Control: One of the major concerns of the Industry today is increased levels of automation to address the ever increasing load and also the need to provide connectivity to the external environments. The infrastructure is expected to be open and at the same time secure enough. One of the primary requirements of security is to have a robust and secure authentication framework. The DPs have to put in place an appropriate authentication framework and should collect the necessary data from the system administrator logs to clearly address aspects related to the access of the resources in the event of any attempts to gain entry into the system. As the environment is open to access from the external networks including the Internet, the DPs have to put in place appropriate checks and balances to ensure that only trusted and secure users are in a position to access the resources.

In view of the above, the committee recommends the following:

a) An IT strategy committee at the board level of depositories.

b) An approved and comparable IT strategy/plan document which needs to be reviewed annually by the depositories and their DPs.

c) An IT Steering committee to assist the IT Strategy Committee in implementation of IT strategy. The IT steering committee should comprise representatives from IT, HR, Legal and various business functions as appropriate.

d) Information Security policy should be approved by the board and reviewed annually.

e) Create an office of information security and designate a senior official as Chief Information Security Officer (CISO) whose work would be to assess risk and identify the threat / vulnerabilities.

f) Depositories should take steps to ensure that the IT Infrastructure of DPs has high availability and fault tolerance, uptime guarantee of 99.5% measured on a monthly basis with mean time to restore (MTTR) of not more than 4 hrs, data integrity and transaction integrity and appropriate security access and control framework.

II. Business Continuity and Disaster Recovery

In the event of disaster, the disruption in the services provided by the depository system may affect not only the market integrity but also the confidence of investors. It is therefore imperative that there should be no disruption in services and in case there is a disruption, there should be near zero data loss. In this context, the committee noted that SEBI has mandated inter alia the following in its guidelines on BCP and DR:

a) High Availability: There should not be any single point of failure and no denial of service.

b) Appropriate Interconnected Architecture: The architecture should ensure data replication without compromising data and transaction integrity.

c) Recovery Time Objective (RTO) and Recovery Point Objective (RPO) requirements as 4 hours and 30 minutes, respectively, and ensuring that the technology implemented and the processes adopted are capable of fulfilling the RTO/RPO objectives.

d) “Near Zero Data Loss” and implementing the same through appropriate mechanism; e.g. synchronous replication / near site.

e) Periodic Drills that simulate the real life scenarios on a regular basis and conducting these drills on a week day.

The committee recommends that, in addition to the above, the depositories should designate a senior official as Head of BCP function.

Chapter 5

Oversight and Inspection Framework

The committee, while dealing with the framework for Inspection and Oversight of Depositories and Depository Participants, felt that the matter needed to be examined from the following two angles:

- Oversight by SEBI on the functioning of Depositories and their operational control of DPs, and
- Inspection of DPs by Depositories

The oversight on the functioning of the depositories is maintained by SEBI mainly through the mandatory standard monthly development reporting (MDR) by the depositories, enforcement of the governance norms and through inspection of the depositories. Through these MDRs the depositories report the monthly statistical data such as the new account openings, account closures, new participant registrations, participant closures, number of issuers connected to the depository, no. of ISINs activated in the system, custody value of the securities held in the depository etc. It also includes information on the number of DP inspections conducted during the month, special inspections conducted, penalty levied/ restrictions imposed, details of complaints received and resolved. Further they also provide exception reports including the number of suspicious transactions reported by the DPs to the Financial Intelligence Unit. They also give status of the implementation of SEBI directives and circulars in the MDR.

SEBI has prescribed governance norms for depositories wherein it has been stipulated that in the governing board of depository, the number of Public Interest Directors (PIDs) shall not be less than the number of shareholder directors and Chairperson shall be elected from PIDs subject to prior approval of SEBI. Further, at least one PID is to be present to constitute a quorum.

Apart from the above, regular inspection of the depositories forms the basis for overseeing the compliance of the depositories with respect to the relevant regulations and the prescribed guidelines. Therefore, a sub-committee was formed comprising Prof. Krishnamurthy (DSRC Member), representatives of NSDL and CDSL, and officials of SEBI Market Regulation Department - Division of Market Supervision to comprehensively review the Inspection and Oversight framework.

I. Guidelines for Inspection of Depository Participants by Depositories

Depository Participants, being the agents of Depositories, act as touch points for the customers on behalf of depositories. An effective oversight of the DPs is a critical obligation of depositories and inspection is one of the effective means of oversight and supervision. It helps in identifying inadequacies and risks in the system and also helps the depositories to ensure compliance and adherence to the recommendations of CPSS-IOSCO principles.

