Market regulator Securities and Exchange Board of India (SEBI) has imposed a penalty of Rs12 lakh on NSE Data & Analytics Ltd, formerly DotEx International, due to significant lapses in regulatory compliance. Specifically, SEBI says the company failed to properly segregate its information technology (IT) infrastructure and personnel from its parent, National Stock Exchange (NSE).
In an order, Barnali Mukherjee, the adjudicating officer at SEBI, stated, "NSE Data & Analytics was under an obligation to abide by the provisions of the Intermediaries Regulations, Know Your Client Registration Agency (KRA) Regulations, and SEBI circulars, which it failed to do during the inspection period. Although NSE KRA asserted that it had implemented various corrective measures, the irregularities committed during the inspection period could not be overlooked. As a registered intermediary, NSE KRA is expected to uphold fair practices and maintain a high degree of professionalism in its operations."
The inspection, conducted from 6 September 2023 to 7 September 2023, examined the company's activities from 1 April 2022 to 31 July 2023. NSE Data & Analytics is registered with SEBI as a KRA.
NSE Data & Analytics says it shares its network architecture and adheres to the NSE's business continuity management policy. SEBI says, "This arrangement has led to the absence of a distinct business continuity plan (BCP) and disaster recovery (DR) policy."
The company argued that the SEBI circular did not necessitate a separate policy, but in doing so it misinterpreted the requirements. It established its own BCP and DR policy only in January 2024, confirming its non-compliance during the inspection period.
SEBI also found that NSE Data & Analytics delayed sending acknowledgement letters to investors during the IPO process in 61 out of 1,11,539 cases. SEBI mandates that such letters be sent within 10 working days. Although NSE KRA claimed that the delays, which ranged from 13 to 178 days, were procedural and had no adverse impact, it cannot absolve itself of responsibility for these delays, which should have been addressed promptly.
Furthermore, SEBI requires KRAs to implement a robust cyber security and cyber resilience framework. However, system audit reports of NSE Data & Analytics from February and July 2023 revealed unresolved vulnerabilities from vulnerability assessment and penetration testing (VAPT) activities, which were not addressed in the cybersecurity audit report.
The SEBI inspection also uncovered poorly maintained access logs at NSE Data & Analytics' data centre. Additionally, minutes from the Standing Committee on Technology lacked transparency regarding action taken reports. SEBI mandates that all cyber incidents be reported within six hours, a requirement stipulated by SEBI regulations but missing from NSE Data & Analytics' policy.
NSE Data & Analytics also failed to validate 1,159 KYCs (know-your-customer) within SEBI's stipulated two-day turnaround time (TAT). Despite NSE Data & Analytics' claims that the reduced TAT was challenging, SEBI had provided sufficient time and extensions. NSE KRA's argument was rejected, confirming violations of SEBI's circulars and KRA regulations.
Further, the company's failure to segregate IT infrastructure and personnel from the NSE violated the SEBI Intermediaries Regulations, 2008. Although NSE KRA acknowledged the need for segregation and completed it by 30 May 2024, this was not achieved during the inspection period.
SEBI concluded that NSE Data & Analytics did not comply with the necessary standards, and the imposed penalty underscores the seriousness of the company's deficiencies in cybersecurity, KYC processing and corporate governance.