August 10, 2018
To, All Registrars to an Issue and Share Transfer Agents registered with SEBI
Dear Sir/ Madam,
Subject: Enhanced monitoring of Qualified Registrars to an Issue and Share Transfer Agents
1. SEBI constituted a Committee under the Chairmanship of Shri R. Gandhi, Former Deputy Governor, Reserve Bank of India to review the regulations and relevant circulars pertaining to Market Infrastructure Institutions (MIIs). The Committee also looked into the desirability of extending the extant framework of MIIs to certain market intermediaries including the Registrars to an Issue and Share Transfer Agents (RTAs) servicing more than 2 crore folios (hereinafter referred to as “Qualified RTAs” or “QRTAs”).
2. Based on the recommendations of the Committee and the public comments received on the same, SEBI Board in its meeting held on June 21, 2018, decided that while changes in ownership structures of RTAs may not be required, the QRTAs may be required to comply with enhanced monitoring requirements, through adoption and implementation of internal policy framework; and periodic reporting on key risk areas, data security measures, business continuity, governance structures, measures for enhanced investor services, service standards, grievance redressal, insurance against risks, etc. With respect to data security and system audits, vide SEBI circular dated September 08, 2017, certain compliance requirements have already been prescribed for QRTAs.
3. The QRTAs are now advised to formulate and implement a comprehensive policy framework, approved by the Board of Directors (“BoD”) of the QRTAs, which shall include the following aspects:
I. Risk Management Policy:
The QRTAs are advised to establish a clear, thorough and a well-documented risk management policy, which shall include the following-
a. An integrated and comprehensive view of risks to the QRTAs including those emanating from vendors, third parties to whom activities are outsourced, clients, etc.;
b. List of all relevant risks, including Operational risk, Fraud risk, Technology risk, Cyber Security risk, and general business risks including Credit risk, Market risk, Legal risk, Reputation risk etc. as the BoD of QRTAs deems fit; and systems, policies and procedures to identify, assess, monitor and manage the risks that arise in or are borne by the QRTAs, including audit and reporting of the same to the BoD;
c. Responsibilities and accountability for risk decisions and decision making process in crises and emergencies.
II. Business Continuity Plan:
QRTAs shall maintain Business Continuity Plan with a Center (BCP) situated at location other than primary processing location (off-site), which is capable to take over operations without disruption in case of any service failure at primary processing site.
QRTAs shall have written policy, protocols, processes and controls for BCP. QRTAs shall ensure business continuity and no adverse impact on investor servicing resultant of any data loss. The effectiveness of BCP to be tested periodically, and the gap between two tests (mock drills, etc.) shall not be more than twelve months.
III. Manner of keeping records:
Where records are kept electronically by the QRTAs, they shall ensure that the integrity of the automatic data processing systems is maintained at all times. QRTAs shall also maintain accurate up to date records for investor servicing and take all precautions necessary to ensure that the records are not lost, destroyed or tampered with; and in the event of loss or destruction, ensure that sufficient back up of records is available at all times at a different place.
IV. Wind-down Plan:
Every QRTA shall devise and maintain a wind-down plan.
A ‘wind-down plan’ means a process or plan of action employed, for transfer of the entire operations of the QRTA to an alternative RTA/ QRTA registered with SEBI, that would take over the operations of the QRTA in scenarios such as erosion of net-worth of the QRTA or its insolvency or its inability to provide critical RTA operations or services.
V. Data Access and Data Protection Policy:
QRTAs shall extend all such co-operation to the investors, issuers, custodians of securities, depositories and other QRTAs as is necessary for effective and smooth investor servicing.
Towards this purpose, QRTAs shall lay down appropriate protocols, processes and controls for its activities and also for entities who wish to connect with the database of the QRTAs electronically. QRTAs shall also have written agreements, confidentiality contracts, security protocols and such other relevant procedures for data integrity while facilitating electronic access.