1. Inspection Framework of Depositories by SEBI

As per the inspection policy of SEBI, depositories are inspected annually. Besides annual

comprehensive inspections, SEBI also conducts specific purpose inspections. As per the

procedure, SEBI calls for data from depositories through pre-inspection questionnaire and

the same is analyzed manually. The data so analyzed enables SEBI to identify areas which

need greater focus and verification during on-site inspection. Any major observations

noted during on-site inspections are discussed with the management of depositories for

their immediate information and compliance. Further, periodic follow up with the

depositories is done till all pending observations are fully implemented. However, as can

be observed from the tables given below, the periodicity of inspections has not been

regular due to multiple reasons.

The entire exercise, starting from pre-inspection data, analysis of

data, on-site inspection, preparation of report and follow up with depositories, takes up to a

period of 6 months. Since the entire process is manual and labour intensive with minimal

usage of technology, it is observed that the time taken in certain cases further increases

depending upon the number of inspecting officials.

Apart from inspection of depositories, SEBI also conducts annual inspection of DPs on

selective basis covering a limited number of DPs and such inspection is again observed to be

primarily compliance oriented. SEBI also receives monthly development reports (MDR) from

depositories which contain various details including number of routine/specific purpose

inspections of DPs conducted by them along with the various actions/penalties imposed on

the DP.

Details of SEBI inspection of CDSL are as follows:

Period of Inspection | Date of commencement | Nature of Inspection
August 2002- Jan 2004 | Feb 23, 2004 | Comprehensive Inspection
Feb/March 2004 – March 2005 | July 5, 2005 | Comprehensive Inspection
April 2005-March 2007 | March 26, 2007 | Comprehensive Inspection
N.A. | Oct 19, 2010 | Special purpose inspection to ascertain systems, processes and inspection mechanism of Depository
April 2007- August 31, 2012 | Nov 23, 2012 | Comprehensive Inspection

Details of SEBI inspection of NSDL are as follows:

Period of Inspection | Date of commencement | Nature of Inspection
August 2002- March 2005 | April 28, 2005 | Comprehensive Inspection
April 2005-May 2007 | July 29, 2007 | Comprehensive Inspection
N.A. | Oct 11, 2010 | Special purpose inspection to ascertain systems, processes and Inspection mechanism of Depository

The number of DPs inspected by SEBI from 2009-10 onwards is as follows:

Year | 2009-10 | 2010-11 | 2011-12
Number of DPs inspected | 9 | 11 | 13

It is felt by the committee that the current inspection methodology of SEBI is primarily

compliance based wherein focus is on ascertaining the compliance status of various guidelines

and safeguards mandated by SEBI from time to time. It is observed by the committee that

findings of the Depository inspections of DP and findings of SEBI inspections of DPs are not

cross verified or compared. The committee feels that compliance activities ought to be risk

based with a view to minimizing systemic risk while enhancing and improving customer (BO)

satisfaction. It is also felt by the committee that the data obtained from the MDRs and also

reports from the depositories on their findings about DPs leave scope for further effective

analysis by SEBI.

In view of the above, the committee recommends the following:

a) A revamp of the MDRs received from the depositories. The information received through

Monthly Development Reports (MDRs) be examined on a regular basis and the

observations/comments be conveyed to the Depositories, especially on findings of

the inspection of DPs.

b) The critical observations of SEBI inspection of DPs should be cohesive with the critical

observations of the DP inspection by depositories. In this context, the adequacy of inspection

of DPs by depositories needs to be checked by SEBI during its inspection of Depositories or

otherwise.

c) An annual interface between SEBI and Depositories to review comprehensively the

inspection findings on the DPs and areas of repeat violations, non-compliance, and overall

status of rectification.

d) The inspections should not restrict themselves to compliance; coverage should be

comprehensive including risk management, operational efficiency, customer satisfaction etc.

e) Non-compliance and violations have to be disincentivised not only through penalties, as

they are now, but also through statutory actions aiming to correct the procedures and

bring systems in place.

2. Inspection Framework of DPs by Depositories:

It is observed that presently, the depositories are mandated by SEBI to inspect their

participants on an annual basis. The depositories conduct these inspections through an

in-house team with a gap of around a year between two inspections of the same DP. A

spreadsheet based system is used by depositories to individually take information/data

from databases through reports and is used for determination of samples/adaptive

samples.

It was noted that NSDL has 283 DPs with 320 DPMs and 5,000 service centers. Similarly,

CDSL has 575 DPs, 222 branches and 13,000 service centers. It may be noted that branches

are those DP offices which are connected live with Depositories whereas service centers are

those offices of DPs which only act as investor service points for handling collection of

forms, data, account opening & related in-person verifications, and complaints. Service

centers are also observed to be connected with the main office through the back office

system of DP. Data from service centers flow electronically to the main office and the

corresponding physical applications are sent to the respective main office/related branch

which are then verified and stored.

The major areas that are looked into during the inspection of DPs by depositories are the

following:

a) Account opening (KYC and In person verification), account modification, account closure

b) Dematerialisation/rematerialisation, pledge/unpledge, freeze/unfreeze of securities

c) Issuance of Delivery Instruction Slip (DIS) booklets & execution of transactions

d) Complaint handling

e) Maintenance of mandatory registers.

f) Audit/verification of Back office software

Depositories conduct yearly inspections of all DPs and their live branches. Since most of the

DPs are registered as participants with both the depositories, they are subjected to

inspections by the depositories separately. All service centers are not inspected by the

depositories. Inspection of service centres of DPs is on a sample basis, which constitutes less

than 5% of total service centres. By the very nature of their registration criteria, all DPs are

observed to be carrying out other activities such as stock broking, banking, custodian, NBFC,

RTA etc. The frequency of inspections is observed to be the same irrespective of size, nature

and risk profile of DPs. It is observed that depositories do not have all the information

available in the back office of DPs with them such as DIS numbers, mapping, KYC

documents, account details, etc. As the details of the DIS booklets issued by DPs to their

BOs are not available with the depositories, they get verified only at the time of on-site

inspection resulting in loss of man hours and resources.

The DSRC and its sub-committee deliberated on the inspection process of the DPs by the

depositories, and considering that certain DPs are also systemically important financial

institutions (SIFIs) and engaged in various other activities, the committee considered it

appropriate to assess the risk on a holistic basis and develop a risk model for the DPs. It was

felt that inspections are currently done as checklist based annual exercises focusing only on

compliance, merely resulting in imposing monetary penalties rather than rectifying and

improving the systems, process and procedures.

In order to formulate a risk model, various risks emanating from activities undertaken by

DPs need to be identified and measured. The risk model should include both quantitative

factors and qualitative factors to objectively assess and measure the risk profile of the DPs.

Thereafter, these risks may be continuously monitored so as to take various measures to

mitigate/insulate such risks. For this exercise to be effective, it is essential to categorize all

activities handled into core and critical activities and carry out a risk matrix.

On the basis of information submitted by the depositories, it was noted that depositories

categorize the activities which have 100% internal/concurrent audit and where penalties

are levied as high risk. The other activities where penalties were levied are categorized as

medium risk and those activities where minor deviations are observed are categorized as

low risk. Based on the above, the various activities which the committee perceived to be

risky are as under:

a) Account Opening / KYC - The major risk associated with this activity is the opening of

fictitious accounts.

b) DIS issuance & processing / Unauthorized Transfer - Lack of monitoring / supervision of

this activity may lead to a situation where securities lying in the BO accounts could be

moved in an unauthorized manner (without the knowledge of BO holder) by the DP, which can

seriously jeopardize the integrity of depository system and thereby damage the

confidence of investors.

c) Trading of unlisted shares - Reconciliation of shares (Physical + electronic shares) of both

depositories must ensure that shares more than issued capital do not float in the

market.

d) Pledge/un-pledge of shares – Particularly such cases where promoters were able to

pledge the same shares with various entities.

e) Complaints handling – Types and instances of complaints can point to various

inadequacies in the system.

f) Power of Attorney (PoA) - Since PoA gives the legal right to operate the demat account

there is a risk of manipulation of securities in the demat account to derive unlawful

gains for POA holders, at the cost of beneficial owners.

g) Non core activities - Risks emanating from other activities undertaken by the depository

which are not in the domain of securities markets can permeate into the core activities

of the depository and may cause contagion damage.

The low risk activities were demat/remat, issue of transaction statement, closure of

accounts and inter-depository transfers.

Complaints received in the system form an integral part of the market intelligence systems

through which various risks/irregularities come to the notice of regulators. The analysis of

complaints' data provides vital information regarding the quality of services provided by the

DPs and any unauthorized use of securities. Therefore, the complaints received against the

DPs as available in the SCORES database of SEBI were analyzed. It was observed that the majority of

the complaints relate to:

a) Unauthorized transactions in accounts and manipulation

b) Improper services rendered such as non-closure/delay in closure of account,

wrong/excess charges, delay/non-execution of DIS, non-updation of changes in account

(address/ signatories/bank details/ PAN/nomination etc.,), delay in/non-receipt of

statements from DP, delay in dematerialization request processing, etc.