VI. Ensuring Integrity of Operations:
QRTAs shall maintain adequate human resources, systems and processes for smooth functioning. QRTAs to also ensure that its database, servers, data storage media shall reside in India.
QRTAs shall lay down the minimum standards, protocol and procedures for smooth running of operations, to protect the investor data and maintain information security. Further, the QRTAs shall have a detailed operations manual explaining all aspects of its functioning, including the interface and method of transmission of information between the depository, issuers, and others. The QRTAs shall have a mechanism in place to have periodic replication of data with the concerned Mutual Funds / Issuer Companies / Real Estate Investment Trusts (REITs)/ Infrastructure Investment Trusts (InvITs).
VII. Scalable infrastructure:
The BoD of QRTAs shall approve a policy framework for up-gradation of infrastructure and technology from time to time to ensure smooth functioning and scalability for delivering services to investors at all times. QRTAs shall at all times, maintain adequate technical capacity to process twice the peak transaction load encountered during past six months.
VIII. Board of Directors (BoD) / Committees of BoD of QRTAs:
The BoD of QRTAs shall seek reports on incidents having an impact on investor protection including data security breaches that can affect investor data, etc. QRTAs shall have Committees of the Board of Directors including Audit Committee, Nomination and Remuneration Committee and IT Strategy Committee.
The Audit Committee shall assist the BoD in fulfilling its corporate governance and overseeing responsibilities in relation to an entity’s financial reporting, internal control system, and risk management system including the risk parameters. The Audit Committee shall also review the internal audit reports, compliance to SEBI Regulations, circulars and the reasonableness of the price being charged for investor services.
The Nomination and Remuneration Committee shall in accordance with the rules laid down, recommend to the BoD a policy, relating to the appointment, tenure and remuneration for the directors, key managerial personnel and other employees.
The IT Strategy Committee shall provide insight and advice to the BoD of QRTAs in various areas that may include developments in IT and alignments with the same from investor services perspective, scalability of operations, etc.
IX. Investor Services and Service Standards:
a. QRTAs, servicing Mutual Funds investors, must have Investor Service Center in at least 100 cities based on investor population pertaining to the Mutual Funds clients they service. As regards servicing of corporate, REIT, InvIT investors, QRTA shall maintain adequate investor service centers based on investor population. This shall be reviewed from time to time by SEBI.
b. QRTAs shall have online capabilities for investor queries, complaints and their redressal. The complaints redressal mechanism should be investor friendly and convenient. The same should have capabilities of being retrieved easily by the complainant online through complaint reference number, e-mail id, mobile no. etc.
c. QRTAs, handling corporate registry functions, shall develop facility for providing services for managing Shareholders General Meetings including shareholders voting / poll process and web streaming of all Annual General Meetings (AGMs) of all their listed client companies. QRTAs shall also look forward to providing other value added services and when required by SEBI.
d. QRTAs must publish on its website, the service standards (eg: turnaround time for services rendered).
e. QRTAs should also carry out stakeholder/ investor satisfaction surveys annually, and the same should also be published on the website before March 31, every year.
X. Insurance against Risks:
All QRTAs shall take adequate insurance for omissions and commissions, frauds by employee/s to protect the interests of the investors.
4. QRTAs shall formulate and implement the policy framework, and also comply with the additional reporting requirements within six months from the date of this circular. The first compliance with these guidelines shall be submitted within 30 days from the end of six months period.
5. The compliance report of the enhanced reporting norms shall be submitted to SEBI duly reviewed by the BoD of QRTAs, within 60 days of expiry of each calendar quarter. The format of the report is placed at Annexure 1.
6. This enhanced reporting would be in addition to half-yearly periodic reporting done by Registrars to an Issue and Share Transfer Agents as prescribed by SEBI vide circular dated July 05, 2012 on “Review of Regulatory Compliance and Periodic Reporting”.
7. This circular is being issued in exercise of powers conferred under Section 11 (1) of the Securities and Exchange Board of India Act, 1992, to protect the interests of investors in securities and to promote the development of, and to regulate the securities market.
D Rajesh Kumar