The committee therefore urges that:

a. the complaints database as available at the end of depositories should be extensively

and effectively studied for the purpose of quantitative analysis in the risk model.

Appropriate weights should be derived for activities based on number of complaints

received.

b. appropriate weights should also be assigned to those activities based on observations in

the inspection report where inadequacies were noticed in the processes and

procedures.

c. qualitative factors such as corporate governance and IT governance, management

quality & capacity, reputation & goodwill, efficiency & economy of services rendered,

etc., also need to be considered in the risk model to arrive at the total risk score.

Based on the above, the committee recommends SEBI to develop a risk model as given

below:

a) Risk Weightage – Depositories may assign risk weights for each of the inspection areas after

taking into consideration the following factors:

i) Operational risks in each of the inspection areas.

ii) Category of DPs

For example, a Bank DP should be assigned a different weight vis-a-vis a broker DP.

iii) Size of operations

Different weight for a big DP (based on value under custody, number of BO accounts, number

of service centers, etc.) as compared to a smaller DP.

iv) Repetitive violations of an activity

Higher weights to be assigned for the activity wherein repetitive violations are

observed.

v) IT Security and BCP

vi) Complaints received and redressed

b) Quantitative Score Calculation: Depositories shall arrive at a Quantitative Risk Score for

each inspection area by multiplying percentage of non-compliance to the sample size

with the corresponding assigned risk weight.

c) Qualitative Score Calculation: Depositories shall arrive at a Qualitative Risk Score for

each qualitative area by multiplying the score assigned by inspection team to DP with

corresponding assigned risk weight.

d) Total DP Risk Score shall be the summation of quantitative and qualitative scores

assigned to the DP.

e) Depositories shall suitably normalize the scales of the qualitative and quantitative scores

in arriving at the Total DP risk score.

f) Depositories shall categorize their DPs as 'High Risk', 'Medium to High Risk', 'Medium

Risk', and 'Low Risk' DPs based on the percentile of risk score.

DP Risk Rating / Categorization | Percentile of Risk Score
High | ≥ 80
Medium-High | 46-79
Medium | 21-45
Low | ≤ 20

g) After arriving at the risk rating / categorization as mentioned above, for subsequent

inspections, depositories shall use the DP risk rating/categorization to decide on the

frequency of inspection of DPs. Depositories shall inspect DPs categorized as High Risk

annually.

The Sample Size determination methodology and DP Rating/ Categorisation model are enclosed as Annexure II.

II. Delivery Instruction Slips (DIS) Issuance & Processing

The Delivery Instruction Slip (DIS) is an instrument using which a demat account holder/

Beneficial Owner (BO) can execute transfer of securities held in electronic form in the demat

account. The DIS to a demat account holder is equivalent to the cheque to a bank account

holder. The Depository Participant (DP) is required to print a DIS with pre-printed serial number

and issue DIS booklet to BO along with a requisition slip having the pre-printed serial number

range of the current DIS booklet. The DP is required to maintain details of serial numbers issued

to a BO and check the same at the time of execution of transaction. As DIS is an instrument of

transfer, DPs and BOs are required to exercise due care while storing, issuing and using the DIS.

Depositories have laid down stringent control measures to ensure minimization of fraudulent

use of DIS.

The members of DSRC during on-site inspection examined the process of verification of DIS

issuance and processing, and observed the following:

a) Depositories do not have details of the DIS booklets issued by DPs to their BOs which get

verified only at the time of on-site inspection, resulting in spending huge man hours and

resources.

b) Depositories do not have all the information available in the back office of DPs such as DIS

numbers, mapping, KYC documents, account details, etc.

Considering that the activity relating to issuance and monitoring of Delivery Instruction Slips

(DIS) is one of high risk, the committee felt that lack of monitoring of this activity may lead to a

situation where securities lying in the BO accounts could be moved in an unauthorized manner

(without the knowledge of BO) by the DP which can jeopardize the integrity of the depository

system.

The above possibility is very high in case of broker DPs due to the very nature of their activities

where both trading and securities accounts are held with the same entity. Further, due to

inadequate focus on verification of DIS issuance and processing at the time of inspection,

unauthorized transfers may go unnoticed and may threaten the market integrity.

The system of issue, processing and monitoring of DIS at the end of DPs is observed to be as

under:

a) Most DPs are observed using back office software for their operations, which includes

processing of transactions (DIS and related issues).

b) The back office software is procured by DPs from third party vendors. The Depositories only

prescribe certain checks and minimum requirements, which are verified by the depositories

at the time of start of their DP operations.

c) After the account is opened by depositories, each DP issues its own DIS booklet to the BO

holders and maintains the details of DIS in their back office software. The booklet issued is

mapped to respective BO.

d) The size, contents and structure of the DIS are not uniform across the Depositories.

e) Presently there are no checks at the end of depositories to verify the information submitted

by DP (through uploading of back-office data to the depositories) as the information

regarding the DIS serial numbers of BOs are not available with the depositories.

f) With respect to transactions processed, the DPs submit / upload End of Day (EOD) reports

to the depositories which only contain the details of the transactions executed. Other

relevant details such as DIS serial number, maker checker ID, etc., available at the back

office of DP are not included.

To check the efficacy of the above system, the insurance claims against the DPs were analyzed to

understand the major sources of claims and the type of DPs against whom such claims were

made. It was learnt that insurance claims made against the DPs are predominantly due to

fraudulent transfer of shares and the DPs are mostly stock broker DPs. Frauds are observed to

be predominantly done by employees.

The committee examined whether the transactions involving DIS could be digitalized and

whether images of the DIS on transactions could be captured for verification & archived. It was

felt that if the truncated (image) version of DIS were to be captured directly by DPs (out of their

branches / service centres) and also by Depositories, and simultaneously with a provision for

archiving the image files, the information gathered will enable effective monitoring of the

transactions from market surveillance perspective. Further, this will also ensure that issue of

loose slips at the end of DP will also be monitored and regulated. In view of the above, the

committee recommends the following:

a) Appropriate infrastructure and other requirements, to facilitate scanning and uploading of

the DIS image, should be implemented at the DP’s end and the depositories should put in

place a suitable mechanism to maintain a database of the scanned DIS.

b) Standardization of DIS across DPs to facilitate easy identification and tracking of DIS

issuance and processing.

c) The depositories should put in place systems such that all significant DIS related information

is available to them for off site inspections.

Way Forward

The committee has given its recommendations at the end of each chapter. The

recommendations given in chapter 4 and 5 have already been implemented by SEBI as these

recommendations formed part of the interim report submitted by the Committee.

The remaining recommendations can be divided into short term, medium term and long term

goals for the purpose of implementation. Accordingly, the way forward for recommendations

for the depository system is given below.

Short Term Goals

1. Risk Management Framework for depositories: There should be a Board approved well

documented comprehensive risk management framework at both depositories. The risk

management group/ committee formed by the depositories should be active and meet

periodically to continuously identify, evaluate and assess applicable risks in depository

system through various sources such as investor complaints, inspections, system audit

etc. and suggest measures to mitigate risk wherever applicable. A Chief Risk officer

should be made responsible, accountable, accessible & answerable to the board on

overall risk management issues.

2. The committee noted that certain DPs allow the promoters of companies to use

tripartite agreements usually referred to as Non-Disposal Agreement/ Non-Disposal

Undertaking (NDU) to extend facilities to its clients for lending / borrowing of shares

instead of following the pledging facility available in the depository system. The

committee recommends that DPs should not be party to such arrangements as there is

no regulatory mechanism to confirm whether shares have been pledged/ encumbered

through this method, leading to potential for fraud and multiple pledging.

3. In the area of outsourcing by Depositories, there is need for further focus and

strengthening of guidelines on the lines given below:

a) Care should be exercised while outsourcing and wherever possible depositories

should put in place various controls to ensure that there is check on the activities of

outsourced entity especially to monitor whether outsourced activities are further

outsourced downstream.

b) Core and critical activities of depositories should not be outsourced.

c) Core IT support infrastructure / activities for running the core activities of

depositories to the extent possible should not be outsourced.

d) Wherever outsourcing is allowed, depositories should ensure that risk impact

analysis is undertaken, only reputed entity having proven high delivery standards is

selected, appropriate back up / restoration system is put in place, and there is

effective monitoring of the outsourced entity on real time basis.

e) Audit of implementation of risk assessment and mitigation measures listed in the

outsourcing policy document and outsourcing agreement/ service level agreements

pertaining to IT systems should form part of System Audit of Depositories.

4. With regard to KYC, the committee noted that the e-KYC service launched by Unique

Identification Authority of India (UIDAI) has been accepted by SEBI as a valid process of

KYC verification. The committee also informed that NPCI has entered into an MoU with

UIDAI in order to aid financial inclusion through Aadhaar enabled bank accounts and

financial transactions. The Committee recommends that use of e-KYC through NPCI

should be popularised among DPs.

Medium Term Goals

1. SEBI ensures that the system and technology related requirements which are verified

prior to granting certificate for commencement of business, are also maintained on an

ongoing basis through regular inspections and system audits. This is an important aspect

of the depository system architecture and SEBI should regularly update its oversight

processes to ensure ongoing compliance.

2. Depositories should take steps to ensure that the IT Infrastructure of DPs has high

availability and fault tolerance, uptime guarantee of 99.5% measured on a monthly basis

with mean time to restore (MTTR) of not more than 4 hrs, data integrity and transaction

integrity and appropriate security access and control framework.

3. Reconciliation of records of shareholding is very critical to maintaining integrity of the

capital markets. The responsibility for reconciling records of total issued capital, listed

capital and capital held by depositories in dematerialized form lies with issuer. SEBI may

put in place a mechanism so that depositories maintain complete reconciled record of

total issued and listed capital, including both physical and dematerialized shares.

4. In order to achieve wider financial inclusion and bring investors in securities market

from Tier II and Tier III towns, the DPs need to widen their reach in these areas. For this

purpose, there is a need to devise an incentive structure for depository participants so

that they encourage investors to open demat accounts with them. The revenue source

of depositories may be augmented and DPs may be incentivized by having a revenue

sharing mechanism between the depositories and DPs which may encourage the DPs to

expand their reach in tier II & III towns. Bank DPs with their large branch network and

wider reach in the tier II & III towns can play a crucial role in furthering the objectives of

financial inclusion. DPs may be compensated for the cost incurred in account opening,

especially Basic Service Demat Accounts (BSDA) as it will act as a motivator for DPs to

open more accounts. Incentives structure may be devised so that DPs get compensation

on any incremental account opened by them in tier II & III towns.

5. Complaints received against depositories and DPs are resolved quickly except for

complaints relating to delay in demat/ remat. In such cases, the delay is at the end of

issuers and RTAs rather than the Depositories. Considering the nature of complaints and

the fact that there were negligible pending complaints, the committee feels that

Depositories do not require a corpus comparable to stock exchanges for their Investor

Protection Fund. The committee therefore recommends that SEBI may review the

quantum of funds required to be transferred to IPF by depositories and arrive upon a

sizable limit for corpus of IPF. Only profits from depository operations may be

transferred to IPF. SEBI may formulate an Investment Policy for the IPF. The funds of the

IPF may be utilized for conducting Investor Awareness and Education Programmes and

supporting the Depositories'/ DP's initiatives for financial inclusion in a variety of ways.

Long Term Goals

1. Depositories are uniquely placed to scale up and utilize their infrastructure to

dematerialize not just securities but also other financial assets subject to adequate

regulatory framework and checks and balances being put in place. In this regard, the

committee took note of the Budget announcement made in the interim budget

presentation in February 2014 and again in the budget speech in July 2014. The July

2014 budget announcement aims to "Introduce one single operating demat account so

that Indian financial sector consumers can access and transact all financial assets

through this one account." Enabling the above proposal would promote the integration

of the Indian Financial markets and allow the consumers greater access to and control of

a wide portfolio of financial assets.

2. With greater integration of depositories with other financial service providers, there is

possibility of interconnectivity of depositories with financial institutions/ FMIs/

international CSDs in future. Interconnectivity may require standardization of messaging

formats used by depositories. The committee recommends that it may be desirable to

standardise messaging formats in the long term.

3. Orderly winding down of depositories: The Committee observed that there is no laid

down system or procedure for orderly winding up of depositories in the event of

potential scenarios such as voluntary winding up by depositories, depositories going

bust due to general business risk, fraud at the end of depositories, or depositories

wound up due to regulatory action or court order. In Indian depository micro structure,

there are two depositories. In the event of failure, disruption or winding up of one

depository, all the demat accounts and securities held with stressed depository can be

potentially moved to another depository without affecting the interest of investors.

These measures are technically possible in the existing market micro structure, though

there is no laid down written document detailing the process and procedure for orderly

winding up of depositories. The committee recommends that there is a need to have a

well documented framework for orderly winding down of the depository operations

including making necessary legal provisions in the regulations, rules and Depositories

Act.

Annexure I

The committee held various meetings with Depository and Depository Participants. The dates

on which the meetings were held are given below:

S. No. | Date of the meeting | Meeting description
1. | August 14, 2012 | DSRC meeting
2. | August 27, 2012 | DSRC meeting
3. | September 27, 2012 | DSRC meeting
4. | October 11, 2012 | DSRC meeting
5. | November 06, 2012 | DSRC meeting
6. | November 17, 2012 | Sub-Committee meeting
7. | December 01, 2012 | Visit to NSDL & CDSL
8. | December 06, 2012 | Sub-Committee meeting with inspection department of Depositories
9. | December 31, 2012 | Sub-Committee meeting
10. | January 23, 2013 | Committee meeting at NPCI, Chennai
11. | February 08, 2013 | DSRC meeting
12. | March 16, 2013 | Presentation by Asit C Mehta and HDFC Bank
13. | April 04, 2013 | DSRC meeting
14. | May 17, 2013 | Presentations by SWIFT and ICICI Securities
15. | June 18, 2013 | DSRC meeting
16. | July 10, 2013 | DSRC meeting
17. | August 27, 2013 | DSRC meeting
18. | October 24, 2013 | DSRC meeting
19. | December 13, 2013 | DSRC meeting
20. | May 09, 2014 | DSRC meeting
21. | August 05, 2014 | DSRC meeting

The names of the participants who made presentations before the committee are as follows:

S. No. | Name of the Participant | Organisation | Date of attending the meeting
1 | Deena Mehta | Asit C Mehta | March 16, 2013
2 | Ashit Raja, Neelkantan Pillai, Prasannan Keshavan, Subir Saha | ICICI Securities | May 17, 2013
3 | Nishant Nadkarni, G Subrahmanyam | HDFC Bank | March 16, 2013
4 | Arun Tiwari, Anik Mehta, Saqib Sheikh, Hemant Chandak | SWIFT | May 17, 2013

Annexure II

Sample Size Determination Methodology

a) Sample size for inspection area relating to Account Opening:

The sample selection for account opening should cover all categories of clients such as

individuals, HUF, Corporate, FIIs etc. Account Opening Forms (AOF) relating to FIIs should be

checked on a 100% basis.

Base sample size: 5% of Account Opening Forms (AOFs) or 150 AOFs whichever is higher,

with a maximum cap of 1000 accounts.

Final Sample Size: The final sample size shall also be dependent on past

rating/categorization of DP. The following multipliers shall be used to determine the final

sample size for the current inspection.

DP Rating / Categorization | Multiplier
High risk | 3
Medium High risk | 2
Medium risk | 1.5
Low risk | 1

b) Sample Size for inspection area relating to DIS

Base sample size: 10% of total DIS processed or 200 processed DIS whichever is higher,

with a maximum cap of 1000 DIS.

Final Sample Size: The sample size shall also be dependent on rating/categorization of

DP. The following multipliers shall be used to determine the final sample size for the

current inspection.

DP Rating / Categorization | Multiplier
High risk | 3
Medium High risk | 2
Medium risk | 1.5
Low risk | 1

Out of the total intra depository instructions to be verified, the percentage of on and off

market instructions would be in the ratio of 1/3 and 2/3. The DIS issuance sample size

shall be 5% of the total samples verified for DIS.

c) Sample Sizes for inspection areas of 'Demat/Remat request' and 'Pledge/Unpledge'

5% of Demat/Remat request processed or 100 requests whichever is higher with a

maximum cap of 500 such requests.

5% of Pledge/Unpledge request processed or 100 requests whichever is higher with a

maximum cap of 500 such requests.

d) Sample Size for inspection area of 'Client Data Modification', 'Miscellaneous areas' and

'Other depository specific requirements'

Base Sample Size

i) Address change = 50

ii) Samples from Urban, Semi Urban and Rural Areas shall be equally represented if

available.

iii) Nomination Change = 25

iv) Signature change = 100

v) Addition / Deletion / Modification of POA = 100

vi) Freeze / Unfreeze = 50

vii) Bank Details Change = 100

viii) PAN modification = 100

ix) Account closure initiated by clients = 25

x) Closure initiated by DPs = 25

xi) Demat rejection = 30

xii) Transactions = 25

xiii) Change in e-mail Id = 25

xiv) Change in mobile number = 25

xv) Change in SMS flag = 50

xvi) Change in standing instruction flag = 50

xvii) Transmission = 50% of total transmission cases

xviii) Previous compliance = 100% of total samples

xix) Final sample size shall be arrived at after multiplying with the respective multiplier corresponding to the DP Risk rating/categorization as given below. In case the total number of instances/cases is less than the final sample size, then 100% of the samples shall be verified.

DP Rating / Categorization | Multiplier
High risk | 3
Medium High risk | 2
Medium risk | 1.5
Low risk | 1

xx) A uniform Base sample size of 100 shall be adopted in case of all other activities. In case the total number of samples is less than 100, then 100% of the samples shall be verified.

DP Rating / Categorization Model

a) Quantitative Score Calculation: Specific weights shall be assigned to each area as decided by each depository. The Total Quantitative Score shall be the summation of all individual inspection scores.

Indicative Table for calculation of Quantitative Score

S. No. | Inspection Areas | Weight (A) | B = No of Instances divided by Sample size | Inspection Score IS = A*B
A. | Inspection Area 1 | | |
A.1. | Inspection Sub Area A 1 | | |
A.2. | Inspection Sub Area 2 | | |
| Total Score for Inspection Area 1 | | |
B. | Inspection Area 2 | | |
B.1. | Inspection Sub Area B 1 | | |
B.2. | Inspection Sub Area B 2 | | |
B.3. | Inspection Sub Area B 3 | | |
| Total Score for Inspection Area 2 | | |

Depositories shall include all inspection areas and sub areas in the above model to arrive at the Quantitative Score for a DP.

Indicative Table for calculation of Quantitative Score for Complaints Received

Sr No | Type and Nature of Complaint | Weight (A) | (Number of Complaints redressed) / (Number of Complaints received) | Inspection Score IS = A*B
T | Complaints | | |
T.1 | Complaint Sub Area 1 | | |
T.2 | Complaint Sub Area 2 | | |
| Total Score for Complaints | | |

Quantitative Score = Σ (Scores of Inspection Areas including Total score for Complaints)

b) Qualitative Score Calculation: Specific weights shall be assigned to each area as decided by depository. The Total Qualitative Score shall be the summation of all area scores.

Sr. No | Qualitative Factors | Weight (A) | Point on the scale of 1 to 10 [10 being the Worst] (B) | Area score = (A) * (B)
1 | Ownership and Governance | | |
2 | IT security and Business Continuity | | |
3 | Regulatory / procedural Compliance | | |
4 | Automation of systems and processes for critical activities | | |
5 | Quality of Management | | |
6 | Financial Status / profitability of DPs | | |
7 | Pending enquiries / Penalties imposed by SEBI / Depositories on DP operations | | |
8 | Complaints redressal | | |
9 | Adverse findings of other activities (e.g. Broking / custodian / banks etc.) | | |

Total Qualitative Score = Σ (Area Scores)

Following indicative factors shall be taken into account for arriving at above mentioned qualitative score:

a) Ownership and Governance

i) Constitution of Board of DP – Number of promoter directors, Independent Directors etc.

ii) Role of non-executive directors / Independent directors.

b) Quality of Management

iii) Experience, Fit and Proper and Qualification of Key Personnel.

iv) Existence of Succession planning for top management especially in control functions.

v) Chinese walls between the activities in terms of manpower, resources etc.

vi) Training and development of employees.

vii) Adequacy of staff strength.

viii) Compliance level of previous inspection observations/ directions of regulatory bodies.

c) IT security and Business Continuity

ix) High Availability.

x) Appropriate Interconnected Architecture.

xi) Appropriate Recovery Time Objective (RTO) and Recovery Point Objective (RPO) and near “Zero Data Loss”.

xii) Periodic drills that simulate the real life disaster scenarios on a regular basis.

xiii) Technological glitches in the past period and remedies taken.

xiv) Information security.

xv) Upgradation of technology.

d) Financial Status / profitability of DPs

xvi) The net-worth of the DPs (whether reducing or increasing from previous years)

xvii) Net Profits of DPs operations.

e) Complaints redressal

xviii) Complaint redressal system.

xix) Percentage of complaints pending and resolved.

f) Other adverse findings

xx) Actions taken by Stock exchange and SEBI / RBI with respect to other activities

xxi) Actions taken by other depository

Total Score = Qualitative Score + Quantitative Score

List of Abbreviations

BCP - Business Continuity Planning

BO - Beneficial Owner

BSDA - Basic Services Demat Account

CDAS - Centralized Depository Accounting System

CDSL - Central Depository Services (India) Limited

CISO - Chief Information Security Officer

CM - Clearing Member

CPSS - Committee on Payment and Settlement Systems

CSD - Central Securities Depository

DIS - Delivery Instruction Slip

DP - Depository Participants

DR - Disaster Recovery

FIU - Financial Intelligence Unit

FMI - Financial Markets Infrastructure

IEPF - Investor Education and Protection Fund

IOSCO - International Organization of Securities Commissions

IPF - Investor Protection Fund

IPEF - Investor Protection and Education Fund

IPV - In Person verification

KYC - Know Your Client

MDR - Monthly Development Report

NPCI - National Payments Corporation of India

NSDL - National Securities Depository Limited

PID - Public Interest Director

RPO - Recovery Point Objective

RPT - Recovery Point Time

RTA - Registrar and Transfer Agent

SCORES - SEBI Complaint Redress System

SGF - Settlement Guarantee fund

SIFI - Systemically Important Financial Institutions

UIDAI - Unique Identification Authority of India