2024-08-09

Master Circular for Stock Brokers

The Securities and Exchange Board of India (SEBI) issued this updated Master Circular on August 9, 2024, to consolidate all relevant directions for stock brokers into a single document, superseding the previous version from May 22, 2024. The circular rescinds numerous prior circulars while ensuring that actions taken, pending applications, and liabilities incurred under those rescinded rules remain legally valid and unaffected. It establishes a comprehensive regulatory framework covering broker registration, supervision, client dealings, technology standards, and investor grievance redressal.


India

Securities and Exchange Board of India


MASTER CIRCULAR

SEBI/HO/MIRSD/MIRSD-PoD-1/P/CIR/2024/110
August 09, 2024

To,
All Recognized Stock Exchanges
Stock Brokers through Recognized Stock Exchanges

Madam/Sir,

Subject: Master Circular for Stock Brokers

I. Securities and Exchange Board of India (SEBI), from time to time, has been issuing various circulars/directions to Stock Brokers. In order to enable the users to have access to the provisions of the applicable circulars at one place, SEBI had issued Master Circular dated May 22, 2024 in respect of Stock Brokers.

II. Subsequently, various guidelines/directions were issued to Stock Brokers by way of circulars/advisory. In view of the same, the Master Circular dated May 22, 2024 has been updated to include all relevant circulars that were issued till date i.e. August 09, 2024 [1]. The instant master circular supersedes the Master Circular for Stock Brokers dated May 22, 2024.

III. Vide Master Circular for Stock Brokers dated May 22, 2024, the directions/instructions contained in the circulars listed out in the Appendix to that Master Circular, to the extent they relate to the Stock Brokers, were rescinded. In addition, with the issuance of this Master Circular, the directions/instructions contained in the circulars listed out at Sr. nos. 117-118 in the Appendix to this Master Circular, to the extent they relate to the Stock Brokers, shall stand rescinded.

IV. Notwithstanding such rescission,

a) anything done or any action taken or purported to have been done or taken under the rescinded circulars, prior to such rescission, shall be deemed to have been done or taken under the corresponding provisions of this Master Circular;

b) any application made to the Board under the rescinded circulars, prior to such rescission, and pending before it shall be deemed to have been made under the corresponding provisions of this Master Circular;

c) the previous operation of the rescinded circulars or anything duly done or suffered thereunder, any right, privilege, obligation or liability acquired, accrued or incurred under the rescinded circulars, any penalty, incurred in respect of any violation committed against the rescinded circulars, or any investigation, legal proceeding or remedy in respect of any such right, privilege, obligation, liability, penalty as aforesaid, shall remain unaffected as if the rescinded circulars have never been rescinded;

V. This circular is issued in exercise of powers conferred under Section 11(1) of the Securities and Exchange Board of India Act, 1992.

VI. This circular is available on SEBI website at www.sebi.gov.in.

Yours faithfully,

Aradhana Verma
General Manager
Tel. No: 022 26449633
aradhanad@sebi.gov.in

[1] A list of changes made in Master Circular is placed at the end of circular as Annexure A.

TABLE OF CONTENTS

I. REGISTRATION OF STOCK BROKERS

1. Registration of Brokers – Verification of antecedents of the applicant
2. Conversion of individual membership into corporate membership
3. Additional information to be submitted at the time of registration of Stock Broker with SEBI
4. Additional requirements for processing applications of Stock Brokers for Registration/ Prior approval for sale of membership/ Change of name/ Trade name
5. Merger/ Amalgamation of Trading Members
6. Admission of Limited Liability Partnerships as Members of Stock Exchanges
7. Single registration for Stock Brokers & Clearing Members
8. Registration of Members of Commodity Derivatives Exchanges
9. Integration of broking activities in Equity Markets and Commodity Derivatives Markets under single entity
10. Uniform membership structure across segments
11. Online Registration Mechanism for Securities Market Intermediaries
12. Transfer of business by SEBI Registered intermediaries to other legal entity

II. SUPERVISION & OVERSIGHT

13. Oversight of Members (Stock Brokers/Trading Members/Clearing Members of any Segment of Stock Exchanges and Clearing Corporations)
14. Policy of Annual Inspection of Members by Stock Exchanges/Clearing Corporations
15. Enhanced Supervision of Stock Brokers / Depository Participants
16. Annual System Audit of Stock Brokers / Trading Members
17. Early Warning Mechanism to prevent diversion of client securities
18. Enhanced obligations and responsibilities on Qualified Stock Brokers (QSBs)

III. DEALINGS WITH CLIENT

19. Unique Client Code
20. Simplification And Rationalization Of Trading Account Opening Process
21. Nomination for Eligible Trading Accounts
22. Requirements relating to dealings between a Client and a Stock Broker (Trading Members included)
23. Regulation of Transactions Between Clients and Brokers
24. Collateral deposited by Clients with Brokers
25. Severance of connections with other businesses
26. Applicability of Rule 8(1)(f) and 8(3)(f) of the Securities Contract (Regulation) Rules, 1957
27. Mode of payment and delivery
28. Pre-funded instruments / Electronic fund transfers
29. Disclosure of proprietary trading by Broker to Client
30. “Pro – account” trading terminal
31. Review of norms relating to trading by Members/ Sub-Brokers
32. Market Access through Authorised Persons
33. SMS and E-mail alerts to investors by Stock Exchanges
34. Prevention of Unauthorised Trading by Stock Brokers
35. Execution of Power of Attorney (PoA) by the Client in favour of the Stock Broker/ Stock Broker and Depository Participant
36. Execution of ‘Demat Debit and Pledge Instruction’ (DDPI) for transfer of securities towards deliveries / settlement obligations and pledging / re-pledging of securities
37. Modification of Client Codes of Non-institutional Trades Executed on Stock Exchanges (All Segments)
38. Margin Trading Facility
39. Collection and reporting of margins by Trading Member (TM) /Clearing Member (CM) in Cash Segment.
40. Framework to Enable Verification of Upfront Collection of Margins from Clients in Cash and Derivatives segments
41. Margin obligation to be given by way of Pledge/ Re-pledge in the Depository System
42. Segregation and Monitoring of Collateral at Client Level
43. Maintenance of current accounts in multiple banks by Stock Brokers
44. Block Mechanism in demat account of clients undertaking sale transactions
45. Handling of Client’s Securities by Trading Members/ Clearing Members
46. Validation of Instructions for Pay-In of Securities from Client demat account to Trading Member (TM) Pool Account against obligations received from the Clearing Corporations
47. Settlement of Running Account of Client’s Funds lying with Trading Member (TM)
48. Risk disclosure with respect to trading by individual traders in Equity Futures & Options Segment
49. Ease of Doing Investments by Investors - Facility of voluntary freezing/ blocking of Trading Accounts by Clients
50. Enhancement of operational efficiency and Risk Reduction-Pay-out of securities directly to client demat account

IV. TECHNOLOGY RELATED PROVISIONS

51. Electronic Contract Note
52. Conditions to be met by Broker for providing Internet Based Trading Service
53. Securities Trading through Wireless medium on Wireless Application Protocol (WAP) platform
54. Securities Trading using Wireless Technology
55. Additional Requirements for Internet Based Trading (IBT) and Securities trading using Wireless Technology (STWT)
56. Direct Market Access facility
57. Smart Order Routing
58. Broad Guidelines on Algorithmic Trading
59. Testing of Software used in or related to Trading and Risk Management
60. Safeguards to avoid trading disruption in case of failure of software vendor
61. Cyber Security and Cyber resilience framework for Stock Brokers.
62. Reporting for Artificial Intelligence (AI) and Machine Learning (ML) applications and systems offered and used by market intermediaries
63. Advisory for Financial Sector Organizations regarding Software as a Service (SaaS) based solutions
64. Framework to address the ‘technical glitches’ in Stock Brokers’ Electronic Trading Systems
65. Advisory for SEBI Regulated Entities (REs) regarding Cybersecurity best practices
66. Framework for Adoption of Cloud Services by SEBI Regulated Entities (REs)

V. CHANGE IN STATUS, CONSTITUTION, CONTROL, AFFILIATION

67. Periodical Report – Grant of prior approval to members of Stock Exchanges
68. Procedure for seeking prior approval for change in control
69. Guidelines for seeking NOC by Stock Brokers / Clearing Members for setting up Wholly Owned Subsidiaries, Step Down Subsidiaries, Joint Ventures in GIFT IFSC

VI. FOREIGN ACCOUNTS TAX COMPLIANCE ACT RELATED PROVISIONS

70. Inter-Governmental Agreement with United States of America under Foreign Accounts Tax Compliance Act – Registration
71. Implementation of the Multilateral Competent Authority Agreement and Foreign Account Tax Compliance Act

VII. INVESTOR GRIEVANCE REDRESSAL

72. Exclusive e-mail ID for redressal of Investor Complaints
73. Redressal of investor complaints against Stock Brokers in SEBI Complaints Redress System (SCORES)
74. Information regarding Grievance Redressal Mechanism
75. Publishing Investor Charter and disclosure of Investor Complaints by Stock Brokers on their websites

VIII. DEFAULT RELATED PROVISIONS

76. Standard operating procedure in the cases of Trading Member / Clearing Member leading to default
77. Recovery of assets of defaulter member and recovery of funds from debit balance clients of defaulter member for meeting the obligations of clients / Stock Exchange / Clearing Corporation

IX. MISCELLANEOUS

78. Advertisement by Brokers and grant of trading terminals
79. Registration Number of Brokers to be quoted on all correspondences with SEBI
80. Maintenance of books of accounts and other documents sought by Enforcement Agencies from Stock Exchanges and Brokers
81. Display of details by Stock Brokers (including Trading Members)
82. Unauthenticated news circulated by SEBI Registered Market Intermediaries through various modes of communication
83. Guidelines on Outsourcing of Activities by Stock Brokers
84. General Guidelines for dealing with Conflicts of Interest of Stock Brokers and their Associated Persons in Securities Market.
85. Digital Mode of Payment
86. Regulatory Framework for Commodity Derivatives Brokers
87. Approach to securities market data access and terms of usage of data provided by data sources in Indian securities market
88. Introduction of Investor Risk Reduction Access (IRRA) platform in case of disruption of trading services provided by the Trading Member (TM)
89. Maintenance of a website by stock brokers
90. Framework for Regulatory Sandbox
91. Transactions in Corporate Bonds through Request for Quote (RFQ) platform by Stock Brokers (SBs)
92. Bank Guarantees (BGs) created out of clients’ funds
93. Upstreaming of clients’ funds by Stock Brokers (SBs) / Clearing Members (CMs) to Clearing Corporations (CCs)
94. Measures to instil confidence in securities market – Brokers’ Institutional mechanism for prevention and detection of fraud or market abuse

X. REPORTING REQUIREMENTS

Annexures

1. Annexure-1 - Additional information to be submitted at the time of registration of Stock Broker with SEBI
2. Annexure-2 – An Illustrative list of common violations/deficiencies observed by SEBI in its inspections of members
3. Annexure-3 - Stock Broker System Audit Framework - Terms of Reference (ToR) for Type I Broker
4. Annexure-4 - Stock Broker System Audit Framework – ToR for Type II Broker
5. Annexure-5 - Stock Broker System Audit Framework – ToR for Type III Broker
6. Annexure-6 - Stock Broker System Audit Framework – Executive Summary Reporting Format
7. Annexure-7 - Index of documents giving details of various documents for client account opening process
8. Annexure-8 - Additional information about the client related to trading account
9. Annexure-9 - Rights & Obligations of stock broker, and client for trading on exchanges (including additional rights & obligations in case of internet / wireless technology based trading)
10. Annexure-10 - Uniform Risk Disclosure Documents (for all segments / exchanges)
11. Annexure-11 - Guidance Note detailing Do’s and Don’ts for trading on exchange(s) for investors
12. Annexure-12 - Format for nomination form
13. Annexure-13 - Declaration Form for opting out of nomination
14. Annexure-14 - Demat Debit and Pledge Instruction
15. Annexure-15 - Format of the Daily Reporting by the members to the Exchange on the amount financed by them under the Margin Trading Facility
16. Annexure-16 - Allocation of collateral
17. Annexure-17 – Monitoring of the minimum 50% cash-equivalent collateral requirement
18. Annexure-18 - Blocking of margins
19. Annexure-19 - Monitoring of risk reduction mode
20. Annexure-20 – Change of Allocation
21. Annexure-21 - Procedures to be followed in the Stage-2 and the Stage-3 of Default Management Process
22. Annexure-22 - Procedures to be followed in the Stage-4 of Default Management Process
23. Annexure-23 - Risk disclosures
24. Annexure-24 - Data Format
25. Annexure-25 - Incident Reporting Form regarding cyber incidents by stock brokers
26. Annexure-26 - Form to report on AI and ML technologies
27. Annexure-27 - Systems deemed to be based on AI and ML technology
28. Annexure-28 – Consolidated Quarterly Reporting Form
29. Annexure-29 – Advisory for Financial Sector Organizations regarding Software as a Service (SaaS) based solutions
30. Annexure-30 – Root Cause Analysis (RCA) Form
31. Annexure-31 – Advisory for SEBI Regulated Entities (REs) regarding Cybersecurity best practices
32. Annexure-32 - Framework for Adoption of Cloud Services by SEBI Regulated Entities (REs)
33. Annexure-33 - Format for reporting changes in "status or constitution" of Members
34. Annexure-34 - Declaration cum undertaking
35. Annexure-35 – Application to SEBI for opening of wholly owned subsidiaries, step down subsidiaries or entering into joint ventures in GIFT IFSC
36. Annexure-36 - Information regarding Grievance Redressal Mechanism
37. Annexure-37 - Investor Charter - Stock Brokers
38. Annexure-38 – Format for Investor Complaints Data to be displayed by Stock Brokers on their respective websites
39. Annexure-39 - Affidavit of undertaking cum indemnity bond to be submitted by member to Stock Exchange / Clearing Corporation
40. Annexure-40 - Digital Mode of Payment
41. Annexure-41 - Details of FMC circulars which shall stand repealed and relevant SEBI circulars which shall be applicable
42. Annexure-42 - Details of FMC circulars contents/norms of which shall continue as they are specific to commodity derivative markets
43. Annexure-43 - Details of FMC circulars which shall stand repealed
44. Annexure-44 - Terms and conditions for allowing Bank guarantee from clients
45. Appendix - List of Circulars / Communication
46. Annexure A - List of Changes

List of Abbreviations

API: Application Programming Interface
CC: Clearing Corporation
CM: Clearing Member
CTCL: Computer-to-Computer Link
DP: Depository Participant
EPI: Early Pay-in
FII: Foreign Institutional Investor
GIFT IFSC: Gujarat International Finance Tec-City International Financial Services Centre
IPF: Investor Protection Fund
ISIN: International Securities Identification Number
KYC: Know Your Customer
LAN: Local Area Network
MoA: Memorandum of Association
NOC: No Objection Certificate
PAN: Permanent Account Number
PoA: Power of Attorney
SGF: Settlement Guarantee Fund
T-Day: Trading Day
TM: Trading Member
UCC: Unique Client Code
VaR: Value-at-Risk

IV. REGISTRATION OF STOCK BROKERS

1. Registration of Brokers - Verification of antecedents of the applicant [2]

[2] Reference: Circular SMD/POLICY/CIRCULAR/30/97 dated November 25, 1997.

1.1. In terms of Rule 8(1)(e) of Securities Contracts (Regulation) Rules, 1957, "no person shall be eligible to be elected as a member if he has been convicted of an offence involving fraud or dishonesty".

1.2. Stock Exchanges shall verify the antecedents of the applicant before granting admission as a member of Stock Exchange and also submit a declaration at the time of forwarding the applications for registration with SEBI, to the effect that the member has not been convicted of any offence involving fraud or dishonesty.

2. Conversion of individual membership into corporate membership [3]

[3] Reference: Circular SMD/POLICY/CIR-34/97 dated December 11, 1997.

2.1. In case of corporatisation of individual membership, the individual member may trade in his individual name pending registration of the corporate member by SEBI.

2.2. In case the corporate member acquires the membership through purchase of membership card of an individual member, the corporate member shall not be entitled to trade because of the provisions of Section 12 of the Securities and Exchange Board of India Act, 1992 (hereinafter referred to as “SEBI Act 1992”), till registration is granted to the corporate member by SEBI.

3. Additional information to be submitted at the time of registration of Stock Broker with SEBI [4]

[4] Reference: Circular SMD/POLICY/CIR-11/98 dated March 16, 1998.

3.1 In terms of Regulation 3(2) of the Securities and Exchange Board of India (Stock Brokers) Regulations, 1992 (hereinafter referred to as “Stock Brokers Regulations 1992”), a Stock Broker has to apply in Form A, Schedule I of the aforesaid Regulations, duly recommended by the Stock Exchange of which he is a member, for registration as a Stock Broker by SEBI.

3.2 While forwarding the applications in Form A, Stock Exchanges shall ensure that additional information as per the format at Annexure-1 is also submitted along with the application for all the cases sent for registration.

4. Additional requirements for processing applications of Stock Brokers for Registration/ Prior approval for sale of Membership/ Change of name/ Trade name [5]

[5] Reference: Circular SMD/DBA-II/CIR-22/2002 dated September 12, 2002.

4.1 The applications for grant of registration / requisite approvals are processed by SEBI based on information communicated by the Exchange/ members to SEBI. Such information can undergo a change within a very short period of time. It has been observed that in many cases information/ documents enclosed along with the applications are outdated for SEBI to take any cognizance of the same.

4.2 In order to improve the standard of information flow so as to enable SEBI to take an informed decision while processing applications, the following norms may be adhered to:

4.2.1 Application for registration of stock brokers:

a. Stock Exchanges shall ensure that the following documents which are forwarded by the Exchanges along with registration applications are not more than three months old from the date of forwarding of the application.

i. Form A
ii. Additional Information Form
iii. Undertakings furnished by the Applicant

4.2.2 Change of name applications for Brokers

a. Stock Exchanges shall ensure that change of name applications should be accompanied by information from the Exchange as to whether the change in name is accompanied by / associated with change in majority shareholding / management / control. Applications not accompanied with such information from the Exchange would be returned to the concerned exchanges.

b. Stock Exchanges shall instruct all the member brokers of the exchange to comply with the above instructions and ensure that applications forwarded to SEBI strictly adhere with the above time schedules / documents failing which the applications would be returned to the concerned Exchange.

4.3 Clarification regarding eligibility for availing fee continuity benefit by corporate entity formed by converting partnership membership card of the Exchange

4.3.1 In order to get benefit of clause I (4) of Schedule III of the Stock Brokers Regulations 1992, all erstwhile partner(s) should be whole-time directors in the corporate entity so formed, and the whole-time director shall individually (in case there is one whole-time director) or jointly (in case there are more than one whole-time directors) have to hold at least 40% of the paid up equity capital of the corporate entity formed for a period of at least three years from the date of such conversion.

4.3.2 In case of Exchanges which do not grant membership to the partnership firms, but permit individual members to form partnerships, each of the erstwhile member partner, now whole-time director of the corporate entity, will have to individually or jointly hold at least 40% of the paid-up capital of the corporate entity so formed for a period of at least three years from the date of such conversion.

5. Merger/ Amalgamation of Trading Members [6]

[6] Reference: Circular SMD/POLICY(BRK.REG.)/CIR-18/98 dated July 09, 1998. Paragraph in Circular SMD/POLICY(BRK.REG.)/CIR-18/98 dated July 09, 1998, which read “It is generally seen that while the application comes to SEBI after the court has approved the scheme of amalgamation/ merger, the existing entity is required to seek prior approval from SEBI in case of any change in its constitution, in terms of Rule 4(c) of SEBI (Stock Brokers) Regulations, 1992. Therefore, you are advised that as soon as the application for merger is filed before the High Court, the extinguishing broking entity should approach SEBI through the Stock Exchange for obtaining prior permission, to the scheme of merger/ amalgamation giving all necessary details of the proposal.” deleted in view of Notification LAD-NRO/GN/2011-12/03/12650 dated April 19, 2011.

5.1 When two or more corporate broking firms merge leading to creation of a new entity, the SEBI registration granted to the extinguishing entity does not automatically devolve upon the emerging entity and the new entity has to fulfil the eligibility criteria and apply afresh for registration and pay the registration fees.

5.2 The emerging entity may be allowed to trade on the registration of the extinguishing entity for a period of say 45 days. However, the emerging entity should apply to SEBI at the earliest and give an undertaking to be liable for the act of the extinguishing entity and such applications in any case should be made not later than 30 days of the registration granted by the Registrar of companies to the emerging entity.

6. Admission of Limited Liability Partnerships as Members of Stock Exchanges [7]

[7] Reference: Circular CIR/MIRSD/12/2011 dated July 11, 2011.

6.1 Securities Contract (Regulation) Rules, 1957 (hereinafter referred to as “SCRR 1957”) do not explicitly mention Limited Liability Partnerships (LLPs) as the Limited Liability Partnership Act, 2008 (hereinafter referred to as “LLP Act 2008”) was a subsequent development. As per the LLP Act 2008, LLP is a body corporate. Sub-rule 4A and 5 of Rule 8 of the SCRR 1957 provide that Limited Liability Companies (LLC) and partnership firms are eligible to be admitted as members of Stock Exchanges. In this context it may be stated that LLPs are akin to LLC and partnership firms.

6.2 In view of the above and since the Parliament has put in place a legal framework for LLPs, Stock Exchanges may consider granting membership to LLPs subject to LLP complying with the conditions laid down in Rule 8(4A) of the SCRR 1957, as far as it can apply to LLPs.

7. Single registration for Stock Brokers & Clearing Members [8]

[8] Reference: Circular CIR/MIRSD/4/2014 dated October 13, 2014.

7.1 As per the amendment to the Stock Brokers Regulations 1992 vide Notification No. LAD-NRO/GN/2014-15/15/1671 dated October 08, 2014, the requirement of obtaining registration as stock broker/ clearing member for each Stock Exchange/ Clearing Corporation has been done away with and instead a single registration with any Stock Exchange/ Clearing Corporation shall be required. For operating in any other Stock Exchange(s)/ Clearing Corporation(s), approval will be required from the concerned Stock Exchange or Clearing Corporation.

7.2 Registration requirements will be as per the following guidelines:

7.2.1 If a new entity desires to register as a stock broker or clearing member with any Stock Exchange or Clearing Corporation, as the case may be, then the entity shall apply to SEBI through the respective Stock Exchange or Clearing Corporation in the manner prescribed in the Stock Brokers Regulations 1992. The entity shall be issued one certificate of registration, irrespective of the Stock Exchange(s)/ Clearing Corporation(s) or number of segment(s).

7.2.2 If the entity is already registered with SEBI as a stock broker with any Stock Exchange, then for operating on any other Stock Exchange(s) or any Clearing Corporation, the entity can directly apply for approval to the concerned Stock Exchange or Clearing Corporation, as per the procedure prescribed in the Stock Brokers Regulations 1992 for registration. The Stock Exchange/ Clearing Corporation shall report to SEBI about such grant of approval.

7.2.3 Similarly, if any entity is already registered with SEBI as a clearing member in any Clearing Corporation, then for operating in any other Clearing Corporation(s) or any Stock Exchange, the entity shall follow the procedure as prescribed in para 7.2.2 above.

7.2.4 Fees shall be applicable for all the stock brokers, self-clearing members and clearing members as per Schedule V of the Stock Brokers Regulations 1992. As per current requirement, the entity shall continue to be liable to pay fees for each segment approved by the Stock Exchange or Clearing Corporation, as per the Schedule to the Stock Brokers Regulations 1992.

7.3 The Stock Exchange or Clearing Corporation shall grant approval for operating in any segment(s) or additional segment(s) to the SEBI registered stock broker, self-clearing member or clearing member, as the case may be, after exercising due diligence and on being satisfied about the compliance of all relevant eligibility requirements, and shall also, inter-alia ensure:

7.3.1 The applicant, its directors, proprietor, partners and associates satisfy the Fit and Proper Criteria as defined in the Securities and Exchange Board of India (Intermediaries) Regulations, 2008 (hereinafter referred to as “Intermediaries Regulations 2008”);

7.3.2 The applicant has taken satisfactory corrective steps to rectify the deficiencies or irregularities observed in the past in actions initiated/ taken by SEBI/ Stock Exchange(s) or other regulators. The Stock Exchange or Clearing Corporation may also seek details whether the Board of the applicant is satisfied about the steps taken. They may also carry out inspection, wherever considered appropriate; and

7.3.3 Recovery of all pending fees/ dues payable to SEBI, Stock Exchange and Clearing Corporation.

8. Registration of Members of Commodity Derivatives Exchanges [9]

[9] Reference: Circular CIR/MIRSD/4/2015 dated September 29, 2015.

8.1 Any person desirous of becoming a member of any commodity derivatives exchange(s), shall have to meet the eligibility criteria to become a member of an exchange and conditions of registration, as specified in SCRR 1957 and Stock Brokers Regulations 1992, respectively.

8.2 The application for registration shall be made in the manner prescribed in the Stock Brokers Regulations 1992, through the commodity derivatives exchange, of which it holds membership, in the prescribed form, along with the applicable fees. The application shall be accompanied by additional information as prescribed in Annexure-1 to this circular regarding additional information to be submitted at the time of registration of stock broker with SEBI.

8.3 The minimum net worth specified for members of commodity derivatives exchanges, shall have to be computed as prescribed in the Stock Brokers Regulations 1992.

8.4 “Business in goods related to the underlying” and/ or “business in connection with or incidental to or consequential to trades in commodity derivatives”, by a member of a Stock Exchange, would not be disqualified under Rule 8(1)(f) and Rule 8(3)(f) of the SCRR 1957.

9. Integration of broking activities in Equity Markets and Commodity Derivatives Markets under single entity [10]

[10] Reference: Circular SEBI/HO/MIRSD/MIRSD1/CIR/P/2017/104 dated September 21, 2017.

10.1 A stock broker can deal in commodity derivatives and other securities under a single entity, thereby facilitating ease of doing business.

10.2 As per the existing procedure under single registration mechanism, a one-time certificate of registration as stock broker / clearing member shall be granted by SEBI and subsequent permissions to act as a stock broker / clearing member of other Stock Exchanges / Clearing Corporation, shall be granted by the respective Stock Exchange / Clearing Corporation after proper due diligence.

10.3 Prior approval from SEBI will be required to be obtained by the stock broker only in cases where integration leads to change in control of the stock broker/clearing member.

10.4 Further, to facilitate integration between stock brokers, it is clarified that client account may be transferred from one stock broker to the other stock broker, by taking the express consent of the client through a verifiable mode of communication and thereby continuing with the existing set of documentation in respect of broker client relationship.

10. Uniform Membership structure across segments [11]

[11] Reference: Circular SEBI/HO/MIRSD/DOP/CIR/P/2019/14 dated January 11, 2019.

10.1 SEBI has implemented the mechanism of single registration, whereby a registered TM /CM can operate in any segment of the recognized Stock Exchange / Clearing Corporation under the single registration number granted by SEBI.

10.2 In order to implement uniform membership structure across equity cash and derivatives segments, following course of action is provided:

10.2.1 The membership structure as TM, Self-clearing Member (SCM), CM and Professional Clearing Member (PCM) as prevalent in equity derivatives segment has been implemented in cash segment with effect from April 01, 2019.

10.2.2 The existing Stock Brokers in cash segment of a Stock Exchange who are already registered as SCM / CM in derivatives segment have automatically become SCM / CM, as the case may be, in cash segment with effect from April 01, 2019.

10.2.3 The existing Stock Brokers in cash segment of a Stock Exchange who are not registered as SCM / CM in derivatives segment shall continue as SCM in cash segment with effect from April 01, 2019. However, -

10.2.3.1 Existing Stock Brokers in cash segment shall meet with the net-worth requirement as per formula prescribed by Dr. L.C. Gupta Committee as applicable to SCM / CM in equity derivatives segment on or before September 30, 2019.

10.2.3.2 Existing Stock Brokers in cash segment who fail to meet the net-worth requirement for SCM / CM on or before September 30, 2019 shall continue to trade as Trading Member in cash segment provided that they shall tie up with a CM / PCM for clearing and settlement of their trades on or before September 30, 2019.

11. Online Registration Mechanism for Securities Market Intermediaries [12]

[12] Reference: Circular SEBI/HO/MIRSD/MIRSD1/CIR/P/2017/38 dated May 02, 2017.

11.1 SEBI Intermediary Portal (https://siportal.sebi.gov.in) has been operationalized for the intermediaries to submit all the registration applications online. The SEBI Intermediary Portal includes online application for registration, processing of application, grant of final registration, application for surrender / cancellation, submission of periodical reports, requests for change of name / address / other details etc.

11.2 All applications for registration / surrender / other requests shall be made through SEBI Intermediary Portal only. The application in respect of stock brokers and depository participants shall continue to be made through the Stock Exchanges and Depositories respectively.

11.3 The applicants will be separately required to submit relevant documents viz. declarations / undertakings, in physical form, only for records without impacting the online processing of applications for registration.

11.4 Where applications are made through the Stock Exchanges / Depositories, the hard copy of the applications made by their members shall be preserved by them and shall be made available to SEBI, as and when called for.

12. Transfer of business by SEBI registered intermediaries to other legal entity [13]

[13] Reference: Circular SEBI/HO/MIRSD/DOR/CIR/P/2021/46 dated March 26, 2021.

12.1 The transferee shall obtain fresh registration from SEBI in the same capacity before the transfer of business if it is not registered with SEBI in the same capacity. SEBI shall issue new registration number to transferee different from transferor’s registration number in the following scenario: “Business is transferred through regulatory process (pursuant to merger/ amalgamation / corporate restructuring by way of order of primary regulator /government / NCLT, etc.) or non-regulatory process (as per private agreement /MOU pursuant to commercial dealing / private arrangement) irrespective of transferor continues to exist or ceases to exist after the said transfer.

12.2 In case of change in control pursuant to both regulatory process and non-regulatory process, prior approval and fresh registration shall be obtained. While granting fresh registration to same legal entity pursuant to change in control, same registration number shall be retained.

12.3 If the transferor ceases to exist, its certificate of registration shall be surrendered.

12.4 In case of complete transfer of business by transferor, it shall surrender its certificate of registration.

12.5 In case of partial transfer of business by transferor, it can continue to hold certificate of registration.

V. SUPERVISION & OVERSIGHT

13. Oversight of Members (Stock Brokers/Trading Members/Clearing Members of any Segment of Stock Exchanges and Clearing Corporations) [14]

13.1 Inspection of Members by Stock Exchanges / Clearing Corporations

13.1.1 The Stock Exchange or the Clearing Corporation, as the case may be, shall, in consultation with SEBI, formulate a policy for annual inspection of their members in various segments and follow up action thereon. The policy shall also cover various kinds of risks posed to the investors and market at large on account of the activities/business conduct of their members.

13.1.2 The Stock Exchange or the Clearing Corporation, as the case may be, shall conduct inspection of their members in various segments in terms of the above policy and in case of members who hold multiple memberships of the exchanges, the Stock Exchanges shall establish an information sharing mechanism with one another on the important outcome of inspection in order to improve the effectiveness of supervision.

13.1.3 The inspection shall cover:
a. Compliance with the relevant provisions of the Act, Rules and Regulations made there under, Rules and Regulation of the Stock Exchange / Clearing Corporation and the circulars issued by SEBI and Stock Exchanges / Clearing Corporations from time to time, and
b. Efficacy of the investor grievance redressal mechanism and discharge of various obligations towards clients,
for the preceding one year unless a longer period is warranted in the circumstances.

13.1.4 An illustrative list of common violations/deficiencies observed by SEBI in its inspections of members is enclosed as Annexure-2. The Stock Exchanges and Clearing Corporations are advised to bring this list to the notice of members with an advice to them to avoid these violations/deficiencies.

13.1.5 The Stock Exchange or the Clearing Corporation, as the case may be, shall initiate all the follow up action – remedial, penal and disciplinary - required on inspection findings, within six months from the conclusion of the inspection.

13.2 Internal Audit

13.2.1 The member shall carry out complete internal audit on a half yearly basis by an independent qualified Chartered Accountant, Company Secretary or Cost and Management Accountant who is in practice and does not have any conflict of interest.

13.2.2 The audit shall cover, inter alia,
a. the existence, scope and efficiency of the internal control system,
b. compliance with the provisions of the SEBI Act, 1992, Securities Contracts (Regulation) Act 1956 (hereinafter referred to as “SCRA 1956”), Intermediaries Regulations 2008, Stock Brokers Regulations 1992, circulars issued by SEBI from time to time, Bye Laws and Regulations and circulars issued by the Stock Exchange / Clearing Corporation,
c. data security and insurance in respect of operations, and
d. efficacy of the investor grievance redressal mechanism and discharge of various obligations towards clients.

13.2.3 The internal auditor shall submit the audit report to the member, who shall place it before its Board of Directors/Proprietor/Partners and shall forward the same along with para-wise comments to the respective Stock Exchange/ Clearing Corporation within two months from the end of the half year period.

13.2.4 The Stock Exchange/Clearing Corporation shall analyze the audit reports so received and take appropriate follow up action.

13.2.5 The Stock Exchange/Clearing Corporation shall initiate appropriate actions – remedial, penal or disciplinary - against the members where deficiencies are noticed in audit reports or where audit report has not been received, and inform the details of action taken to SEBI, within six months from the end of the half year period.

13.3 Default in case of Multiple Membership

13.3.1 Whenever a member of any segment is declared defaulter, the concerned Stock Exchange/Clearing Corporation shall immediately declare it a defaulter in all its segments. It shall also immediately inform all other Stock Exchanges/Clearing Corporations the details of the defaulter member such as name of the member, the names of the proprietors/partners/promoters/dominant shareholders, as applicable.

13.3.2 Immediately on receipt of the information about default of a member, the Stock Exchange / Clearing Corporation shall declare the said member defaulter on all its segments.

13.3.3 The Stock Exchanges / Clearing Corporations shall take appropriate action against the associates of defaulter member. For this purpose, the term ‘associate’ shall include a person:
a. who, directly or indirectly, by itself, or in combination with other persons, exercises control over the member, whether individual, body corporate or firm or holds substantial share of not less than 15% in the capital of such entities; or
b. in respect of whom the member, individual or body corporate or firm, directly or indirectly, by itself or in combination with other persons, exercises control; or
c. whose director or partner is also a director or partner of the member, body corporate or the firm, as the case may be.
Explanation: The expression “control” shall have the same meaning as defined under clause (e) of Regulation 2 of the Securities and Exchange Board of India (Substantial Acquisition of Shares and Takeovers) Regulations, 2011 (hereinafter referred to as “Takeover Regulations 2011”).

14 Reference: Circular SEBI/MIRSD/MASTER CIR-04/2010 dated March 17, 2010 and Circular CIR/MIRSD/13/2012 dated December 07, 2012.

14. Policy of Annual Inspection of Members by Stock Exchanges/Clearing Corporations [15]

14.1 Policy for annual inspection of members, as decided in consultations with the Stock Exchanges/Clearing Corporations is specified below.

14.2 The criteria for selection of members for annual inspection are as follows:

14.2.1 Stock Brokers servicing investors, getting disabled on account of funds shortages on more than three times in a month shall be inspected irrespective of the fact of when they were last inspected.

14.2.2 Stock Brokers servicing investors, having overnight disablement on account of margin shortage for more than two days shall be inspected irrespective of the fact of when they were last inspected.

14.2.3 Top twenty-five stock brokers paying high and recurring penalties for non-reporting or short reporting of margin/Client Code modification/CTCL mismatch fines or any other similar high risk compliance issue shall be inspected irrespective of when they were last inspected.

14.2.4 Top twenty-five stock brokers in terms of investor complaints and arbitration cases filed by investors shall be inspected irrespective of the fact of when they were last inspected.

14.2.5 Stock Brokers having adverse observations in the internal audit report on high risk issues like wrong reporting of margins, transfer of trades, pledging of client securities, dealing with unregistered intermediaries etc., shall be inspected irrespective of the fact of when they were last inspected.

14.2.6 Subsidiaries of Regional Stock Exchanges shall be inspected every year.

14.2.7 Stock Exchange shall frame internal policy for selection of stock brokers for inspection based on inputs/alerts from Risk Based Supervision.

14.2.8 Besides the above, the special purpose/limited inspections shall be carried out based on any triggers like patterns found during investor complaint resolution/Arbitration, complaints on specific malpractices of a broker or references from various authorities. The inspection shall be irrespective of the fact of when the last inspection was carried out.

14.2.9 Apart from the above, few stock brokers shall be selected by the Stock Exchanges on a random basis for inspection.

14.2.10 Stock Brokers who do not fall under any of the above category shall be inspected by the Stock Exchanges at least once in three years.

14.2.11 Stock Brokers selected on the above category shall be inspected for all segments and also for clearing activity if the stock broker is undertaking clearing for other stock brokers.

14.2.12 Inspections of Professional Clearing Members shall be conducted by Clearing Corporations once in two years.

14.3 Clearing activity undertaken by stock brokers for other stock brokers shall be inspected by Clearing Corporations. Other activities of stock brokers shall be inspected by Stock Exchanges. If Stock Exchanges and Clearing Corporations so desire, they can conduct joint inspections of stock brokers. Where Clearing Corporation has not been set up, Stock Exchange shall inspect all activities of stock brokers including activity of clearing for other stock brokers.

14.4 The Stock Exchanges/Clearing Corporations are advised to continuously assess the risks posed by their members and review/revise the policy of annual inspection, as and when required, in consultation with SEBI.

14.5 The Stock Exchanges shall establish an information sharing mechanism with one another on the important outcome of inspection of members who hold multiple memberships of the exchanges in order to improve the effectiveness of supervision and shall also bring cases of repetitive and / or serious violations to the notice of SEBI.

15 Reference: Circular CIR/HO/MIRSD/MIRSD2/CIR/P/2017/73 dated June 30, 2017.

15. Enhanced Supervision of Stock Brokers / Depository Participants [16]

15.1 SEBI constituted a committee on “Enhanced Supervision of Stock Brokers”, which included representatives from Stock Exchanges, Depositories and Brokers. With a view to implement the recommendations, the guidelines in para 15.3 to 15.11 below have been issued. These guidelines cover the following broad areas:

15.1.1 Uniform nomenclature to be followed by stock brokers for Naming/Tagging of Bank and Demat Accounts and the reporting of such accounts to the Stock Exchanges/Depositories.

15.1.2 Monitoring of Clients’ Funds lying with the stock broker by the Stock Exchanges, through a sophisticated alerting and reconciliation mechanism, to detect any misutilisation of clients’ fund.

15.1.3 Changes in the existing system of internal audit for stock brokers/depository participants viz. appointment, rotation of Internal Auditors, formulation of objective sample criteria, monitoring of quality of Internal Audit Reports, timeline for submissions of Internal Audit Reports, etc.

15.1.4 Monitoring of Financial Strength of Stock Brokers by Stock Exchanges so as to detect any signs of deteriorating financial health of stock brokers and serve as an early warning system to take preemptive and remedial measures.

15.1.5 Imposition of uniform penal action on stock brokers/depository participants by the Stock Exchanges/Depositories in the event of non-compliance with specified requirements.

15.1.6 Other Requirements:
a) Uploading client's funds and securities balances by Stock Brokers to Stock Exchange System and onwards transmission of the same to the clients for better transparency.

16 Reference: Circular SEBI/HO/MIRSD/MIRSD2/CIR/P/2016/95 dated September 26, 2016, Circular CIR/HO/MIRSD/MIRSD2/CIR/P/2017/64 dated June 22, 2017, Circular CIR/HO/MIRSD/MIRSD2/CIR/PB/2017/107 dated September 25, 2017 and Circular SEBI/HO/MIRSD/MIRSD2/CIR/P/2017/123 dated November 29, 2017.

b) Clarification on Running Account Settlement
c) Providing PAN details of Directors, Key Management Personnel and Dealers, to Stock Exchanges and any change thereof.

15.2 The provisions of enhanced supervision circular are not applicable to Regional Commodity Exchanges till further notice.

15.3 Naming/Tagging of Bank and Demat Accounts by Stock Broker [17]

15.3.1 Bank accounts and Demat accounts maintained by all stock brokers shall have appropriate nomenclature to reflect the purpose for which those bank/demat accounts are being maintained.

15.3.2 The nomenclature for bank accounts and demat accounts to be followed is given as under:

15.3.2.1 Up Streaming Client Nodal Bank Account (USCNBA): SB/CM shall receive clients’ funds in USCNBA. The nomenclature for such accounts shall be “Name of the SB/CM – USCNB account”.

15.3.2.2 Down Streaming Client Nodal Bank Account (DSCNBA): Payment to clients shall be done only from DSCNBA account. The nomenclature for such accounts shall be “Name of the SB/CM – DSCNB account”.

15.3.2.3 Bank account(s) held for the purpose of settlement would be named as "Name of Stock Broker - Settlement Account".

15.3.2.4 Stock brokers are required to maintain demat accounts only under the following 6 categories:

Table 1

| S.No. | Demat Account Category | Purpose of Demat Account |
|---|---|---|
| 1. | Proprietary Account | Hold Own Securities |
| 2. | Pool account | Settlement Purpose |
| 3. | Client Unpaid Securities Pledgee Account | For pledging of Unpaid Securities of Clients |
| 4. | Client Securities Margin Pledge Account | For Margin obligations to be given by way of Pledge/Re-pledge |
| 5. | Client Securities under Margin Funding Account | Hold funded securities in respect of margin funding |
| 6. | Client Nodal MFOS Account | For subscription/redemption of MFOS units |

15.3.3 Naming proprietary bank accounts of the stock broker as 'Stock Broker-Proprietary Account' is voluntary. It is however clarified that bank accounts which do not fall under the above para of 15.3.2.1 and 15.3.2.2 would be deemed to be proprietary.

15.3.4 All demat accounts maintained by stock brokers should be appropriately tagged. Further, it is prescribed that:

15.3.4.1 Credit of securities shall not be allowed in any demat account left untagged from July 01, 2022 onwards. Credits on account of corporate actions shall be permitted.

15.3.4.2 Debit of securities shall also not be allowed in any demat account left untagged from August 01, 2022.

15.3.4.3 Stock Broker shall obtain permission from Stock Exchanges to allow tagging of such demat accounts from August 01, 2022 onwards. Stock Exchange shall grant such approval within two working days after imposing penalty as per their internal policy.

15.3.4.4 The provision at 15.3.4 shall not be applicable for the demat accounts which are used exclusively for banking activities by stock brokers which are also banks.

15.4 Reporting of Bank and Demat accounts maintained by Stock Broker:

15.4.1 The stock brokers shall inform the Stock Exchanges of existing and new bank account(s) in the following format:

17 Reference: Circular SEBI/HO/MIRSD/MIRSD_DPIEA/P/CIR/2022/83 dated June 20, 2022, Circular SEBI/HO/MIRSD/MIRSD-PoD-1/P/CIR/2022/153 dated November 11, 2022 and Circular SEBI/HO/MIRSD/MIRSD-PoD-1/P/CIR/2023/187 dated December 12, 2023

Table 2

| Name and address of Bank | Name of the Branch | Account Number | IFSC Code | Name of Account | Purpose of Account (Own/Client/Settlement) | Date of Opening |
|---|---|---|---|---|---|---|

15.4.1.1 Stock Broker which is also Bank, may be required to report to the Stock Exchanges only those bank accounts that are used for their stock broking activities.

15.4.2 The stock brokers shall inform the Stock Exchanges of existing and new demat account(s) in the following format:

Table 3

| Name of DP | Account Number/Client ID | DP ID | Name of Account Holder | PAN | Sub-type/tag of Demat Account [18] | Date of Opening |
|---|---|---|---|---|---|---|

15.4.3 Stock Exchanges and/or Depositories, as the case may be, shall ensure the following:

15.4.3.1 All new bank and demat accounts opened by the stock brokers shall be named as per the above given nomenclature and the details shall be communicated to the Stock Exchanges within one week of the opening of the account.

15.4.3.2 In case of closure of any of the reported bank and demat accounts, the same shall be communicated to the Stock Exchanges within one week of its closure.

15.4.3.3 Depositories shall ensure that once the nomenclature for a particular demat account has been assigned by the stock broker, then the same shall not be modified.

15.4.3.4 Any non-compliance/non-reporting in this regard by the stock broker shall attract penal action as per the provisions of Stock Exchanges.

15.4.3.5 Based on the list of stock brokers (including PANs) provided by the respective Stock Exchanges, Depositories shall also provide stock broker-wise details of all the demat accounts opened by a stock broker to the concerned Stock Exchanges to facilitate reconciliation with the data submitted by the stock broker.

15.4.4 In line with the prevalent regulatory requirement, it is reiterated that;

15.4.4.1 Stock Broker shall not use client funds and securities for proprietary purposes including settlement of proprietary obligations.

15.4.4.2 Transfer of funds between "Name of Stock Broker - Client Account" and "Name of Stock Broker - Settlement Account" and client's own bank accounts is permitted. Transfer of funds from "Name of Stock Broker - Client Account" to "Name of Stock Broker - Proprietary Account" is permitted only for legitimate purposes, such as, recovery of brokerage, statutory dues, funds shortfall of debit balance clients which has been met by the stock broker, etc. For such transfer of funds, stock broker shall maintain daily reconciliation statement clearly indicating the amount of funds transferred.

15.4.4.3 The Stock Exchanges shall monitor compliance with the above requirements, during inspections and the same shall be reviewed by the internal auditor of the broker during the half yearly internal audits.

15.4.4.4 Stock Brokers shall not grant further exposure to the clients when debit balances arise out of client's failure to pay the required amount and such debit balances continue beyond the fifth trading day, as reckoned from date of pay-in, except, in accordance with the margin trading facility provided vide SEBI circular CIR/MRD/DP/54/2017 dated June 13, 2017 or as may be issued from time to time.

15.5 Monitoring of Clients’ Funds lying with the Stock Broker by the Stock Exchanges [19]

15.5.1 Stock Exchanges shall put in place a mechanism for monitoring clients’ funds lying with the stock broker to generate alerts on any misuse of clients’ funds by stock brokers, as per the guidelines stipulated in para 15.5.2 below.

15.5.2 Stock exchanges shall put in place a mechanism for monitoring of clients’ funds (‘G’ principle) lying with the stock brokers on the principle enumerated below:

G Principle: The total available funds i.e. cash and cash equivalent with the stock broker and with the clearing corporation/clearing member should always be equal to or greater than clients’ funds as per the ledger balance.

15.5.3 Based on the alerts generated, Stock Exchange shall, inter-alia, seek clarifications, carry out inspections and initiate appropriate actions to protect the clients’ funds from being misused. Stock Exchanges shall also maintain records of such clarifications sought and details of such inspections.

15.5.4 Stock Exchanges shall carry out the monitoring of clients’ funds for all stock brokers, except for those who are carrying out only proprietary trading and/or only trading for institutional clients.

15.5.5 Stock Brokers shall ensure due compliance in submitting the information to the Exchanges within the stipulated time.

15.6 Internal Audit of Stock Broker

15.6.1 SEBI has mandated half yearly internal audit for stock brokers/clearing members. The following additional requirements in relation to internal auditors shall become applicable:

15.6.2 Appointment and Rotation of Internal auditors

15.6.2.1 Stock Exchanges shall ensure that;

18 Reference: SEBI Circular SEBI/HO/MIRSD/MIRSD_DPIEA/P/CIR/2022/83 dated June 20, 2022

19 Reference: SEBI Circular SEBI/HO/MIRSD/MIRSD-PoD-1/P/CIR/2024/03 dated January 12, 2024

i. Stock Broker obtains from the internal auditor the following details and shares the same with the Stock Exchange:
a. Declaration stating that the internal auditor or its directors/partners have no interest in or relation with the stock broker concerned other than the proposed internal audit assignment, and
b. Details of the internal auditor viz., Name, Address, PAN, Designation of Auditor, Name & Address of the Audit Firm, registration number of the Auditor and the Audit firm, any regulatory action taken against internal auditor/partner/director, if any, etc.

ii. No stock broker shall appoint or re-appoint—
a. an individual as internal auditor for more than one term of five consecutive years; and
b. an audit firm as internal auditor for more than two terms of five consecutive years.

Provided that—

iii. An individual internal auditor who has completed his term under para ii(a) above shall not be eligible for re-appointment as internal auditor for the same stock broker for five years from the completion of his term.

iv. An audit firm which has completed its term under para ii(b) above, shall not be eligible for re-appointment as internal auditor for the same stock broker for five years from the completion of such term;

Provided further that as on the date of appointment no audit firm having a common partner or partners to the other audit firm, whose tenure has expired in a stock broker immediately preceding the financial year, shall be appointed as internal auditor for the same stock broker for a period of five years.

v. The block of five years shall start from FY 2016-17.

15.6.3 Formulation of objective sample criteria for Internal Audit

15.6.3.1 The Stock Exchanges shall, in consultation with each other, develop for each theme/area of the internal audit, a pre-defined objective sample criteria, which shall mention not only the sample size but also the method used for arriving at the sample size. For example, with respect to verification of compliance with KYC norms, instead of the current practice of selecting a minimum number of KYCs, the sample selected may be a certain percentage of the top clients in each client category (Corporate, Partnership, Individual, Trust, Others) based on total turnover on the Stock Exchange and whose account has been opened during the audit period. For each theme/area of audit, internal audit report shall clearly specify the sample size verified, number of instances where adverse observations have been made as also the details of the adverse observations.

15.6.4 Monitoring of quality of Internal Audit Reports

15.6.4.1 The Stock Exchange shall every year identify a certain number of internal auditors based on criteria, such as, number and size of stock brokers audited, discrepancy in findings of auditor vis-à-vis Stock Exchange inspection, regulatory actions taken against the auditor/partners/directors, etc. A certain number of stock brokers who have been audited by these identified internal auditors shall be selected for inspection by the Stock Exchanges. The selection of these stock brokers shall be on the basis of the Supervisory Risk Rating Score derived from the Risk Based Supervisory System. Further, the sample and period of inspection shall be the same as that used for internal audit.

15.6.4.2 In cases where material deviations are observed between the findings of the internal audit report and the Stock Exchange inspection report, the Stock Exchanges shall caution the stock broker to reconsider the appointment of that particular internal auditor. The same shall also be brought to notice of all the stock brokers who are audited by that particular internal auditor. The Stock Exchange shall also bring the deviations to the notice of the internal auditor. The Stock Exchange inspections shall be so planned that at least one client (i.e. stock broker) of each internal auditor is covered at least once in three years.

15.6.5 Submissions of Internal Audit Report

15.6.5.1 Stock Brokers shall ensure that the internal audit reports are submitted to the Exchanges within two months of the end of respective half years for which the audit is being conducted. The due date for submissions shall be as under:

Table 4

| S. No. | Period of Audit | Due date for submission |
|---|---|---|
| 1 | For half year ending September 30th | November 30th |
| 2 | For half year ending March 31st | May 31st |

15.6.6 Other requirements

15.6.6.1 The Stock Exchanges shall provide a mechanism to enable the internal auditor to report directly to the Stock Exchanges in the event of non-cooperation by the stock broker.

15.6.6.2 Stock Exchanges shall ensure that, the Internal Auditors also monitor the corrective steps taken by the stock brokers to rectify the deficiencies observed in the inspection carried out by SEBI/Stock Exchanges and the compliance thereof. The compliance status shall be made as part of the internal audit report.

15.7 Monitoring of Financial Strength of Stock Brokers

15.7.1 The Stock Exchanges shall monitor the following financial indicators and ratios of stock brokers.

15.7.1.1 Financial Indicators:
a. Percentage change in net worth over last year/last submission.
b. Percentage change in reserves and surplus or in accumulated losses over last year.

c. Percentage change in advance/margin/collaterals from customers over last year/submission.
d. Percentage change in inter corporate deposits given over last year/submission.

15.7.1.2 Financial Ratios:
a. (Total outside liabilities i.e. all liabilities of a broker except those owed to his shareholders) / (Net worth).
b. (Value of Investments or advances or loans to group companies or associates or firms or entities) / (Net worth).
c. (Value of maximum outstanding inter corporate debt during the year) / (Net worth).
d. (Value of maximum outstanding inter corporate debt during the year) / (Share capital).

15.7.2 Stock Brokers shall submit financial statements to Stock Exchanges in the same format as prescribed under the Companies Act, 2013 irrespective of whether they fall under the purview of the Companies Act, 2013 or not. The due date for submission of the aforesaid financial statements to Stock Exchanges shall be the same as prescribed under the Companies Act, 2013 for submission to Registrar of Companies.

15.7.3 No stock broker shall appoint or re-appoint—

15.7.3.1 an individual as statutory auditor for more than one term of five consecutive years; and

15.7.3.2 an audit firm as statutory auditor for more than two terms of five consecutive years:

Provided that –

15.7.4 An individual statutory auditor who has completed his term under para 15.7.3.1 above shall not be eligible for re-appointment as statutory auditor in the same stock broker for five years from the completion of his term.

15.7.5 A statutory audit firm which has completed its term under para 15.7.3.2 above, shall not be eligible for re-appointment as statutory auditor in the same stock broker for five years from the completion of such term.

Provided further that as on the date of appointment no statutory audit firm having a common partner or partners to the other audit firm, whose tenure has expired in a stock broker immediately preceding the financial year, shall be appointed as statutory auditor of the same stock broker for a period of five years.

15.8 Standard Operating Procedures for Stock Brokers/Depository Participants - Actions to be contemplated by Stock Exchanges/Depositories for any event based discrepancies

15.8.1 As per existing norms, Stock Exchanges /Depositories are required to monitor their members/depository participants. It has been decided that the Stock Exchanges and Depositories shall frame various event based monitoring criteria based on market dynamics and market intelligence. An illustrative list of such monitoring criteria is given below:

15.8.1.1 Monitoring criteria for Stock Brokers
a. Failure to furnish Networth certificate to Stock Exchange within 60 days for half year ending September 30th and half year ending March 31st.
b. Failure to furnish Internal Audit report to Stock Exchanges for half year ending September 30th by November 30th and half year ending March 31st by May 31st.
c. Failure to furnish Annual Audited Accounts by October 31st of the relevant year.
d. Failure to co-operate with the Stock Exchange for conducting inspection by not submitting all the information/records sought within 45 days from the due date specified in the letter of intimation.
e. Failure to submit data for the half yearly Risk Based Supervision within the time specified by Stock Exchange.
f. Failure to assign appropriate Bank and Demat nomenclature within the time specified and to report the same to the Stock Exchanges.
g. Failure to report new bank and demat accounts opened by the stock broker to exchanges within the time specified for reporting of such accounts.

h. Complaints pending for more than 30 days and total value of which is more than 50 per cent of the Networth of the Broker.
i. If, at any point of time, Net worth of the Broker is negative or lower than 75 per cent of the requirement.
j. In case stock broker shares incomplete/wrong data or fails to submit data on time.
k. Failure to submit financial statements as per timeline prescribed under Companies Act, 2013.

15.8.1.2 Monitoring criteria for Depository Participants
a. Failure to furnish Networth certificate to Depository for year ending March 31st by October 31st.
b. Failure to furnish Internal Audit report to Depository for half year ending September 30th by November 15th and half year ending March 31st by May 15th.
c. Failure to co-operate with the Depository for conducting inspection by not submitting all the information/records sought within 45 days from the due date specified in the letter of intimation.
d. Failure to submit data for the half yearly Risk Based Supervision within the time specified by Depositories.
e. Failure to furnish half yearly compliance certificate/report to Depository for half year ending June 30th by July 30th and half year ending December 31st by January 31st.
f. Failure to furnish monthly Investor grievance report by 10th day of next month.
g. In case depository participant shares incomplete/wrong data or fails to submit data on time.
h. Failure to submit financial statements as per timeline prescribed by the Depositories.

15.8.1.3 The Stock Exchanges and Depositories shall jointly frame uniform penal action on stock brokers and depository participants respectively, in the event of noncompliance with the illustrative criteria listed above. Provided further that Stock Exchanges and Depositories may also frame more stringent criteria than as mentioned above.

15.9 Uploading clients' fund balance and securities balance by the Stock Brokers on Stock Exchange system

36 15.9.1 The Stock Exchanges shall put in place a mechanism and ensure that stock brokers upload the following data on a monthly basis for every client onto each Stock Exchange system where the broker is a member: 15.9.1.1 Exchange-wise end of day fund balance as per the client ledger, consolidated across all segments and also net funds payable or receivable by the broker to/from the client across all Exchanges. 15.9.1.2 End of day securities balances ISIN wise (as on last trading day of the month) and End of day securities balances (as on last trading day of the month) consolidated ISIN wise (i.e., total number of ISINs and total number of securities across all ISINs). 15.9.1.3 ISIN wise number of securities pledged, if any, and the funds raised from the pledging of such securities and consolidated number of securities pledged (i.e., total number of ISINs and total number of securities across all ISINs), if any and the funds raised from the pledging of such securities. 15.9.1.4 The data at Para 15.9.1.1, 15.9.1.2 and 15.9.1.3 pertains to the last trading day of the month. The stock broker shall submit the aforesaid data within seven calendar days of the last trading day of the month. 15.9.1.5 Stock Broker shall not be required to upload the data for the following clients onto the Stock Exchange system: a. Custodian settled clients b. Client with zero funds and securities zero balances and also not traded in the last 12 months. 15.9.2 Each Stock Exchange shall in turn forward – 15.9.2.1 Information at Para 15.9.1.1, 15.9.1.2 and 15.9.1.3 to clients via Email on the email IDs uploaded by the stock broker to the exchange for their clients. 15.9.2.2 Information at Para 15.9.1.1, 15.9.1.2 (only consolidated data) and 15.9.1.3 (only consolidated data) to clients via SMS on

mobile numbers uploaded by the stock broker to the Exchange for their clients.

15.10 Running Account Settlement [20]
15.10.1 The stock broker shall ensure that:
15.10.1.1 The TM, after considering the End of the Day (EOD) obligation of funds across all the Exchanges, shall settle the running accounts at the choice of the clients on quarterly and monthly basis, on the dates stipulated by the Stock Exchanges.
15.10.1.2 Stock exchanges shall, jointly, issue the annual calendar for the settlement of running account (quarterly and monthly) at the beginning of the financial year.
15.10.1.3 TM shall ensure that funds, if any, received from clients, whose running account has been settled, remain in the “Up Streaming Client Nodal Bank Account” and no such funds shall be used for settlement of running account of other clients. Stock Exchanges shall evolve a monitoring mechanism for this purpose.
15.10.1.4 For the purpose of settlement of funds, the mode of transfer of funds shall be by way of electronic funds transfer viz., through National Electronic Funds Transfer (NEFT), Real Time Gross Settlement (RTGS), etc.
15.10.1.5 The required bank details for initiating electronic fund transfers shall be obtained from new clients and shall be updated for existing clients. Only in cases where electronic payment instructions have failed or have been

[20] Reference: Circular MIRSD/ SE /Cir-19/2009 dated December 03, 2009, Circular SEBI/HO/MIRSD/MIRSD2/CIR/P/2016/95 dated September 26, 2016, Circular SEBI/HO/MIRSD/DOP/P/CIR/2021/577 dated June 16, 2021, Circular SEBI/HO/MIRSD/DoP/P/CIR/2022/101 dated July 27, 2022 and Circular SEBI/HO/MIRSD/MIRSD-PoD1/P/CIR/2023/197 dated December 28, 2023

rejected by the bank, then the stock broker may issue a physical payment instrument.
15.10.1.6 In cases where physical payment instrument (cheque or demand draft) is issued by the TM towards the settlement of running account due to failure of electronic payment instructions, the date of realization of physical instrument into client’s bank account shall be considered as settlement date and not the date of issue of physical instrument.
15.10.1.7 Once the TM settles the running account of funds of a client, an intimation shall be sent to the client by SMS on mobile number and also by email. The intimation should also include details about the transfer of funds (in case of electronic transfer – transaction number and date; in case of physical payment instruments – instrument number and date). TM shall send the retention statement along with the statement of running accounts to the clients as per the existing provisions within five working days.

15.11 Providing PAN Number
15.11.1 The stock brokers shall provide Permanent Account Numbers of all their Directors, Key Management Personnel and dealers to the Stock Exchanges. Any change in the aforesaid details/information shall be intimated to the Stock Exchanges within seven days of such change.

16. Annual System Audit of Stock Brokers / Trading Members [21]
16.1 System audit guidelines for Stock Brokers / Trading members prescribed below includes System Audit Process, Auditor Selection Norms and Terms of Reference (TOR).
16.2 The Stock Exchanges should ensure that system audit of stock brokers / trading members is conducted in accordance with the prescribed guidelines.

[21] Reference: Circular CIR/MRD/DMS/34/2013 dated November 06, 2013.

16.3 Exchanges are advised to keep track of findings of system audits of all brokers on quarterly basis and ensure that all major audit findings, specifically in critical areas, are rectified / complied in a time bound manner failing which follow up inspection of such brokers may be taken up for necessary corrective steps / actions thereafter, if any.
16.4 Stock Exchange should report all major non-compliances / observations of system auditors, broker wise, on a quarterly basis to SEBI.

Table 8 Stock Broker System Audit Framework

1. Audit Process
1.1. System Audit of stock brokers should be conducted with the following periodicity:
1.1.1. Annual system audit is prescribed for stock brokers who satisfy any of the following criteria:
a. Stock Brokers who use [Computer-to-Computer Link (CTCL) or Intermediate Messaging Layer (IML)] (or other similar trading facilities) / Internet Based Trading (IBT)/ Direct Market Access (DMA)/ Securities Trading using Wireless Technology (STWT) / Smart Order Routing (SOR) and have presence in more than 10 locations or number of terminals are more than fifty.
b. Stock Brokers who are depository participants or are involved in offering any other financial services.
1.1.2. Half yearly system audit has been prescribed for stock brokers who use Algorithmic Trading or provide their clients with the facility of Algorithmic Trading as per SEBI Circular CIR/MRD/16/2013 dated May 21, 2013.
1.1.3. For all other stock brokers, system audit shall be conducted once in two years.
1.2. Such audit shall be conducted in accordance with the Norms, Terms of Reference (ToR) and Guidelines issued by SEBI and / or by Stock

Exchanges. Separate ToRs are specified for the following categories of brokers:
1.2.1. Type I Broker: Brokers who trade through exchange provided terminals such as NSE’s NEAT, BSE’s BOLT, MCX-SX’s TWS, etc. (ToR attached as Annexure-3 below); [22]
1.2.2. Type II Broker: Brokers who trade through API based trading terminals like [CTCL or IML] or IBT/DMA/STWT or SOR facility and who may also be TYPE I Brokers. (ToR attached as Annexure-4 below)
1.2.3. Type III Broker: Brokers who use Algorithmic Trading facility to trade and who may also be TYPE II Brokers. (ToR attached as Annexure-5 below)
1.3. Stock brokers shall select auditors as per the selection norms provided in the guidelines and directions issued by Stock Exchanges and SEBI from time to time. The Auditor may perform a maximum of three successive audits of the stock broker.
1.4. The Stock Exchanges shall periodically review ToR of such system audit and, if required, shall suitably revise the ToR after taking into consideration developments that have taken place in the securities market since the last review of ToR, observations reported in the audit reports of the stock brokers and directions issued by SEBI from time to time in this regard.
1.5. The auditor in its report shall specify compliance / non-compliance status with regard to areas mentioned in ToR. Observations on minor / major deviations as well as qualitative comments for scope for improvement shall also be specified in the report. The auditor shall also take into consideration the observations / issues mentioned in the previous audit reports and cover open items in the report. The audit report submitted by the auditor should be forwarded to the Stock Exchange by the Stock Broker along with management comments, within one month of submission of report by the auditor.
1.6. Stock Exchange shall ensure that the management of the stock broker

[22] Vide Letter MRD/DMS/OW/9500/2015 dated March 31, 2015, SEBI informed Stock Exchanges that System Audit requirement for Type I brokers may be kept on hold till further communication from SEBI.

provides their comment about the non-compliance / non-conformities (NCs) and observations mentioned in the report. For each NC, specific time-bound (within 3 months of submission of report by the exchange) corrective action must be taken and reported to the Stock Exchange. The auditor should indicate if a follow-on audit is required to review the status of NCs.
1.7. In order to ensure that the corrective actions are taken by the stock broker, follow-on audit, if any, shall be scheduled by the stock broker within 6 months of submission of the audit report by the system auditor.
1.8. The system auditors should follow the reporting standard as specified in Annexure-6 of this Framework for the executive summary of the System Audit report to highlight the major findings of the System Audit.

2. Auditor Selection Norms
2.1. The Auditor shall have minimum three years of experience in IT audit of securities market participants e.g. Stock Exchanges, Clearing Corporation, Depositories, stock brokers, depository participants etc. The audit experience should cover all the major areas mentioned under Terms of Reference (ToR) of the system audit specified by SEBI / Stock Exchange.
2.2. It is recommended that resources employed shall have relevant industry recognized certifications e.g. D.I.S.A. (ICAI) Qualification, CISA (Certified Information System Auditor) from ISACA, CISM (Certified Information Securities Manager) from ISACA, CISSP (Certified Information Systems Security Professional) from International Information Systems Security Certification Consortium, commonly known as (ISC)².
2.3. The Auditor should have experience of IT audit/governance frameworks and processes conforming to industry leading practices like CobiT.
2.4. The Auditor shall not have any conflict of interest in conducting fair, objective and independent audit of the stock broker. Further, the directors / partners of Auditor firm shall not be related to any stock broker including its directors or promoters either directly or indirectly.
2.5. The Auditor shall not have any cases pending against its previous audited companies/firms, which fall under SEBI’s jurisdiction, which point to its incompetence and/or unsuitability to perform the audit task.

17. Early Warning Mechanism to prevent diversion of client securities [23]
17.1 It has been decided to put in place an Early Warning Mechanism and sharing of information between Stock Exchanges, Depositories and Clearing Corporations to detect the diversion of client’s securities by the stock broker at an early stage so as to take appropriate preventive measures. The threshold for such early warning signals shall be decided by the Stock Exchanges, Depositories and Clearing Corporations with mutual consultation.
17.2 Early warning signals, for prevention of diversion of clients' securities, may include the following:
17.2.1 Deterioration in financial health of the stock broker/ depository participant based on any of the following parameters:
a) Significant reduction in net worth over previous half-year / year.
b) Significant losses in the previous half years / years.
c) Delay in reporting of Annual Report, Balance Sheet, Internal Audit Reports, Risk Based Supervision (RBS) data and any other data related to its financial health to the Stock Exchanges / Depositories.
d) Failure to submit information sought by the Stock Exchange / Depositories on its dealing with related parties / promoters.
e) Significant mark-to-market loss on proprietary account / related party accounts.
f) Repeated instances of pay-in shortages.
g) Significant trading exposure or amount of loans or advances given to and investments made in related parties / group.
h) Sudden activation of significant number of dormant client's accounts and / or significant activity in the dormant account/s.
i) Significant number of UCC modifications.
j) Resignation of Statutory Auditors or Directors.
17.2.2 Early warning signals in relation to securities pledge transactions by the stock broker to be identified by the Depositories and shall be shared with Stock Exchanges which may include:
a) Alerts for stock brokers maintaining multiple proprietary demat accounts and opening any new demat account in the name of stock

[23] Reference: Circular SEBI/HO/MIRSD/DOP/CIR/P/2018/153 dated December 17, 2018

broker for client purpose.
b) Movement of shares to / from a large number of clients' demat accounts or large value shares to stock broker proprietary accounts and vice versa.
c) Transfer of large value of shares through off-market transfers other than for settlement purposes.
d) Invocation of pledge of securities by lenders against stock broker or his clients.
e) Significant depletion of client's shares in the stock broker client account maintained by the stock broker.
17.2.3 Increase in number of investor complaints against the stock broker/depository participant alleging un-authorized trading / unauthorized delivery instructions being processed and non-receipt of funds and securities and non-resolution of the same.
17.2.4 Alerts generated from the monthly / weekly submissions made by stock broker under Risk Based Supervision (RBS) or Enhanced Supervision to the Stock Exchanges.
a) Non-recovery of significant dues from debit balance clients over a period of time.
b) Significant dues to credit balance clients over a period of time.
c) Failure by stock broker to upload weekly data regarding monitoring of clients' funds as specified in SEBI's circular on Enhanced Supervision, for three consecutive weeks.
d) Pledging securities in case of clients having credit balance and using the funds so raised against them for own purposes or for funding debit balance of clients.
e) Mis-reporting / wrong reporting about the client funds / securities.
f) Significant increase in RBS score.
17.2.5 Stock broker’s terminal disabled for certain number of days in any segment / Stock Exchange in previous quarter.
17.2.6 Stock Exchanges and Depositories shall frame an internal policy / guidelines regarding non-cooperation by stock brokers and depository participants during inspections which shall lay down the time period, the type of documents critical for closing the inspections, which if not submitted, can be treated as non-cooperation.
I. Failure to submit data sought for inspections especially relating to bank/demat accounts, client ledgers etc. despite repeated reminders.

II. Failure to provide reasonable access to the records or any office premises.

17.3 Stock Exchanges / Clearing Corporations / Depositories shall devise a mechanism to detect diversion of clients’ securities and to share information among themselves in respect of:
17.3.1 Diversion of pay-out of securities to non-client accounts.
17.3.2 Mis-matches between gross (client-wise) securities pay-in and pay-out files of a stock broker generated by the Clearing Corporation which shall be compared with actual transfer of securities to/from the client’s depository accounts by the Depository. The cases of any mismatch found out by the Depository shall be informed to the concerned Stock Exchange / Clearing Corporation.
17.3.3 Stock Exchange shall seek clarification from the concerned stock broker on the mismatches reported by Depository and identify transfer to a non-client/third party, without any trade obligation.
17.3.4 Such information on wrong / fraudulent / unauthorized transfer shall be shared by the Stock Exchange with other Stock Exchanges.
17.4 Any other alerts as the Stock Exchanges / Clearing Corporations and Depositories may deem fit.
17.5 Alerts triggered at one Stock Exchange / Clearing Corporation / Depository through early warning mechanism shall be immediately shared with other Stock Exchanges / Depositories with respect to the stock broker / depository participant.
17.6 Based on the analysis of the early warning data, if it is established that the stock broker's financial health has deteriorated and/or he has made unauthorized transfer of funds / securities of the client, in such cases Stock Exchanges / Depositories shall jointly take preventive actions on the stock broker which may include one or more of, but not limited to, the following:
17.6.1 Actions to be initiated by the Stock Exchanges like:
17.6.1.1 Blocking of certain percentage of available collaterals towards margin.

17.6.1.2 Check securities register in respect of securities received and transferred against pay-in / pay-out against settlement.
17.6.1.3 Check details of funds and securities available with the clearing member, Clearing Corporation and the Depository of that stock broker.
17.6.1.4 Impose limits on proprietary trading by the stock broker.
17.6.1.5 Prescribe and monitor shorter time duration for settlement of Running Account of clients.
17.6.1.6 Conduct meeting with the designated directors of the stock broker to seek appropriate explanation.
17.6.1.7 Uniform action of deactivation of trading terminals by all Stock Exchanges based on the communication received from other Stock Exchange.
17.6.1.8 Initiate inspection of the stock broker / depository participant.
17.6.1.9 Cross check information submitted by stock broker with other independent sources like collateral details with the Clearing Corporation, transactions in Bank and Depositories, with statement collected directly etc.
17.6.1.10 Where client money and securities diversion is suspected, appoint forensic auditor to trace trails of entire funds and securities of clients.
17.6.2 Actions to be taken by the Depositories:
17.6.2.1 Imposition of 100% concurrent audit on the depository participant.
17.6.2.2 Cessation / restriction on uses of Power of Attorney (POA) given to stock broker by clients mapped to such brokers only to meet settlement obligation of that client. Clients to

issue instructions electronically or through Delivery Instruction Slip (DIS) for delivery of shares for off market transfers.
17.6.3 Any other measures that Stock Exchanges / Clearing Corporations / Depositories may deem fit.

18. Enhanced obligations and responsibilities on Qualified Stock Brokers (QSBs) [24]
18.1 In order to further strengthen the compliance and monitoring requirements relating to stock brokers and to ensure efficient functioning of securities market, SEBI, vide Gazette Notification dated January 17, 2023, amended the SEBI (Stock Broker) Regulations, 1992 for designating certain stock brokers, having regard to their size and scale of operations, likely impact on investors and securities market, as well as governance and service standards, as Qualified Stock Brokers (QSBs), on the basis of certain parameters and appropriate weightages thereon.
18.2 The stock broker designated as a QSB shall be required to meet enhanced obligations and discharge responsibilities to ensure appropriate governance structure, appropriate risk management policy and processes, scalable infrastructure and appropriate technical capacity, framework for orderly winding down, robust cyber security framework, and investor services including online complaint redressal mechanism.
18.3 This circular details the parameters which shall be considered for designating a stock broker as QSB, enhanced obligations and responsibilities which shall be cast on such QSBs and guidelines on enhanced monitoring of QSBs which shall be carried out by Market Infrastructure Institutions (MIIs).
18.4 Parameters for designating a stock broker as QSB:
18.4.1 The following parameters shall be considered for designating a stock broker as QSB:
18.4.1.1 the total number of active clients of the stock broker;
18.4.1.2 the available total assets of clients with the stock broker;

[24] Reference: Circular SEBI/HO/MIRSD/MIRSD-PoD-1/P/CIR/2023/24 dated February 06, 2023 and Circular SEBI/HO/MIRSD/MIRSD-PoD-1/P/CIR/2024/14 dated March 11, 2024

18.4.1.3 the trading volumes of the stock broker (excluding the proprietary trading volume of the stock broker);
18.4.1.4 the end of day margin obligations of all clients of a stock broker (excluding the proprietary margin obligation of the stock broker in all segments);
18.4.1.5 the proprietary trading volumes of the stock broker;
18.4.1.6 compliance score of the stock broker; and
18.4.1.7 grievance redressal score of the stock broker.

Procedure for identifying a stock broker as QSB:
18.4.2 The following procedure shall be followed for identifying a stock broker as QSB:
18.4.2.1 For each stock broker, the percentage (%) of a particular parameter compared to aggregate of the respective parameter summed across all stock brokers shall be calculated, viz. % of count of active clients for a particular broker shall be calculated by dividing the individual count of active clients for a particular broker by total number of active clients of all the stock brokers and the value is multiplied by 100. Similarly, individual % shall be calculated for all the parameters mentioned at para 18.4.1.1 to 18.4.1.7 above.
18.4.2.2 Based on the % of various parameters calculated above, the following stock brokers shall be identified as QSBs:
18.4.2.2.1 Stock brokers with a total sum of individual % of the parameters mentioned at para 18.4.1.1 to 18.4.1.5, greater than or equal to six point two five (6.25) shall be identified as QSBs.
18.4.2.2.2 In case of the parameter mentioned at para 18.4.1.6, i.e., compliance score of the stock broker, all stockbrokers (subject to maximum of 5) shall be considered as QSBs, if their individual compliance score is equal to or more than 2%.
18.4.2.2.3 In case of the parameter mentioned at para 18.4.1.7, i.e., grievance redressal score of the stock broker, all stockbrokers (subject to maximum of 5) shall be considered as QSBs, if their individual grievance redressal score is equal to or more than 5%.
18.4.3 The values shall be calculated on an annual basis and the revised list

of QSBs shall be released jointly by stock exchanges, in consultation with SEBI. For calculating the values for a particular year, parameters as on December 31st of such year shall be considered.
18.4.4 Once the revised list of QSBs is released, those QSBs which no longer belong to the list, shall continue to comply with the enhanced obligations and responsibilities, for an additional period of 3 financial years or such time, as may be specified by Market Infrastructure Institutions (MIIs), in consultation with SEBI.

Facilitating stockbrokers to voluntarily get designated as QSBs:
18.4.5 In order to strengthen the compliance culture among stock brokers and thereby, encourage stock brokers to follow the enhanced obligations and responsibilities, it has been decided to facilitate stockbrokers to voluntarily get designated as QSBs, who otherwise would not have qualified to become QSBs by virtue of the parameters enumerated at para 18.4.1.
18.4.6 Such voluntarily designated QSBs shall have to abide by all the enhanced obligations and responsibilities for QSBs stated at paras 18.5 and 18.6 of this circular including such other provisions as may be prescribed by SEBI/stock exchanges from time to time. The detailed operational modalities in this regard shall be issued by stock exchanges, in consultation with SEBI.

18.5 Enhanced obligations and responsibilities for QSBs:
18.5.1 Governance structure and processes:
18.5.1.1 The Board of Directors (BoD) or analogous body of QSBs shall exercise oversight over incidents/vulnerabilities having an impact on functioning of the QSB in the securities market and investor protection including data security breaches that can affect investor data.
18.5.1.2 Further, QSBs shall have committees of the Board of Directors (BoD) or analogous body such as Audit Committee (for listed QSBs), Nomination and Remuneration Committee, Risk Management Committee, Information Technology (IT) Committee, Cybersecurity Committee and any other committee as mandated by SEBI from time to time.

a) The Chief Financial Officer (CFO) or analogous person of the QSB shall submit to the audit committee, details in respect of financial status of the entity, disclosure of any related party transactions, inter-corporate loans and investments, internal financial controls and risk management systems, compliance with listing and other legal requirements relating to financial statements, adherence to regulatory provisions etc.
b) QSBs shall, before appointing directors, Key Managerial Personnel (KMP) and other employees, consult the nomination and remuneration committee with regard to their appointment, tenure and remuneration.
c) QSBs shall seek inputs from various committees such as risk management committee and cybersecurity committee while framing policies relating to respective areas such as risk management of the organization, establishing a robust cyber security framework and augmenting IT infrastructure and scalability of operations.
18.5.1.3 QSBs shall submit an annual report to the stock exchanges regarding the observations of the committees of BOD or analogous body, corrective action taken by the QSB and measures taken to prevent recurrence of such incidents.

18.5.2 Risk Management Policy and Processes:
18.5.2.1 QSBs shall devise a clear and a well-documented risk management policy which encompasses the following:
a) List of all relevant risks which may have to be borne by the QSBs such as:
i. risks which can arise during KYC and account opening process such as submission of incomplete KYC forms by the clients, submission of fake information with an intention to commit frauds and non-updation of information submitted as and when there is any change in the information submitted during KYC;

ii. operational risks such as faulty systems which can cause erroneous execution of orders from clients’ account and/or unauthorized trading on behalf of the client and misutilization of client’s sensitive information by any employee of the QSBs;
iii. technology risks which include technical glitches and cyber-attacks; and
iv. general risks such as fraud risk, credit risk, market risk, legal risk, reputation risk and risk due to outsourcing of activities to third parties.
18.5.2.2 Such risk management policy shall:
a) strive to address the root cause of the risks and try to prevent recurrence of such risks;
b) enable early identification and prevention of risk;
c) assess the likely impact of a probable risk event on various aspects of the functioning of the QSB such as impact on investors, financial loss to the QSB, impact on other stakeholders in the market, reputational loss etc. and lay down measures to minimize the impact of such event; and
d) assign accountability and responsibility of Key Managerial Personnel (KMP) in the organization.

Surveillance of client behaviour:
18.5.2.3 The risk management framework shall have measures for carrying out surveillance of client behaviour through analyzing the pattern of trading done by clients, detection of any unusual activity being done by such clients, reporting the same to stock exchanges and taking necessary measures to prevent any kind of fraudulent activity in the market in terms of the regulatory requirements prescribed by SEBI and MIIs.

Ensuring Integrity of Operations:

18.5.2.4 QSBs shall maintain adequate human resources, systems, processes and procedures for seamless running of operations and protection of investor data.
18.5.2.5 The staff of the QSBs shall be given the necessary resources and support to carry out their duties effectively and efficiently. The QSBs shall train their employees at regular intervals in matters relating to the activities being handled by them.
18.5.2.6 A CXO level officer shall be designated as responsible for managing key risks, i.e., Chief Compliance Officer (responsible for all regulatory compliance related activities), Chief Information Security Officer (responsible for all cyber security related activities), Chief Risk Officer (responsible for overall risk management associated with functioning of the QSB).
18.5.2.7 QSBs shall employ adequate tools to automate process of risk management, reporting and compliance.
18.5.2.8 The risk management policy shall be reviewed on half yearly basis by the QSB and a report in this regard shall be submitted by the risk management committee of the QSB to the stock exchange.
18.5.2.9 The BoD/senior management shall view any recurrence of a particular incident seriously and take prompt and appropriate action including fixation of accountability.

18.5.3 Scalable infrastructure and appropriate technical capacity:
18.5.3.1 The QSBs shall put in place a policy framework, approved by its IT committee, for upgradation of infrastructure and technology from time to time to ensure smooth functioning and scalability for delivering services to investors at all times. Such framework should be reviewed on half-yearly basis.
18.5.3.2 QSBs shall, at all times, maintain adequate technical capacity to process 2 times the peak transaction load encountered during the preceding half year and shall also fulfill all other requirements as specified by SEBI/MIIs from time to time, in

this regard.

18.5.4 Framework for orderly winding down:
18.5.4.1 QSB shall put in place a framework for orderly wind down of its business to ensure continuity of services to its clients in case of closure of business by the QSB due to its inability to provide services to its clients or meet the prescribed regulatory requirements or any other reason. Such wind-down framework shall encompass the following:
a) Seamless portability of its clients to other SEBI registered stock brokers while protecting the funds and securities of such clients;
b) Providing all necessary support to the clients to ensure a smooth and secure transfer process;
c) Providing adequate notice to the clients before winding down of the operations after taking approval of the stock exchanges; and
d) Preventing any significant impact on the market and inconvenience to the investors.
18.5.4.2 In case of wind down which may happen due to regulatory action, erosion of networth of the QSB etc., such wind down of operations of the QSB will be implemented under the supervision of the stock exchange.

18.5.5 Robust cyber security framework and processes:
18.5.5.1 Digitalization and online platforms have given rise to need for effective mitigation of information and cyber risks. SEBI has specified the framework on cybersecurity and cyber resilience to be followed by all stock brokers.
18.5.5.2 However, QSBs handle sensitive data of a large number of the investors in the securities market and any cyber-attack on the systems of a QSB can compromise the confidentiality and integrity of such data.

18.5.5.3 Hence, QSBs shall have additional features in their cyber security framework which would be commensurate with the amount of data handled by them. The cyber security committee of the QSB shall review the framework on half-yearly basis and review the instances of cyber-attacks, if any, and take steps to strengthen the cyber security framework of the QSB.
18.5.5.4 The QSBs shall have a dedicated team of security analysts, which may include domain experts in the field of cyber security and resilience, network security and data security which shall carry out the following activities:
a) Prevention of cyber security incidents through continuous threat analysis, network and host scanning for vulnerabilities and breaches, deploying adequate and appropriate technology to prevent attacks originating from external environment and internal controls to manage insider threats etc.
b) Monitoring, detection and analysis of potential intrusions/security incidents in real time and through historical trending on security-relevant data sources.
c) Operating network defence technologies such as Intrusion Detection Systems (IDSes) and data collection/analysis systems.
d) Conducting cyber-attack simulation on quarterly basis to aid in developing cyber resiliency measures and test the adequacy and effectiveness of the framework adopted.
e) Conducting awareness and training programs for its employees with regard to cyber security and situational awareness on quarterly basis.
f) Prevention of attacks similar to those already faced.
18.5.5.5 Such dedicated team shall submit a quarterly report to the BoD of QSB, on above mentioned activities carried out by them

along with details of cybersecurity incidents which occurred and details of incidents which were prevented from occurring.
18.5.5.6 The dedicated team of security analysts shall report to Chief Information Security Officer (CISO) of the QSB and such CISO shall be designated as a Key Managerial Personnel (KMP) and shall directly report to the MD & CEO of the QSB.
18.5.5.7 The QSB should have well-defined and documented processes for monitoring of its systems and networks, analysis of cyber security threats and potential intrusions / security incidents, usage of appropriate technology tools, classification of threats and attacks, escalation hierarchy of incidents, response to threats and breaches, and reporting of the incidents.

Vulnerability Assessment and Penetration Testing (VAPT)
18.5.5.8 QSBs shall carry out continuous assessment of the threat landscape faced by them and on half yearly basis, conduct vulnerability assessment to detect security vulnerabilities in their IT environments exposed to internet.
18.5.5.9 QSB shall also carry out penetration tests on half-yearly basis, in order to conduct an in-depth evaluation of the security posture of the system through simulations of actual attacks on its systems and networks that are exposed to the internet.

Business Continuity Plan:
18.5.5.10 QSB shall put in place a comprehensive Business Continuity Plan (BCP) and such policy shall be reviewed on half-yearly basis to minimize the incidents affecting the business continuity.
18.5.5.11 QSB shall develop and document mechanisms and standard operating procedures to recover from the cyber-attacks within the stipulated Recovery Time Objective (RTO) of the QSB, various scenarios and standard operating procedures for resuming operations from Disaster Recovery (DR) site of QSB.
18.5.5.12 The CISO of the QSB shall review the implementation of the

55 BCP and SOP on DR on monthly basis and submit a report to the board of QSBs. 18.5.5.13 All the provisions applicable to specified stock brokers (as stated in SEBI circular SEBI/HO/MIRSD/TPD￾1/P/CIR/2022/160 dated November 25, 2022 regarding Framework to address the ‘technical glitches’ in Stock Brokers’ Electronic Trading Systems) shall also be applicable to the QSBs. Periodic Audit 18.5.5.14 QSBs shall arrange to have their systems audited on half￾yearly basis by a CERT-IN empanelled auditor to check compliance with the above mentioned requirements related to cyber security and other circulars of SEBI on cybersecurity and technical glitches, to the extent they are relevant to them and shall submit the report to stock exchanges along with the comments of the cybersecurity committee within one month of completion of the half year. 18.5.6 Investor Services including online complaint redressal mechanism: 18.5.6.1 QSBs must have investor service centers in all cities where they have branches. 18.5.6.2 QSBs shall have online capabilities for engaging with clients, responding to investor queries and seamless facility for filing complaints by investors and clearly defined escalation procedures. 18.5.6.3 The complaints redressal mechanism should be investor friendly and convenient. The same should have capabilities of being retrieved easily by the complainant online through complaint reference number, e-mail id, mobile no. etc. 18.6 Enhanced Monitoring of QSBs: 18.6.1 QSBs shall be subjected to enhanced monitoring and surveillance including additional submissions to be made to MIIs/SEBI, as and when sought. 18.6.2 Stock Exchanges, in consultation with SEBI, shall carry out annual

56 inspection of QSBs and communicate the findings of such inspection along with action taken report to SEBI. 18.6.3 Stock Exchanges shall devise a comprehensive framework to carry out enhanced monitoring of such QSBs. An illustrative list of areas is as follows: i. Funds and securities of clients which are handled by the QSB; ii. Significant changes in net-worth of the QSB; iii. Significant changes in profits/losses, as compared to previous financial year; iv. Adverse findings in audit reports; v. Adherence to prescribed timelines in case of various periodic submissions to be made by QSB; vi. Timely submission of any information sought by SEBI/MIIs; vii. Adherence to enhanced obligations and responsibilities stated in this circular; and viii. Quality of services being provided to investors. 18.6.4 In case of any deviation/violation observed, Stock Exchanges shall take necessary steps to ensure that the same is corrected by QSBs including initiating disciplinary action, wherever found necessary, in accordance with the relevant regulatory provisions/bye-laws. 18.7 The effective date of implementation for different QSBs based on the parameter by which they are designated as QSBs has been prescribed in the table below: Parameters based on which a broker is designated as QSB Applicability of the circular Parameters mentioned at para 18.4.1.1 to 18.4.1.5 above June 1st of the subsequent year Parameters mentioned at para 18.4.1.6 and 18.4.1.7 above September 1st of the subsequent year

VI. DEALINGS WITH CLIENT

19. Unique Client Code[25]

19.1. It shall be mandatory for the broker to use unique client code for all clients. For this purpose, the broker shall collect and maintain in their back office the Permanent Account Number (PAN) allotted by the Income Tax Department for all their clients.

19.2. In case of other entities –

19.2.1. Brokers shall verify the documents with respect to the unique code and retain a copy of the document.

19.2.2. The brokers shall also be required to furnish the above particulars of their clients to the Stock Exchanges/Clearing Corporations and the same would be updated on a monthly basis. Such information for a specific month should reach the exchange within seven working days of the following month.

19.2.3. The Stock Exchanges shall be required to maintain a database of client details submitted by brokers. Historical records of all quarterly submissions shall be maintained for a period of seven years by the exchanges.

19.3. Mapping of Unique Client Code (UCC) with demat account of clients:[26] For mapping of UCC with the demat account of the clients, the following Mechanism has been implemented in discussion with the Stock exchange and Depositories.

19.3.1. UCC allotted by the trading member (TM) to the client shall be mapped with the demat account of the client.

19.3.2. A client may trade through multiple TMs in which case each such UCC shall be mapped with one or more demat account(s).

[25] Reference: Circular SMDRP/POLICY/CIR-39/2001 dated July 18, 2001 and Circular SEBI/MRD/SE/CIR-34/2003/29/09 dated September 29, 2003.
[26] Reference: Circular SEBI/HO/MIRSD/DOP/CIR/P/2019/136 dated November 15, 2019

19.3.3. Stock Exchanges shall share the UCC data with the Depositories which shall include the PAN, segment, TM/CM code and UCC allotted. Such UCC data, in respect of new UCCs created, shall be shared with the Depositories, on a daily basis.

19.3.4. Depositories shall map the UCC data in the demat account based on the PAN provided in the UCC database.

19.3.5. Clients may make a request to their depository participants to delink or add UCC details which shall be processed by the Depository through depository participants. Before any addition of UCC in the demat account, the Depositories shall validate the same with the Stock Exchanges / client.

19.3.6 Stock Exchanges and Depositories shall have a mechanism in place to address clients’ complaints with regard to UCC mapping with their demat accounts.

19.3.7 Stock Exchanges and Depositories shall have a mechanism in place to ensure that inactive, non-operational UCCs are not misused and also a mechanism to ensure that inactive, non-operational UCCs are weeded out in the process of mapping clients’ UCC with their demat account.

20. Simplification and Rationalization of Trading Account Opening Process[27]

20.1. SEBI has devised the uniform documentation to be followed by all the stock brokers / trading members; a copy thereof to be provided by them to the clients. The details of such documents are listed below:

20.1.1 Index of documents giving details of various documents for client account opening process: Annexure-7

[27] Reference: Circular CIR/MIRSD/16/2011 dated August 22, 2011, Circular MIRSD/SE/CIR-21/2011 dated October 05, 2011, Circular CIR/MIRSD/13/2013 dated December 26, 2013 and Circular CIR/MIRSD/64/2016 dated July 12, 2016, Circular CIR/MIRSD/66/2016 dated July 21, 2016, Circular SEBI/HO/MIRSD/DOP/CIR/P/2021/31 dated March 10, 2021, Circular SEBI/HO/MIRSD/MIRSD-PoD-1/P/CIR/2023/95 dated June 21, 2023, Circular SEBI/HO/MIRSD/MIRSD-PoD-1/P/CIR/2023/132 dated August 01, 2023 and Circular SEBI/HO/MIRSD/MIRSD-PoD-1/P/CIR/2023/180 dated November 13, 2023.

20.1.2 Client Account Opening Form in two parts:

20.1.2.1 Know Your Client (KYC) form capturing the basic information about the client and instruction/check list to fill up the form: The KYC template finalised by Central Registry of Securitization and Asset Reconstruction and Security interest of India (CERSAI) and as specified by SEBI through various circulars issued from time to time, shall be used by the registered intermediaries as Part I of AOF for individuals and legal entities.

20.1.2.2 Document capturing additional information about the client related to trading account: Annexure-8

20.1.3 Document stating the Rights & Obligations of stock broker, and client for trading on exchanges (including additional rights & obligations in case of internet / wireless technology based trading): Annexure-9

20.1.4 Uniform Risk Disclosure Documents (for all segments / exchanges): Annexure-10

20.1.5 Guidance Note detailing Do’s and Don’ts for trading on exchanges: Annexure-11

20.1.6 Most Important Terms and Conditions

20.2. In the account opening process, the stock brokers / trading members would also give the following useful information to the clients:

20.2.1 A tariff sheet specifying various charges, including brokerage, payable by the client to avoid any disputes at a later date.

20.2.2 Information on contact details of senior officials within the stock broking firm and investor grievance cell in the Stock Exchange, so that the client can approach them in case of any grievance.

20.3. It may be noted that any voluntary clause / document added by the stock brokers shall form part of the non-mandatory documents. The stock broker shall ensure that any voluntary clause/document shall neither dilute the responsibility of the stock broker nor it shall be in conflict with any of the clauses in the mandatory documents, Rules, Bye-laws, Regulations, Notices, Guidelines and Circulars issued by SEBI and the Stock Exchanges from time to time. Any such clause introduced in the existing as well as new documents shall stand null and void.

20.4. The client will now be required to sign only on one document i.e. Account Opening Form. Further, in the same form, the client shall continue to put his signatures instead of saying ‘yes’ or ‘tick mark’ while indicating preferences for trading in different exchanges / segments, in accordance with existing requirements. However, in case the investor wants to avail Running Account facility, execute Power of Attorney, Demat Debit and Pledge Instruction[28] etc., he would have to give specific authorization to the stock broker in order to avoid any dispute in the future. The client would also be required to give acknowledgement of Most Important Terms and Conditions (MITC).

20.5. In order to ensure that clients are permitted to access all the stock exchanges in which the stock brokers are registered for the same segment, the format of “Trading Preferences” has been standardized as specified at Para C of Annexure-8.

20.6. All stock brokers are mandated to register their new clients on all the active stock exchanges after obtaining the trading preferences as per the aforementioned format. For existing clients, the stock brokers are mandated to offer them access on all the active stock exchanges for the segments already opted by them, as a default mode, within three months from the effective date of the circular and inform their respective clients through email / SMS. Clients shall be given a choice to opt out of such access by providing negative consent in this regard. Further, the stock brokers shall activate / deactivate the segments based on the preference of the clients.

20.7. The aforementioned format of “Trading Preferences” shall not be made applicable to members registered exclusively with commodity derivatives exchanges. Such members shall use the format as prescribed by the erstwhile Forward Markets Commission (FMC) vide its circular no. FMC/COMPL/IV/KRA-05/11/14 dated February 26, 2015.

20.8. The opting out facility should be provided to new as well as existing clients, and negative consent should be obtained separately from clients in writing. Stock brokers shall be mandated to maintain records of such written negative consent provided by the clients for at least five years.

[28] Reference: Circular SEBI/HO/MIRSD/DoP/P/CIR/2022/44 dated April 04, 2022.

20.9. The aforementioned provisions at para 20.5 and 20.6 shall also be applicable to the clients registered in accordance with SEBI Circular No. SEBI/HO/MIRSD/DOP/CIR/P/2020/73 dated April 24, 2020.

20.10. With regards to compliances related to MITC, as stated in para 20.1.6 and para 20.4 above, the date of implementation shall be as follows:

20.9.1 For onboarding of new clients, the date of the implementation and compliance by the market participants shall be April 01, 2024.

20.9.2 For existing clients, the MITC shall be informed to clients via email or any other suitable mode of communication (which can be preserved) by June 01, 2024.

20.11. In case the stock broker is also a depository participant, he can use the same KYC form (as specified at para 20.1.2.1 above) for basic details and take additional information pertaining to demat account.

20.12. Stock Broker shall make available these standard documents to the clients, either in electronic or physical form, depending upon the preference of the client as part of account opening kit. The preference of the client shall be sought as part of the account opening form. In case the documents are made available in electronic form, stock broker shall maintain logs of the same.

20.13. Stock Exchanges / stock brokers shall continue to make the documents mentioned in para 20.1.3 to 20.1.5 above, available on their website and keep the clients informed about the same.

20.14. Further, with a view to bring about uniformity in securities markets, the KYC form at para 20.1.2.1 above and supporting documents shall also be used by Depository Participants, Mutual Funds, Portfolio Managers, Collective Investment Schemes and Venture Capital Funds. The KYC form shall be filled by an investor at the account opening stage while dealing with any of the above intermediaries. Additional details specific to the area of activity of the intermediary being obtained now but not covered in the KYC form shall also be obtained from the investors in Part II of the account opening form.

21. Nomination for Eligible Trading Accounts[29]

21.1 Submission of ‘choice of nomination’ for trading accounts has been made voluntary as a step towards ease of doing business.

21.2 In line with Section 72 of Companies Act, 2013 on nomination by a holder of securities, investors opening new trading account(s) may have the choice of providing nomination or opting out nomination, as follows;

a. The format for nomination form is given in Annexure-12 to this circular
b. Opt out of nomination through ‘Declaration Form’, as provided in Annexure-13 to this circular.

21.3 The nomination and Declaration form shall be signed under wet signature of the account holder(s) and witness shall not be required. However, if the account holder(s) affixes thumb impression (instead of wet signature), then witness signature shall be required in the forms.

21.4 The on-line nomination and Declaration form may also be signed using e-Sign facility and in that case witness will not be required.

21.5 Trading Members shall ensure that adequate systems are in place including for providing for e-Sign facility and also take all necessary steps to maintain confidentiality and safety of client records.

21.6 Existing investors who have not submitted nomination details till date and intend to submit their nomination or opt out of nomination (not to nominate any one) may also be allowed to do so by way of two factor authentication (2FA) login on the internet trading platform for Stock Brokers providing such services.

21.7 Stock Brokers shall encourage their clients to update ‘choice of nomination’ by sending a communication on fortnightly basis by way of emails and SMS to all such UCCs wherein the ‘choice of nomination’ is not captured. The communication shall provide guidance through which the client can provide his/her ‘choice of nomination’.

21.8 Re-submission of nomination details shall be optional for the existing investors who have already provided the nomination details prior to July 23, 2021.

21.9 The details required in the form at Annexure-12 of the circular viz. mobile number, e-mail ID and identification details of the nominee(s)/ guardian(s) of the minor nominee(s) are optional.

[29] Reference: Circular SEBI/HO/MIRSD/RTAMB/CIR/P/2021/601 dated July 23, 2021, Circular SEBI/HO/MIRSD/MIRSD_RTAMB/P/CIR/2022/23 dated February 24, 2022, Circular SEBI/HO/MIRSD/MIRSD-PoD-1/P/CIR/2023/42 dated March 27, 2023 and SEBI/HO/MIRSD/POD-1/P/CIR/2023/158 dated September 26, 2023.

22. Requirements relating to dealings between a Client and a Stock Broker (Trading Members included)[30]

22.1. Running Account Authorization[31]

22.1.1. Unless otherwise specifically agreed to by a Client, the settlement of funds shall be done within twenty-four hours of the payout. However, a client may specifically authorize the stock broker to maintain a running account subject to the following conditions:

a. The authorization shall be signed by the client only and not by any authorised person on his behalf or any holder of the Power of Attorney.
b. The authorisation shall be dated and shall contain a clause that the clients may revoke the authorisation at any time. The stock brokers, while sending periodical statement of accounts to the clients, shall mention therein that their running account authorisation would continue until it is revoked by the clients.
c. The TM, after considering the End of the Day (EOD) obligation of funds across all the Exchanges, shall settle the running accounts at the choice of the clients on quarterly and monthly basis, on the dates stipulated by the Stock Exchanges.
d. Stock exchanges shall, jointly, issue the annual calendar for the settlement of running account (quarterly and monthly) at the beginning of the financial year.
e. TM shall ensure that funds, if any, received from clients, whose running account has been settled, remain in the “Up Streaming Client Nodal Bank Account” and no such funds shall be used for settlement of running account of other clients. Stock Exchanges shall evolve a monitoring mechanism for this purpose.
f. Once the TM settles the running account of funds of a client, an intimation shall be sent to the client by SMS on mobile number and also by email. The intimation should also include details about the transfer of funds (in case of electronic transfer – transaction number and date; in case of physical payment instruments – instrument number and date). TM shall send the retention statement along with the statement of running accounts to the clients as per the existing provisions within five working days.
g. Client shall bring any dispute on the statement of running account, to the notice of TM within thirty working days from the date of the statement.
h. Such periodic settlement of running account may not be necessary:
   i. for clients availing margin trading facility as per SEBI circular.
   ii. for funds received from the clients towards collaterals/margin in the form of bank guarantee (BG)/Fixed Deposit receipts (FDR)[32].
i. The stock broker shall transfer the funds / securities lying in the credit of the client within one working day of the request if the same are lying with him and within three working days from the request if the same are lying with the Clearing Member/Clearing Corporation.
j. There shall be no inter-client adjustments for the purpose of settlement of the ‘running account’.
k. These conditions shall not apply to institutional clients settling trades through custodians. The existing practice may continue for them.

[30] Reference: Circular MIRSD/SE/CIR-19/2009 dated December 03, 2009, Circular SEBI/MIRSD/CIR/01/2011 dated May 13, 2011 and Circular SEBI/HO/MIRSD/MIRSD2/CIR/P/2016/95 dated September 26, 2016.
[31] Reference: Circular SEBI/HO/MIRSD/DOP/P/CIR/2021/577 dated June 16, 2021, Circular SEBI/HO/MIRSD/DoP/P/CIR/2022/101 dated July 27, 2022 and Circular SEBI/HO/MIRSD/MIRSD-PoD1/P/CIR/2023/197 dated December 28, 2023
[32] Refer “Eligibility of bank instruments as collateral” as specified at para 92 of this circular.

22.2. Authorization for Electronic Contract Notes

22.2.1. The stock broker may issue electronic contract notes (ECN) if specifically authorized by the client subject to the following conditions:

a. The authorization shall be in writing and be signed by the client only and not by any authorised person on his behalf or holder of the Power of Attorney.
b. The email id shall not be created by the broker. The client desirous of receiving ECN shall create/provide his own email id to the stock broker.
c. The authorization shall have a clause to the effect that any change in the email-id shall be communicated by the client through a physical letter to the broker. In respect of internet clients, the request for change of email id may be made through the secured access by way of client specific user id and password.

22.3. The stock broker shall have documentary evidence of financial details provided by the clients who opt to deal in the derivative segment. In respect of other clients, the stock broker shall obtain the documents in accordance with its risk management system.

22.4. There shall be a mandatory document dealing with policies and procedures for each of the following under appropriate headings:

22.4.1. refusal of orders for penny stocks
22.4.2. setting up client’s exposure limits
22.4.3. applicable brokerage rate
22.4.4. imposition of penalty/delayed payment charges by either party, specifying the rate and the period (This must not result in funding by the broker in contravention of the applicable laws)
22.4.5. the right to sell clients’ securities or close clients’ positions, without giving notice to the client, on account of non-payment of client’s dues (This shall be limited to the extent of settlement/margin obligation)
22.4.6. shortages in obligations arising out of internal netting of trades
22.4.7. conditions under which a client may not be allowed to take further position or the broker may close the existing position of a client
22.4.8. temporarily suspending or closing a client’s account at the client’s request, and
22.4.9. deregistering a client

22.5. All the documents in both the mandatory and the non-mandatory parts shall be printed in minimum font size of 11.

22.6. A copy of all the documents executed by client shall be given to him, free of charge, within seven days from the date of execution of documents by the client. The stock broker shall take client’s acknowledgement for receipt of the same.

22.7. The stock brokers having own web-sites shall display all the documents executed by a client, client’s position, margin and other related information, statement of accounts, etc. in the web-site and allow secured access by way of client-specific user id and password.

22.8. The stock broker shall frame the policy regarding treatment of inactive accounts which should, inter-alia, cover aspects of time period, return of client assets and procedure for reactivation of the same. It shall display the same on its web site, if any.

22.9. As on 31st March of every year, a statement of balance of Funds and Securities in hard form and signed by the broker shall be sent to all the clients.

23. Regulation of Transactions Between Clients and Brokers[33]

[33] Reference: Circular SMD/SED/CIR/93/23321 dated November 18, 1993 and Circular CIR/HO/MIRSD/DOP/CIR/P/2019/75 dated June 20, 2019.

23.1. It shall be compulsory for all Member brokers to keep the money of the clients in a separate account and their own money in a separate account. No payment for transactions in which the Member broker is taking a position as a principal will be allowed to be made from the client’s account. The above principles and the circumstances under which transfer from client’s account to Member broker’s account would be allowed are enumerated below.

23.1.1. Member Broker to keep accounts: Every member broker shall keep such books of accounts, as will be necessary, to show and distinguish in connection with his business as a member:

a. Moneys received from or on account of each of his clients and
b. the moneys received and the moneys paid on Member’s own account

23.1.2. Obligation to pay money into "clients’ accounts". Every member broker who holds or receives money on account of a client shall forthwith pay such money to current or deposit account at bank to be kept in the name of the member in the title of which the word "clients" shall appear (hereinafter referred to as "clients account"). Member broker may keep one consolidated clients account for all the clients or accounts in the name of each client, as he thinks fit. Provided that when a Member broker receives a cheque or draft representing in part money belonging to the client and in part money due to the Member, he shall pay the whole of such cheque or draft into the clients account and effect subsequent transfer as laid down below in para 23.1.4(b).

23.1.3. What moneys to be paid into "clients account". No money shall be paid into clients account other than

a. money held or received on account of clients.
b. such money belonging to the Member as may be necessary for the purpose of opening or maintaining the account.
c. money for replacement of any sum which may by mistake or accident have been drawn from the account in contravention of para 23.1.4 given below.
d. a cheque or draft received by the Member representing in part money belonging to the client and in part money due to the Member.

23.1.4. What moneys to be withdrawn from "clients account". No money shall be drawn from clients account other than

a. money properly required for payment to or on behalf of clients or for or towards payment of a debt due to the Member from clients or money drawn on client’s authority, or money in respect of which there is a liability of clients to the Member, provided that money so drawn shall not in any case exceed the total of the money so held for the time being for such each client;
b. such money belonging to the Member as may have been paid into the client account under para 23.1.3(b) or 23.1.3(d) given above;
c. money which may by mistake or accident have been paid into such account in contravention of para 23.1.3 above.

23.1.5. Right to lien, set-off etc., not affected. Nothing in this para 23.1 shall deprive a Member broker of any recourse or right, whether by way of lien, set-off, counter-claim charge or otherwise against moneys standing to the credit of clients account.

23.2. It shall be compulsory for all Member brokers to keep separate accounts for client’s securities and to keep such books of accounts, as may be necessary, to distinguish such securities from his/their own securities. Such accounts for client’s securities shall, inter-alia provide for the following:

23.2.1. Securities received for sale or kept pending delivery in the market.

23.2.2. Securities fully paid for, pending delivery to clients.

23.2.3. Securities received for transfer or sent for transfer by the Member, in the name of client or his nominee(s).

23.2.4. Securities that are fully paid for and are held in custody by the Member as security/margin etc. Proper authorization from client for the same shall be obtained by Member.

23.2.5. Fully paid for client’s securities registered in the name of Member, if any, towards margin requirements etc.

23.2.6. Securities given on Vyaj-badla. Member shall obtain authorization from clients for the same.

23.3. Member Brokers shall make payment to their clients or deliver the securities purchased within 24 hours of pay-out unless the client has requested otherwise.

23.4. Member brokers shall issue the contract note for purchase/sale of securities to a client within 24 hours of the execution of the contract.

23.5. In case of sales on behalf of clients, Member broker shall be at liberty to close out the contract by effecting purchases if the client fails to deliver the securities sold with valid transfer documents within 48 hours of the contract note having been delivered or before delivery day (as fixed by Stock Exchange authorities for the concerned settlement period), whichever is earlier. Loss on the transaction, if any, will be deductible from the margin money of that client.

24. Collateral deposited by Clients with Brokers[34]

24.1. For brokers to maintain proper records of client collateral and to prevent misuse of client collateral, it is advised that:

24.1.1. Brokers should have adequate systems and procedures in place to ensure that client collateral is not used for any purposes other than meeting the respective client’s margin requirements / pay-ins. Brokers should also maintain records to ensure proper audit trail of use of client collateral.

24.1.2. Brokers should further be able to produce the aforesaid records during inspection. The records should include details of:

a. Receipt of collateral from client and acknowledgement issued to client on receipt of collateral.
b. Client authorization for deposit of collateral with Stock Exchange / Clearing Corporation / clearing house towards margin.
c. Record of deposit of collateral with Stock Exchange / Clearing Corporation / Clearing House.
d. Record of return of collateral to client.
e. Credit of corporate action benefits to clients.

[34] Reference: Circular MRD/DoP/SE/CIR-11/2008 dated April 17, 2008.

24.1.3. The records should be periodically reconciled with the actual collateral deposited with the broker.

24.1.4. Brokers should issue a daily statement of collateral utilization to clients which shall include, inter-alia, details of collateral deposited, collateral utilised and collateral status (available balance / due from client) with break up in terms of cash, Fixed Deposit Receipts (FDRs), Bank Guarantee[35] and securities.

24.1.5. In case of complaints against brokers related to misuse of collateral deposited by clients, exchanges should look into the allegations, conduct inspection of broker if required and based on its findings take necessary action.

24.2. In case client collateral is found to be mis-utilised, the broker would attract appropriate deterrent penalty for violation of norms provided under SCRA 1956, SEBI Act 1992, SEBI Regulations and circulars, Exchange Byelaws, Rules, Regulations and circulars.

25. Severance of connections with other businesses[36]

25.1 Rule 8(1)(f) and Rule 8(3)(f) of the SCRR 1957, requires that members of a Stock Exchange, whether individual, partnership or corporate, shall not engage in any business other than that of securities. Stock Exchanges should ensure that the applicants do not attract the above stated rule.

26. Applicability of Rule 8(1)(f) and 8(3)(f) of the Securities Contract (Regulation) Rules, 1957[37]

26.1 Borrowing and lending of funds, by a trading member, in connection with or incidental to or consequential upon the securities business, would not be disqualified under Rule 8(1)(f) and 8(3)(f) of the SCRR 1957.

[35] Refer “Eligibility of bank instruments as collateral” as specified at para 92 of this circular.
[36] Reference: Circular SMD/VRN/1476/95 dated April 27, 1995.
[37] Reference: Circular SMD/POLICY/CIR-6/97 dated May 07, 1997.

27. Mode of payment and delivery[38]

27.1 Brokers should not accept cash from the client whether against obligations or as margin for purchase of securities and / or give cash against sale of securities to the clients.

27.2 All payments shall be received / made by the stock brokers from / to the clients strictly by account payee crossed cheques/ demand drafts or by way of direct credit into the bank account through electronic fund transfer, or any other mode permitted by the Reserve Bank of India. The stock brokers shall accept cheques drawn only by the clients and also issue cheques in favour of the clients only, for their transactions. Stock Brokers shall not accept cash from their clients either directly or by way of cash deposit to the bank account of stock broker.

27.3 Similarly, in the case of securities also, giving / taking delivery of securities in “demat mode” should be directly to / from the “beneficiary accounts” of the clients except delivery of securities to a recognized entity under the approved scheme of the Stock Exchange and / or SEBI.

28. Pre-funded instruments / Electronic fund transfers[39]

28.1 To address the concerns regarding flow of third party funds / unidentified money, following guidelines shall be followed:

28.1.1 If the aggregate value of pre-funded instruments is Rs. 50,000/- (fifty thousand rupees) or more, per day per client, the stock brokers may accept the instruments only if the same are accompanied by the name of the bank account holder and number of the bank account debited for the purpose, duly certified by the issuing bank. The mode of certification may include the following:

a. Certificate from the issuing bank on its letterhead or on a plain paper with the seal of the issuing bank.
b. Certified copy of the requisition slip (portion which is retained by the bank) to issue the instrument.
c. Certified copy of the passbook/bank statement for the account debited to issue the instrument.
d. Authentication of the bank account-number debited and name of the account holder by the issuing bank on the reverse of the instrument.

28.1.2 Maintain an audit trail of the funds received through electronic fund transfers to ensure that the funds are received from their clients only.

[38] Reference: Circular SEBI/MRD/SE/CIR-33/2003/27/08 dated August 27, 2003 and Circular: SEBI/HO/MIRSD/DOP/CIR/P/2018/113 dated July 12, 2018
[39] Reference: Circular CIR/MIRSD/03/2011 dated June 09, 2011.

29. Disclosure of proprietary trading by Broker to Client[40]

29.1 With a view to increase the transparency in the dealings between the broker and the client, every broker shall disclose to his client whether he does client based business or proprietary trading as well.

29.2 The broker shall disclose this information upfront to his new clients at the time of entering into the Know Your Client agreement.

29.3 In case of a broker who at present does not trade on proprietary account, chooses to do so at a later date, he shall be required to disclose this to his clients before carrying out any proprietary trading.

30. “Pro – account” trading terminal[41]

30.1 During the course of inspections carried out by SEBI and Stock Exchanges of the books of accounts and other documents of members, following observations were made:

30.1.1 Certain members are putting large number of orders on pro-account from various locations rather than using “pro-account” at the terminals located at the corporate office from where the owner / directors normally function.

30.1.2 These trades executed from various locations under “pro-account” are, many a time, transferred subsequently to the respective clients in the back office of the members.

30.2 The aforementioned practices clearly violate the requirement of putting the orders of clients under the appropriate client code through trading terminals.

40 Reference: Circular SEBI/MRD/SE/CIR-42/2003 dated November 19, 2003.
41 Reference: Circular SEBI/MRD/SE/CIR-32/2003/27/08 dated August 27, 2003

30.3 With a view to check such misuse of the above facility, if any, Stock Exchanges are directed to ensure the following: -
30.3.1 Facility of placing orders on “pro-account” through trading terminals shall be extended only at one location of the members as specified / required by the members.
30.3.2 Trading terminals located at places other than the above location shall have a facility to place orders only for and on behalf of a client by entering client code details as required / specified by the Exchange / SEBI.
30.3.3 In case any member requires the facility of using “pro-account” through trading terminals from more than one location, such member shall be required to submit an undertaking to the Stock Exchange stating the reason for using the “pro-account” at multiple locations and the Stock Exchange may, on case to case basis after due diligence, consider extending the facility of allowing use of “pro-account” from more than one location.

31. Review of norms relating to trading by Members42
31.1 Stock Exchanges are directed to ensure the following:
31.1.1 A stock broker of an exchange cannot deal with the brokers of the same exchange either for proprietary trading or for trading on behalf of clients, except with the prior permission of the exchange. The Stock Exchanges while giving such permission, shall consider the reasons stated by the brokers for dealing with brokers of the same exchange and after carrying out due diligence allow such brokers to deal with only one stock broker of the same exchange.
31.1.2 A stock broker of an exchange can deal with only one broker of another exchange for proprietary trading after intimating the names of such stock broker to his parent Stock Exchange.

42 Reference: Circular SEBI/MIRSD/CIR-06/2004 dated January 13, 2004

32. Market Access through Authorised Persons43
The framework governing the market access through authorised persons is prescribed below. This framework provides the minimum requirements and the Stock Exchanges and stock brokers may prescribe additional requirements, as they may deem appropriate, in the interest of investors and market.

Regulatory Framework for Market Access through Authorised Persons

32.1 Who is an “Authorised Person”?
Any person - individual, partnership firm, LLP or body corporate – who is appointed as such by a stock broker (including trading member) and who provides access to trading platform of a Stock Exchange as an agent of the stock broker.

32.2 Appointment of Authorised Person
A stock broker may appoint one or more authorised person(s) after obtaining specific prior approval from the Stock Exchange concerned for each such person. The approval as well as the appointment shall be for specific segment of the exchange.

32.3 Procedure for Appointment
32.3.1 Stock Broker shall select a person in compliance with the criteria laid down by the Exchange and this framework for appointment as an authorized person and forward the application of the person to Stock Exchange for approval.
32.3.2 On receipt of the aforesaid application, the Stock Exchange
a. may accord approval on satisfying itself that the person is eligible for appointment as authorized person, or
b. may refuse approval on satisfying itself that the person is not eligible for appointment as authorized person.

43 Reference: Circular MIRSD/DR-1/CIR-16/09 dated November 06, 2009 and Circular SEBI/CIR/MIRSD/AP/8/2010 dated July 23, 2010.

32.4 Eligibility Criteria
32.4.1 An individual is eligible to be appointed as authorised person if he:
a. is a citizen of India;
b. is not less than 18 years of age;
c. has not been convicted of any offence involving fraud or dishonesty;
d. has good reputation and character;
e. has passed at least 10th standard or equivalent examination from an institution recognized by the Government.
32.4.2 A partnership firm, LLP or a body corporate is eligible to be appointed as authorized person
a. if all the partners or directors, as the case may be, comply with the requirements contained in para 32.4.1 above.
b. the object clause of the partnership deed or of the Memorandum of Association contains a clause permitting the person to deal in securities business.
32.4.3 The person shall have the necessary infrastructure like adequate office space, equipment and manpower to effectively discharge the activities on behalf of the stock broker.
32.4.4 The approved users and/or sales personnel of Authorised Persons shall have the necessary certification of the respective segments at all points of time.

32.5 Conditions of Appointment
32.5.1 The following are the conditions of appointment of an authorised person:
a. The stock broker shall be responsible for all acts of omission and commission of the authorized person.
b. All acts of omission and commission of the authorized person shall be deemed to be those of the stock broker.
c. The authorized person shall not receive or pay any money or securities in its own name or account. All receipts and payments of securities and funds shall be in the name or account of stock broker.

d. The authorised person shall receive his remuneration - fees, charges, commission, salary, etc. - for his services only from the stock broker and he shall not charge any amount from the clients.
e. A person shall not be appointed as authorized person by more than one stock broker on the same Stock Exchange.
f. A partner or director of an authorised person shall not be appointed as an authorised person on the same Stock Exchange.
g. The stock broker and authorised person shall enter into written agreement(s) in the form(s) specified by Exchange. The agreement shall inter-alia cover scope of the activities, responsibilities, confidentiality of information, commission sharing, termination clause, etc.

32.6 Withdrawal of Approval
32.6.1 Approval given to an authorised person may be withdrawn by the Stock Exchange:
a. on receipt of a request to that effect from the stock broker concerned or the authorised person, subject to compliance with the requirements prescribed by the Stock Exchange, or
b. on being satisfied that the continuation of authorised person is detrimental to the interest of investors or securities market or the authorised person at a subsequent date becomes ineligible under para 32.4 above.

32.7 Obligations of Stock Broker
32.7.1 The stock broker shall be responsible for all acts of omission and commission of his authorised person(s) and/or their employees, including liabilities arising there from.
32.7.2 If any trading terminal is provided by the stock broker to an authorised person, the place where such trading terminal is located shall be treated as branch office of the stock broker.
32.7.3 Stock Broker shall display at each branch office additional information such as particulars of authorised person in charge of that branch, time lines for dealing through authorised person, etc., as may be specified by the Stock Exchange.
32.7.4 Stock Broker shall notify changes, if any, in the authorised person to all registered clients of that branch at least thirty days before the change.
32.7.5 Stock Broker shall conduct periodic inspection of branches assigned to authorised persons and records of the operations carried out by them.
32.7.6 The client shall be registered with stock broker only. The funds and securities of the clients shall be settled directly between stock broker and client and all documents like contract note, statement of funds and securities would be issued to client by stock broker. Authorised person may provide administrative assistance in procurement of documents and settlement but shall not issue any document to client in its own name. No fund/securities of clients shall go to account of authorized person.
32.7.7 On noticing irregularities, if any, in the operations of authorised person, stock broker shall seek withdrawal of approval, withhold all moneys due to authorised person till resolution of investor problems, alert investors in the location where authorised person operates, file a complaint with the police, and take all measures required to protect the interest of investors and market.

32.8 Obligations of Exchange
32.8.1 The Stock Exchange shall maintain a database of all the authorised persons which shall include the following:
a. PAN Number of authorised person and in case of partnership or body corporate, PAN Number of all the partners or directors as the case may be.
b. Details of the broker with whom the authorised person is registered.
c. Locations of branch assigned to authorised person(s).
d. Number of terminals and their details, given to each authorised person.
e. Withdrawal of approval of authorised person.
f. Change in status or constitution of authorised person.
g. Disciplinary action taken by the Exchange against the authorised person.

All the above details, except (a) above, shall be made available on web site of the Stock Exchange.
32.8.2 While conducting the inspection of the stock broker, the Stock Exchange shall also conduct inspection of branches where the terminals of authorised persons are located and records of the operations carried out by them.
32.8.3 Dispute between a client and an authorised person shall be treated as dispute between the client and the stock broker and the same shall be redressed by the Stock Exchange accordingly.
32.8.4 In case of withdrawal of approval of authorised person due to disciplinary action, the Stock Exchange shall issue a press release and disseminate the names of such authorised persons on its website citing the reason for cancellation.

33. SMS and E-mail alerts to investors by Stock Exchanges44
Stock Exchanges shall send details of the transactions to the investors, by the end of trading day, through SMS and E-mail alerts. This would be subject to the following guidelines:

33.1 Applicability
33.1.1 These guidelines are applicable to equity - cash and derivative - segments of the Stock Exchanges.

33.2 Uploading of mobile number and E-mail address by stock brokers
33.2.1 Stock Exchanges shall provide a platform to stock brokers to upload the details of their clients, preferably, in sync with the UCC updation module.
33.2.2 Stock Brokers shall upload the details of clients, such as, name, mobile number, address for correspondence and E-mail address.

44 Reference: Circular CIR/MIRSD/15/2011 dated August 02, 2011 and SEBI communication SE/10118 dated October 12, 1992.

33.2.3 Stock Brokers shall ensure that the mobile numbers/E-mail addresses of their employees /remisiers/authorized persons are not uploaded on behalf of clients.
33.2.4 Stock Brokers shall ensure that separate mobile number/E-mail address is uploaded for each client. However, under exceptional circumstances, the stock broker may, at the specific written request of a client, upload the same mobile number/E-mail address for more than one client provided such clients belong to one family. ‘Family’ for this purpose would mean self, spouse, dependent children and dependent parents.

33.3 Verification by the Stock Exchanges
33.3.1 After uploading of details by the stock brokers, the Stock Exchanges shall take necessary steps to verify the details by any mode as considered appropriate by them which may include the following:
a. By way of sending SMS and E-mail directly to the investors at the numbers/E-mail address uploaded by the stock brokers.
b. By way of sending letters to the address of the investors uploaded by the stock brokers.

33.4 Sending of alerts by the Stock Exchanges
33.4.1 Upon receipt of confirmation from the investors, the Stock Exchanges shall commence sending the transaction details generated based on investors’ Permanent Account Number, directly to them.

33.5 Handling of discrepancies, if any
33.5.1 If any discrepancy is observed by the Stock Exchanges in the details uploaded by the stock brokers including non-confirmation by investors, bounced E-mails, undelivered SMS/letters, etc., the Stock Exchanges shall inform the respective stock broker.

33.6 Meeting out the expenses for providing SMS and E-mail alerts
33.6.1 The Stock Exchanges may use the amount set aside from the listing fees (20% of the listing fees) for providing services to the investing public, to meet the expenses for providing this facility.

34. Prevention of Unauthorised Trading by Stock Brokers45
34.1 SEBI in the past has taken several steps to tackle the menace of “Unauthorized Trades” viz Periodic Running Account Settlement, Post transactions SMS/email by Stock Exchanges/Depositories, Ticker on broker/DP websites etc. It was observed that in spite of measures taken, a considerable proportion of investor complaints is of the nature of “Unauthorized Trades”.
34.2 To further strengthen regulatory provisions against un-authorized trades and also to harmonise the requirements across markets, it has now been decided that all brokers shall execute trades of clients only after keeping evidence of the client placing such order, it could be, inter alia, in the form of:
a. Physical record written & signed by client,
b. Telephone recording,
c. Email from authorized email id,
d. Log for internet transactions,
e. Record of SMS messages,
f. Any other legally verifiable record.
34.3 When a dispute arises, the broker shall produce the above mentioned records for the disputed trades. However, for exceptional cases such as technical failure etc. where broker fails to produce order placing evidences, the broker shall justify with reasons for the same and depending upon merit of the same, other appropriate evidences like post trade confirmation by client, receipt/payment of funds/ securities by client in respect of disputed trade, etc. shall also be considered.
34.4 Further, wherever the order instructions are received from clients through the telephone, the stock broker shall mandatorily use telephone recording system to record the instructions and maintain telephone recordings as part of its records.
34.5 The Brokers are required to maintain the records specified at para 34.2 above for a minimum period for which the arbitration accepts investors’ complaints as notified from time to time currently three years. However, in cases where dispute has been raised, such records shall be kept till final resolution of the dispute.

45 Reference: Circular SEBI/HO/MIRSD/DOP1/CIR/P/2018/54 dated March 22, 2018.

34.6 If SEBI desires that specific records be preserved, then such records shall be kept till further intimation by SEBI.

35. Execution of Power of Attorney (PoA) by the Client in favour of the Stock Broker/ Stock Broker and Depository Participant46
35.1 A Power of Attorney (PoA) is executed by the client in favour of the stock broker /stock broker and depository participant to authorize the broker to operate the client’s demat account and bank account to facilitate the delivery of shares and pay – in/ pay – out of funds.
35.2 Generally, the PoA is taken from the clients who want to avail internet based trading services. For offering internet based trading services, a Stock Broker requires necessary authorizations for seamless trading, collection of margins as well as settlement of funds and securities. Further, some of the Stock Brokers also obtain authorizations from their clients to offer non-internet based services.
35.3 It came to SEBI’s notice that the clients are compelled to give irrevocable power of attorney to manage client’s demat account and bank account so that the client is able to pay funds or deliver shares to its broker on time. In some cases, the PoA even allows a broker to open and close accounts on behalf of the client and to trade on client’s account without the consent of the client.
35.4 In order to standardize the norms to be followed by stock brokers/ stock broker and depository participants while obtaining PoA from the clients, guidelines as set out in the para 35.7, 35.8, 35.9, 35.10 and 35.11 below, shall be made applicable to stock brokers/ stock broker and depository participants.
35.5 Standardizing the norms for PoA must not be construed as making the PoA a condition precedent or mandatory for availing broking or depository participant services. PoA is merely an option available to the client for instructing his broker or depository participant to facilitate the delivery of shares and pay-in/pay-out of funds etc. No stock broker or depository participant shall deny services to the client if the client refuses to execute a PoA in their favour. However, internet based trading is exempted from this clause.
35.6 Stock Broker/ DP may revoke those authorizations that are inconsistent with the present guidelines by communicating the inconsistent clauses to the existing clients. In the event, the deleted clauses are not accepted by the client, Stock Broker/ DP may be required to either obtain fresh PoA or close the account. In case of any addition to the existing PoA, Stock Broker / DP shall be required to obtain a new PoA from clients.

35.7 PoA favouring Stock Brokers
35.7.1 PoA executed in favour of a stock broker by the client should be limited to the following:
35.7.1.1 Securities47
a) For transfer of securities held in the beneficial owner accounts of the client towards Stock Exchange related deliveries / settlement obligations arising out of trades executed by clients on the Stock Exchange through the same stock broker.
b) For pledging / re-pledging of securities in favour of TM / CM for the purpose of meeting margin requirements of the clients in connection with the trades executed by the clients on the Stock Exchange.
c) To apply for various products like Mutual Funds, Public Issues (shares as well as debentures), rights, offer of shares, tendering shares in open offers, redemptions etc. pursuant to the instructions of the Client(s). However, a proper audit trail should be maintained by the stock broker to prove that the necessary application/act was made/done pursuant to receipt of instruction from Client. Further, redemptions are also included in PoA pursuant to client’s instructions.
35.7.1.2 Funds
Transfer of funds from the bank account(s) of the clients for the following:
a. For meeting the settlement obligations of the client(s)/ margin requirements of the client(s) in connection with the trades executed by the clients on the Stock Exchange through the same stock broker.
b. For recovering any outstanding amount due from the client(s) arising out of clients trading activities on the Stock Exchanges through the same stock broker.
c. For meeting obligations arising out of the client subscribing to such other products/facilities/services through the stock broker like Mutual Funds, Public Issues (shares as well as debentures), rights, offer of shares in etc.
d. Towards monies/fees/charges, etc. due to the stock broker /depository participant/ principal payable by virtue of the client using/subscribing to any of the facilities/services availed by the client at his/her instance.
Necessary audit trail should be available with the stock broker for such transactions.

35.8 PoA favouring Stock Brokers and Depository Participants
35.8.1 PoA executed in favour of a stock broker and Depository Participant by the client should:
35.8.1.1 Identify/provide the particulars of the beneficial owner account(s) and the bank account(s) of the client(s) that the stock broker is entitled to operate.
35.8.1.2 Provide the list of clients’ & brokers’ Bank accounts & demat accounts where funds and securities can be moved. Such bank & demat accounts should be accounts of related party only. The list of clients’ and brokers’ Bank account and demat accounts may be updated / amended by proper communication without executing a new PoA every time. Copies of such communication may be preserved as annexure to PoA.
35.8.1.3 Be executed in the name of the concerned SEBI registered entity only and not in the name of any employee or representative of the stock broker /depository participant.
35.8.1.4 Not provide the authority to transfer the rights in favour of any assignees of the stock broker/depository participant.

46 Reference: Circular CIR/MRD/DMS/13/2010 dated April 23, 2010, Circular CIR/MRD/DMS/28/2010 dated August 31, 2010 and Circular SEBI/HO/MIRSD/DOP/CIR/P/2020/158 dated August 27, 2020
47 Refer to para 36 of this Master Circular.

35.8.1.5 Be executed and stamped as per the rules / law prevailing in the place where the PoA is executed or the place where the PoA is kept as a record, as applicable.
35.8.1.6 Contain a clause by which the stock broker would return to the client(s), the securities or fund that may have been received by it erroneously or those securities or fund that it was not entitled to receive from the client(s).
35.8.1.7 Be revocable at any time. However, such revocation shall not be applicable for any outstanding settlement obligation arising out of the trades carried out prior to receiving request for revocation of PoA. Further, the PoA revocation requests should be dated and time stamped by the brokers for ensuring proper audit trail.
35.8.1.8 Be executed by all the joint holders (in case of a demat account held jointly). If the constitution of the account is changed for whatever reason, a new PoA should be executed.
35.8.1.9 Authorize the stock broker/depository participant to send consolidated summary of Client's scrip-wise buy and sell positions taken with average rates to the client by way of SMS / email on a daily basis, notwithstanding any other document to be disseminated as specified by SEBI from time to time.

35.9 General Guidelines
35.9.1 The PoA shall not facilitate the stock broker to do the following:
35.9.1.1 Off-market trades between parties other than the related parties as mentioned in the PoA.
35.9.1.2 Transfer of funds from the bank account(s) of the Clients for trades executed by the clients through another stock broker.
35.9.1.3 Open a broking / trading facility with any stock broker or for opening a beneficial owner account with any depository participant.

35.9.1.4 Execute trades in the name of the client(s) without the client(s) consent.
35.9.1.5 Prohibit issue of Delivery Instruction Slips (DIS) to beneficial owner (client).
35.9.1.6 Prohibit client(s) from operating the account.
35.9.1.7 Merging of balances (dues) under various accounts to nullify debit in any other account.
35.9.1.8 Open an email ID/ email account on behalf of the client(s) for receiving statement of transactions, bills, contract notes etc. from stock broker / depository participant.
35.9.1.9 Renounce liability for any loss or claim that may arise due to any blocking of funds that may be erroneously instructed by the stock broker to the designated bank.

35.10 Stock Broker / Depository Participant should ensure that:
35.10.1 A duplicate/ certified true copy of the PoA is provided to the Client(s) after execution.
35.10.2 In case of merger/ demerger of the stock broker/depository participant with another entity/ into another entity, the scheme of merger/ demerger should be approved by High Court and one month prior intimation given to the client about the corporate restructuring to facilitate investor/ client to continue or discontinue with the broker.

35.11 All off-market transfer of securities shall be permitted by the Depositories only by execution of Physical Delivery Instruction Slip (DIS) duly signed by the client himself or by way of electronic DIS. The Depositories shall also put in place a system of obtaining client’s consent through One Time Password (OTP) for such off market transfer of securities from client’s demat account.

36. Execution of ‘Demat Debit and Pledge Instruction’ (DDPI) for transfer of securities towards deliveries / settlement obligations and pledging / re-pledging of securities48
36.1 While executing a PoA, authorization is given by client to the stock broker / stock broker and depository participant, to access the Beneficial Owner (BO) account of the client to meet settlement obligations of the trade executed by the client. In order to make the process more transparent and simpler, the following conditions shall be made part of a separate document viz. ‘Demat Debit and Pledge Instruction’ (DDPI) (Annexure-14):
36.1.1 Transfer of securities held in the beneficial owner accounts of the client towards Stock Exchange related deliveries / settlement obligations arising out of trades executed by clients on the Stock Exchange through the same stock broker.
36.1.2 Pledging / re-pledging of securities in favour of TM/ CM for the purpose of meeting margin requirements of the clients in connection with the trades executed by the clients on the Stock Exchange.
36.1.3 Mutual Fund transactions being executed on stock exchange order entry platforms and which shall be in compliance with SEBI circulars SEBI/HO/IMD/IMD-I DOF5/P/CIR/2021/634 dated October 04, 2021, SEBI/HO/IMD/IMD-I DOF5/P/CIR/2021/635 dated October 04, 2021 and SEBI/HO/IMD/IMD-I DOF5/P/CIR/2022/29 dated March 15, 2022 or any other circular which may be issued in this regard; and
36.1.4 Tendering shares in open offers which shall be in compliance with SEBI circular SEBI/HO/CFD/DCR-III/CIR/P/2021/615 dated August 13, 2021 or any other circular which may be issued in this regard.
The DDPI shall serve the same purpose of PoA and significantly mitigate the misuse of PoA. The use of DDPI shall be limited only for the purposes as mentioned in para 36.1.1, 36.1.2, 36.1.3 and 36.1.4 above.
36.2 The client may use the DDPI or opt to complete the settlement by issuing physical Delivery Instruction Slip (DIS) or electronic Delivery Instruction Slip (eDIS) themselves. Hence, PoA shall no longer be executed for the conditions specified in para 36.1.1 and 36.1.2.
36.3 The DDPI, which is indexed as part of the Voluntary Documents in Annexure-7 of this master circular, shall be executed only if the client provides his/her explicit consent for the same, including internet based trading. The DDPI shall also be adequately stamped. The DDPI can be digitally signed by the clients.
36.4 The existing PoAs shall continue to remain valid till the time client revokes the same. Thus, the stock broker/stock broker and depository participant shall not directly / indirectly compel the clients to execute the DDPI or deny services to the client if the client refuses to execute the DDPI.
36.5 PoA is optional and should not be insisted upon by the stock broker / stock broker depository participant for opening of the client account.
36.6 For the execution of the DDPI for fulfilling delivery / settlement obligations, prior to executing actual transfer of securities based on details provided by stock broker/stock broker and depository participant, the Depositories shall ensure matching and confirming the transfer of securities with client-wise net delivery obligation arising from the trade executed on the exchange, as provided by the Clearing Corporation to Depositories for each settlement date.
36.7 Securities transferred on the basis of the DDPI provided by the client shall be credited to client’s TM pool account / CM pool account / demat account of clearing corporation, as the case may be. The DDPI provided by the client shall be registered in the demat account of the client by TM /CM. Stock Exchanges and Depositories shall ensure that stock broker/stock broker and depository participant providing DDPI facility, has enabled its clients to revoke / cancel the DDPI provided by them.
36.8 For the clients who issue the DDPI to stock broker/stock broker and depository participant, the following provisions of the SEBI circulars issued with respect to PoA shall stand replaced with DDPI:
36.8.1 Para 35.7.1.1. (a) and (b) of this circular,
36.8.2 Para 35.7.1.1. (c) of this circular to the extent applicable for Mutual Fund transactions and tendering shares in open offers.

48 Reference: Circular SEBI/HO/MIRSD/DoP/P/CIR/2022/44 dated April 04, 2022 and Circular SEBI/HO/MIRSD/MIRSD-PoD-1/P/CIR/2022/137 dated October 06, 2022

37. Modification of Client Codes of Non-institutional Trades executed on Stock Exchanges (All Segments)49
37.1 Stock Exchanges may allow modifications of client codes of non-institutional trades only to rectify a genuine error in entry of client code at the time of placing / modifying the related order.
37.2 If a Stock Exchange wishes to allow trading members to modify client codes of non-institutional trades, it shall
37.2.1 lay down strict objective criteria, with the approval of its Governing Board, for identification of genuine errors in client codes which may be modified, and disclose the same to market in advance,
37.2.2 set up a mechanism to monitor that the trading members modify client codes only as per the strict objective criteria, and
37.2.3 ensure that modification of client codes is covered in the internal audit of trading members.
37.3 Notwithstanding the above,
37.3.1 The Stock Exchanges shall levy a penalty from trading members and credit the same to its Investor Protection Fund as under:

Table 9
‘a’ as % of ‘b’ | Penalty as % of ‘a’
≤ 5 | 1
> 5 | 2

Where
a = Value (turnover) of non-institutional trades where client codes have been modified by a trading member in a segment during a month.
b = Value (turnover) of non-institutional trades of the trading member in the segment during the month.

37.3.2 The Stock Exchange shall conduct a special inspection of the trading member to ascertain whether the modifications of client codes are being carried on as per the strict objective criteria set by the Stock Exchange, as directed in Para 37.2 above, if ‘a’ as % of ‘b’, as defined above, exceeds 1% during a month and take appropriate disciplinary action, if any deficiency is observed.
37.4 Shifting of trades to the error account of broker would not be treated as modification of client code, provided the trades in error account are subsequently liquidated in the market and not shifted to some other code.
37.5 Further, brokers shall disclose the codes of accounts which are classified as ‘error accounts’ to the Stock Exchanges. Each broker should have a well-documented error policy approved by the management of the broker. Stock Exchanges shall periodically review the trades flowing to the error accounts of the brokers.
37.6 Waiver of Penalty
37.6.1 Stock exchanges may waive penalty for a client code modification where stock broker is able to produce evidence to the satisfaction of the stock exchange to establish that the modification was on account of a genuine error.
37.6.2 Not more than one such waiver per quarter may be given to a stock broker for modification in a client code.
Explanation: If penalty waiver has been given with regard to a genuine client code modification from client code AB to client code BA, no more penalty waivers shall be allowed to the stock broker in the quarter for modifications related to client codes AB and BA.
37.7 Proprietary trades shall not be allowed to be modified as client trade and vice versa.
37.8 Stock exchanges shall submit a report to SEBI every quarter regarding all such client code modifications where penalties have been waived.
37.9 Stock exchanges shall undertake stringent disciplinary actions against stock brokers who undertake frequent client code modifications.

49 Reference: Circular CIR/DNPD/6/2011 dated July 05, 2011, Circular CIR/MRD/DP/29/2014 dated October 21, 2014 and Circular SEBI/HO/CDMRD/DMP/CIR/P/2016/73 dated August 19, 2016

38. Margin Trading Facility⁵⁰

38.1 Equity Shares and units of Equity Exchange Traded Funds (ETFs)⁵¹ that are classified as 'Group I security' shall be eligible for margin trading facility. Group I securities are liquid securities which are traded at least eighty percent of the days over the previous six months and impact cost for which over the previous six months is less than or equal to one percent. (For securities that have been listed for less than six months, the trading frequency and the impact cost shall be computed using the entire trading history of the scrip)

38.2 Margin Requirement

38.2.1 In order to avail margin trading facility, initial margin required shall be as under:

Table 10

| Category of Stock | Applicable margin |
|---|---|
| Group I stocks available for trading in the F & O Segment | VaR + 3 times of applicable ELM* |
| Group I stocks other than F&O stocks and units of Equity ETFs | VaR + 5 times of applicable ELM* |

*For aforesaid purpose the applicable VaR and ELM shall be as in the cash segment for a particular stock.

38.2.2 The initial margin payable by the client to the stock broker shall be in the form of cash, cash equivalent or Group I equity shares or units of Group I Equity ETFs, with appropriate haircut as specified by SEBI.

38.2.3 The stock brokers shall be required to comply with the following conditions:

a. The stocks or units of Equity ETFs deposited as collateral with the stock broker for availing margin trading facility (‘Collaterals’) and the stocks purchased under the margin trading facility (‘Funded stocks’) shall be identifiable separately and no comingling shall be permitted for the purpose of computing funding amount;

50 Reference: Circular CIR/MRD/DP/54/2017 dated June 13, 2017, Circular CIR/MRD/DP/86/2017 dated August 01, 2017 and Circular SEBI/HO/MRD/MRD-PoD-3/P/CIR/2022/166 dated November 30, 2022. 51 Equity ETFs were included vide circular SEBI/HO/MRD/MRD-PoD-3/P/CIR/2022/166 dated November 30, 2022, which shall come into force with effect from 30th day of issuance of that circular.

b. Collateral and Funded stocks shall be marked to market on a daily basis;

c. In case of increase in the value of Collaterals, stock brokers may have the option of granting further exposure to their clients subject to applicable haircuts;

d. However, no such exposure shall be permitted on the increased value of funded stocks.

38.2.4 Stock Brokers shall ensure maintenance of the aforesaid margin at all times during the period that the margin trading facility is being availed by the client. In case of shortfall, stock broker shall make necessary margin calls.

38.2.5 The exchange/stock broker, based on the risk assessment, shall have the discretion to impose/collect higher margin than the margin specified in para 38.2.1 above.

38.3 Liquidation of Securities by the stock broker in case of default by the client

38.3.1 The stock broker shall list out situations/conditions in which the securities may be liquidated and such situations/conditions shall be included in the “Rights and Obligations Document”. The broker shall liquidate the securities, if the client fails to meet the margin call to comply with the conditions as mentioned in this circular or specified in the "Rights and Obligations Document" specified by exchange.

38.3.2 However, the broker shall not liquidate or use in any manner the securities of the client in any situation other than the conditions stipulated at para 38.3.1 above.

38.4 Eligibility requirements for stock brokers to provide Margin Trading Facility to clients

38.4.1 Only corporate stock brokers with a net worth of at least three crore shall be eligible to offer margin trading facility to their clients.

38.4.2 The “net worth” for the purpose of margin trading facility shall be as specified in the Stock Brokers Regulations 1992.

38.4.3 The stock brokers shall submit to the Stock Exchange a half-yearly

certificate, as on 31st March and 30th September of each year, from an auditor confirming the net worth. Such a certificate shall be submitted not later than 30th April and 31st October of every year.

38.5 Source of Funds

38.5.1 For the purpose of providing the margin trading facility, a stock broker may use own funds or borrow funds from scheduled commercial banks and/or NBFCs regulated by the Reserve Bank of India, borrow funds by way of issuance of Commercial Papers (CPs) and by way of unsecured long term loans from their promoters and directors. The borrowing by way of issuance of CPs shall be subject to compliance with relevant RBI Guidelines. The borrowing by way of unsecured long term loans from the promoters and directors shall be subject to the compliance with appropriate provisions of the Companies Act, 2013.

38.5.2 A stock broker shall not be permitted to borrow funds from any other source, other than the sources stated at para 38.5.1 above.

38.5.3 The stock broker shall not use the funds of any client for providing the margin trading facility to another client, even if the same is authorized by the first client.

38.6 Leverage and Exposure Limits

38.6.1 At any point of time, the total indebtedness of a stock broker for the purpose of margin trading shall not exceed five times of its net worth, calculated as per para 38.4.2 above.

38.6.2 The maximum allowable exposure of the broker towards the margin trading facility shall be within the self imposed prudential limits and shall not, in any case, exceed the borrowed funds and fifty percent of his “net worth”.

38.6.3 While providing the margin trading facility, the broker shall ensure that:

a) exposure to any single client at any point of time shall not exceed ten percent of the broker’s maximum allowable exposure, as specified in para 38.6.2 above.

b) exposure towards stocks and/or Equity ETFs purchased under margin trading facility and collateral kept in the form of stocks and/or units of Equity ETFs are well diversified. Stock Brokers shall have appropriate Board approved policy in this regard.

38.6.4 For the purpose of applicable haircuts for units of Equity ETFs as collateral for margin trading facility, it is clarified that the haircuts applicable to Liquid (Group I) Equity Shares (under “Other Liquid Assets” category) as per SEBI circular MRD/DoP/SE/Cir-07/2005 dated February 23, 2005 shall be applicable to units of Equity ETFs.

38.7 Disclosure Requirement

38.7.1 The stock broker shall disclose to the Stock Exchanges details on gross exposure towards margin trading facility including name of the client, Category of holding (Promoter/promoter group or Non-promoter), clients' PAN, name of the scrips (Collateral stocks and Funded stocks) and if the stock broker has borrowed funds for the purpose of providing margin trading facility, name of the lender and amount borrowed, on or before 12 noon on the following trading day. The format for this disclosure by the stock broker to the stock exchange is enclosed at Annexure-15.

38.7.2 The Stock Exchanges shall disclose on their websites the scrip wise gross outstanding in margin accounts with all brokers to the market. Such disclosure regarding margin trading done on any day shall be made available after the trading hours, on the following day, through its website.

38.7.3 The Stock Exchanges shall put in place a suitable mechanism to capture and maintain all relevant details including member-wise, client-wise, scrip-wise information regarding outstanding positions in margin trading facility and also source of funds of the stock brokers, on the exchange both on daily as well as on cumulative basis.

38.8 Rights and Obligations for Margin Trading

38.8.1 The Stock Exchanges shall frame a Rights and Obligations document laying down the rights and obligations of stock brokers and clients for the purpose of margin trading facility. The Rights and Obligations

document shall be mandatory and binding on the Broker/Trading Member and the clients for executing trade in the Margin Trading framework.

38.8.2 The broker/exchange may modify the Rights and Obligations document only for stipulating any additional or more stringent conditions, provided that no such modification shall have the effect of diluting any of the conditions laid down in the circular or in the Rights and Obligations document.

38.9 Maintenance of Records

38.9.1 The stock broker shall maintain separate client-wise ledgers for funds and securities of clients availing margin trading facility.

38.9.2 The stock broker shall maintain a separate record of details of the funds used and sources of funds for the purpose of margin trading.

38.9.3 The books of accounts, maintained by the broker, with respect to the margin trading facility offered by it, shall be audited on a half yearly basis. The stock broker shall submit an auditor’s certificate to the exchange within one month from the date of the half year ending 31st March and 30th September of a year certifying, inter alia, the extent of compliance with the conditions of margin trading facility. This certificate is in addition to the certificate on net worth specified in para 38.4.2 above.

38.10 Other Conditions

38.10.1 A broker shall take adequate care and exercise due diligence before providing margin trading facility to any client.

38.10.2 Any disputes arising between the client and the stock broker in connection with the margin trading facility shall have the same treatment as normal trades and should be covered under the investor grievance redressal mechanism, arbitration mechanism of the Stock Exchange.

38.10.3 SGF and IPF shall be available for transactions done on the exchange, whether through normal or margin trading facility. However, any losses suffered in connection with the margin trading facility availed by the

client from the stock broker shall not be covered under IPF.

38.10.4 The stock brokers wishing to extend margin trading facility to their clients shall be required to obtain prior permission from the exchange where the margin trading facility is proposed to be offered. The exchange shall have right to withdraw this permission at a later date, after giving reasons for the same.

39. Collection and reporting of margins by Trading Member (TM) /Clearing Member (CM) in Cash Segment.⁵²

39.1 Collection of margins from the clients by TM/CM in cash segment:

39.1.1 The ‘margins’ for this purpose shall mean VaR margin, extreme loss margin (ELM), mark to market margin (MTM), delivery margin, special / additional margin or any other margin as prescribed by the Exchange to be collected by TM/CM from their clients.

39.1.2 Henceforth, like in derivatives segment, the TMs/CMs in cash segment are also required to mandatorily collect upfront VaR margins and ELM from their clients. The TMs/CMs will have time till ‘T+2’ working days to collect margins (except VaR margins and ELM) from their clients. (The clients must ensure that the VaR margins and ELM are paid in advance of trade and other margins are paid as soon as margin calls are made by the Stock Exchanges/TMs/CMs. The period of T+2 days has been allowed to TMs/CMs to collect margin from clients taking into account the practical difficulties often faced by them only for the purpose of levy of penalty and it should not be construed that clients have been allowed 2 days to pay margin due from them.)

39.1.3 If pay-in (both funds and securities) is made by T+2 working days, the other margins would be deemed to have been collected and penalty for short / non collection of other margins shall not arise.

39.1.4 If Early Pay-In of securities has been made to the Clearing Corporation

52 Reference: Circular CIR/HO/MIRSD/DOP/CIR/P/2019/139 dated November 19, 2019, Circular SEBI/HO/MIRSD/DOP/CIR/P/2020/146 dated July 31,2020 and Circular SEBI/HO/MIRSD/DOP/CIR/P/2020/173 dated September 15, 2020

(CC), then all margins would be deemed to have been collected and penalty for short / non-collection of margin including other margins shall not arise.

39.1.5 If client fails to make pay-in by T+2 working days and TM / CM do not collect other margins from the client by T+2 working days, the same shall also result in levy of penalty as applicable.

39.1.6 As prescribed in clause 7 of SEBI circular MRD/DoP/SE/Cir-07/2005 dated February 23, 2005, the TM/CM shall be exempted from collecting upfront margins from the institutional investors carrying out business transactions and in cases where early pay-in of securities is made by the clients.

39.1.7 If the TM/CM had collected adequate initial margins from the client to cover the potential losses over time till pay-in, he need not collect MTM from the client.

39.1.8 As like in derivatives segments, the TMs/CMs shall report to the Stock Exchange on T+5 day the actual short-collection/ non-collection of all margins from clients.

39.2 It is reiterated that CC shall continue to collect upfront VaR plus ELM and other margins from TM / CM as applicable from time to time.

39.3 Penalty structure for short-collection/non-collection of margins and false/incorrect reporting of margin collection from the clients by TMs/CMs:

39.3.1 For short-collection / non-collection of client margins, the Stock Exchanges shall take the disciplinary action as per the framework specified in SEBI Circular CIR/DNPD/7/2011 dated August 10, 2011.

39.3.2 If TM / CM collects minimum 20% upfront margin in lieu of VaR and ELM from the client, then penalty for short-collection / non-collection of margin shall not be applicable.

39.3.3 For false/incorrect reporting of margin collection from the clients by TMs/CMs, the Stock Exchanges shall take disciplinary action as per the framework CIR/HO/MIRSD/DOP/CIR/P/2019/88 dated August 01, 2019.

40. Framework to Enable Verification of Upfront Collection of Margins from Clients in Cash and Derivatives segments⁵³

40.1 With an objective to enable uniform verification of upfront collection of margins from clients by TM/ CM and levy of penalty across segments, it has been decided that the Stock Exchanges/ Clearing Corporations shall adopt the framework specified in paras 40.2 to 40.5 below, for the purpose of ‘Mechanism for regular monitoring of and penalty for short collection/ non-collection of margins from clients’ in Cash and Derivatives segments.

40.2 Clearing Corporations shall send minimum four snapshots of client wise margin requirement to TMs/CMs for them to know the intraday margin requirement per client in each segment. The number of times snapshots need to be sent in a day may be decided by the respective Clearing Corporation depending on market timings subject to a minimum of four snapshots in a day. The snapshots would be randomly taken in pre-defined time windows. Further, for commodity derivatives segment, clearing corporations shall send an additional minimum two snapshots for commodity derivative contracts which are traded till 9:00 PM and additional minimum three snapshots for the commodity derivatives contracts which are traded till 11:30/11:55 PM. Margins/EOD margins shall be determined as per the relevant Risk Parameter Files.

40.3 The client wise margin file (MG-12/13) provided by the CCs to TMs/CMs shall contain the EOD margin requirements of the client as well as the peak margin requirement of the client, across each of the intra-day snapshots.

40.4 The member shall have to report the margin collected from each client, as at EOD and peak margin collected during the day, in the following manner:

40.4.1 EOD margin obligation of the client shall be compared with the respective client margin available with the TM/CM at EOD.

AND

53 Reference: Circular SEBI/HO/MRD2/DCAP/CIR/P/2020/127 dated July 20, 2020, Circular SEBI/HO/CDMRD/CDMRD_DRM/P/CIR/2021/689 dated December 16, 2021, Circular SEBI/HO/MRD2/DCAP/P/CIR/2022/60 dated May 10, 2022 and Circular SEBI/HO/MRD/MRD-PoD-2/P/CIR/2023/016 dated February 01, 2023

40.4.2 Peak margin obligation of the client, across the snapshots, shall be compared with respective client peak margin available with the TM/CM during the day.

40.5 Higher of the shortfall in collection of the margin obligations at para 40.4.1 and 40.4.2 above, shall be considered for levying of penalty as per the extant framework.

40.6 The verification of availability of margins with TM/ CM, as at para 40.4.1 and 40.4.2 above, shall be done by exchanges/ clearing corporations on a weekly basis by verification of the balances in the books/ ledgers of the TM/ CM in respect of the client.

40.7 The margin requirements to be considered for the intra-day snapshots in derivatives segments (including commodity derivatives), shall be calculated based on the fixed Beginning of Day (BOD) margin parameters. The BOD margin parameters would include all SPAN margin parameters as well as ELM requirements.

40.8 The End of Day (EOD) margin collection requirement from clients, in derivatives segments (including commodity derivatives), shall also be calculated based on the fixed BOD margin parameters.

40.9 The provisions at para 40.7 and 40.8 are only for the purpose of verification of upfront collection of margins from clients. The margin parameters applicable for collection of margin obligation by Clearing Corporations shall continue to be updated on intra-day and EOD basis, as per the extant provisions.

41. Margin obligation to be given by way of Pledge/ Re-pledge in the Depository System⁵⁴

41.1 TM / CM shall, inter alia, accept collateral from clients in the form of securities, only by way of ‘margin pledge’, created in the Depository system in accordance with Section 12 of the Depositories Act, 1996 read with Regulation 79 of the Securities and Exchange Board of India (Depositories and Participants) Regulations, 2018 and the relevant Bye Laws of the Depositories.

41.2 The above sections and regulations clearly enumerate the manner of creating

54 Reference: Circular SEBI/HO/MIRSD/DOP/CIR/P/2020/28 dated February 25,2020 and Circular no. SEBI/HO/MIRSD/DOP/CIR/P/2020/88 dated May 25,2020

pledge of the dematerialised securities. Any procedure followed other than as specified under the aforesaid provisions of law for creating pledge of the dematerialised securities is prohibited. It is clarified that an off-market transfer of securities leads to change in ownership and shall not be treated as pledge.

41.3 Transfer of securities to the demat account of the TM / CM for margin purposes (i.e. title transfer collateral arrangements) shall be prohibited. In case, a client has given a power of attorney in favour of a TM / CM, such holding of power of attorney shall not be considered as equivalent to the collection of margin by the TM / CM in respect of securities held in the demat account of the client.

41.4 The TM / CM shall open a separate demat account for accepting margin pledge, which shall be tagged as ‘Client Securities Margin Pledge Account’.

41.5 For the purpose of providing collateral in form of securities as margin, a client shall pledge securities with TM, and TM shall re-pledge the same with CM, and CM in turn shall re-pledge the same to Clearing Corporation (CC). The complete trail of such re-pledge shall be reflected in the de-mat account of the pledgor.

41.6 The TM shall re-pledge securities to the CM’s ‘Client Securities Margin Pledge Account’ only from the TM’s ‘Client Securities Margin Pledge Account’. The CM shall create a re-pledge of securities on the approved list to CC only out of ‘Client Securities Margin Pledge Account’ (Re-pledge would mean endorsement of pledge by TM / CM in favour of CM/CC, as per procedure laid down by the Depositories)

41.7 The TM and CM shall ensure that the client’s securities re-pledged to the CC shall be available to give exposure limit to that client only. Dispute, if any, between the client, TM / CM with respect to pledge, re-pledge, invocation and release of pledge shall be settled inter-se amongst client and TM / CM through arbitration as per the bye-laws of the Depository. CC and Depositories shall not be held liable for the same.

41.8 Securities that are not on the approved list of a CC may be pledged in favour of the TM / CM. Each TM / CM may have their own list of acceptable securities that may be accepted as collateral from client.

41.9 Funded stocks held by the TM / CM under the margin trading facility shall be held by the TM / CM only by way of pledge. For this purpose, the TM / CM shall

be required to open a separate demat account tagged ‘Client Securities under Margin Funding Account’ in which only funded stocks in respect of margin funding shall be kept/ transferred, and no other transactions shall be permitted. Such funded stocks shall be transferred to respective client’s demat account followed by creation of an auto-pledge (i.e. without the requirement of a specific instruction from the client) with suitable reason, in favor of ‘Client Securities under Margin Funding Account’.

41.10 The TM / CM shall be required to transfer all client’s securities lying in such accounts to the respective clients’ demat accounts. Thereafter, TM / CM are prohibited from holding any client securities in any beneficial owner accounts of TM/CM, other than specifically tagged accounts as indicated above, and in pool account(s), unpaid securities account.

41.11 The operational mechanism for margin pledge is provided below:

INITIATION OF MARGIN PLEDGE

41.11.1 For the purpose of providing collateral in form of dematerialised securities as margin, a client shall initiate the margin pledge only in favour of the TM / CM’s separate client securities margin account tagged as ‘Client Securities Margin Pledge Account’ through physical instruction or electronic instruction mechanism provided by the Depositories. Such instructions shall have details of client UCC, TM, CM and Default Segment.

41.11.2 In cases where a client has given a Power of Attorney (“POA”) to the TM / CM, the TM / CM may be allowed to execute the margin pledge on behalf of such client to the demat account of the TM / CM tagged as ‘Client Securities Margin Pledge Account’.

41.11.3 The ‘pledge request form’ shall have a clause regarding express consent by the client for re-pledge of the securities by the TM to CM and further by the CM to CC.

41.11.4 On receipt of the margin pledge instruction either from the client or by TM / CM as per the POA, DP of a client shall initiate a margin pledge in the client’s account and the status of instruction will remain pending till confirmation is received from client / pledgor. The client will submit acceptance by way of One Time Password (the “OTP”) confirmation on

mobile number / registered e-mail id of the client or other verifiable mechanism. Further no other OTP confirmation from client shall be required, if securities of such client are being re-pledged by TM/CM. The Depositories shall develop a verifiable mechanism for confirmation of the pledge by the client.

41.11.5 In client account, margin pledge or re-pledge shall be reflected against each security, if it is pledged / re-pledged and in whose favour i.e. TM / CM / CC.

41.11.6 The TM can re-pledge only in favour of CM’s demat account tagged as ‘Client Securities Margin Pledge Account’. The CM shall create a re-pledge of securities on the approved list only to the CC out of ‘Client Securities Margin Pledge Account’. While re-pledging the securities to the CC, CM/TM shall fully disclose the details of the client wise pledge to the CC/CM. CM would need to have visibility of client level position and client collateral so that CM shall allow exposure and / or margin credit in respect of such securities to that client to whom such securities belong.

RELEASE OF MARGIN PLEDGE

41.11.7 In case of a client creating pledge of the securities in favour of the TM / CM against margin, the TM / CM may release the ‘margin pledge’ after their internal exposure and risk management checks. The request for release of pledge can be made by the client to its DP or to the TM / CM, who shall release the pledge in the Depository system.

41.11.8 For release of client securities given to TM/CM as margin pledge and which are re-pledged in favour of the CC, the CM shall make a request to the CC. The client through TM, or the TM on his own, may request the CM to make an application to the CC for the release of margin pledge. CC shall do margin utilisation check at the CM level before releasing the re-pledge of securities to the CM. The CC will release the re-pledged client securities to CM after blocking other available free collateral of CM. The CM /TM in turn after doing their risk management shall release the securities to TM / client, as the case may be.

INVOCATION OF MARGIN PLEDGE

41.11.9 In case of default by a client of TM where the client’s securities are re-pledged with the CM/ CC, the invocation request shall be made by the TM to CM and CM in turn will make request to CC as per the procedure laid down by the Depositories under their bye-laws.

41.11.10 In case of default by a client of TM who has pledged securities with TM, the TM shall invoke the pledge.

41.11.11 In case of default by a client of TM whose securities are re-pledged by TM with CM, the invocation request shall be made by TM to the CM. The CM, after doing its internal exposure and risk management, shall release the re-pledged securities to the ‘Client Securities Margin Pledge Account’ of the TM. The TM in turn will invoke the pledge of client’s securities.

41.11.12 In the event of default by a client of a TM, whose securities are re-pledged by TM with CM and CM in turn has re-pledged with CC, the TM shall make a request for invocation of pledge with CM and CM in turn shall file a request with CC to release the re-pledged securities for invocation. The CC shall block equivalent available free collateral provided by CM and shall release the re-pledged securities of that defaulting client of TM to CM in “Client Securities Margin Pledge Account” of CM. The CM shall do his own risk assessment of TM and would release re-pledged securities of the defaulting client of TM in “Client Securities Margin Pledge Account” of TM and TM shall invoke the pledge in Demat account of the client.

41.11.13 In case of default by a client/ TM of CM whose securities are re-pledged with CC, CM shall file a request with CC for invocation of the pledged/ re-pledged securities of that client/TM. CC shall block the equivalent available free collateral provided by CM and shall release the re-pledged securities of that defaulting client/TM in “Client Securities Margin Pledge Account” of CM and the CM shall invoke the pledge in Demat account of the client/ TM.

41.11.14 In case of default by TM or client of TM, CM shall be entitled to invoke pledged/ re-pledged securities of the TM. CM shall also be entitled to invoke directly the repledged securities of client of TM having open position with CM to close out such positions.

41.11.15 In case of default by the CM, CC shall invoke securities pledged by the

CM. After exhausting the CM own collateral, CC may also invoke re-pledge securities of that client who has open position and their re-pledged securities are blocked by CC to close out their open positions. The re-pledge securities of other clients who did not have any open position with CC, their securities shall not be available to CC for invocation to meet settlement default of the CM.

41.12 The framework for utilisation of pledged clients’ securities for exposure and margin is provided below:

41.12.1 At present, the margin requirement is computed in real time at client level by the CC and is aggregated at the level of CMs to arrive at the total margin requirement. The CC maintains and monitors the collateral at the level of CM. The CM is required to provide the collateral in various acceptable forms such as Cash, Bank Guarantee⁵⁵, Government Securities, pledge of acceptable shares, etc.

41.12.2 The day to day real time risk management with respect to client / TM exposure, and the margin requirement shall continue to be the responsibility of the CM, and CC shall not monitor the client level exposure against the available client level collateral in real time.

41.12.3 In order to provide exposure to CM and/or to the clients / TM of a CM, CC shall aggregate margin requirement at CM level that shall be compared against the available collateral in real time as aggregate of;

a. cash and cash equivalent deposited by CM,

b. own securities pledged by CM with CC,

c. CC requires minimum fifty percent of the collateral to be deposited in cash and cash equivalent, if the total securities pledged by CM with CC exceed the total cash and cash equivalent, the value of securities will be restricted to amount of cash and cash equivalent.

d. The TM’s proprietary margin requirement will be treated as a client of CM and aggregated along with other clients.

41.12.4 CM shall be allowed to re-pledge acceptable/approved client securities with the CC by furnishing the UCC wise client details. CC shall not allow any exposure to the CM on re-pledged securities of the client / TM. In case of a trade by a client / TM whose securities are re-pledged with

55 Refer “Eligibility of bank instruments as collateral” as specified at para 92 of this circular.

CC, the CC shall first block the available collateral provided by CM as mentioned in point 41.12.3 above. However, at periodical interval (latest by end of day), CC shall release the blocked securities collateral of CM to the extent of re-pledged securities collateral of that client / TM available with the CC.

41.12.5 In the event of default by a client of TM, the TM shall make good the default to CM. In the event of default by a client or TM on its proprietary position, the CM shall make good the default to CC. However, in the event of default by client/s leading to default of TM and also the CM, the following process shall be applied by TM/CM/CC for invocation of pledged and re-pledged securities of client/TM/CM:

a. In case of default by a client of TM/CM or default of TM leading to the default of CM, CC shall:

   i. encash the available collateral including cash, cash equivalent collateral, CM’s own pledged securities.

   ii. After encashing the available collateral of CM, also be entitled to directly invoke the re-pledged securities of client / TM who has any open position so as to close out the open positions of that client.

   iii. not be entitled to invoke re-pledged securities of those clients who did not have any open position to meet settlement obligation of the defaulting CM

b. In case of default by a client of TM or default of TM, CM shall:

   i. be entitled to liquidate available cash, cash equivalent collateral and TM’s own pledged /or re-pledged securities with CM/ CC to meet settlement/margin obligations of defaulting TM or client(s) of that TM.

   ii. After encashing the available collateral of TM, be entitled to directly invoke re-pledged securities of the client of defaulting TM who has open position through CM so as to close out his position.

   iii. not be entitled to invoke re-pledged securities of those clients of defaulting TM who did not have any open position,

   iv. ensure that the client securities of TM/ CM re-pledged with the CC are not utilized for meeting the margin requirement/ settlement obligation of a TM’s/CM’s own proprietary position or margin requirement/ settlement obligation of any other client of TM / CM.

42. Segregation and Monitoring of Collateral at Client Level⁵⁶

42.1 In order to strengthen the mechanism of protection of client collateral from (i) misappropriation/ misuse by TM/ CM and (ii) default of TM/CM and/or other clients, the following framework for segregation and monitoring of collateral at client level is specified:

Reporting Mechanism by TMs and CMs

42.2 With a view to providing visibility of client-wise collateral (for each client) at all levels, viz., TM, CM and Clearing Corporation (CC), a reporting mechanism, covering both cash and non-cash collateral, shall be specified by the CCs. Details in respect of the same are as under:

a) The reporting structure shall entail disaggregated information (segment-wise and asset type wise break-up) of each client collateral in the following manner:

• TM shall report disaggregated information on collaterals up to the level of its clients to the CM.

• CM shall report disaggregated information on collaterals up to the level of clients of TM and proprietary collaterals of the TMs to the Stock Exchanges (SEs) and CCs in respect of each segment.

b) The details to be submitted in the report shall essentially cover the following information, in order to provide a holistic view of the entire client collateral at various levels up to the level of CC:

Table 11

| TM to CM | CM to SE & CC |
|---|---|
| Client collateral received by TM | Client collateral received by TM |
| Client collateral retained by TM | Client collateral retained by TM |
| Client collateral placed with CM | Client collateral placed with CM |
| | Client collateral retained by CM |
| | Client collateral placed with CC |

c) The aforementioned information shall be required to be reported on a daily basis.

56 Reference: Circular SEBI/HO/MRD2_DCAP/CIR/2021/0598 dated July 20,2021

42.3 A web portal facility shall be provided by the CCs/SEs to allow clients to view aforesaid disaggregated collateral reporting by TM/CM.

Collateral Deposit and Allocation

42.4 In case of securities collateral provided to CC through margin pledge/re-pledge in the Depository system, CC has visibility of the client to whom such securities belong to, and accordingly is able to assign the value of the securities collateral, based on applicable haircut, to that client’s account.

42.5 Similarly, for other forms of collateral placed with the CC, the CCs shall provide a facility to CMs for upfront segment-wise allocation of collateral to a TM/ client or CM’s own account. The CCs shall use such collateral allocation information to ensure that the collateral allocated to a client is used towards the margin obligation of that client only.

42.6 There shall be no change in the procedures pertaining to placing of securities as collateral through the margin pledge/re-pledge mechanism in the Depository system, and this collateral will be identified as belonging to a client or as being proprietary securities of the TM or CM, as the case may be, as per the existing procedures.

42.7 While depositing other forms of collateral i.e. Cash, Fixed Deposits (FDs), Bank Guarantees [57] (BGs) or Government Securities provided through the SGL/CSGL route, etc, the CM shall allocate these collaterals into proprietary account of CM, and/or proprietary account of any TM clearing through the CM, and/or account of any of the clients (including Custodial Participants (CPs)) clearing through the CM, and/or of any of the clients trading through the TM who in turn is clearing through the CM, segment-wise.

42.8 In case of such collateral received by the CM from any TM, the CM shall not accept the same without the TM specifying break-up of such collateral into proprietary account of the TM and/or uniquely identified client account. Similarly, the CC shall not accept such collateral without the CM specifying appropriate break-up of such collateral into proprietary account of CM/ proprietary account of TM/ client account. The CM shall ensure that the sum of break-up of such collateral provided by TM is equal to the total value of such collateral provided by TM, and that the allocation of such collateral to any entity as reported to the CC does not exceed the allocation of collateral reported by the TM for that entity.

57 Refer “Eligibility of bank instruments as collateral” as specified at para 92 of this circular.

42.9 The amount of collateral allocated shall not exceed the amount of collateral received by the TM/CM from the client and reported as such under the reporting mechanism (refer Para 42.2 above), excluding the securities collateral re-pledged to CC through margin pledge mechanism. Further, the sum of client collateral retained by the TM/CM and client collateral passed on to CM/CC shall equal the amount of collateral received by the TM/CM from the client. Also, the allocation of collateral at CC shall not be lower than the amount of collateral (except securities collateral repledged to CC) reported as having been passed on by the CM to the CC. The CC shall have appropriate validations in place in respect of allocations and reporting done by CMs. Further, CMs shall also perform validations at their end in respect of allocations and reporting done by TMs.

42.10 An illustration is provided at Annexure-16 regarding permitted and non-permitted allocation of collateral.

42.11 ……. [58]

42.12 The allocation thus provided by the CM to CC and by TM to CM shall be considered as final by the CC and CM respectively for the purpose of granting exposure and utilization during default.

42.13 The TM/CM shall ensure that sufficient collateral is allocated to clients to cover their margin requirements. However, if the client margin applicable at the CC for a client in a segment exceeds the collateral allocated to the client plus the securities collateral re-pledged to CC (from that client’s account) in the respective segment, then the proprietary collateral of the TM/CM shall be blocked (including repledged/pledged securities and allocated collateral). Such margin blocked from the proprietary collateral towards a client’s margin shall be deemed to have been the collateral allocated to that client. This provision shall include deemed allocation of TM’s proprietary collateral towards client margins and deemed allocation of CM’s proprietary collateral towards TM/CP/client margins.

42.14 The members shall ensure that allocated collateral plus value of securities collateral re-pledged to the CC for a client is at all times greater than or equal to the minimum margin collection requirement for the respective client in the respective segment, since the amount of minimum margin collection requirement for a client may be different from the margin applicable at CC. CCs shall put in place effective deterrent mechanisms (penalty structure) in consultation with SEBI, which shall be applicable in cases where the allocated collateral plus the securities collateral re-pledged to CC in respect of a client, is falling short of minimum margin collection requirement in the respective segment.

58 Deleted in view of Circular SEBI/HO/MIRSD/MIRSD-PoD-1/P/CIR/2023/061 dated April 25, 2023

42.15 Information regarding the collateral allocated by the CM shall be made available on a daily basis on the web portal facility to clients to view disaggregated collateral reporting by TM/CM (refer Para 42.3). Further, CC shall also provide a facility to the TMs of the clients to view such collateral allocation to the clients by the CM.

Collateral Valuation

42.16 CMs are required to maintain at least 50% of the total collateral in the form of cash or cash equivalents. At individual client level, a client may have allocation of cash equivalent, less than the value of non-cash collateral provided by the client. In other words, the minimum 50% cash equivalent collateral requirement may not be applied at the client level. For the purpose of monitoring of at least 50% cash-equivalent collateral at the level of CM, the excess cash-equivalent collateral of a client shall not be considered for other client or for proprietary account of TM/CM. However, the excess cash-equivalent collateral of proprietary account of TM/CM can be considered for clients trading/clearing through them, for the purpose of monitoring minimum 50% cash-equivalent requirement.

42.17 An illustration of the above requirement is provided at Annexure-17.

Blocking of Margins

42.18 The procedure for blocking of margins only specifies the order of blocking of collateral available with the CC. There shall be no change in the requirement of collection of upfront margins by the TM/CM. The TM/CM shall be required to ensure that sufficient collateral is allocated to clients to cover their margin requirements. (refer 42.12 and 42.13 above)

42.19 The terms “Client Collateral”, “TM Collateral”, “CP Collateral” and “CM Collateral” shall mean the total of the allocated collateral value plus the value of demat securities collateral provided through margin pledge/re-pledge by any individual client, TM, CP and CM respectively to the level of CC. The TM/CM collateral shall mean the proprietary collateral of the TM/CM only and shall not include the collateral of any of their clients.

42.20 On receipt of a trade from a client account by the CC, the margin shall first be blocked from the value of the client collateral. If the client collateral is not sufficient, the residual margin shall be blocked from the TM proprietary collateral of the TM of such client. If the TM proprietary collateral is also not sufficient, then the residual margin shall be blocked from the CM proprietary collateral of the CM of such TM.

42.21 In case of a trade from the proprietary account of a TM, the margin shall first be blocked from the TM proprietary collateral, and in case such collateral is not sufficient, then the residual margin shall be blocked from the CM proprietary collateral.

42.22 Margins based on trades from proprietary account of the CM shall be blocked from the proprietary collateral of the CM only.

42.23 An illustration of blocking of margins is provided at Annexure-18.

42.24 For monitoring of the risk reduction mode (90% utilization or such applicable limit), the following procedure shall be adopted:

a.) TM level risk reduction mode: Client margin in excess of 90% of the client collateral shall be identified for each client under a TM. The total of such client margin in excess of 90% of the client collateral, plus the proprietary TM margin shall be assessed against the TM proprietary collateral for monitoring of TM level risk reduction mode.

b.) CM level risk reduction mode: Sum of client margin in excess of 90% of the client collateral for each client under a TM plus the proprietary TM margin, in excess of 90% of TM proprietary collateral shall be calculated as TM margin in excess of 90% of TM collateral. Sum of such margin for each TM clearing through a CM, plus sum of client margin in excess of 90% of the client collateral for each client clearing through such CM, plus the proprietary CM margin shall be assessed against the proprietary CM collateral for monitoring of CM level risk reduction mode.

42.25 An illustration for monitoring of risk reduction mode is provided at Annexure-19.

42.26 In case of CP trades executed by TMs, the margin shall be blocked in the following order- (i) CP collateral through the executing TM, if any, (ii) residual margin from the proprietary collateral of the executing TM, and (iii) residual margin from the proprietary collateral of the CM of the executing TM. Upon confirmation of such trades by CM of the CP, the margin so blocked prior to the confirmation shall be released, and shall be blocked in the following order- (i) CP collateral through the confirming CM, and (ii) residual margin from the proprietary collateral of the confirming CM. In case of CP trades, the requirement to ensure that sufficient collateral is allocated to clients to cover their margin requirements shall be on the confirming CM. However, if the trade is confirmed under the auto approval facility provided by the CC, then margin shall be directly blocked in the following order- (i) CP collateral through the confirming CM, and (ii) residual margin from the proprietary collateral of the confirming CM.

Change of Allocation

42.27 CMs shall be permitted to change the allocation of collateral deposited with the CC, subject to the value allocated to any client not exceeding the value of actual collateral received from that client (excluding the securities collateral re-pledged to CC through margin pledge mechanism). However, such change of allocation shall be permitted subject to adequacy of available collateral with the CC after the change vis-à-vis the margin obligation. An illustration is provided at Annexure-20.

42.28 CC shall also provide notification of such change of allocation of collateral to the concerned client, in respect of whom the allocation has been changed, pursuant to the change of allocation.
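The blocking order of paras 42.20 to 42.22 and the risk reduction mode sums of para 42.24 can be expressed as below. This is an added example, not part of the circular or its Annexures 18 and 19 (which are not reproduced on this page); the class, function and parameter names are assumptions, and the figures in the demo are constructed.

```python
from dataclasses import dataclass

LIMIT_PCT = 90  # "90% utilization or such applicable limit" (para 42.24)


@dataclass
class Pool:
    """Collateral of one account as seen at the CC (para 42.19):
    allocated value plus margin pledged/re-pledged securities."""
    collateral: float
    blocked: float = 0.0

    def block(self, amount):
        """Block up to `amount` from the free collateral; return what was blocked."""
        taken = min(amount, max(self.collateral - self.blocked, 0))
        self.blocked += taken
        return taken


def block_margin(margin, chain):
    """Block `margin` along `chain`, an ordered list of (label, Pool).

    Client trade (42.20):         [client, TM proprietary, CM proprietary]
    TM proprietary trade (42.21): [TM proprietary, CM proprietary]
    CM proprietary trade (42.22): [CM proprietary]
    Returns ({label: amount blocked}, residual margin left uncovered).
    A client pool never appears in another account's chain, so one
    client's collateral is never blocked for anyone else's trade.
    """
    residual, blocked = margin, {}
    for label, pool in chain:
        if residual <= 0:
            break
        taken = pool.block(residual)
        if taken:
            blocked[label] = taken
        residual -= taken
    return blocked, residual


def excess_over_limit(margin, collateral, limit_pct=LIMIT_PCT):
    """Margin in excess of `limit_pct` percent of the collateral, floored at zero."""
    return max(margin - collateral * limit_pct / 100, 0)


def tm_level_load(client_positions, tm_prop_margin):
    """Para 42.24(a): sum of each client's margin in excess of 90% of that
    client's collateral, plus the TM proprietary margin. The result is what
    gets assessed against the TM proprietary collateral.
    `client_positions` is a list of (margin, collateral) pairs."""
    return sum(excess_over_limit(m, c) for m, c in client_positions) + tm_prop_margin


def cm_level_load(tms, direct_clients, cm_prop_margin):
    """Para 42.24(b): for each TM, the TM-level load in excess of 90% of the TM
    proprietary collateral; plus the excess of clients clearing directly through
    the CM; plus the CM proprietary margin. Assessed against the CM proprietary
    collateral. `tms` is a list of (client_positions, tm_prop_margin,
    tm_prop_collateral) tuples."""
    total = cm_prop_margin
    for client_positions, tm_margin, tm_collateral in tms:
        total += excess_over_limit(tm_level_load(client_positions, tm_margin), tm_collateral)
    total += sum(excess_over_limit(m, c) for m, c in direct_clients)
    return total


if __name__ == "__main__":
    # Constructed figures, not taken from the circular's annexures.
    client, tm, cm = Pool(100), Pool(50), Pool(200)
    print(block_margin(180, [("client", client), ("tm", tm), ("cm", cm)]))
    print(block_margin(40, [("tm", tm), ("cm", cm)]))
    print(block_margin(200, [("cm", cm)]))
    tm_a = ([(95, 100), (50, 100)], 30, 100)
    tm_b = ([(200, 100)], 20, 100)
    print(cm_level_load([tm_a, tm_b], [(100, 100)], 50))
```
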
Client Margin Reporting

42.29 There shall be no change in the client margin reporting process.

Settlement

42.30 There shall be no change in the settlement process.

Withdrawal of Collateral

42.31 Subject to the CM not being in default and fulfilling all obligations on a going concern basis, the CM may place requests for withdrawal of collateral to the CC.

42.32 After validation of such requests, if the collateral is found to be releasable, the CC shall release the collateral to the CM. CM may return the collateral to TM/CP/Clients or utilize collateral of the entities who are in default.

42.33 CC shall also provide notification of such withdrawal of allocation of collateral to the concerned clients, in respect of whom the allocation has been withdrawn, pursuant to the withdrawal of allocation.

Default Management Process

42.34 The default management process by the CCs in case of default by a CM shall take place in four stages:
a. Stage 1: Completion of settlement to non-defaulting CMs
b. Stage 2: Portability or immediate return of collateral
c. Stage 3: Close-out of positions and provisional appropriation of collateral
d. Stage 4: Identification of defaulting clients and final appropriation of collateral

Stage 1: Completion of settlement to non-defaulting CMs

42.35 CC shall utilize available financial resources to complete settlement in a timely manner and complete the pay-outs to the non-defaulting members.

Stage 2: Portability or immediate return of collateral

42.36 CC shall put in place a mechanism/ process for TMs/clients/CPs of defaulting CM to establish that they are not in default to the defaulting CM and have deposited collateral to the extent of allocation (including deemed allocation). This process shall be completed within a pre-specified time period. On identification of such non-defaulting TMs/clients/CPs, CC shall provide them opportunity for either porting of their positions and collateral to another CM or immediate return of their collateral.

42.37 Portability of Positions and Collateral:

a.) Entities desirous of availing the facility of portability shall be required to have established alternative trading/clearing arrangements with other TMs/CMs other than the defaulting CM.

b.) If any pay-out is due to such entities, such pay-out shall be made to the entities. As a result, the amount of such pay-out shall be added to the pay-in shortfall of the defaulting CM.

42.38 Immediate return of collateral:

a.) Collateral of such entities shall only be utilized to the extent of losses due to liquidation of their respective positions, and the remaining collateral shall be returned, along with the pay-out due to such entities, if any. As a result, the amount of such pay-out shall be added to the pay-in shortfall of the defaulting CM.

42.39 In some circumstances, it may be desirable to liquidate the positions and even the collateral, since both are subject to risks. Under such circumstances, not closing out positions/collateral to allow for portability may lead to accumulation of losses. Considering the nature of positions, market conditions and such other risk assessment, the CC may at any stage decide to not provide the facility of portability. If the CC decides to not provide the opportunity for portability, the CC shall crystalize the profits/losses on close-out of positions and the value of collateral arrived at after liquidation of the same.

Stage 3: Close-out of positions and provisional appropriation of collateral

42.40 For the remaining entities after Stage 2, i.e., entities other than the ones who could avail the opportunity of either porting or immediate return of collateral in Stage 2, following process shall be followed:

a.) CC shall close out all open positions of the defaulting CM, including the positions of TMs/clients/CPs clearing through such CM.

b.) CC shall first utilize the CM/TM/Client/CP collateral for meeting any losses in close-out of respective positions. It is clarified that TM/Client/CP collateral shall include both allocated collateral (including deemed allocated collateral) and the value of securities collateral provided through margin pledge/re-pledge to the level of CC.

c.) In case of any shortfall in collateral of any entity under the CM, any excess proprietary collateral of the TM / CM of such entity shall be used. This shall follow the same order of utilization as in case of blocking of margins. Any shortage in the proprietary collateral of the TM / CM shall be met by applying the default waterfall of the CC.

d.) With regard to the defaulted settlement obligations, following process shall be followed:

   i.) Any pay-out made to the non-defaulting clients in Stage 2 shall be added to the defaulted obligations.

   ii.) The defaulted obligations (including pay-out in Para (i) above) shall be first adjusted with the proprietary obligation of the defaulting CM to the extent of funds/securities payable for the proprietary trades.
      • Any shortage in the proprietary collateral of the defaulting CM shall be met by applying the default waterfall of the CC.
      • Any excess proprietary collateral of the CM shall also be used for meeting the defaulted obligations.

   iii.) Remaining defaulted obligations shall be attributed pro-rata: funds pay-in shortfall shall be attributed pro-rata among TM/clients/CP having funds payable and securities pay-in shortfall shall be attributed pro-rata among TM/clients/CP having deliverable positions in the security. Such losses shall be recovered from the collateral of the TM/clients/CP available, if any.
      • Any shortage in the collateral of such TM/clients/CP shall be met by applying the default waterfall of the CC.

   iv.) In case of any defaulted obligations attributed to a TM in Para (iii) above (and in turn to its clients), the process enunciated above at Para (ii) and (iii) above for a defaulting CM and its constituents shall apply, mutatis mutandis, to the TM.

e.) The aforesaid pro-rata attribution of shortages shall be provisional. The actual attribution of shortages to clients shall be done in Stage-4.

f.) In case there is any profit to a TM/client/CP during the close-out process, such close-out profit shall be considered as pay-out due to the TM/client/CP.

42.41 An Illustration on the procedures to be followed in the Stage-2 and the Stage-3 are given at Annexure-21.

Stage 4: Identification of defaulting clients and final appropriation of collateral

42.42 The procedure for verification and settlement of claims of constituents of defaulting CM shall be as follows:

a.) The process for identification of defaulting TM/CP/clients and the return of collateral of non-defaulting TM/CP/clients shall be administered by the appropriate committee viz., Member and Core Settlement Guarantee Fund Committee (MCSGFC) of the Exchange or the CC.

b.) The amount that can be claimed by the non-defaulting TM/CP/clients from the CC shall be limited to the allocated collateral (including deemed allocated) and the value of securities collateral provided through margin pledge/re-pledge to the level of CC, plus the pay-out (including profit if any during close-out) due to the constituent, less the losses in close-out of positions of the constituent.

c.) The MCSGFC of the CC/Exchange shall implement the relevant procedures for verification and settlement of claims of the non-defaulting TM/CP/clients of the defaulting CM.

d.) The constituents actually in default shall be identified and the pro-rata attribution of shortages performed in Stage-3 shall be replaced by the actual attribution of shortages. If there has been any excess collateral appropriated at Stage-3 due to pro-rata attribution, such excess appropriation shall be corrected, and the constituents shall be returned the collateral in full along with the pay-out due to such entities. This amount shall be recovered from the constituents who have higher shortage (pursuant to actual attribution) than the one attributed on pro-rata basis. If such clients do not have sufficient collateral, then the default waterfall of the CC (including its Core Settlement Guarantee Fund (Core SGF), as per the specified order of waterfall) shall be applied.

e.) For any collateral of a client retained by TM/CM, and not allocated to that client’s account, the Exchange or the CC shall initiate suitable actions before appropriate court of law for liquidating the assets (movable and immovable) of the defaulter member as per the existing provisions. Further, eligible clients will also have the access to compensation from the Investor Protection Fund, as per the existing provisions.

42.43 Illustration on procedures to be followed in Stage-4 are provided at Annexure-22.

Default of TMs to CMs

42.44 The following procedure shall be adopted in case of default of TM to CM:

a.) The CM shall continue to meet its obligations towards its other constituents, as well as the CC.

b.) The CM shall close-out all open positions of the defaulting TM (including clients under the TM).

c.) Under the supervision of the CC, the CM shall appropriate the collateral towards losses. The losses in closing-out open positions and the settlement obligations due from clients of the TM shall be appropriated first from the allocated collateral (as per allocation provided by TM to CM, including deemed allocated) and securities collateral provided through margin pledge/ repledge to the level of CM/CC of respective clients. Any residual losses as well as the losses in closing-out open positions and the settlement obligations of the TM proprietary account shall be appropriated from the TM proprietary collateral. In case of TM proprietary collateral being insufficient, the losses shall not be appropriated from any other constituent of the CM or any constituent of the defaulting TM.

d.) After the above utilization towards losses in closing-out open positions of the defaulting TM (and clients under the TM) and net settlement shortfall, all remaining collateral/funds received from the defaulting TM (lying with CM/CC) shall be provided by the CM to the Stock Exchanges.

e.) Since the TM will be leading to default, the Stock Exchanges shall institute relevant applicable procedures against the TM as per existing regulatory provisions, byelaws, rules and regulations of the Stock Exchanges.

Violations

42.45 Any false allocation by members shall be treated as a violation and disciplinary action shall be taken against the members.

42.46 The aforementioned framework for segregation and monitoring of collateral at client level shall be applicable to all segments and product classes at Stock Exchanges/ Clearing Corporations.

43. Maintenance of current accounts in multiple banks by Stock Brokers [59]

43.1 The Stock Brokers should maintain current accounts in appropriate number of banks (subject to the maximum limit prescribed by Stock Exchanges/SEBI from time to time) for holding the client funds (i.e., Client Account), for settlement purposes (i.e., Settlement Account) and any other accounts mandated by Stock Exchanges such as Exchange Dues Account subject to the condition that brokers are using these accounts for their defined purposes.

44. Block Mechanism in demat account of clients undertaking sale transactions [60]

44.1 When the client intends to make a sale transaction, shares will be blocked in the demat account of the client in favour of Clearing Corporation. If sale transaction is not executed, shares shall continue to remain in the client's demat account and will be unblocked at the end of the T day. Thus, this mechanism will do away with the movement of shares from client's demat account for early pay-in and back to client's demat account if trade is not executed.

44.2 Process for Block Mechanism:

44.2.1 The securities lying in client's demat account will be blocked either by client himself using depository's online system or eDIS mandate or through depository participant based on physical DIS given by client or Power of Attorney (POA) holder.

59 Reference: Circular SEBI/HO/MIRSD/DOP/P/CIR/2021/653 dated October 28, 2021

60 Reference: Circular SEBI/HO/MIRSD/DOP/P/CIR/2021/595 dated July 16, 2021, Circular SEBI/HO/MIRSD/DOP/P/CIR/2022/109 dated August 18, 2022 and Circular SEBI/HO/MIRSD/DoP/P/CIR/2022/143 dated October 27, 2022

44.2.2 Depositories may keep block on the securities in client's demat account in respect of Intra or Inter depository transfer instruction till pay-in day. The blocked securities will be transferred only after checking against the client level net delivery obligation received from CCs.

44.2.3 Depositories will provide the details of transfer instructions viz., UCC, TM ID, Exchange ID etc. to CCs for clients to avail EPI benefit.

44.2.4 CC will match the client level net obligations with the Block details provided by depositories and CC will provide EPI benefit to client if the client level net obligation exists for that client.

Matched orders:

44.2.5 In case of matched orders, block securities will be debited from Client's demat account and will be credited to linked TM Pool account upto pay-in day. TM shall further transfer such securities to CM Pool account.

44.2.6 TM shall not transfer the securities to any other pool account other than CM pool account mapped to the TM account. Pool to Pool transfers except TM pool to CM pool shall not be permitted.

44.2.7 Inter-settlement shall not be allowed from TM Pool account and CM pool account.

44.2.8 Securities lying in CM pool account will be delivered in settlement process on the Pay-in date. If TM Pool Account is also mapped as a CM Pool Account, then, securities lying in such TM/CM Pool Account can also be delivered in the settlement process.

Unblocking of Securities:

44.2.9 After receiving client level net obligations on T day from CCs, depositories will match the Intra or Inter depository transfer instruction details with CC obligation details based on UCC, TM ID, CM ID, Exchange ID, etc.

44.2.10 In case of unmatched orders, CCs shall upload cancellation of Block instruction on T day so that securities are unblocked and become free in client's demat account on T day itself.

44.2.11 Broker or client shall not be allowed to unblock securities if EPI benefit is provided by CC to client for the same.

Margining of Trades:

44.2.12 When the client intends to block securities for a sale transaction, shares will remain blocked in favour of CC. If securities are blocked in favour of CC, then all Margin would be deemed to have been collected and penalty for short/non collection of margin including other margins shall not arise.

44.2.13 Blocking shall be on 'time basis' and would mean if the order is not executed by the end of the T day, the block shall be released.

44.3 The facility of block mechanism shall be mandatory for all Early Pay-In transactions.

44.4 The block mechanism shall not be applicable to clients having arrangements with custodians registered with SEBI for clearing and settlement of trades.

45. Handling of Client’s Securities by Trading Members/ Clearing Members [61]

45.1 In order to provide clarity with respect to a TM/CM maintaining a running account for client securities and pledging the client securities with Banks/NBFCs, after discussions with the Exchanges, Depositories and Clearing Corporations, the following advice is issued:

45.1.1 All the securities received in pay-out, shall be transferred to the demat account of the respective clients directly from the pool account of the TM/CM within one working day of the pay-out.

45.1.2 With regard to the unpaid securities (i.e., the securities that have not been paid for in full by the clients), such securities shall be transferred to respective client’s demat account followed by creation of an auto-pledge (i.e., without any specific instruction from the client) with the reason “unpaid”, in favor of a separate account titled – “client unpaid securities pledgee account”, which shall be opened by TM/CM.

61 Reference: Circular CIR/HO/MIRSD/DOP/CIR/P/2019/75 dated June 20, 2019 and Circular SEBI/HO/MIRSD/MIRSD-PoD-1/P/CIR/2022/153 dated November 11, 2022.

45.1.3 After the creation of pledge, a communication (email / SMS) shall be sent by TM/CM informing the client about their funds obligation and also about the right of TM/CM to sell such securities in event of failure by client to fulfill their obligation.

45.1.4 If the client fulfills its funds obligation within five trading days after the pay-out, TM/CM shall release the pledge so that the securities are available to the client as free balance.

45.1.5 If the client does not fulfill its funds obligation, TM / CM shall dispose off such unpaid securities in the market within five trading days after the pay-out. TM/CM, before disposing the securities, shall give an intimation (email / SMS) to the client, one trading day before such sale.

45.1.6 The unpaid securities shall be sold in the market with UCC of the respective client. Profit/loss on the sale transaction of the unpaid securities, if any, shall be transferred to/adjusted from the respective client account.

45.1.7 TM / CM shall invoke the pledge only against the delivery obligation of the client. On invocation, the securities shall be blocked for early pay-in in the client’s demat account with a trail being maintained in the TM/CM’s client unpaid securities pledgee account.

45.1.8 Once such securities are blocked for early pay-in in client’s demat account, the depositories shall verify the block details against the client level obligation.

45.1.9 In case, such pledge is neither invoked nor released within seven trading days after the pay-out, the pledge on securities shall be auto released and the securities shall be available to the client as free balance without encumbrance.

45.1.10 Such unpaid securities pledged in client’s account shall not be considered for the margin obligations of the client.

45.2 Monitoring with respect to handling of clients securities:

Stock Exchanges, Clearing Corporations and Depositories shall put in place a mechanism for monitoring of the following:

45.2.1 Handling of unpaid clients’ securities by the TM/CM – Mechanism of matching of transfer of securities with the securities obligation as obtained from the clearing corporation with respect to the following:
   i. Securities transferred from the client unpaid securities account to the pool account
   ii. Securities transferred from the client unpaid securities account to the concerned client account,
   iii. Securities transferred from pool account to the concerned client account

45.2.2 Securities lying with TM/CM in client unpaid securities account shall not be permitted to be pledged/transferred to Banks/NBFCs for raising funds by TM/CM.

46. Validation of Instructions for Pay-In of Securities from Client demat account to Trading Member (TM) Pool Account against obligations received from the Clearing Corporations [62]

46.1 Depositories, prior to executing actual transfer of the securities for Pay-In from client demat account to TM Pool account, shall validate the transfer instruction received through any of the available channels for the purpose of Pay-in, i.e. either initiated by clients themselves or by the Power of Attorney (POA) / Demat Debit and Pledge Instruction (DDPI) holder against the client-wise net delivery obligation received from CCs.

46.2 For Early Pay-In transactions, the existing facility of Block mechanism shall continue.

46.3 In order to validate the Pay-In Instructions, the following process shall be put in place by the Depositories:

Validation of transfer instruction details with CC obligation details

46.3.1 Depositories receive the debit instruction for the purpose of Pay-In, given either by client himself using depository’s online system or eDIS mandate or through depository participant based on physical DIS / digitally signed DIS given by client or POA / DDPI holder.

62 Reference: Circular SEBI/HO/MIRSD/DoP/P/CIR/2022/119 dated September 19, 2022.

46.3.2 CCs shall provide client-wise net delivery obligations on T day to the depositories.

46.3.3 Based on the obligation data provided by CCs, Depositories shall validate the depository transfer instruction details with CC obligation details based on UCC, TM ID, CM ID, Exchange ID, ISIN, quantity, settlement details etc.

Matched instruction:

46.3.4 In case of matching of all details like UCC, TM ID, CM ID, ISIN, quantity, settlement details etc. of the transfer instruction with the obligation data, the instruction shall be carried out by the Depositories and such securities will be debited from client’s demat account and credited to linked TM Pool account on or before the settlement day.

Unmatched instruction:

46.3.5 In case of discrepancies in details like UCC, TM ID, CM ID, ISIN etc., between instruction and obligation, such transfer instructions will be rejected by the depositories.

46.3.6 In case of discrepancies in quantity of securities between instruction and obligation, the following shall be noted:

46.3.6.1 If the quantity in instruction is less than the obligation provided by CC, then the instruction will be carried out by the depositories.

46.3.6.2 If the quantity in instruction is more than the obligation provided by CC, then the instruction will be partially processed by the depositories (i.e., upto the matching obligation quantity).

Trades Confirmed by Custodians:

46.3.7 This process shall not be applicable to clients having arrangements with custodians registered with SEBI for clearing and settlement of trades.
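The matching rules of paras 46.3.3 to 46.3.6 amount to a small validation routine, sketched below as an added example that is not part of the circular or any depository's system. The field names, the sample identifiers (including the ISIN) and the cumulative tracking of quantity already moved against an obligation are assumptions; the tracking is included so that a repeated instruction cannot debit more than the net obligation.

```python
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    EXECUTED = "executed"            # 46.3.4 and 46.3.6.1
    PARTIAL = "partially processed"  # 46.3.6.2
    REJECTED = "rejected"            # 46.3.5

# Identifying details compared under para 46.3.3 (field names are assumptions).
KEY_FIELDS = ("ucc", "tm_id", "cm_id", "exchange_id", "isin", "settlement_no")


@dataclass(frozen=True)
class Record:
    """Shape shared by a CC net delivery obligation and a pay-in instruction."""
    ucc: str
    tm_id: str
    cm_id: str
    exchange_id: str
    isin: str
    settlement_no: str
    quantity: int

    def key(self):
        return tuple(getattr(self, f) for f in KEY_FIELDS)


class PayInValidator:
    def __init__(self, obligations):
        self._remaining = {}       # key -> quantity still deliverable
        self._by_client_isin = {}  # (ucc, isin) -> obligations, for diagnostics
        for ob in obligations:
            self._remaining[ob.key()] = self._remaining.get(ob.key(), 0) + ob.quantity
            self._by_client_isin.setdefault((ob.ucc, ob.isin), []).append(ob)

    def validate(self, instr):
        """Return (Outcome, quantity to debit, reason for the audit trail)."""
        if instr.quantity <= 0:
            return Outcome.REJECTED, 0, "non-positive quantity"
        key = instr.key()
        if key not in self._remaining:
            return Outcome.REJECTED, 0, self._mismatch_reason(instr)
        remaining = self._remaining[key]
        if remaining == 0:
            # Assumption: nothing is left once earlier instructions met the obligation.
            return Outcome.REJECTED, 0, "obligation already met by earlier instructions"
        qty = min(instr.quantity, remaining)
        self._remaining[key] = remaining - qty
        if qty < instr.quantity:
            return Outcome.PARTIAL, qty, f"instruction exceeds obligation by {instr.quantity - qty}"
        return Outcome.EXECUTED, qty, "matched"

    def _mismatch_reason(self, instr):
        """Name the differing fields of the closest obligation for the same client and ISIN."""
        candidates = self._by_client_isin.get((instr.ucc, instr.isin), [])
        if not candidates:
            return "no obligation for this UCC and ISIN"
        def distance(ob):
            return sum(getattr(ob, f) != getattr(instr, f) for f in KEY_FIELDS)
        best = min(candidates, key=distance)
        diff = [f for f in KEY_FIELDS if getattr(best, f) != getattr(instr, f)]
        return "mismatch on " + ", ".join(diff)


if __name__ == "__main__":
    # Constructed sample data: one obligation of 100 units and four instructions.
    base = dict(ucc="C001", tm_id="TM01", cm_id="CM01", exchange_id="EXCH1",
                isin="INE000X01010", settlement_no="S2024150")
    validator = PayInValidator([Record(**base, quantity=100)])
    for instr in (Record(**base, quantity=60),
                  Record(**base, quantity=60),
                  Record(**base, quantity=10),
                  Record(**{**base, "tm_id": "TM99"}, quantity=10)):
        print(validator.validate(instr))
```
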

47. Settlement of Running Account of Client’s Funds lying with Trading Member (TM) [63]

47.1 Regarding Settlement of running account, following shall be complied with:

47.1.1 The TM, after considering the End of the Day (EOD) obligation of funds across all the Exchanges, shall settle the running accounts at the choice of the clients on quarterly and monthly basis, on the dates stipulated by the Stock Exchanges.

47.1.2 Stock exchanges shall, jointly, issue the annual calendar for the settlement of running account (quarterly and monthly) at the beginning of the financial year.

47.1.3 TM shall ensure that funds, if any, received from clients, whose running account has been settled, remain in the “Up Streaming Client Nodal Bank Account” and no such funds shall be used for settlement of running account of other clients. Stock Exchanges shall evolve a monitoring mechanism for this purpose.

47.2 In case of client having any outstanding trade position on the day on which settlement of running account of funds is scheduled, a TM may retain funds calculated in the manner specified below:

47.2.1 Entire pay-in obligation of funds outstanding at the end of the day on settlement of running account, of T day & T-1 day.

47.2.2 Margin liability as on the date of settlement of running account, in all segments and additional margins (maximum upto 125% of total margin liability on the day of settlement). The margin liability shall include the end of the day margin requirement excluding the MTM and pay-in obligation, therefore, TM may retain 225% of the total margin liability in all the segments across exchanges.

Computation for arriving at retention of excess client funds based on above points would be as under:

Table 12

| Scenario | Fund pay in obligation of T day & T-1 day | EOD/peak margin requirement | 225% of the margin | Securities pledged/repledged | Client fund balance | Excess client funds retained |
|---|---|---|---|---|---|---|
| | A | B | C=225%*B | D | E | F=E-[(C-D)+A] |
| 1 | 110000 | 100000 | 225000 | 200000 | 300000 | 165000 |
| 2 | 50000 | 20000 | 45000 | 15000 | 50000 | 0 |
| 3 | 150000 | 100000 | 225000 | 280000 ^ | 180000 | 30000 |

^ Excess securities of Rs. 55,000 (i.e. 280000-225000) is not required to be unpledged.

63 Reference: Circular SEBI/HO/MIRSD/DOP/P/CIR/2021/577 dated June 16, 2021, Circular SEBI/HO/MIRSD/DOP/P/CIR/2022/101 dated July 27, 2022 and Circular SEBI/HO/MIRSD/MIRSD-PoD1/P/CIR/2023/197 dated December 28, 2023

47.3 Client’s running account shall be considered settled only by making actual payment into client’s bank account and not by making any journal entries. Journal entries in client account shall be permitted only for levy / reversal of charges in client’s account.

47.4 For the clients having credit balance, who have not done any transaction in the 30 calendar days since the last transaction, the credit balance shall be returned to the client by TM, within next three working days irrespective of the date when the running account was previously settled.

47.5 In cases where physical payment instrument (cheque or demand draft) is issued by the TM towards the settlement of running account due to failure of electronic payment instructions, the date of realization of physical instrument into client’s bank account shall be considered as settlement date and not the date of issue of physical instrument.

47.6 Retention of any amount towards administrative / operational difficulties in settling the accounts of regular trading clients (active clients), shall be discontinued.

47.7 The Authorized person is not permitted to accept client’s funds and securities. The TM should keep a proper check. Proprietary trading by Authorized person should be permitted only on his own funds and securities and not using any of the client’s fund.

47.8 Once the TM settles the running account of funds of a client, an intimation shall be sent to the client by SMS on mobile number and also by email. The intimation should also include details about the transfer of funds (in case of electronic transfer – transaction number and date; in case of physical payment instruments – instrument number and date). TM shall send the retention statement along with the statement of running accounts to the clients as per the existing provisions within 5 working days.

47.9 Client shall bring any dispute on the statement of running account, to the notice of TM within 30 working days from the date of the statement.

47.10 Stock Exchanges shall develop online system for effective monitoring of timely settlement of running account for funds of client and to verify that excess clients’ funds are not retained by the TM as on the date of settlement of running account. The intent of the online system shall be to discourage TM from retaining excess funds of clients after settlement of running account, by considering all the client obligations across exchanges. The responsibility of monitoring settlement of running account compliance of TM may be shared among Stock Exchanges.

48. Risk disclosure with respect to trading by individual traders in Equity Futures & Options Segment [64]

48.1 With a view to facilitating informed decision making by the investors trading in derivatives segment, it has been decided to introduce ‘Risk disclosures’ with respect to trading in equity Futures & Options (F&O) segment.

48.2 Accordingly, all stock brokers shall display the ‘Risk disclosures’ given at Annexure-23 on their websites and to all their clients in the manner as specified below:

48.2.1 Upon login into their trading accounts with brokers, the clients may be prompted to read the ‘Risk disclosures’ (which may appear as a pop-up window upon login) and shall be allowed to proceed ahead only after acknowledging the same.

48.2.2 The ‘Risk disclosures’ shall be displayed prominently, covering at least 50 percent area of the screen.

64 Reference: Circular SEBI/HO/MIRSD/MIRSD-PoD-1/P/CIR/2023/73 dated May 19, 2023

48.3 All Qualified Stock Brokers (QSBs) shall maintain the Profit and Loss (P&L) data of their clients on continuous basis as per the format given at Annexure-24. The P&L data of the clients shall be retained for at least 5 years.

49. Ease of Doing Investments by Investors- Facility of voluntary freezing/ blocking of Trading Accounts by Clients [65]

49.1 To enhance ease of doing business and ease of investment, it has been decided that the framework for Trading Members to provide the facility of voluntary freezing/blocking the online access of the trading account to their clients on account of suspicious activities shall be laid down on or before April 01, 2024, by the ISF, under the aegis of stock exchanges, in consultation with SEBI and the same shall, inter-alia, contain necessary guidelines with respect to the following:

49.1.1 Detailed policy for voluntary freezing/ blocking the online access of the trading account of the client including the following:

- modes through which a client can request/communicate to the Trading Member for voluntarily blocking the trading accounts;
- issuing of acknowledgement to the clients on receipt of message;
- time period within which the request shall be processed and the trading account shall be frozen/blocked.

49.1.2 Action to be taken by the Trading Member pursuant to the receipt of request for freezing/blocking of the trading account;

49.1.3 Process for re-enabling the client for trading/transfers;

49.1.4 Intimation to be provided by the trading member to the clients w.r.t. introduction of the facility to block the trading accounts.

49.2 Further, the Stock Exchanges shall ensure that the guidelines so issued under the aforesaid framework are implemented by Trading Members with effect from July 01, 2024. Stock Exchanges shall also put in place an appropriate reporting requirement by Trading Members to enforce the above system. A compliance report to this effect shall be submitted to SEBI by Stock Exchanges latest by August 31, 2024.

65 Reference: Circular SEBI/HO/MIRSD/POD-1/P/CIR/2024/4 dated January 12, 2024

50. Enhancement of operational efficiency and Risk Reduction-Pay-out of securities directly to client demat account [66]

50.1 To protect the clients’ securities from misuse, it has been decided to make the process of securities pay-out directly to client demat account mandatory, as detailed below:

50.1.1 The securities for pay-out shall be credited directly to the respective client’s demat account by the CCs.

50.1.2 CCs shall provide a mechanism for Trading Member (TM)/Clearing Members (CM) to identify the unpaid securities and funded stocks under the margin trading facility.

50.1.3 With regard to unpaid securities, the processes as specified at para 45 above shall be applicable.

50.2 The processes specified at para 50.1 above, shall not be applicable to clients having arrangements with custodians registered with SEBI for clearing and settlement of trades.

50.3 The processes specified at para 50.1 above shall come into force with effect from October 14, 2024.

50.4 Handling of shortages arising due to inter se netting of positions between clients: In case of any shortages arising due to inter se netting of positions between clients i.e., internal shortages, the following measures shall be taken to streamline the processes of handling of such shortages across the market:

50.4.1 TM/CM shall handle such shortages through the process of auction as specified by CCs.

50.4.2 In such cases, the brokers shall not levy any charges on the client over and above the charges levied by the CCs.

66 Reference: Circular SEBI/HO/MIRSD/MIRSD-PoD1/P/CIR/2024/75 dated June 05, 2024

VII. TECHNOLOGY RELATED PROVISIONS

51. Electronic Contract Note [67]

51.1 Brokers are allowed to issue contract notes authenticated by means of digital signatures provided that the broker has obtained digital signature certificate from Certifying Authority under the Information and Technology Act, 2000 (hereinafter referred to as “IT Act 2000”).

51.2 Contract notes can be issued by the brokers in electronic form authenticated by means of digital signatures.

51.3 All the members of stock exchanges who are desirous of issuing Electronic Contract Notes (ECNs) to their clients shall comply with the following conditions:

51.3.1 Authorization for Electronic Contract Notes - The stock broker may issue electronic contract notes (ECN) if specifically authorized by the client subject to the following conditions:

a. The authorization shall be in writing and be signed by the client only and not by any authorised person on his behalf or holder of the Power of Attorney.
b. The email id shall not be created by the broker. The client desirous of receiving ECN shall create/provide his own email id to the stock broker.
c. The authorization shall have a clause to the effect that any change in the email-id shall be communicated by the client through a physical letter to the broker. In respect of internet clients, the request for change of email id may be made through the secured access by way of client specific user id and password.

51.3.2 Issuing ECNs when specifically consented

67 Reference: Circular SMDRP/POLICY/CIR-56/00 dated December 15, 2000, Circular SEBI/SMD/SE/15/2003/29/04 dated April 29, 2003, Circular MRD/DoP/SE/CIR-20/2005 dated September 08, 2005 and Circular MIRSD/SE/CIR-19/2009 dated December 03, 2009

a. The digitally signed ECNs may be sent only to those clients who have opted to receive the contract notes in an electronic form, either in the Member – Client agreement / Tripartite agreement or by a separate letter. The mode of confirmation shall be as per the agreement entered into with the clients.

51.3.3 Where to send ECNs

a. The usual mode of delivery of ECNs to the clients shall be through e-mail. For this purpose, the client shall provide an appropriate e-mail account to the member which shall be made available at all times for such receipts of ECNs.

51.3.4 Requirement of digital signature

a. All ECNs sent through the e-mail shall be digitally signed, encrypted, non-tamperable and shall comply with the provisions of the IT Act 2000. In case the ECN is sent through e-mail as an attachment, the attached file shall also be secured with the digital signature, encrypted and non-tamperable.

51.3.5 Requirements for acknowledgement, proof of delivery, log report etc.

a. Acknowledgement

i. The acknowledgement of the e-mail shall be retained by the member in a soft and non-tamperable form.

b. Proof of delivery

i. The proof of delivery i.e., log report generated by the system at the time of sending the contract notes shall be maintained by the member for the specified period under the extant regulations of SEBI/stock exchanges and shall be made available during inspection, audit, etc.
ii. The member shall clearly communicate to the client in the agreement executed with the client for this purpose that non-receipt of bounced mail notification by the member shall amount to delivery of the contract note at the e-mail ID of the client.

c. Log Report for rejected or bounced mails

i. The log report shall also provide the details of the contract notes that are not delivered to the client/e-mails rejected or bounced back.
ii. Also, the member shall take all possible steps (including settings of mail servers, etc) to ensure receipt of notification of bounced mails by the member at all times within the stipulated time period under the extant regulations of SEBI/stock exchanges.

51.3.6 When to issue or send in Physical mode

a. In the case of those clients who do not opt to receive the contract notes in the electronic form, the member shall continue to send contract notes in the physical mode to such clients.
b. Wherever the ECNs have not been delivered to the client or have been rejected (bouncing of mails) by the e-mail ID of the client, the member shall send a contract note to the client in any of the following manner within the stipulated time under the extant regulations of SEBI/stock exchanges and maintain the proof of delivery of such contract notes

i. A physical contract note; or
ii. An ECN through electronic instant messaging services provided following safeguards are ensured:-

- Members shall send ECN through SMS / electronic instant messaging services only to the applications linked to the registered mobile number/ email id of clients as uploaded by members on the Exchange portal/database.
- ECN sent through SMS / electronic instant messaging services, shall be sent as an attachment and not as a link. The attached file may be secured with the digital signature, encrypted, non tamperable and password protected.
- The messages sent through SMS / electronic instant messaging services not to be covered under the auto delete facility at the option of the members.

- The members shall ensure that all ECNs are sent from the same ID and appropriate logs (sent/delivered/seen/not delivered/blocked etc.) are maintained by the members regarding the same. In case of not delivered/blocked etc, member shall issue physical contract note.

51.3.7 General requirements

a. ECNs through website

i. In addition to the e-mail communication of the ECNs in the manner stated above, in order to further strengthen the electronic communication channel, the member shall simultaneously publish the ECN on his designated web-site in a secured way and enable relevant access to the clients.

b. Access to the website

i. In order to enable clients to access the ECNs posted in the designated website in a secured way, the member shall allot a unique user name and password for the purpose, with an option to the client to access the same and save the contract note electronically or take a print out of the same.

c. Preservation/Archive of electronic documents

i. The member shall retain/archive such electronic documents as per the extant rules/regulations/circulars/guidelines issued by SEBI/Stock Exchanges from time to time.

52. Conditions to be met by Broker for providing Internet Based Trading Service [68]

52.1 Internet Based trading can take place through order routing systems, which will route client orders, to exchange trading systems, for execution of trades on the existing stock exchanges. SEBI Registered Brokers can introduce the service after obtaining permission from respective Stock Exchanges. Exchanges while giving permission will be required to ensure minimum conditions specified in the report which is available on the SEBI’s web site. The salient conditions to be met are:

68 Reference: Circular SMDRP/POLICY/CIR-06/2000 dated January 31, 2000 and Circular FITTC/DC/CIR-1/98 dated June 16, 1998.

52.2 Application for permission by Brokers

52.2.1 SEBI registered Stock Brokers interested in providing Internet based trading services will be required to apply to the respective stock exchange for a formal permission. The stock exchange should grant approval or reject the application as the case may be, and communicate its decision to the member within thirty calendar days of the date of completed application submitted to the exchange.

52.2.2 The stock exchange, before giving permission to brokers to start Internet based services shall ensure the fulfilment of the following minimum conditions:

a. Networth Requirement

i. The broker must have a minimum net worth of rupees fifty lacs if the broker is providing the Internet based facility on his own. However, if some brokers collectively approach a service provider for providing the internet trading facility, net worth criteria as prescribed in the Stock Brokers Regulations 1992 will apply.

b. Operational and System Requirements

i. Operational Integrity: The Stock Exchange must ensure that the system used by the broker has provision for security, reliability and confidentiality of data through use of encryption technology. (Basic minimum security standards are specified in following paras). The Stock Exchange must also ensure that records maintained in electronic form by the broker are not susceptible to manipulation.
ii. System Capacity: The Stock Exchange must ensure that the brokers maintain adequate backup systems and data storage capacity. The Stock Exchange must also ensure that the brokers have adequate system capacity for handling data transfer, and arranged for alternative means of communications in case of Internet link failure.
iii. Qualified Personnel: The Stock Exchange must lay down the minimum qualification for personnel to ensure that the broker has suitably qualified and adequate personnel to handle communication including trading instructions as well as other back office work which is likely to increase because of higher volumes.
iv. Written Procedures: Stock Exchange must develop uniform written procedures to handle contingency situations and for review of incoming and outgoing electronic correspondence.
v. Signature Verification/ Authentication: It is desirable that participants use authentication technologies. For this purpose it should be mandatory for participants to use certification agencies as and when notified by Government / SEBI. They should also clearly specify when manual signatures would be required.

c. Client Broker Relationship

i. Know Your Client: The Stock Exchange must ensure that brokers comply with all requirements of "Know Your Client" and have sufficient, verifiable information about clients, which would facilitate risk evaluation of clients.
ii. Broker-Client Agreement: Brokers must enter into an agreement with clients spelling out all obligations and rights. This agreement should also include inter alia, the minimum service standards to be maintained by the broker for such services specified by SEBI/Exchanges for the Internet based trading from time to time.
iii. Exchanges will prepare a model agreement for this purpose. The broker agreement with clients should not have any clause that is less stringent/contrary to the conditions stipulated in the model agreement.
iv. Investor Information: The broker web site providing the internet based trading facility should contain information meant for investor protection such as rules and regulations affecting client broker relationship, arbitration rules, investor protection rules etc. The broker web site providing the Internet based trading facility should also provide and display prominently, hyper link to the web site/ page on the web site of the relevant stock exchange(s) displaying rules/ regulations/circulars. Ticker/quote/order book displayed on the web-site of the broker should display the time stamp as well as the source of such information against the given information.
v. Order/Trade Confirmation: Order/Trade confirmation should also be sent to the investor through email at client’s discretion at the time period specified by the client in addition to the other mode of display of such confirmations on real time basis on the broker web site. The investor should be allowed to specify the time interval on the web site itself within which he would like to receive this information through email. Facility for reconfirmation of orders which are larger than that specified by the member’s risk management system should be provided on the internet based system.
vi. Handling Complaints by Investors: Exchanges should monitor complaints from investors regarding service provided by brokers to ensure a minimum level of service. Exchange should have separate cell specifically to handle Internet trading related complaints. It is desirable that exchanges should also have facility for on-line registration of complaints on their web-site.

d. Risk Management

i. Exchanges must ensure that brokers have a system-based control on the trading limits of clients, and exposures taken by clients. Brokers must set pre-defined limits on the exposure and turnover of each client.
ii. The broker systems should be capable of assessing the risk of the client as soon as the order comes in. The client should be informed of acceptance/rejection of the order within a reasonable period. In case system based control rejects an order because of client having exceeded limits etc., the broker system may have a review and release facility to allow the order to pass through.
iii. Reports on margin requirements, payment and delivery obligations, etc. should be informed to the client through the system.

e. Contract Notes

i. Contract notes must be issued to clients as per existing regulations, within twenty-four hours of the trade execution.

f. Cross Trades

i. As in the case of existing system, brokers using Internet based systems for routing client orders will not be allowed to cross trades of their clients with each other. All orders must be offered to the market for matching.
ii. It is emphasised that in addition to the requirements mentioned above, all existing obligations of the broker as per current regulation will continue without changes. Exchanges may also like to specify more stringent standards as they may deem fit for allowing Internet based trading facilities to their brokers.

g. Network Security

The following security features are mandatory for all Internet based trading systems:

i. User id
ii. First Level password (Private code)
iii. Automatic expiry of passwords at the end of a reasonable duration. Reinitialise access on entering fresh passwords
iv. All transaction logs with proper audit facilities to be maintained in the system.
v. Secured Socket Level Security for server access through Internet
vi. Suitable Firewalls between trading set-up directly connected to an Exchange trading system and the Internet trading set-up.

The following advanced security products are advisable.

i. Microprocessor based SMART cards
ii. Dynamic Password (Secure ID Tokens)

iii. 64 bit/128 bit encryption **
iv. Second Level password (personal information e.g. village name, birth date etc.)

**DOT policy and regulations will govern the level of encryption.

h. Standards for Web Interfaces and Protocols

i. Between a Trading Web Server and Trading Client Terminals, Interfaces Standards as per recommendations of IETF (Internet Engineering Task Force) and W3C (World Wide Web Consortium) may be adopted. E.g.: HTTP Ver 4 or above HTML Ver 4/XML.

i. Systems Operations

i. Brokers should follow the similar logic/priorities used by the Exchange to treat client orders.
ii. Brokers should maintain all activities/ alerts log with audit trail facility
iii. Broker Web Server should have internally generated unique numbering for all client order/trades
iv. Brokers should seek permission from the Exchange before commencement of Internet trading facility after providing complete details of the features of implemented systems.
v. Brokers should make periodic reporting to the Exchange as specified by the Exchange.

53. Securities Trading through Wireless medium on Wireless Application Protocol (WAP) platform [69]

53.1 A broker providing stock trading through WAP must be a SEBI registered broker who also has an Internet website which complies with all the requirements laid in para 51 above. With regard to the requirements mentioned above, some additional requirements are to be met by the broker for providing securities transaction through WAP. These requirements are provided in the following criteria:

69 Reference: Circular SMDRP/POLICY/CIR-48/2000 dated October 11, 2000.

53.2 Network Security

53.2.1 The break in data encryption at the WAP gateway server raises security issues. Until the shortcoming is addressed by WAP, the WAP server should be hosted by the broker itself and not by a third party.

53.2.2 Suitable firewalls should be installed between trading set-up directly connected to an Exchange trading system and the WAP server.

53.2.3 WTLS (Wireless Transport Layer Security) level security or a higher level of security (as and when available) for wireless communication is mandatory for wireless transactions.

53.2.4 The WTLS encrypts data upto the WAP Gateway server. Transmission from the WAP Gateway server to the Internet server should be secured using Secured Socket Level Security, preferably with 128 bit encryption, for server access through Internet. Alternately, the WAP Gateway server and Internet server may be co-hosted. The server resource should not be shared for any other applications.

53.2.5 The following security measures applicable for fixed Internet based systems should be made mandatory:

a. User ID
b. First Level password (Private code)
c. Automatic expiry of passwords at the end of a reasonable duration. Reinitialize access on entering fresh passwords
d. All transaction logs with proper audit facilities to be maintained in the system.

53.2.6 Digitally signed transactions ensure client authentication and support nonrepudiation. Digital certification should be mandatory for participants as and when certification agencies are notified by Government / SEBI.

53.2.7 In case of failure of the network, alternative means of communication such as telephone, Internet or e-mail should be available.

53.3 Price Quotes/ Order/ Trade Confirmations

53.3.1 Stock quotes should be time-stamped.

53.3.2 All orders and trades must be identified by a unique ID. Order confirmation must be provided to the user on submitting the order. Order modification/ cancellation facilities must also be provided. This may be provided using alternate protocols in case the same is not supported by WAP.

53.3.3 Trade confirmation should be provided to the user through e-mail and/or on the mobile phone.

53.4 System operations

53.4.1 Brokers should follow the similar logic/priorities used by the Exchange to treat client orders.

53.4.2 Orders/ trades placed through either fixed Internet or WAP system should be accessible from both systems.

53.4.3 Brokers should maintain all activities/ alerts log with audit trail facility.

53.4.4 Broker Web Server should have internally generated unique numbering for all client order/trades.

53.5 Risk Management

53.5.1 It is emphasised that risk management should be comprehensive and the risk management systems should take into account the overall positions of clients, irrespective of the medium of trading.

54. Securities Trading using Wireless Technology [70]

54.1 SEBI registered brokers who provide Internet Based Trading shall be eligible to provide securities trading using wireless technology. All relevant requirements applicable to internet based trading shall also be applicable to securities trading using wireless technology.

54.2 Securities Trading using Wireless technology shall include devices such as mobile phone, laptop with data card, etc, that use Internet Protocol (IP).

70 Reference: Circular CIR/MRD/DP/ 25/2010 dated August 27, 2010.

54.3 In addition, the stock exchange shall ensure that the broker complies with the following:

54.3.1 There shall be secure access, encryption and security of communication for internet based trading and securities trading using wireless technology. DOT policy and regulation shall govern the level of encryption.

54.3.2 Adequate measures should be taken for user identification, authentication and access control using means such as user-id, passwords, smart cards, biometric devices or other reliable means, to prevent misuse of facility by unauthorized persons.

54.3.3 Unique identification number as given in case of internet based trading shall be made applicable for securities trading using wireless technology.

54.3.4 In case of failure of the wireless network, alternative means of communication for placing orders should be available.

54.3.5 Additional provisions specifying possible risks, responsibilities and liabilities associated with securities trading using wireless technology should be incorporated in the Broker-Client agreement as an addendum or by bringing to the notice of clients, who are desirous of availing such facility, and taking their concurrence on the same.

54.3.6 As it may not be possible to give detailed information to the investor on a hand held device e.g. mobile phones, it may be ensured that minimum information may be given with addresses of the Internet web site/web page where detailed information would be available.

54.3.7 Order confirmation should be provided to the user on submitting the order. Order modification / cancellation facilities should also be provided. Trade confirmation should be provided to the user, along with history of trades for the day.

54.3.8 Session login details should not be stored on the devices used for internet based trading and securities trading using wireless technology.

54.3.9 Network security protocols and interface standards should be as per prevalent industry standards and sound audit trails should be available for all transactions conducted using wireless devices.

54.3.10 The broker’s server routing orders to the exchange trading system shall be located in India.

54.3.11 Stock exchanges shall arrange for periodic systems audits of broker systems to ensure that requirements specified in the circulars are being met.

54.3.12 Stock exchange shall also include securities trading using wireless technology in their ongoing investor awareness and educational programme.

54.4 Stock exchanges may take such other measures and implement such other safeguards as they deem fit to ensure security and integrity of transactions conducted using wireless technology.

55. Additional Requirements for Internet Based Trading (IBT) and Securities trading using Wireless Technology (STWT) [71]

55.1 The stock exchange shall ensure that the broker complies with the following:

55.1.1 The broker shall capture the IP (Internet Protocol) address (from where the orders are originating), for all IBT/ STWT orders.

55.1.2 The broker’s system should have built-in high system availability to address any single point failure.

55.1.3 There should be secure end-to-end encryption for all data transmission between the client and the broker through a Secure Standardized Protocol. A procedure of mutual authentication between the client and the broker server should be implemented.

55.1.4 The broker system should have adequate safety features to ensure it is not susceptible to internal/ external attacks.

71 Reference: Circular CIR/MRD/DP/08/2011 dated June 30, 2011.

55.1.5 In case of failure of IBT/ STWT, the alternate channel of communication shall have adequate capabilities for client identification and authentication.

55.1.6 Two-factor authentication for login session may be implemented for all orders emanating using Internet Protocol. Public Key Infrastructure (PKI) based implementation using digital signatures, supported by one of the agencies certified by the government of India, is advisable. Further the two factors in the Two-factor authentication framework should not be the same.

55.1.7 In case of no activity by the client, the system should provide for automatic trading session logout.

Further to the above, the following practice is advisable –

55.1.8 The back-up and restore systems implemented by the broker should be adequate to deliver sustained performance and high availability. The broker system should have on-site as well as remote site back-up capabilities.

56. Direct Market Access facility72

56.1 Direct Market Access (DMA) is a facility which allows brokers to offer clients direct access to the exchange trading system through the broker’s infrastructure without manual intervention by the broker. Some of the advantages offered by DMA are direct control of clients over orders, faster execution of client orders, reduced risk of errors associated with manual order entry, greater transparency, increased liquidity, lower impact costs for large orders, better audit trails and better use of hedging and arbitrage opportunities through the use of decision support tools / algorithms for trading.

56.2 While ensuring conformity with the provisions of the SCRA 1956, Stock Exchanges may facilitate Direct Market Access for investors subject to the following conditions:

56.3 Application for Direct Market Access (DMA) facility

72 Reference: Circular MRD/DoP/SE/CIR-7/2008 dated April 03, 2008, Circular MRD/DoP/SE/CIR-03/2009 dated February 20, 2009 and Circular CIR/MRD/DP/20/2012 dated August 02, 2012.

56.3.1 Brokers interested to offer DMA facility shall apply to the respective stock exchanges giving details of the software and systems proposed to be used, which shall be duly certified by a Security Auditor as reliable.

56.3.2 The stock exchange should grant approval or reject the application as the case may be and communicate its decision to the member within thirty calendar days of the date of completed application submitted to the exchange.

56.3.3 The stock exchange, before giving permission to brokers to offer DMA facility shall ensure the fulfillment of the conditions specified below.

56.4 Operational specifications

56.4.1 All DMA orders shall be routed to the exchange trading system through the broker’s trading system. The broker’s server routing DMA orders to the exchange trading system shall be located in India.

56.4.2 The broker should ensure sound audit trail for all DMA orders and trades and be able to provide identification of actual user-id for all such orders and trades. The audit trail data should be available for at least five years.

56.4.3 Exchanges should be able to identify and distinguish DMA orders and trades from other orders and trades. Exchanges shall maintain statistical data on DMA trades and provide information on the same to SEBI on a need basis.

56.4.4 The DMA system shall have sufficient security features including password protection for the user ID, automatic expiry of passwords at the end of a reasonable duration, and reinitialisation of access on entering fresh passwords.

56.4.5 In case where the clients access the DMA server of the broker through a third party service provider, the password maintenance and authentication can be done either by the broker or by third party network service provider, so long as the exchange/broker ensures secured access and communication and a sound audit trail for all DMA orders/ trades. The authorized user and client details should be part of the order details received and authenticated at the DMA server of the broker.73

56.4.6 Brokers should follow the similar logic/priorities used by the Exchange to treat DMA client orders. Brokers should maintain all activities/ alerts log with audit trail facility. The DMA Server should have internally generated unique numbering for all such client order/trades.

56.4.7 A systems audit of the DMA systems and software shall be periodically carried out by the broker as may be specified by the exchange and certificate in this regard shall be submitted to the exchange.

56.4.8 The exchanges and brokers should provide for adequate systems and procedures to handle the DMA trades.

56.5 Risk Management

56.5.1 The broker shall ensure that trading limits/ exposure limits/ position limits are set for all DMA clients based on risk assessment, credit quality and available margins of the client. The broker system shall have appropriate authority levels to ensure that the limits can be set up only by persons authorized by the risk / compliance manager.

56.5.2 The broker shall ensure that all DMA orders are routed through electronic/automated risk management systems of the broker to carry out appropriate validations of all risk parameters including Quantity Limits, Price Range Checks, Order Value, and Credit Checks before the orders are released to the Exchange.

56.5.3 All DMA orders shall be subjected to the following limits:
a. Order quantity / order value limit in terms of price and quantity specified for the client.
b. All the position limits which are specified in the derivatives segment as applicable.
c. Net position that can be outstanding so as to fully cover the risk emanating from the trades with the available margins of the specific client.
d. Appropriate limits for securities which are subject to FII limits as specified by the Reserve Bank of India.

73 Letter no MRD/DoP/NSE/129791/2008 dated June 24, 2008

56.5.4 The broker may provide for additional risk management parameters as they may consider appropriate.

56.6 Broker to be liable for DMA trades
The broker shall be fully responsible and liable for all orders emanating through their DMA systems. It shall be the responsibility of the broker to ensure that only clients who fulfill the eligibility criteria are permitted to use the DMA facility.

56.7 Cross Trades
Brokers using DMA facility for routing client orders shall not be allowed to cross trades of their clients with each other. All orders must be offered to the market for matching.

56.8 Other legal provisions
In addition to the requirements mentioned above, all existing obligations of the broker as per current regulations and circulars will continue without change. Exchanges may also like to specify additional safeguards / conditions as they may deem fit for allowing DMA facilities to their brokers.

56.9 The facility of DMA provided by the stock broker shall be used by the client or an investment manager of the client. A SEBI registered entity shall be permitted to act as an investment manager on behalf of institutional clients. In case the facility of DMA is used by the client through an investment manager, the investment manager may execute the necessary documents on behalf of the client(s).

56.10 The facility of DMA provided by the stock broker shall be used by the client or an investment manager of the client. A SEBI registered entity shall be permitted to act as an investment manager on behalf of institutional clients. In case the facility of DMA is used by the client through an investment manager, the investment manager may execute the necessary documents on behalf of the client(s).

56.11 The exchange/ broker shall ensure that proper audit trails are available to establish identity of the ultimate client. The exchange may put in place such other safeguards as it deems fit to mitigate any concerns it may have.
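The pre-trade validations of paras 56.5.2 and 56.5.3, combined with the unique order numbering and user-level audit trail of paras 56.4.2 and 56.4.6, can be sketched as follows. This is an added illustration and not part of the circular: the class names, reason codes, the "DMA-" numbering format, the sample limits, and the simplification of tracking net position as signed order value at acceptance are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from decimal import Decimal
from itertools import count


@dataclass(frozen=True)
class ClientLimits:
    """Per-client limits, set only by authorised risk staff (56.5.1). Hypothetical shape."""
    max_order_qty: int            # 56.5.3(a) quantity limit
    max_order_value: Decimal      # 56.5.3(a) value limit
    max_net_position: Decimal     # 56.5.3(c) exposure the client's margin covers


@dataclass(frozen=True)
class Order:
    client_id: str
    user_id: str                  # individual user, recorded for the audit trail (56.4.2)
    symbol: str
    side: str                     # "BUY" or "SELL"
    qty: int
    price: Decimal


class DmaRiskGate:
    """Validates every order before release and logs every decision, accepted or not."""

    def __init__(self, limits, price_bands, authorised_users):
        self.limits = limits                      # client_id -> ClientLimits
        self.price_bands = price_bands            # symbol -> (low, high)
        self.authorised_users = authorised_users  # client_id -> set of user ids
        self.net_position = {}                    # client_id -> signed open value
        self.audit_log = []                       # append-only decision record
        self._seq = count(1)                      # internally generated numbering (56.4.6)

    def _projected(self, order):
        signed = order.qty * order.price * (1 if order.side == "BUY" else -1)
        return self.net_position.get(order.client_id, Decimal(0)) + signed

    def _reasons(self, order):
        lim = self.limits.get(order.client_id)
        if lim is None:
            return ["NO_LIMITS_SET"]              # fail closed: no limits, no trading
        if order.user_id not in self.authorised_users.get(order.client_id, set()):
            return ["USER_NOT_AUTHORISED"]
        if order.side not in ("BUY", "SELL") or order.qty <= 0 or order.price <= 0:
            return ["MALFORMED_ORDER"]
        reasons = []
        if order.qty > lim.max_order_qty:
            reasons.append("QTY_LIMIT")
        if order.qty * order.price > lim.max_order_value:
            reasons.append("ORDER_VALUE")
        band = self.price_bands.get(order.symbol)
        if band is None or not (band[0] <= order.price <= band[1]):
            reasons.append("PRICE_RANGE")         # unknown symbol also fails closed
        if abs(self._projected(order)) > lim.max_net_position:
            reasons.append("NET_POSITION")
        return reasons

    def submit(self, order):
        """Return (accepted, order_no, reasons); only accepted orders go to the exchange."""
        order_no = f"DMA-{next(self._seq):08d}"
        reasons = self._reasons(order)
        accepted = not reasons
        if accepted:
            self.net_position[order.client_id] = self._projected(order)
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "order_no": order_no, "client_id": order.client_id,
            "user_id": order.user_id, "symbol": order.symbol, "side": order.side,
            "qty": order.qty, "price": str(order.price),
            "accepted": accepted, "reasons": reasons,
        })
        return accepted, order_no, reasons


def demo():
    """Run constructed sample orders through the gate (all values are made up)."""
    gate = DmaRiskGate(
        limits={"C1": ClientLimits(1000, Decimal("120000"), Decimal("150000"))},
        price_bands={"ABC": (Decimal("90"), Decimal("110"))},
        authorised_users={"C1": {"u1"}},
    )
    orders = [
        Order("C1", "u1", "ABC", "BUY", 1000, Decimal("100")),   # within every limit
        Order("C1", "u1", "ABC", "BUY", 2000, Decimal("120")),   # breaches all four checks
        Order("C1", "u9", "ABC", "BUY", 10, Decimal("100")),     # user not named by client
        Order("C1", "u1", "ABC", "BUY", 600, Decimal("100")),    # would exceed net position
        Order("C1", "u1", "ABC", "SELL", 600, Decimal("100")),   # reduces exposure
    ]
    return gate, [gate.submit(o) for o in orders]


if __name__ == "__main__":
    for accepted, order_no, reasons in demo()[1]:
        print(order_no, "ACCEPT" if accepted else "REJECT", reasons)
```

Rejected orders still consume an order number and an audit entry, so the log shows attempted as well as released orders.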

56.12 The Terms and Conditions for the purpose of DMA are specified in paras 55.13 to 55.49 below. The “Terms and Conditions” shall be provided to the client or investment manager acting on behalf of a client (s) for availing the DMA facility. In case the DMA facility provided by the stock broker is used by the client the paras 55.13 to 55.30 shall be applicable. In case the DMA facility provided by the stock broker is used by the client through an investment manager the paras 55.31 to 55.48 shall be applicable and additionally, the investment manager shall provide to the stock broker the details as specified at para 55.49 (Table 13).

DMA FACILITY USED BY THE CLIENT

56.13 The client is expected to be fully aware of the risks associated with the market and the financial instruments being traded on stock exchanges through DMA. The client shall be responsible for complying with laws, rules, regulations, notifications etc issued by regulatory authorities as may be applicable from time to time.

56.14 The client shall ensure that DMA facility provided by the Broker is used only to execute the trades of the client and shall not be used for transactions on behalf of any other person / entity.

56.15 The client shall be responsible for ensuring that, only persons authorized by it shall access and use the DMA facility provided by the Broker. All orders originating from such facility / system shall be deemed to be authorized by the client.

56.16 Where the client accesses or proposes to access the Broker’s DMA platform through external applications, including but not restricted to services of third party service provider(s), own application(s), etc., the client shall ensure that such applications have adequate security features including but not limited to access controls, password protection etc; and that appropriate agreement(s) with such third party service provider(s) etc. for ensuring secured access and communication has been executed and are in place.

56.17 The client shall ensure that no person authorized by them to place orders through DMA facility provided by the broker has been / is involved in any adverse action by any regulatory authorities in any jurisdiction.

56.18 The client shall provide the names of authorized individual users to the broker prior to placing DMA orders.

56.19 The client shall not use or allow the use of DMA facility to engage in any form of market misconduct including insider trading and market manipulation or conduct that is otherwise in breach of applicable laws, rules and regulation.

56.20 The client is aware that Algorithmic trading i.e. generation of orders using automated execution logic is governed by Algorithmic trading guidelines issued by SEBI and Exchanges and requires prior approval of the exchanges. The client shall ensure that new algorithms and changes to existing approved algorithms are not used through the DMA facility without prior approval of concerned stock exchanges. The client shall ensure that it has necessary checks and balances, in place to identify and control dysfunctional algorithms and the Broker shall have the right to shut down the DMA facility and remove any outstanding client orders in case of any suspected dysfunctional algo.

56.21 The client is aware that authentication technologies and strict security measures are required for routing orders through DMA facility and undertakes to ensure that the password of the client and/or his representative are not revealed to any third party.

56.22 The client acknowledges that all DMA orders placed by them through the DMA facility would be validated by the risk management system of the broker. The Broker has the right to accept or reject any DMA order placed by the client at its sole discretion.

56.23 The client shall be solely responsible for all acts or omissions of any person using a DMA facility and shall be bound to accept and settle all transactions executed through the DMA facility provided by the Broker notwithstanding that such order(s) may have been submitted erroneously or by an unauthorized user, or that its data is inaccurate or incomplete when submitted, or the client subsequently determines for whatever reason that the order should not have been submitted.

56.24 The client shall notify the Broker in the event of DMA facility being compromised. Upon receipt of this notice, client’s DMA facility shall be promptly disabled but the client shall continue to be responsible for any misuse of the DMA facility or any orders placed through the DMA facility as a result of the compromise of the DMA facility at their end. The Broker shall not be liable for any loss, liability or cost whatsoever arising as a result of any unauthorized use of DMA facility at the client’s end.

56.25 In the event of winding-up or insolvency of the client or his otherwise becoming incapable of settling their DMA obligation, broker may close out the transaction of the client as permissible under bye-laws, rules, regulations of the exchanges. The client shall continue to be liable for any losses, costs, damages arising thereof.

56.26 The client is fully aware of the risks of transmitting DMA orders to the Broker’s DMA facility through vendor systems or service providers and the Broker is not responsible for such risks.

56.27 The client should be aware of the fact that neither the DMA facility will be uninterrupted nor error free nor the results that may be obtained from the use of the service or as to the timeliness, sequence, accuracy, completeness, reliability or content of any information, service or transaction provided through DMA. The DMA service is provided on an "as is", "as available" basis without warranties of any kind, either express or implied, including, but not limited to, those of information access, order execution, merchantability and fitness for a particular purpose. The Broker shall not be liable for any loss, damage or injury including but not limited to direct lost profits or trading losses or any consequential, special, incidental, indirect, or similar damages from the use or inability to use the service or any part thereof.

56.28 The Broker shall have the right to withdraw the DMA facility in case of:-

56.28.1 Breach of the limits imposed by the broker or any regulatory authority.

56.28.2 On account of any misuse of the DMA facility by the client or on instructions from SEBI/Exchanges.

56.28.3 Any other reason, at the discretion of the broker. Broker shall endeavor to give reasonable notice to the client in such instances.

56.29 The Broker shall not be liable or responsible for non-execution of the DMA orders of the client due to any link/system failure at the client/ Broker/ exchange(s) end.

56.30 This document shall not be altered, amended and /or modified by the parties in a manner that shall be in contravention of any other provisions of this document. Any additional terms and conditions should not be in contravention with rules / regulations /bye-laws/circulars, of the relevant authorities including applicable stock exchanges as amended from time to time.

DMA FACILITY USED BY THE CLIENT THROUGH AN INVESTMENT MANAGER

56.31 The client shall be solely responsible for all acts or omissions of any person using a DMA facility and shall be bound to accept and settle all transactions executed through the DMA facility provided by the Broker to the investment manager acting on behalf of the client, notwithstanding that such order(s) may have been submitted erroneously or by an unauthorized user, or that its data is inaccurate or incomplete when submitted, or the client subsequently determines for whatever reason that the order should not have been submitted.

56.32 The investment manager is expected to be fully aware of the risks associated with the market and the financial instruments being traded on stock exchanges through DMA. The investment manager shall be responsible for complying with laws, rules, regulations, notifications etc. issued by regulatory authorities as may be applicable from time to time.

56.33 Where the DMA facility provided by the Broker is used to execute trade on behalf of one or more clients, by the investment manager, then it is represented and warranted that, at each time an order is placed by such investment manager through the DMA facility of the Broker –

56.33.1 The investment manager has due authority to deal on behalf of the client(s) through the Broker, specifying the roles and responsibilities of the investment manager in execution of transactions on behalf of the client(s).

56.33.2 The investment manager shall comply with any applicable laws, rules and regulations affecting or relating to trading operations.

56.33.3 The investment manager and the client(s) are bound by the terms and conditions hereof;

56.33.4 The investment manager using the DMA facility for routing client(s) orders shall not cross trades of their client(s) with each other. Accordingly, all orders should be offered in the market.

56.33.5 The stock exchange or SEBI may at any time call for any information from a client(s) or an investment manager acting on behalf of the client(s) with respect to any matter relating to the activity of the investment manager. The investment manager shall also furnish any information specifying the roles and responsibilities of the investment manager in execution of transactions on behalf of the client(s), as and when required by the exchanges or SEBI.

56.34 The investment manager shall be responsible for ensuring that, only persons authorized by it shall access and use the DMA facility provided by the Broker. All orders originating from such facility / system shall be deemed to be authorized by the client.

56.35 Where the investment manager accesses or proposes to access the Broker’s DMA platform through external applications, including but not restricted to services of third party service provider(s), own application(s), etc., the investment manager shall ensure that such applications have adequate security features including but not limited to access controls, password protection etc; and that appropriate agreement(s) with such third party service provider(s) etc. for ensuring secured access and communication has been executed and are in place.

56.36 The investment manager shall ensure that no person authorized by them to place orders through DMA facility provided by the broker has been / is involved in any adverse action by any regulatory authorities in any jurisdiction.

56.37 The investment manager shall provide the names of authorized individual users to the broker prior to placing DMA orders.

56.38 The investment manager shall not use or allow the use of DMA facility to engage in any form of market misconduct including insider trading and market manipulation or conduct that is otherwise in breach of applicable laws, rules and regulation.

56.39 The investment manager is aware that Algorithmic trading i.e. generation of orders using automated execution logic is governed by Algorithmic trading guidelines issued by SEBI and Exchanges and requires prior approval of the exchanges. The investment manager shall ensure that new algorithms and changes to existing approved algorithms are not used through the DMA facility without prior approval of concerned stock exchanges. The investment manager shall ensure that it has necessary checks and balances, in place to identify and control dysfunctional algorithms and the Broker shall have the right to shut down the DMA facility and remove any outstanding client orders in case of any suspected dysfunctional algo.

56.40 The investment manager is aware that authentication technologies and strict security measures are required for routing orders through DMA facility and undertakes to ensure that the password of the investment manager and/or his representative are not revealed to any third party.

56.41 The investment manager acknowledges that all DMA orders placed by them through the DMA facility would be validated by the risk management system of the broker. The Broker has the right to accept or reject any DMA order placed by the investment manager at its sole discretion.

56.42 The investment manager shall notify the Broker in the event of DMA facility being compromised. Upon receipt of this notice, client’s DMA facility shall be promptly disabled but the client shall continue to be responsible for any misuse of the DMA facility or any orders placed through the DMA facility as a result of the compromise of the DMA facility at their end. The Broker shall not be liable for any loss, liability or cost whatsoever arising as a result of any unauthorized use of DMA facility at the client’s end.

56.43 In the event of winding-up or insolvency of the client or his otherwise becoming incapable of honoring their DMA obligation, broker may close out the transaction of the client as permissible under bye-laws, rules, regulations of the exchanges. The client shall continue to be liable for any losses, costs, damages arising thereof.

56.44 The investment manager is fully aware of the risks of transmitting DMA orders to the Broker’s DMA facility through vendor systems or service providers and the Broker is not responsible for such risks.

56.45 The investment manager should be aware of the fact that neither the DMA facility will be uninterrupted nor error free nor the results that may be obtained from the use of the service or as to the timeliness, sequence, accuracy, completeness, reliability or content of any information, service or transaction provided through DMA. The DMA service is provided on an "as is", "as available" basis without warranties of any kind, either express or implied, including, but not limited to, those of information access, order execution, merchantability and fitness for a particular purpose. The Broker shall not be liable for any loss, damage or injury including but not limited to direct lost profits or trading losses or any consequential, special, incidental, indirect, or similar damages from the use or inability to use the service or any part thereof.

56.46 The Broker shall have the right to withdraw the DMA facility in case of:-

56.46.1 Breach of the limits imposed by the broker or any regulatory authority.

56.46.2 On account of any misuse of the DMA facility by the client/ investment manager or on instructions from SEBI/Exchanges.

56.46.3 Any other reason, at the discretion of the broker.

56.47 The Broker shall not be liable or responsible for non-execution of the DMA orders of the client due to any link/system failure at the client/ Broker/ exchange(s) end.

56.48 This document shall not be altered, amended and /or modified by the parties in a manner that shall be in contravention of any other provisions of this document. Any additional terms and conditions should not be in contravention with rules / regulations /bye-laws/circulars, of the relevant authorities including applicable stock exchanges as amended from time to time.

56.49 DETAILS TO BE PROVIDED TO THE STOCK BROKER

Table 13

On the letter head of the Investment manager

PART A
DETAILS OF THE INVESTMENT MANAGER:
NAME OF THE INVESTMENT MANAGER:
NAME OF THE HOME REGULATOR
COUNTRY OF JURISDICTION OF HOME REGULATOR
REGISTERED /REGULATED IN HOME JURISDICTION AS:
SEBI REGISTRATION NUMBER:

PART B
CLIENT(s) DETAILS:
S. No. | NAME OF THE ENTITY | NAME OF THE REGULATOR | REGULATED IN INDIA AS | REGISTRATION NUMBER | PAN

57. Smart Order Routing74

57.1 Smart Order Routing allows the brokers’ trading engines to systematically choose the execution destination based on factors viz. price, costs, speed, likelihood of execution and settlement, size, nature or any other consideration relevant to the execution of the order.

57.2 Stock Exchanges are advised to ensure the following conditions with regard to the Smart Order Routing facility:

57.2.1 Stock broker interested to offer Smart Order Routing facility shall apply to the respective stock exchanges.

74 Reference: Circular CIR/MRD/DP/26/2010 dated August 27, 2010 and Circular CIR/MRD/DP/36/2010 dated December 09, 2010.

57.2.2 Stock broker shall submit a third party system audit of its Smart Order Routing system and software. Stock exchanges shall disseminate to its stock brokers a list of approved system auditors (CISA or equivalent) qualified to undertake such system audits.

57.2.3 Stock broker shall provide the following to the respective stock exchanges:
a. An undertaking to the respective stock exchanges that Smart Order Routing shall route orders in a neutral manner.
b. Provide the features of the Smart Order Routing to stock exchange.

57.2.4 Stock exchange shall communicate its decision to the broker within thirty calendar days from the date of receipt of complete application by the stock exchange. Stock exchange shall not consider testing and demonstration of the SOR system/software as a criterion for declaring the application of the broker as ‘complete’. Further, testing and demonstration of SOR system/software, if required, shall be suitably scheduled within the aforesaid period of thirty calendar days.

57.2.5 In case of rejection of the application on smart order routing of a stock broker, the stock exchange shall communicate such reasons of rejections to the stock broker. Further, the decision of the stock exchange on the SOR application of the stock broker and reasons for rejection of the SOR application shall also be communicated to all the other stock exchanges where the broker’s SOR facility intends to route orders.

57.2.6 Stock exchange shall ensure that brokers adhere to the best execution policy while using Smart Order Routing.

57.2.7 Smart Order Routing facility shall be provided to all classes of investors.

57.2.8 Stock Broker shall communicate to all clients the features, possible risks, rights, responsibilities and liabilities associated with the smart order routing facility, as part of ‘Rights and Obligation of Stock brokers and clients’ placed at Annexure 9 of this Master Circular.

57.2.9 Stock broker shall maintain logs of all activities to facilitate audit trail. Broker shall maintain record of orders, trades and data points for the basis of decision.

57.2.10 Stock exchange shall permit smart order routing for all orders, without restricting to any specific type of order. The choice on order types shall be left to the client.

57.2.11 If stock exchange desires to advise its brokers to seek re-approval, it may do so only in case of –
a. Inclusion of a new stock exchange for offering SOR facility; and/or,
b. Material changes in the software/system of the smart order routing facility.

57.2.12 In case the client has availed Smart Order Routing facility and does not want to use the same for a particular order, the same shall be well documented by the stock broker.

57.2.13 System audit of the Smart Order Routing systems and software shall be periodically carried out by the brokers as may be specified by the exchange and certificate in this regard shall be submitted to the exchange.

57.2.14 Stock exchange shall ensure that Smart Order Routing is not used to place orders at venues other than the recognised stock exchanges.

57.2.15 The stock broker shall carry out appropriate validation of all risk parameters before the orders are placed in the Smart Order Routing system.

57.2.16 Stock exchange shall provide unique identification number for the orders placed through Smart Order Routing system. Further, stock exchanges shall maintain data on Smart Order Routing orders and trades.

57.2.17 Stock exchange shall have necessary surveillance mechanism in place to monitor trading done through Smart Order Routing.

57.2.18 Stock broker shall ensure that alternative mode of trading system is available in case of failure of Smart Order Routing facility.

57.2.19 Stock exchange shall ensure that within a period of three months from implementation of Smart Order Routing, a system is put in place to time stamp market data feed that is disseminated to the market, if the same is not already available.

57.2.20 Stock exchange shall strengthen investor grievance cell in order to address complaints, if any, received with regard to Smart Order Routing. Further, in case of any disputes or complaints, stock exchanges shall share necessary data as and when required in order to facilitate necessary examination.

57.2.21 Stock exchange shall synchronise their system clocks with atomic clock before the start of market.

57.2.22 The broker server routing orders placed through Smart Order Routing system to the exchange trading system shall be located in India. Stock exchange shall permit SOR approved brokers to offer SOR facility through all their servers irrespective of their location in India.

57.2.23 All other existing obligations for the broker as per current regulations and circulars will continue.

57.2.24 Stock exchange may specify additional safeguards as they deem fit for allowing Smart Order Routing facility to their brokers.

58. Broad Guidelines on Algorithmic Trading75

58.1 Any order that is generated using automated execution logic shall be known as algorithmic trading.

Guidelines to the stock exchanges and the stock brokers

58.2 Stock exchanges shall ensure the following while permitting algorithmic trading:

58.2.1 The stock exchange shall have arrangements, procedures and system capability to manage the load on their systems in such a manner so as to achieve consistent response time to all stock brokers. The stock exchange shall continuously study the performance of its systems and, if necessary, undertake system upgradation, including periodic upgradation of its surveillance system, in order to keep pace with the speed of trade and volume of data that may arise through algorithmic trading.

75 Reference: Circular CIR/MRD/DP/09/2012 dated March 30, 2012, Circular CIR/MRD/DP/16/2013 dated May 21, 2013 and Circular SEBI/HO/MIRSD/DOP/P/CIR/2022/117 dated September 02, 2022.

58.2.2 In order to ensure maintenance of orderly trading in the market, stock exchange shall put in place effective economic disincentives with regard to high daily order-to-trade ratio of algo orders of the stock broker. Further, the stock exchange shall put in place monitoring systems to identify and initiate measures to impede any possible instances of order flooding by algos.

58.2.3 The stock exchange shall ensure that all algorithmic orders are necessarily routed through broker servers located in India and the stock exchange has appropriate risk controls mechanism to address the risk emanating from algorithmic orders and trades. The minimum order-level risk controls shall include the following:
a. Price check - The price quoted by the order shall not violate the price bands defined by the exchange for the security. For securities that do not have price bands, dummy filters shall be brought into effective use to serve as an early warning system to detect sudden surge in prices.
b. Quantity Limit check - The quantity quoted in the order shall not violate the maximum permissible quantity per order as defined by the exchange for the security.

58.2.4 In the interest of orderly trading and market integrity, the stock exchange shall put in place a system to identify dysfunctional algos (i.e. algos leading to loop or runaway situation) and take suitable measures, including advising the member, to shut down such algos and remove any outstanding orders in the system that have emanated from such dysfunctional algos. Further, in exigency, the stock exchange should be in a position to shut down the broker’s terminal.

58.2.5 Terminals of the stock broker that are disabled upon exhaustion of collaterals shall be enabled manually by the stock exchange in accordance with its risk management procedures.

156 58.2.6 The stock exchange may seek details of trading strategies used by the algo for such purposes viz. inquiry, surveillance, investigation, etc. 58.2.7 In order to strengthen the surveillance mechanism related to algorithmic trading and prevent market manipulation, stock exchanges shall take necessary steps to ensure effective monitoring and surveillance of orders and trades resulting from trading algorithms. Stock exchanges shall periodically review their surveillance arrangements in order to better detect and investigate market manipulation and market disruptions. 58.2.8 The stock exchange shall include a report on algorithmic trading on the stock exchange in the Monthly Development Report (MDR) submitted to SEBI inter-alia incorporating turnover details of algorithmic trading, algorithmic trading as percentage of total trading, number of stock brokers / clients using algorithmic trading, action taken in respect of dysfunctional algos, status of grievances, if any, received and processed, etc. 58.2.9 The stock exchange shall synchronize its system clock with the atomic clock before the start of market such that its clock has precision of atleast one microsecond and accuracy of atleast +/- one millisecond. 58.3 Stock exchange shall ensure that the stock broker shall provide the facility of algorithmic trading only upon the prior permission of the stock exchange. Stock exchange shall subject the systems of the stock broker to initial conformance tests to ensure that the checks mentioned below are in place and that the stock broker’s system facilitate orderly trading and integrity of the securities market. Further, the stock exchange shall suitably schedule such conformance tests and thereafter, convey the outcome of the test to the stock broker. 58.4 For stock brokers already providing algo trading, the stock exchange shall ensure that the risk controls specified herein are implemented by the stock broker. 
58.5 The stock brokers / trading members that provide the facility of algorithmic trading shall subject their algorithmic trading system to a system audit every six months in order to ensure that the requirements prescribed by SEBI / stock exchanges with regard to algorithmic trading are effectively implemented. Such system audit of algorithmic trading system shall be undertaken by a system auditor who possesses any of the following certifications:
58.5.1 CISA (Certified Information System Auditors) from ISACA;
58.5.2 DISA (Post Qualification Certification in Information Systems Audit) from Institute of Chartered Accountants of India (ICAI);
58.5.3 CISM (Certified Information Securities Manager) from ISACA;
58.5.4 CISSP (Certified Information Systems Security Professional) from International Information Systems Security Certification Consortium, commonly known as (ISC)².
58.6 Deficiencies or issues identified during the process of system audit of trading algorithm / software shall be reported by the stock broker / trading member to the stock exchange immediately on completion of the system audit. Further, the stock broker / trading member shall take immediate corrective actions to rectify such deficiencies / issues.
58.7 In case of serious deficiencies / issues or failure of the stock broker / trading member to take satisfactory corrective action, the stock exchange shall not allow the stock broker / trading member to use the trading software till deficiencies / issues with the trading software are rectified and a satisfactory system audit report is submitted to the stock exchange. Stock exchanges may also consider imposing suitable penalties in case of failure of the stock broker / trading member to take satisfactory corrective action to its system within the time-period specified by the stock exchanges.
58.8 The stock broker, desirous of placing orders generated using algos, shall satisfy the stock exchange with regard to the implementation of the following minimum levels of risk controls at its end -
58.8.1 Price check – Algo orders shall not be released in breach of the price bands defined by the exchange for the security.
58.8.2 Quantity check – Algo orders shall not be released in breach of the quantity limit as defined by the exchange for the security.
58.8.3 Order Value check - Algo orders shall not be released in breach of the ‘value per order’ as defined by the stock exchanges.

58.8.4 Cumulative Open Order Value check – The individual client level cumulative open order value check, may be prescribed by the broker for the clients. Cumulative Open Order Value for a client is the total value of its unexecuted orders released from the stock broker system.
58.8.5 Automated Execution check – An algo shall account for all executed, unexecuted and unconfirmed orders, placed by it before releasing further order(s). Further, the algo system shall have pre-defined parameters for an automatic stoppage in the event of algo execution leading to a loop or a runaway situation.
58.8.6 All algorithmic orders are tagged with a unique identifier provided by the stock exchange in order to establish audit trail.
58.9 The other risk management checks already put in place by the exchange shall continue and the exchange may re-evaluate such checks if deemed necessary in view of algo trading.
58.10 The stock broker, desirous of placing orders generated using algos, shall submit to the respective stock exchange an undertaking that -
58.10.1 The stock broker has proper procedures, systems and technical capability to carry out trading through the use of algorithms.
58.10.2 The stock broker has procedures and arrangements to safeguard algorithms from misuse or unauthorized access.
58.10.3 The stock broker has real-time monitoring systems to identify algorithms that may not behave as expected. Stock broker shall keep stock exchange informed of such incidents immediately.
58.10.4 The stock broker shall maintain logs of all trading activities to facilitate audit trail. The stock broker shall maintain record of control parameters, orders, trades and data points emanating from trades executed through algorithm trading.
58.10.5 The stock broker shall inform the stock exchange on any modification or change to the approved algos or systems used for algos.
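An added illustration of the broker-side controls in 58.8.1 to 58.8.6 as a single pre-trade gate; it is not part of the circular or of any exchange's or broker's system. All limit values, the symbol, client and algo identifiers are constructed, and the two stop parameters used for 58.8.5 (count of unconfirmed orders and release rate per time window) are assumptions, since the circular only requires "pre-defined parameters".

```python
"""Pre-trade gate applying the 58.8 checks to each algo order; fails closed."""
from collections import deque, namedtuple
from dataclasses import dataclass
from decimal import Decimal

Order = namedtuple("Order", "order_id client symbol price qty algo_id")


@dataclass(frozen=True)
class Limits:                       # every value passed in here is constructed
    bands: dict                     # symbol -> (low, high), 58.8.1
    max_qty: dict                   # symbol -> quantity limit, 58.8.2
    max_order_value: Decimal        # 58.8.3
    max_client_open_value: Decimal  # 58.8.4, prescribed by the broker
    approved_algo_ids: frozenset    # 58.8.6, identifiers from the exchange
    max_unconfirmed: int            # 58.8.5 stop parameters (assumed)
    max_orders: int
    window_secs: float


class AlgoRiskGate:
    def __init__(self, limits):
        self.lim = limits
        self.open = {}             # order_id -> [Order, unexecuted quantity]
        self.unconfirmed = set()   # released, not yet acknowledged
        self.releases = deque()    # release times inside the rate window
        self.halted = False        # sticky once set; an operator must clear it
        self.audit = []            # (time, order_id, algo_id, decision)

    def client_open_value(self, client):
        return sum((o.price * rem for o, rem in self.open.values()
                    if o.client == client), Decimal(0))

    def _reject_reason(self, o, now):
        lim = self.lim
        if self.halted:
            return "HALTED"
        if o.algo_id not in lim.approved_algo_ids:
            return "ALGO_ID"
        band = lim.bands.get(o.symbol)          # unknown symbol: no band, reject
        if band is None or not band[0] <= o.price <= band[1]:
            return "PRICE_BAND"
        if not 0 < o.qty <= lim.max_qty.get(o.symbol, 0):
            return "QUANTITY"
        value = o.price * o.qty
        if value > lim.max_order_value:
            return "ORDER_VALUE"
        if self.client_open_value(o.client) + value > lim.max_client_open_value:
            return "CLIENT_OPEN_VALUE"
        while self.releases and now - self.releases[0] >= lim.window_secs:
            self.releases.popleft()
        if (len(self.releases) >= lim.max_orders
                or len(self.unconfirmed) >= lim.max_unconfirmed):
            self.halted = True                  # loop / runaway: stop the algo
            return "RUNAWAY_HALT"
        return None

    def submit(self, o, now):
        reason = self._reject_reason(o, now)
        if reason is None:
            self.open[o.order_id] = [o, o.qty]
            self.unconfirmed.add(o.order_id)
            self.releases.append(now)
        self.audit.append((now, o.order_id, o.algo_id, reason or "RELEASED"))
        return reason or "RELEASED"

    def on_confirm(self, order_id):
        self.unconfirmed.discard(order_id)

    def on_fill(self, order_id, qty):
        self.unconfirmed.discard(order_id)
        entry = self.open.get(order_id)
        if entry:
            entry[1] -= qty
            if entry[1] <= 0:
                del self.open[order_id]


def demo():
    """Run constructed orders through the gate; return (decisions, gate)."""
    gate = AlgoRiskGate(Limits(
        bands={"XYZ": (Decimal("90"), Decimal("110"))}, max_qty={"XYZ": 1000},
        max_order_value=Decimal("50000"), max_client_open_value=Decimal("80000"),
        approved_algo_ids=frozenset({"ALGO-0001"}),
        max_unconfirmed=3, max_orders=5, window_secs=1.0))

    def send(i, price, qty, now, algo="ALGO-0001"):
        return gate.submit(Order(f"o{i}", "C1", "XYZ", Decimal(price), qty, algo), now)

    out = [send(1, "100", 400, 0.0),            # released, 40000 open
           send(2, "111", 10, 0.1),             # above the price band
           send(3, "100", 1001, 0.2),           # above the quantity limit
           send(4, "105", 500, 0.3),            # 52500 exceeds value per order
           send(5, "100", 450, 0.4),            # 40000 + 45000 exceeds 80000
           send(6, "100", 10, 0.5, "ALGO-9")]   # identifier not on the approved list
    gate.on_fill("o1", 400)                     # execution frees open value
    out.append(send(7, "100", 450, 0.6))        # the same order now fits
    out += [send(i, "100", 1, 0.7) for i in (8, 9, 10, 11)]  # burst, no acks
    return out, gate
```

Every decision, including rejections, lands in `audit` with the algo identifier, which is the record a system auditor would sample against 58.8.6 and 58.10.4.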

58.11 The stock exchange, if required, shall seek conformance of such modified algo or systems to the requirements specified above.
58.12 In order to discourage repetitive instances of high daily order-to-trade ratio, stock exchanges shall impose an additional penalty in form of suspension of proprietary trading right of the stock broker / trading member for the first trading hour on the next trading day in case a stock broker / trading member is penalized for maintaining high daily order-to-trade ratio, provided penalty was imposed on the stock broker / trading member on more than ten occasions in the previous thirty trading days.
58.13 Stock Brokers who provide services relating to algorithmic trading shall not:
58.13.1 directly or indirectly make any reference to the past or expected future return/performance of the algorithm; and/or
58.13.2 directly or indirectly associate with any platform providing any reference to the past or expected future return/performance of the algorithm.

59. Testing of software used in or related to Trading and Risk Management⁷⁶
59.1 The term ‘software’ shall mean electronic systems or applications used by stock brokers / trading members for connecting to the stock exchanges and for the purposes of trading and real-time risk management, including software used for Internet Based Trading (IBT), Direct Market Access (DMA), Securities Trading using Wireless Technology (STWT), Smart Order Routing (SOR), Algorithmic Trading (AT) etc.
59.2 Testing of Software
59.2.1 In addition to the testing and approval requirements specified by SEBI on IBT, DMA, STWT, SOR and AT, stock exchanges shall frame appropriate testing policies for functional as well as technical testing of the software. Such framework shall at the minimum include the following:
  a. Testing in a simulated test environment: Stock exchanges shall provide suitable facilities to market participants / software vendors to test new software or existing software that have undergone change. Subjecting the new software or existing software that have undergone change to such testing facility shall be mandatory for market participants, before putting it in use.

76 Reference: Circular CIR/MRD/DP/24/2013 dated August 19, 2013 and Circular CIR/MRD/DP/06/2014 dated February 07, 2014 and Circular SEBI/HO/MRD1/DSAP/CIR/P/2020/234 dated November 24, 2020.

  b. Mock testing
    i. Stock exchanges shall organize mock trading sessions on regular basis, at least once in a calendar month, to facilitate testing of new software or existing software that has undergone any change of functionality, in a close-to-real trading environment. Stock exchanges shall suitably design and plan such mock trading sessions to ensure maximum participation and sufficient trading volumes for the purpose of testing.
    ii. Stock exchanges shall mandate a minimum time period for such testing in the mock trading sessions.
    iii. In order to improve the efficacy of the mock trading sessions, all stock brokers / trading members shall ensure that all user-ids approved for Algo trading, irrespective of the algorithm having undergone change or not, shall participate in the mock trading sessions.
    iv. The requirement of mandatory mock trading sessions to facilitate testing of new software or existing software that has undergone any change of functionality shall be optional if a Stock Exchange provides suitable simulated test environment to test new software or existing software that has undergone any change of functionality and ensures the following:
      i. The test environment shall be made available to all the members.
      ii. The test environment shall be made available for at least two hours after market hours and at least on two trading days in a week.
      iii. For the purpose of testing, Stock Exchange shall make available data from at least one trading day in all segments and the same shall not be older than one month from the day of the testing environment.

      iv. All trading members (excluding those who use only Exchange provided front end and/or ASP services) having approved Algorithms available with the member, irrespective of the algorithm having undergone change or not, shall participate in the Simulated Environment at least on one trading day during each calendar month at all the exchanges where they are members. This shall be audited and reported in the System Auditors report.
      v. Exchange shall provide a daily log, including Algos used, of members participation in Simulated Environment to all participating members. The Exchange shall provide summary report of such activity to SEBI in the monthly development report (MDR).
  c. User Acceptance Test (UAT): The stock broker / trading member shall undertake UAT of the software to satisfy itself that the newly developed / modified software meets its requirements.
  d. With respect to testing of software related to (i) fixes to bugs in the software, (ii) changes undertaken to the stock brokers’ software / systems pursuant to a change to any stock exchange's trading system, and (iii) software purchased from a software vendor that has already been tested in the mock environment by certain number of stock brokers, stock exchanges may prescribe a faster approval process to make the process of approval expeditious.
59.2.2 Stock brokers / trading members shall also engage system auditor(s) to examine reports of mock tests and UAT in order to certify that the tests were satisfactorily undertaken.
59.2.3 Stock exchanges shall monitor compliance of stock brokers / trading members, who use trading algorithm, with regard to the requirement of participation in mock trading session as mandated herein. In cases where stock exchanges find that the stock broker / trading member has failed to participate in such mock trading sessions, stock exchange shall call for reasons and if found unsatisfactory, shall suspend the proprietary trading rights of the stock broker / trading member for a minimum period of one trading day.
59.2.4 Stock exchanges shall also ensure that the system auditors examine the compliance of stock broker / trading member, who use trading algorithms, with regard to the requirement of participation in mock trading session, as mandated herein, and provide suitable comments in the periodic system audit report. In cases where the system audit report indicates that the stock broker / trading member has failed to participate in such mock trading sessions, stock exchange shall call for reasons from the stock broker / trading member and if found unsatisfactory, shall suspend the proprietary trading rights of the stock broker / trading member for a minimum period of one trading day.
59.2.5 For pre-approval / periodic system audit of Computer-to-Computer Link (CTCL) or Intermediate Messaging Layer (IML), IBT, DMA, STWT, SOR and AT, stock brokers / trading members shall engage a system auditor with any of the certifications specified in para 57.5.1 to 57.5.4 above. While finalizing the system auditor, stock brokers / trading members shall ensure the system auditor does not have any conflict of interest with the stock broker and the directors / promoters of the system auditor are not directly or indirectly related to the current directors or promoters of stock broker / trading member.
59.3 Approval of Software of stock broker / trading member
59.3.1 Stock brokers / trading members shall seek approval of the respective stock exchanges for deployment of the software in the securities market by submitting necessary details required by stock exchange including details of software, tests undertaken and certificate / report provided by the system auditor. Stock exchange may seek additional details as deemed necessary for evaluating the application of the stock broker / trading member.
59.3.2 Stock exchanges shall grant approval or reject the application of the stock broker as the case may be, and communicate the decision to the stock broker / trading member within fifteen working days from the date of receipt of completed application (or within any other such time period specified vide SEBI circulars on DMA, IBT, STWT, SOR, AT, etc.). In case of rejection of the application, the stock exchange shall also communicate reasons of rejection to the stock broker / trading member within such time period.
59.3.3 Before granting approval to use software in securities market, stock exchange shall ensure that the requirements specified by SEBI / stock exchange with regard to software are met by the stock broker / trading member.
59.3.4 Stock exchanges may suitably schedule the requirements of mock testing, certification of test reports by system auditor(s) and the software approval process, so as to facilitate a speedy approval and a smooth transition of the stock brokers to the new / upgraded software.
59.3.5 In order to ensure that stock brokers are not using software without requisite approval of the stock exchanges, stock exchanges are advised to put in place suitable mechanism to prevent any unauthorized change to the approved software.
59.4 Undertaking to be provided by stock brokers / trading members
59.4.1 Stock brokers / trading members shall submit an undertaking to the respective stock exchanges stating the following at the minimum:
  a. M/s …….(name of the stock broker / trading member)…… will take all necessary steps to ensure that every new software and any change thereupon to the trading and/or risk management functionalities of the software will be tested as per the framework prescribed by SEBI / stock exchange before deployment of such new / modified software in securities market.
  b. M/s …….(name of the stock broker / trading member)…… will ensure that approval of the stock exchange is sought for all new / modified software and will comply with various requirements specified by SEBI or the stock exchange from time to time with regard to usage, testing and audit of the software.
  c. The absolute liability arising from failure to comply with the above provisions shall lie entirely with M/s …….(name of the stock broker / trading member)…….
59.4.2 Stock exchanges may include additional clauses as deemed necessary in the undertaking.
59.5 Sharing of Application Programming Interface (API) specifications by the stock exchange with stock brokers / trading members:

59.5.1 API is an interface that enables interaction of software with other software and typically includes language and message format that is used by an application program to communicate with the operating system or other application program. Stock brokers / trading members and software vendors require relevant API specifications to facilitate interaction of the developed software with the systems of the stock exchanges.
59.5.2 Stock exchanges shall provide relevant API specifications to all stock brokers / trading members and software vendors who are desirous of developing software for the securities market, after establishing their respective credentials.
59.5.3 In case of refusal to share APIs, stock exchanges shall provide reasons in writing to the desirous stock brokers / trading members or software vendors within a period of fifteen working days from the date of receipt of such request for sharing of API.
59.5.4 Further, stock exchanges shall not selectively release updates / modifications, if any, of the existing API specifications to few stock brokers / trading members or software vendors ahead of others and shall provide such updated / modified API specifications to all stock brokers / trading members and software vendors with whom the earlier API specifications were shared.
59.6 Penalty on malfunction of software used by stock broker / trading member: Stock exchanges shall examine the cases of malfunctioning of software used by stock brokers / trading members and apply deterrent penalties in form of fines or suspension to the stock broker / trading member whose software malfunctioned. In addition, stock brokers / trading members shall implement various mechanisms including the following to minimize their losses in the event of software malfunction:
59.6.1 include suitable clauses in their agreement with the software vendors to define liabilities of software vendor and stock broker / trading member in case of software malfunction, and / or,
59.6.2 consider taking suitable insurance cover to meet probable losses in case of software malfunction.

59.7 With regard to changes / updates to stock broker's trading software that intend to modify the 'look and feel' and do not affect the risk management system of the stock broker or the connectivity of the trading software with stock exchange's trading system, it is clarified that mock testing and consequent system audit may not be insisted upon by the stock exchanges.
59.8 Stock exchanges shall direct their stock brokers to put in place adequate mechanism to restore their trading systems to 'production state' at the end of testing session so as to ensure integrity of stock brokers' trading system.

60. Safeguards to avoid trading disruption in case of failure of software vendor⁷⁷
60.1 Software vendors who provide software to market participants and market infrastructure institutions for the purpose of trading, risk management, clearing and settlement play a crucial role in the securities market. Any inability on the part of such software vendors to provide software or related services in timely and continuous manner may create a situation of stress in the securities market.
60.2 Adequate mechanism / procedure should be in place to ensure smooth transition by stock broker(s) to another software vendor in case of inability of the existing software vendor to provide software and related services in timely and continuous manner.
60.3 Stock exchanges may advise the stock brokers to take the following measures:
60.3.1 Explore the possibility of establishing a 'software escrow arrangement' with their existing software vendors.
60.3.2 In case of large stock brokers, consider reducing dependence on a single software vendor for trading and risk management systems, by engaging more than one software vendor.
60.3.3 Consider including the following in their contracts with the software vendors:
  a. access to documents related to design and development specifications in the event software vendor fails to provide continuous and timely services to the stock broker;
  b. development of expertise at the end of the stock broker through appropriate training with regard to software usage and maintenance;
  c. appropriate penalty clauses for cases of disruptions to the trading system of the stock broker on account of (i) software vendor failing to provide continuous and timely services to the stock broker or (ii) glitches to the software provided by the software vendor;
  d. obligation on the part of the software vendor to cooperate in case of audit of software including forensic audit, if required.

77 Reference: Circular CIR/MRD/DP/07/2014 dated February 11, 2014.

61. Cyber Security and Cyber resilience framework for Stock Brokers.⁷⁸
61.1 Stock brokers perform significant functions in providing services to holder of securities. So it is desirable that these entities have robust cyber security and cyber resilience framework in order to provide essential facilities and perform systematically critical functions relating to securities market. Accordingly, a framework on Cyber security and cyber resilience has been designed and prescribed at paras 60.3 to 60.6 below.
61.2 The Stock Brokers are mandated to conduct comprehensive cyber audit at least once in a financial year. All Stock Brokers shall submit with Stock Exchange a declaration from the MD/ CEO/ Partners/ Proprietors certifying compliance by the Stock Brokers with all SEBI Circulars and advisories related to Cyber security from time to time, along with the Cyber audit report.
61.3 Cyber-attacks and threats attempt to compromise the Confidentiality, Integrity and Availability (CIA) of the computer systems, networks and databases (Confidentiality refers to limiting access of systems and information to authorized users, Integrity is the assurance that the information is reliable and accurate, and Availability refers to guarantee of reliable access to the systems and information by authorized users).
Cyber security framework includes measures, tools and processes that are intended to prevent cyber-attacks and improve cyber resilience. Cyber Resilience is an organization’s ability to prepare and respond to a cyber-attack and to continue operation during, and recover from, a cyber-attack.

78 Reference: Circular SEBI/HO/MIRSD/CIR/PB/2018/14 dated December 03, 2018, Circular CIR/HO/MIRSD/DOS2/CIR/PB/2019/038 dated March 15, 2019, Circular SEBI/HO/MIRSD/DOP/CIR/P/2019/109 dated October 15, 2019, Circular SEBI/HO/MIRSD/TPD/P/CIR/2022/80 dated June 07, 2022 and Circular SEBI/HO/MIRSD/TPD/P/CIR/2022/93 dated June 30, 2022

Governance
61.4 As part of the operational risk management framework to manage risk to systems, networks and databases from cyber-attacks and threats, Stock Brokers should formulate a comprehensive Cyber Security and Cyber Resilience policy document encompassing the framework mentioned hereunder. In case of deviations from the suggested framework, reasons for such deviations, technical or otherwise, should be provided in the policy document. The policy document should be approved by the Board / Partners / Proprietor of the Stock Broker. The policy document should be reviewed by the aforementioned group at least annually with the view to strengthen and improve its Cyber Security and Cyber Resilience framework.
61.5 The Cyber Security Policy should include the following process to identify, assess, and manage Cyber Security risk associated with processes, information, networks and systems:
  a. ‘Identify’ critical IT assets and risks associated with such assets.
  b. ‘Protect’ assets by deploying suitable controls, tools and measures.
  c. ‘Detect’ incidents, anomalies and attacks through appropriate monitoring tools/processes.
  d. ‘Respond’ by taking immediate steps after identification of the incident, anomaly or attack.
  e. ‘Recover’ from incident through incident management and other appropriate recovery mechanisms.
61.6 The Cyber Security Policy of Stock Brokers trading through APIs based terminal should consider the principles prescribed by National Critical Information Infrastructure Protection Centre (NCIIPC) of National Technical Research Organization (NTRO), Government of India (titled ‘Guidelines for Protection of National Critical Information Infrastructure’) and subsequent revisions, if any, from time to time.
61.7 Stock Brokers trading through APIs based terminal may refer to best practices from international standards like ISO 27001, COBIT 5, etc., or their subsequent revisions, if any, from time to time.
61.8 Stock Brokers should designate a senior official or management personnel (henceforth, referred to as the “Designated Officer”) whose function would be to assess, identify, and reduce security and Cyber Security risks, respond to incidents, establish appropriate standards and controls, and direct the establishment and implementation of processes and procedures as per the Cyber Security Policy.
61.9 The Board / Partners / Proprietor of the Stock Brokers shall constitute a Technology Committee comprising experts. This Technology Committee should on a half yearly basis review the implementation of the Cyber Security and Cyber Resilience policy approved by their Board / Partners / Proprietor, and such review should include review of their current IT and Cyber Security and Cyber Resilience capabilities, set goals for a target level of Cyber Resilience, and establish plans to improve and strengthen Cyber Security and Cyber Resilience. The review shall be placed before the Board / Partners / Proprietor of the Stock Brokers for appropriate action.
61.10 Stock Brokers should establish a reporting procedure to facilitate communication of unusual activities and events to the Designated Officer in a timely manner.
61.11 The Designated officer and the technology committee of the Stock Brokers should periodically review instances of cyber-attacks, if any, domestically and globally, and take steps to strengthen Cyber Security and cyber resilience framework.
61.12 Stock Brokers should define responsibilities of its employees, outsourced staff, and employees of vendors, members or participants and other entities, who may have privileged access or use systems / networks of Stock Brokers towards ensuring the goal of Cyber Security.

Identification
61.13 Stock Brokers shall identify and classify critical assets based on their sensitivity and criticality for business operations, services and data management.
The critical assets shall include business critical systems, internet facing applications /systems, systems that contain sensitive data, sensitive personal data, sensitive financial data, Personally Identifiable Information (PII) data, etc. All the ancillary systems used for accessing/communicating with critical systems either for operations or maintenance shall also be classified as critical system. The Board/Partners/Proprietor of the Stock Brokers shall approve the list of critical systems. To this end, Stock Brokers shall maintain up-to date inventory of its hardware and systems, software and information assets (internal and external), details of its network resources, connections to its network and data flows.
61.14 Stock Brokers should accordingly identify cyber risks (threats and vulnerabilities) that it may face, along with the likelihood of such threats and impact on the business and thereby, deploy controls commensurate to the criticality.

Protection
Access controls
61.15 No person by virtue of rank or position should have any intrinsic right to access confidential data, applications, system resources or facilities.
61.16 Any access to Stock Brokers systems, applications, networks, databases, etc., should be for a defined purpose and for a defined period. Stock Brokers should grant access to IT systems, applications, databases and networks on a need-to-use basis and based on the principle of least privilege. Such access should be for the period when the access is required and should be authorized using strong authentication mechanisms.
61.17 Stock Brokers should implement an access policy which addresses strong password controls for users’ access to systems, applications, networks and databases. Illustrative examples for this are given in Illustration C.
61.18 All critical systems of the Stock Broker accessible over the internet should have two-factor security (such as VPNs, Firewall controls etc.)
61.19 Stock Brokers should ensure that records of user access to critical systems, wherever possible, are uniquely identified and logged for audit and review purposes. Such logs should be maintained and stored in a secure location for a time period not less than two years.
61.20 Stock Brokers should deploy controls and security measures to supervise staff with elevated system access entitlements (such as admin or privileged users) to Stock Broker’s critical systems.
Such controls and measures should inter-alia include restricting the number of privileged users, periodic review of privileged users’ activities, disallow privileged users from accessing systems logs in which their activities are being captured, strong controls over remote access by privileged users, etc.
61.21 Employees and outsourced staff such as employees of vendors or service providers, who may be given authorized access to the Stock Brokers critical systems, networks and other computer resources, should be subject to stringent supervision, monitoring and access restrictions.
61.22 Stock Brokers should formulate an Internet access policy to monitor and regulate the use of internet and internet based services such as social media sites, cloud-based internet storage sites, etc. within the Stock Broker’s critical IT infrastructure.
61.23 User Management must address deactivation of access of privileges of users who are leaving the organization or whose access privileges have been withdrawn.

Physical Security
61.24 Physical access to the critical systems should be restricted to minimum and only to authorized officials. Physical access of outsourced staff/visitors should be properly supervised by ensuring at the minimum that outsourced staff/visitors are accompanied at all times by authorized employees.
61.25 Physical access to the critical systems should be revoked immediately if the same is no longer required.
61.26 Stock Brokers should ensure that the perimeter of the critical equipment room, if any, are physically secured and monitored by employing physical, human and procedural controls such as the use of security guards, CCTVs, card access systems, mantraps, bollards, etc. where appropriate.

Network Security Management
61.27 Stock Brokers should establish baseline standards to facilitate consistent application of security configurations to operating systems, databases, network devices and enterprise mobile devices within their IT environment. The LAN and wireless networks should be secured within the Stock Brokers’ premises with proper access controls.

61.28 For algorithmic trading facilities, adequate measures should be taken to isolate and secure the perimeter and connectivity to the servers running algorithmic trading applications.
61.29 Stock Brokers should install network security devices, such as firewalls, proxy servers, intrusion detection and prevention systems (IDS) to protect their IT infrastructure which is exposed to the internet, from security exposures originating from internal and external sources.
61.30 Adequate controls must be deployed to address virus / malware / ransomware attacks. These controls may include host / network / application based IDS systems, customized kernels for Linux, anti-virus and anti-malware software etc.

Data security
61.31 Critical data must be identified and encrypted in motion and at rest by using strong encryption methods. Illustrative measures in this regard are given in Illustration A and B.
61.32 Stock Brokers should implement measures to prevent unauthorized access or copying or transmission of data / information held in contractual or fiduciary capacity. It should be ensured that confidentiality of information is not compromised during the process of exchanging and transferring information with external parties. Illustrative measures to ensure security during transportation of data over the internet are given in Illustration B.
61.33 The information security policy should also cover use of devices such as mobile phones, faxes, photocopiers, scanners, etc., within their critical IT infrastructure, that can be used for capturing and transmission of sensitive data. For instance, defining access policies for personnel, and network connectivity for such devices etc.
61.34 Stock Brokers should allow only authorized data storage devices within their IT infrastructure through appropriate validation processes.

Hardening of Hardware and Software

61.35 Stock Brokers should only deploy hardened hardware / software, including replacing default passwords with strong passwords and disabling or removing services identified as unnecessary for the functioning of the system.
61.36 Open ports on networks and systems which are not in use or that can be potentially used for exploitation of data should be blocked and measures taken to secure them.

Application Security in Customer Facing Applications
61.37 Application security for Customer facing applications offered over the Internet such as IBTs (Internet Based Trading applications), portals containing sensitive or private information and Back office applications (repository of financial and personal information offered by Brokers to Customers) are paramount as they carry significant attack surfaces by virtue of being available publicly over the Internet for mass use. An illustrative list of measures for ensuring security in such applications is provided in Illustration C.

Certification of off-the-shelf products
61.38 Stock Brokers should ensure that off the shelf products being used for core business functionality (such as Back office applications) should bear Indian Common criteria certification of Evaluation Assurance Level 4. The Common criteria certification in India is being provided by (STQC) Standardisation Testing and Quality Certification (Ministry of Electronics and Information Technology). Custom developed / in-house software and components need not obtain the certification, but have to undergo intensive regression testing, configuration testing etc. The scope of tests should include business logic and security controls.

Patch management
61.39 Stock Brokers should establish and ensure that the patch management procedures include the identification, categorization and prioritization of patches and updates. An implementation timeframe for each category of patches should be established to apply them in a timely manner.
61.40 Stock Brokers should perform rigorous testing of security patches and updates, where possible, before deployment into the production environment so as to ensure that the application of patches does not impact other systems.

Disposal of data, systems and storage devices

61.41 Stock Brokers should frame suitable policy for disposal of storage media and systems. The critical data / Information on such devices and systems should be removed by using methods such as crypto shredding / degauss / Physical destruction as applicable.

61.42 Stock Brokers should formulate a data-disposal and data retention policy to identify the value and lifetime of various parcels of data.

Vulnerability Assessment and Penetration Testing (VAPT)

61.43 Stock Brokers shall carry out periodic Vulnerability Assessment and Penetration Tests (VAPT) which inter-alia include critical assets and infrastructure components like Servers, Networking systems, Security devices, load balancers, other IT systems pertaining to the activities done as Stock Brokers etc., in order to detect security vulnerabilities in the IT environment and in-depth evaluation of the security posture of the system through simulations of actual attacks on its systems and networks.

61.44 Stock Brokers shall conduct VAPT at least once in a financial year. All Stock Brokers are required to engage only CERT-In empaneled organizations for conducting VAPT. The final report on said VAPT shall be submitted to the Stock Exchanges after approval from Technology Committee of respective Stock Brokers, within 1 month of completion of VAPT activity. In addition, Stock Brokers shall perform vulnerability scanning and conduct penetration testing prior to the commissioning of a new system which is a critical system or part of an existing critical system.

61.45 In case of vulnerabilities discovered in off-the-shelf products (used for core business) or applications provided by exchange empanelled vendors, Stock Brokers should report them to the vendors and the exchanges in a timely manner.

61.46 Any gaps/vulnerabilities detected shall be remedied on immediate basis and compliance of closure of findings identified during VAPT shall be submitted to the Stock Exchanges within three months post the submission of final VAPT report.

Monitoring and Detection

61.47 Stock Brokers should establish appropriate security monitoring systems and processes to facilitate continuous monitoring of security events / alerts and timely detection of unauthorised or malicious activities, unauthorised changes, unauthorised access and unauthorised copying or transmission of data / information held in contractual or fiduciary capacity, by internal and external parties. The security logs of systems, applications and network devices exposed to the internet should also be monitored for anomalies.

61.48 Further, to ensure high resilience, high availability and timely detection of attacks on systems and networks exposed to the internet, Stock Brokers should implement suitable mechanisms to monitor capacity utilization of its critical systems and networks that are exposed to the internet, for example, controls such as firewalls to monitor bandwidth usage.

Response and Recovery

61.49 Alerts generated from monitoring and detection systems should be suitably investigated in order to determine activities that are to be performed to prevent expansion of such incident of cyber-attack or breach, mitigate its effect and eradicate the incident.

61.50 The response and recovery plan of the Stock Brokers should have plans for the timely restoration of systems affected by incidents of cyber-attacks or breaches, for instance, offering alternate services or systems to Customers. Stock Brokers should have the same Recovery Time Objective (RTO) and Recovery Point Objective (RPO) as specified by SEBI for Market Infrastructure Institutions vide SEBI circular CIR/MRD/DMS/17/20 dated June 22, 2012 as amended from time to time.

61.51 The response plan should define responsibilities and actions to be performed by its employees and support / outsourced staff in the event of cyber-attacks or breach of Cyber Security mechanism.

61.52 Any incident of loss or destruction of data or systems should be thoroughly analyzed and lessons learned from such incidents should be incorporated to strengthen the security mechanism and improve recovery planning and processes.

61.53 Stock Brokers should also conduct suitable periodic drills to test the adequacy and effectiveness of the aforementioned response and recovery plan.

Sharing of Information

61.54 All Cyber-attacks, threats, cyber-incidents and breaches experienced by Stock Brokers shall be reported to Stock Exchanges & SEBI within six hours of noticing / detecting such incidents or being brought to notice about such incidents. This information shall be shared to SEBI through the dedicated e-mail id: sbdp-cyberincidents@sebi.gov.in.

61.55 The incident shall also be reported to Indian Computer Emergency Response team (CERT-In) in accordance with the guidelines / directions issued by CERT-In from time to time. Additionally, the Stock Brokers, whose systems have been identified as “Protected system” by National Critical Information Infrastructure Protection Centre (NCIIPC) shall also report the incident to NCIIPC. The quarterly reports containing information on cyber-attacks, threats, cyber-incidents and breaches experienced by Stock Brokers and measures taken to mitigate vulnerabilities, threats and attacks including information on bugs / vulnerabilities, threats that may be useful for other Stock Brokers / Exchanges and SEBI, shall be submitted to Stock Exchanges within 15 days from the quarter ended June, September, December and March of every year (Format for Submitting the reports is attached in below Annexure-25).

Training and Education

61.56 Stock Brokers should work on building Cyber Security and basic system hygiene awareness of staff (with a focus on staff from non-technical disciplines).

61.57 Stock Brokers should conduct periodic training programs to enhance knowledge of IT / Cyber Security Policy and standards among the employees incorporating up-to-date Cyber Security threat alerts. Where possible, this should be extended to outsourced staff, vendors etc.

61.58 The training programs should be reviewed and updated to ensure that the contents of the program remain current and relevant.

Systems managed by vendors

61.59 Where the systems (IBT, Back office and other Customer facing applications, IT infrastructure, etc.) of a Stock Brokers are managed by vendors and the Stock Brokers may not be able to implement some of the aforementioned guidelines directly, the Stock Brokers should instruct the vendors to adhere to the applicable guidelines in the Cyber Security and Cyber Resilience policy and obtain the necessary self-certifications from them to ensure compliance with the policy guidelines.

Systems managed by MIIs

61.60 Where applications are offered to customers over the internet by MIIs (Market Infrastructure Institutions), for eg.: NSE’s NOW, BSE’s BEST etc., the responsibility of ensuring Cyber Resilience on those applications reside with the MIIs and not with the Stock Broker. The Stock Broker is exempted from applying the aforementioned guidelines to such systems offered by MIIs such as NOW, BEST, etc.

Periodic Audit

61.61 The Terms of Reference for the System Audit of Stock Brokers specified at para 16 above, shall accordingly stand modified to include audit of implementation of the areas mentioned at para 60.1 to 60.60 above.

61.62 The Type I Stock Brokers shall arrange to have their systems audited on an annual basis by a CERT-IN empanelled auditor, an independent DISA (ICAI) Qualification, CISA (Certified Information System Auditor) from ISACA, CISM (Certified Information Securities Manager) from ISACA, CISSP (Certified Information Systems Security Professional) from International Information Systems Security Certification Consortium (commonly known as (ISC)2), to check compliance with the above areas and shall submit the report to Stock Exchanges along with the comments of the Board / Partners / Proprietor of Stock Broker within three months of the end of the financial year.

61.63 The periodicity of audit for the compliance with the provisions of Cyber Security and Cyber Resilience provisions for stock brokers, irrespective of number of terminals and location presence, shall be as under:

Table 14

| Type of stock broker as specified in SEBI circular CIR/MRD/DMS/34/2013 dated November 06, 2013 | Periodicity |
| --- | --- |
| Type I | Annual |
| Type II | Annual |
| Type III | Half-yearly |

Table 15: Illustration A

Illustrative Measures for Data Security on Customer Facing Applications

  1. Analyse the different kinds of sensitive data shown to the Customer on the frontend application to ensure that only what is deemed absolutely necessary is transmitted and displayed.
  2. Wherever possible, mask portions of sensitive data. For instance, rather than displaying the full phone number or a bank account number, display only a portion of it, enough for the Customer to identify, but useless to an unscrupulous party who may covertly obtain it from the Customer’s screen. For instance, if a bank account number is “123 456 789”, consider displaying something akin to “XXX XXX 789” instead of the whole number. This also has the added benefit of not having to transmit the full piece of data over various networks.
  3. Analyse data and databases holistically and draw out meaningful “silos” (physical or virtual) into which different kinds of data can be isolated and cordoned off. For instance, a database with personal financial information need not be a part of the system or network that houses the public facing websites of the Stock Broker. They should ideally be in discrete silos or DMZs.
  4. Implement strict data access controls amongst personnel, irrespective of their responsibilities, technical or otherwise. It is infeasible for certain personnel such as System Administrators and developers to not have privileged access to databases. For such cases, take strict measures to limit the number of personnel with direct access, and monitor, log, and audit their activities. Take measures to ensure that the confidentiality of data is not compromised under any of these scenarios.
  5. Use industry standard, strong encryption algorithms (eg: RSA, AES etc.) wherever encryption is implemented. It is important to identify data that warrants encryption as encrypting all data is infeasible and may open up additional attack vectors. In addition, it is critical to identify the right personnel to be in charge of, and the right methodologies for storing the encryption keys, as any compromise to either will render the encryption useless.
  6. Ensure that all critical and sensitive data is adequately backed up, and that the backup locations are adequately secured. For instance, on servers on isolated networks that have no public access endpoints, or on-premise servers or disk drives that are off-limits to unauthorized personnel. Without up-to-date backups, a meaningful recovery from a disaster or cyber-attack scenario becomes increasingly difficult.

Table 16: Illustration B

Illustrative Measures for Data Transport Security

  1. When an Application transmitting sensitive data communicates over the Internet with the Stock Brokers’ systems, it should be over a secure, encrypted channel to prevent Man-In-The-Middle (MITM) attacks, for instance, an IBT or a Back office communicating from a Customer’s web browser or Desktop with the Stock Brokers’ systems over the internet, or intra or inter organizational communications. Strong transport encryption mechanisms such as TLS (Transport Layer Security, also referred to as SSL) should be used.
  2. For Applications carrying sensitive data that are served as web pages over the internet, a valid, properly configured TLS (SSL) certificate on the web server is mandatory, making the transport channel HTTP(S).
  3. Avoid the use of insecure protocols such as FTP (File Transfer Protocol) that can be easily compromised with MITM attacks. Instead, adopt secure protocols such as FTP(S), SSH and VPN tunnels, RDP (with TLS) etc.

Table 17: Illustration C

Illustrative Measures for Application Authentication Security

  1. Any Application offered by Stock Brokers to Customers containing sensitive, private, or critical data such as IBTs, SWSTs, Back office etc. (referred to as “Application” hereafter) over the Internet should be password protected. A reasonable minimum length (and no arbitrary maximum length cap or character class requirements) should be enforced. While it is difficult to quantify password “complexity”, longer passphrases have more entropy and offer better security in general. Stock Brokers should attempt to educate Customers of these best practices.
  2. Passwords, security PINs etc. should never be stored in plain text and should be one-way hashed using strong cryptographic hash functions (e.g.: bcrypt, PBKDF2) before being committed to storage. It is important to use one-way cryptographic hashes to ensure that stored password hashes are never transformed into the original plaintext values under any circumstances.
  3. For added security, a multi-factor (e.g.: two-factor) authentication scheme may be used (hardware or software cryptographic tokens, VPNs, biometric devices, PKI etc.). In case of IBTs and SWSTs, a minimum of two-factors in the authentication flow are mandatory.
  4. In case of Applications installed on mobile devices (such as smartphones and tablets), a cryptographically secure biometric two-factor authentication mechanism may be used.
  5. After a reasonable number of failed login attempts into Applications, the Customer’s account can be set to a “locked” state where further logins are not possible until a password and authentication reset is performed via an out-of-band channel validation, for instance, a cryptographically secure unique link that is sent to the Customer’s registered e-mail, a random OTP (One Time Password) that is sent as an SMS to the Customer’s registered mobile number, or manually by the Broker after verification of the Customer’s identity etc.
  6. Avoid forcing Customers to change passwords at frequent intervals which may result in successive, similar, and enumerated passwords. Instead, focus on strong multi-factor authentication for security and educate Customers to choose strong passphrases. Customers may be reminded within reasonable intervals to update their password and multi-factor credentials, and to ensure that their out-of-band authentication reset information (such as e-mail and phone number) are up-to-date.
  7. Both successful and failed login attempts against a Customer’s account may be logged for a reasonable period of time. After successive login failures, it is recommended that measures such as CAPTCHAs or rate-limiting be used in Applications to thwart manual and automated brute force and enumeration attacks against logins.

62. Reporting for Artificial Intelligence (AI) and Machine Learning (ML) applications and systems offered and used by market intermediaries [79]

62.1 Any set of applications / software / programs / executable / systems (computer systems) – cumulatively called application and systems, a) that are offered to investors (individuals and institutions) by market intermediaries to facilitate investing and trading, OR b) to disseminate investments strategies and advice, OR c) to carry out compliance operations / activities, where AI / ML is portrayed as a part of the public product offering or under usage for compliance or management purposes, is included in the scope of this circular. Here, “AI” / “ML” refers to the terms “Artificial Intelligence” and “Machine Learning” used as a part of the product offerings. In order to make the scope of this circular inclusive of various AI and ML technologies in use, the scope also covers Fin-Tech and Reg-Tech initiatives undertaken by market participants that involves AI and ML.

62.2 Technologies that are considered to be categorized as AI and ML technologies in the scope of this circular, are explained in Annexure-27.
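Items 1, 2, 5 and 7 of Illustration C (Application Authentication Security) can be combined in one credential store, shown here as an added example that is not part of the circular. The class name, the numeric thresholds and the in-memory storage are assumptions; the circular only asks for "reasonable" values.

```python
import hashlib
import hmac
import secrets
import time

MIN_LENGTH = 12              # assumed "reasonable minimum length"; the circular names no figure
MAX_FAILURES = 5             # assumed "reasonable number" of failed attempts before lockout
PBKDF2_ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor
RESET_TTL_SECONDS = 15 * 60  # assumed lifetime of an out-of-band reset token


class AuthStore:
    """In-memory stand-in for a credential store (hypothetical, for illustration)."""

    def __init__(self, iterations=PBKDF2_ITERATIONS):
        self.iterations = iterations
        self.users = {}      # customer id -> credential record
        self.audit_log = []  # (unix time, customer id, outcome), item 7

    def _hash(self, password, salt):
        # One-way, salted, deliberately slow hash (item 2).
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self.iterations)

    def _log(self, user, outcome):
        self.audit_log.append((time.time(), user, outcome))

    def set_password(self, user, password):
        # Item 1: enforce a length floor only; no maximum cap, no character-class rules.
        if len(password) < MIN_LENGTH:
            raise ValueError("password is shorter than the minimum length")
        salt = secrets.token_bytes(16)
        self.users[user] = {"salt": salt, "hash": self._hash(password, salt),
                            "failures": 0, "locked": False, "reset": None}

    def login(self, user, password):
        rec = self.users.get(user)
        if rec is None:
            # Spend the same hashing time for unknown ids so timing does not reveal them.
            self._hash(password, b"\x00" * 16)
            self._log(user, "failed")
            return False
        if rec["locked"]:
            self._log(user, "rejected-locked")
            return False
        if hmac.compare_digest(self._hash(password, rec["salt"]), rec["hash"]):
            rec["failures"] = 0
            self._log(user, "success")
            return True
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILURES:
            rec["locked"] = True  # item 5: no further logins until an out-of-band reset
        self._log(user, "failed")
        return False

    def issue_reset_token(self, user):
        # The token goes to the registered e-mail or phone; only its digest is stored.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode("utf-8")).digest()
        self.users[user]["reset"] = (digest, time.time() + RESET_TTL_SECONDS)
        return token

    def redeem_reset(self, user, token, new_password):
        rec = self.users.get(user)
        if rec is None or rec["reset"] is None:
            return False
        digest, expires = rec["reset"]
        presented = hashlib.sha256(token.encode("utf-8")).digest()
        if time.time() > expires or not hmac.compare_digest(presented, digest):
            self._log(user, "reset-rejected")
            return False
        # A fresh record is written: unlocked, counter at 0, reset token cleared (single use).
        self.set_password(user, new_password)
        self._log(user, "reset-ok")
        return True


if __name__ == "__main__":
    store = AuthStore()
    store.set_password("CUST001", "correct horse battery staple")  # constructed sample data
    for _ in range(MAX_FAILURES):
        store.login("CUST001", "wrong guess")
    print("locked:", store.users["CUST001"]["locked"])
    token = store.issue_reset_token("CUST001")
    print("reset:", store.redeem_reset("CUST001", token, "a brand new long passphrase"))
    print([outcome for _, _, outcome in store.audit_log])
```

The second authentication factor that item 3 makes mandatory for IBTs and SWSTs is outside this sketch and would be checked after `login` succeeds.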

79 Reference: Circular SEBI/HO/MIRSD/DOS2/CIR/P/2019/10 dated January 04,2019

62.3 All registered Stock Brokers offering or using applications or systems as defined in Annexure-27, should participate in the reporting process by completing the AI / ML reporting form (see Annexure-26).

62.4 All registered Stock Brokers using AI / ML based application or system as defined in Annexure-27, are required to fill in the form (Annexure-26) and make submissions on quarterly basis within fifteen calendar days of the expiry of the quarter.

62.5 Stock Exchanges have to consolidate and compile a report, on AI / ML applications and systems reported by registered Stock Brokers in the reporting format (Annexure-28) on quarterly basis. The said report (Annexure-28) shall be submitted in soft copy only at AI_SE@sebi.gov.in to SEBI within thirty calendar days of the expiry of the quarter.

63. Advisory for Financial Sector Organizations regarding Software as a Service (SaaS) based solutions [80]

63.1 Indian Computer Emergency Response Team (CERT-in) issued an advisory for Financial Sector organizations to improve their cyber Security Posture by availing Software as a Service (SaaS) based solution for managing their Governance, Risk & Compliance (GRC) functions.

63.2 The advisory was forwarded to SEBI for bringing the same to the notice of financial sector organization. The advisory is enclosed at Annexure-29.

63.3 Stock brokers are advised to ensure complete protection and seamless control over the critical systems at their organizations by continuous monitoring through direct control and supervision protocol mechanisms while keeping the critical data within the legal boundary of India.

63.4 The compliance of the advisory shall be reported in the half yearly report by stock brokers to stock exchanges with an undertaking, “Compliance of the SEBI circular for Advisory for Financial Sector Organizations regarding Software as a Service (SaaS) based solutions has been made.”

80 Reference: Circular SEBI/HO/MIRSD2/DOR/CIR/P/2020/221 dated November 03, 2020

64. Framework to address the ‘technical glitches’ in Stock Brokers’ Electronic Trading Systems [81]

64.1 Technology related interruptions and glitches (technical glitches) and their impact on the investors’ opportunity to trade constitutes major technology related risk. Thus, the following framework to deal with technical glitches occurring in the trading systems of stock brokers shall be complied with.

64.2 Definition of Technical Glitch: Technical glitch shall mean any malfunction in the systems of stock broker including malfunction in its hardware, software, networks, processes or any products or services provided by the stock broker in the electronic form. The malfunction can be on account of inadequate Infrastructure / systems, cyber-attacks / incidents, procedural errors and omissions, or process failures or otherwise, in their own systems or the one outsourced from any third parties, which may lead to either stoppage, slowing down or variance in the normal functions / operations / services of systems of the stock broker for a contiguous period of five minutes or more.

64.3 Reporting Requirements

64.3.1 Stock brokers shall inform about the technical glitch to the stock exchanges immediately but not later than one hour from the time of occurrence of the glitch.

64.3.2 Stock brokers shall submit a Preliminary Incident Report to the Exchange within T+1 day of the incident (T being the date of the incident). The report shall include the date and time of the incident, the details of the incident, effect of the incident and the immediate action taken to rectify the problem.

64.3.3 Stock brokers shall submit a Root Cause Analysis (RCA) Report (as per Annexure-30) of the technical glitch to stock exchange, within fourteen days from the date of the incident.
64.3.4 RCA report submitted by the stock brokers shall, inter-alia, include time of incident, cause of the technical glitch (including root cause from vendor(s), if applicable), duration, chronology of events, impact analysis and details of corrective/ preventive measures taken (or to be taken), restoration of operations etc.

81 Reference: Circular SEBI/HO/MIRSD/TPD-1/P/CIR/2022/160 dated November 25, 2022

64.3.5 Stock brokers shall submit information stated in para 63.3.1, 63.3.2 and 63.3.3 above, by e-mail at infotechglitch@nse.co.in, a common email address for reporting across all stock exchanges.

64.3.6 All technical glitches reported by stock brokers as well as independently monitored by stock exchanges, shall be examined collectively by the stock exchanges along with the report/ RCA and appropriate action shall be taken.

64.4 Capacity Planning:

64.4.1 Increasing number of investors may create additional burden on the trading system of the stock broker and hence, adequate capacity planning is prerequisite for stock brokers to provide continuity of services to their clients. Stock brokers shall do capacity planning for entire trading infrastructure i.e. server capacities, network availability, and the serving capacity of trading applications.

64.4.2 Stock brokers shall monitor peak load in their trading applications, servers and network architecture. The Peak load shall be determined on the basis of highest peak load observed by the stock broker during a calendar quarter. The installed capacity shall be at least one and half times (1.5x) of the observed peak load.

64.4.3 Stock brokers shall deploy adequate monitoring mechanisms within their networks and systems to get timely alerts on current utilization of capacity going beyond permissible limit of seventy percent of its installed capacity.

64.4.4 To ensure the continuity of services at the primary data center, stock brokers as may be specified from time to time by stock exchange (hereafter referred to as specified stock brokers) shall strive to achieve full redundancy in their IT systems that are related to trading applications and trading related services.
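The thresholds in paras 64.2, 64.3 and 64.4.2 to 64.4.3 can be checked mechanically against monitoring samples, as in this added example (not part of the circular). The per-minute sample format, the `healthy` flag produced by the broker's own probe, the calendar-day reading of "T+1" and all function names are assumptions; the sample data is constructed and covers minutes, not a calendar quarter.

```python
from datetime import datetime, timedelta

GLITCH_MIN = timedelta(minutes=5)    # 64.2: contiguous period of five minutes or more
NOTIFY_WITHIN = timedelta(hours=1)   # 64.3.1: inform the exchange within one hour
RCA_DAYS = 14                        # 64.3.3: RCA report within fourteen days
CAPACITY_FACTOR = 1.5                # 64.4.2: installed capacity >= 1.5x observed peak
UTILISATION_LIMIT = 0.70             # 64.4.3: alert beyond 70% of installed capacity


def find_glitches(samples, interval=timedelta(minutes=1)):
    """Return (start, end) for every unhealthy run lasting at least five minutes.

    samples: time-ordered, evenly spaced (timestamp, healthy, load) tuples.
    A run ends at the first healthy sample after it, or one interval after
    the last unhealthy sample if the data stops while still unhealthy.
    """
    glitches, start, last_bad = [], None, None
    for ts, healthy, _load in samples:
        if not healthy:
            if start is None:
                start = ts
            last_bad = ts
        elif start is not None:
            if ts - start >= GLITCH_MIN:
                glitches.append((start, ts))
            start = None
    if start is not None and (last_bad + interval) - start >= GLITCH_MIN:
        glitches.append((start, last_bad + interval))
    return glitches


def reporting_deadlines(glitch_start):
    """Deadlines of 64.3.1 to 64.3.3, counting T+1 and 14 days as calendar days (assumption)."""
    day = glitch_start.date()
    return {
        "inform_exchange_by": glitch_start + NOTIFY_WITHIN,
        "preliminary_report_by": day + timedelta(days=1),
        "rca_report_by": day + timedelta(days=RCA_DAYS),
    }


def capacity_findings(samples, installed_capacity):
    """Compare installed capacity with 1.5x the observed peak and list 70% breaches."""
    peak = max(load for _ts, _healthy, load in samples)
    required = CAPACITY_FACTOR * peak
    alerts = [ts for ts, _healthy, load in samples
              if load > UTILISATION_LIMIT * installed_capacity]
    return {"peak": peak, "required": required,
            "adequate": installed_capacity >= required, "alerts": alerts}


def constructed_samples():
    """Twenty constructed one-minute samples starting 2024-08-09 10:00."""
    base = datetime(2024, 8, 9, 10, 0)
    rows = []
    for minute in range(20):
        healthy = not (6 <= minute <= 11 or 15 <= minute <= 16)  # 6-minute outage, 2-minute blip
        load = 7200 if 3 <= minute <= 5 else 5000                # orders/sec (hypothetical unit)
        rows.append((base + timedelta(minutes=minute), healthy, load))
    return rows


if __name__ == "__main__":
    data = constructed_samples()
    for start, end in find_glitches(data):
        print("technical glitch", start, "to", end, reporting_deadlines(start))
    print(capacity_findings(data, installed_capacity=10000))
```

On the constructed data the two-minute blip is ignored, the six-minute outage is reported, and an installed capacity of 10000 falls short of the 10800 that the observed peak of 7200 requires.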

64.4.5 Stock exchanges shall issue detailed guidelines with regard to frequency of capacity planning to review available capacity, peak load, and new capacity required to tackle future load on the system.

64.5 Software testing and change:

64.5.1 Software applications are prone to updates/changes and hence, it is imperative for the stock brokers to ensure that all software changes that are taking place in their applications are rigorously tested before they are used in production systems. Software changes could impact the functioning of the software if adequate testing is not carried out. In view of this, stock brokers shall adopt the following framework for carrying out software related changes / testing in their systems:

64.5.1.1 Stock brokers shall create test driven environments for all types of software developed by them or their vendors. Regression testing, security testing and unit testing shall be included in the software development, deployment and operations practices.

64.5.1.2 Specified stock brokers shall do their software testing in automated environments.

64.5.1.3 Stock Brokers shall prepare a traceability matrix between functionalities and unit tests, while developing any software that is used in trading activities.

64.5.1.4 Stock brokers shall implement a change management process to avoid any risk arising due to unplanned and unauthorized changes for all its information security assets (hardware, software, network, etc.).

64.5.1.5 Stock brokers shall periodically update all their assets including Servers, OS, databases, middleware, network devices, firewalls, IDS /IPS desktops etc. with latest applicable versions and patches.

64.5.1.6 Stock exchanges shall issue detailed guidelines with regard to testing of software, testing in automated environments, traceability matrix, change management process and periodic updation of assets etc.

64.6 Monitoring mechanism:

64.6.1 Proactively and independently monitoring technical glitches shall be one of the approaches in mitigating the impact of such glitches. In this context, the stock exchange shall build API based Logging and Monitoring Mechanism (LAMA) to be operated between stock exchanges and specified stock brokers’ trading systems. Under this mechanism, specified stock brokers shall monitor key systems & functional parameters to ensure that their trading systems function in a smooth manner. Stock exchanges shall, through the API gateway, independently monitor these key parameters to gauge the health of the trading systems of the specified stock brokers.

64.6.2 Stock Exchanges shall identify the key parameters in consultation with stock brokers. These key parameters shall be monitored by specified stock brokers and by stock exchanges, on a real time or on a near real time basis.

64.6.3 Stock exchanges shall maintain a dedicated cell for monitoring the key parameters and the technical glitches occurring in stock brokers’ trading systems. The cell also shall intimate the specified stock broker concerned immediately about the breach of the key parameters monitored under LAMA.

64.6.4 Stock brokers and stock exchanges shall preserve the logs of the key parameters for a period of thirty days in normal course. However, if a technical glitch takes place, the data related to the glitch, shall be maintained for a period of two years.

64.7 Business Continuity Planning (BCP) and Disaster Recovery Site (DRS):

64.7.1 Stock brokers with a minimum client base across the exchanges, as may be specified by stock exchanges from time to time, shall mandatorily establish business continuity/DR set up.

64.7.2 Stock brokers shall put in place a comprehensive BCP-DR policy document outlining standard operating procedures to be followed in the event of any disaster. A suitable framework shall be put in place to constantly monitor health and performance of critical systems in the normal course of business. The BCP-DR policy document shall be periodically reviewed to minimize incidents affecting the business continuity.

64.7.3 The DRS shall preferably be set up in different seismic zones. In case, due to any reasons like operational constraints, such a geographic separation is not possible, then the Primary Data Centre (PDC) and DRS shall be separated from each other by a distance of at least two hundred and fifty (250) kilometers to ensure that both of them do not get affected by the same natural disaster. The DR site shall be made accessible from primary data center to ensure syncing of data across two sites.

64.7.4 Specified stock brokers shall conduct DR drills / live trading from DR site. DR drills / live trading shall include running all operations from DRS for at least 1 full trading day. Stock exchanges in consultation with specified stock brokers shall decide the frequency of DR drill / live trading from DR site.

64.7.5 Stock brokers, shall constitute responsible teams for taking decisions about shifting of operations from primary site to DR site, putting adequate resources at DR site, and setting up mechanism to make DR site operational from primary data center etc.

64.7.6 Hardware, system software, application environment, network and security devices and associated application environments of DRS and PDC shall have one-to-one correspondence between them. Adequate resources shall be made available at all times to handle operations at PDC or DRS.

64.7.7 Stock exchanges in consultation with stock brokers shall decide upon Recovery Time Objective (RTO) i.e. the maximum time taken to restore operations from DRS after declaration of Disaster and, Recovery Point Objective (RPO) i.e. the maximum tolerable period for which data might be lost due to a major incident.
64.7.8 Replication architecture, bandwidth and load consideration between the DRS and PDC shall be within stipulated RTO and the whole system shall ensure high availability, right sizing, and no single point of failure. Any updates made at the PDC shall be reflected at DRS immediately.

64.7.9 Specified stock brokers shall obtain ISO certification as may be specified by stock exchanges from time to time in the area of IT and IT enabled infrastructure/processes of the stock brokers.

64.7.10 The System Auditor, while covering the BCP – DR as a part of mandated annual System Audit, shall check the preparedness of the stock broker to shift its operations from PDC to DRS and also comment on documented results and observations on DR drills conducted by the stock brokers.

64.7.11 Stock exchanges shall define the term ‘critical systems’, ‘disaster’ and issue detailed guidelines with regard to review of BCP document, DR drill/live trading, operating DR site from PDC, timeline for obtaining ISO certification etc.

64.8 Stock exchanges shall put in place a structure of financial disincentives applicable to stock brokers for technical glitches occurring in their trading systems and non-compliance of the provisions made in this regard.

64.9 Stock exchanges shall disseminate on their websites the instances of Technical glitches occurred in the trading system of stock brokers along with Root Cause Analysis (RCA) on such glitches.

64.10 Stock exchanges shall build necessary systems for implementation of the provisions of this circular and issue appropriate guidelines to the stock brokers for compliance with the provisions of this circular.

65. Advisory for SEBI Regulated Entities (REs) regarding Cybersecurity best practices [82]

65.1 Considering the interconnectedness and interdependency of the financial entities to carry out their functions, the cyber risk of any given entity is no longer limited to the entity’s owned or controlled systems, networks and assets.

65.2 Further, given the sophistication and persistence of the threat with a high level of coordination among threat actors, it is important to recognize that many traditional approaches to risk management and governance that worked in the past may not be comprehensive or agile enough to address the rapid changes in the threat environment and the pace of technological change that is redefining public and private enterprise.

82 Reference: Circular SEBI/HO/ITD/ITD_VAPT/P/CIR/2023/032 dated February 22, 2023.

65.3 Thus, an efficient and effective response to and recovery from a cyber-incident by REs are essential to limit any related financial stability risks. For ensuring the same, Financial Computer Security Incident Response Team (CSIRT-Fin) has provided important recommendations in its report sent to SEBI. The applicable recommendations, in the form of an advisory, are enclosed at Annexure-31 of this circular.

65.4 This advisory should be read in conjunction with the applicable SEBI circulars (including but not limited to Cybersecurity and Cyber Resilience framework, Annual System Audit framework, etc.) and subsequent updates issued by SEBI from time to time.

65.5 The compliance of the advisory shall be provided by the REs along with their cybersecurity audit report (conducted as per the applicable SEBI Cybersecurity and Cyber Resilience framework). The compliance shall be submitted as per the existing reporting mechanism and frequency of the respective cybersecurity audit.

66. Framework for Adoption of Cloud Services by SEBI Regulated Entities (REs) [83]

66.1. Background: In recent times, the dependence on cloud computing for delivering the IT services is increasing. While cloud computing offers multiple advantages viz. ready to scale, ease of deployment, no overhead of maintaining physical infrastructure etc., the RE should also be aware of the new cyber security risks and challenges which cloud computing introduces. In view of the above, this cloud framework has been drafted to provide baseline standards of security and for the legal and regulatory compliances by the RE.
The framework shall be seen as an addition to already existing SEBI circulars /guidelines /advisories. 66.2.Objective: The major purpose of this framework is to highlight the key risks, and mandatory control measures which REs need to put in place before

83 Reference: Circular SEBI/HO/ITD/ITD_VAPT/P/CIR/2023/033 dated March 06, 2023.

adopting cloud computing. The document also sets out the regulatory and legal compliances by REs if they adopt such solutions.

66.3. Applicability: The framework shall be applicable to the following REs:
i. Stock Exchanges
ii. Clearing Corporations
iii. Depositories
iv. Stock Brokers through Exchanges
v. Depository Participants through Depositories
vi. Asset Management Companies (AMCs)/ Mutual Funds (MFs)
vii. Qualified Registrars to an Issue and Share Transfer Agents
viii. KYC Registration Agencies (KRAs)

66.4. Transition Period
i. The framework shall come into force with immediate effect for all new or proposed cloud onboarding assignments/ projects of the REs.
ii. REs which are currently availing cloud services (as on date of issuance of this framework) shall ensure that, wherever applicable, all such arrangements are revised and they (RE) shall be in compliance with this framework not later than 12 (twelve) months from the date of issuance of the framework.
iii. Additionally, the REs which are currently availing cloud services, shall provide milestone-based updates as follows:

Table 18

| SN. | Timeline | Milestone |
|---|---|---|
| 1 | Within one (1) month of issuance of framework | REs shall provide details of the cloud services, if any, currently deployed by them.84 |
| 2 | Within three (3) months of issuance of framework | The REs shall submit a roadmap (including details of major activities, timelines, etc.) for the implementation of the framework. |
| 3 | From three (3) to twelve (12) months of issuance of framework | Quarterly progress report as per the roadmap submitted by the RE. |
| 4 | After twelve (12) months of issuance of framework | Compliance with respect to the framework to be reported regularly |

84 The details of cloud deployment shall be submitted in the format provided in Appendix-A

iv. The above-mentioned reporting shall be done to the authority as per the existing mechanism of reporting for systems audit/ cybersecurity audit.

66.5. Scope:
i. As per NIST, cloud computing has four types of deployment models viz public cloud, community cloud, private cloud and hybrid cloud -
a. This cloud framework is applicable for adoption of public cloud and community cloud. Consequently, REs are permitted to deploy public cloud and community cloud models, subject to the conditions specified herein.
b. A private cloud shall be considered as an on-premise deployment model and consequently, private cloud deployments shall be governed by SEBI circulars (for example cybersecurity circular, outsourcing circular, BCP-DR, etc.), guidelines, advisories, etc. issued from time to time. Therefore, private cloud deployments (by REs) are permitted, however, such deployments may not be governed by this cloud framework.
c. A hybrid cloud is a combination of two or more out of public cloud, community cloud and private cloud. Therefore, this cloud framework as well as the relevant SEBI circulars/ guidelines/ advisories shall be applicable for hybrid cloud deployments. In view of the above, hybrid cloud deployment is permitted, subject to the conditions specified herein.
ii. Deployment of any other cloud model is prohibited unless explicitly permitted under this framework. However, as the field of cloud computing is a dynamic and emerging area, SEBI may allow deployment of other models after due consultations. The same may be specified by SEBI from time to time.

66.6. Approach: The cloud framework is a principle-based framework which covers

Governance, Risk and Compliance (GRC), selection of Cloud Service Providers (CSPs), data ownership and data localization, due-diligence by REs, security controls, legal and regulatory obligations, DR & BCP, and vendor lock-in risk. The principles are broadly stated guidelines to set the standards by which RE must comply with while adopting cloud services. The principles are stated below:
i. Principle 1: Governance, Risk and Compliance Sub-Framework
ii. Principle 2: Selection of Cloud Service Providers
iii. Principle 3: Data Ownership and Data Localization
iv. Principle 4: Responsibility of the Regulated Entity
v. Principle 5: Due Diligence by the Regulated Entity
vi. Principle 6: Security Controls
vii. Principle 7: Contractual and Regulatory Obligations
viii. Principle 8: BCP, Disaster Recovery & Cyber Resilience
ix. Principle 9: Vendor Lock-in and Concentration Risk Management

The detailed framework is enclosed at Annexure-32 of this circular.

VIII. CHANGE IN STATUS, CONSTITUTION, CONTROL, AFFILIATION

67. Periodical Report – Grant of prior approval to members of Stock Exchanges85

67.1 With the amendment in the Stock Brokers Regulations 1992 vide Notification No. LAD-NRO/GN/2011-12/03/12650 dated April 19, 2011, the requirement of members of the Stock Exchanges to obtain prior approval from SEBI for change in status or constitution has been done away with. However, the members of the Stock Exchanges would be required to take prior approval from SEBI for change in control.

67.2 The Stock Exchanges will continue to grant prior approval to their members for change in status or constitution, which would include the following:
67.2.1 in case of a body corporate —
a. amalgamation, demerger, consolidation or any other kind of corporate restructuring falling within the scope of section 230 of the Companies Act, 2013 or the corresponding provision of any other law for the time being in force;
b. change in its managing director, whole-time director or director appointed in compliance with clause (v) of sub-rule (4A) of rule 8 of the SCRR 1957; and
c. any change in control over the body corporate;
67.2.2 any change between the following legal forms - individual, partnership firm, Hindu undivided family, private company, public company, unlimited company or statutory corporation and other similar changes;
67.2.3 in case of a partnership firm any change in partners not amounting to dissolution of the firm;
67.2.4 any other purpose as may be considered appropriate by the Stock Exchanges.

67.3 The Stock Exchanges shall submit a periodical report with details of the changes in status or constitution of the members, as per the format and in accordance with guidelines given at Annexure-33.

85 Reference: Circular CIR/MIRSD/2/2011 dated June 03, 2011.

68. Procedure for seeking prior approval for change in control86

68.1 Regulation 9(c) of the Stock Brokers Regulations 1992 and Regulation 9(c) read with Regulation 10B of the Stock Brokers Regulations 1992 provide respectively that stock broker and clearing member shall obtain prior approval of SEBI in case of change in control.

68.2 To streamline the process of providing approval to the proposed change in control of stock broker/clearing member (hereinafter referred to as intermediary or applicant), it has been decided as under:
68.2.1 The Intermediary shall make an online application to SEBI for prior approval through the SEBI Intermediary Portal (‘SI Portal’) (https://siportal.sebi.gov.in).
68.2.2 The online application in SI portal shall be accompanied by the following information/declaration/undertaking about itself, the acquirer(s)/the person(s) who shall have the control and the directors/partners of the acquirer(s)/ the person(s) who shall have the control:
68.2.2.1 Current and proposed shareholding pattern of the applicant
68.2.2.2 Whether any application was made in the past to SEBI seeking registration in any capacity but was not granted? If yes, details thereof.
68.2.2.3 Whether any action has been initiated / taken under SCRA 1956/SEBI Act 1992 or rules and regulations made thereunder? If yes, the status thereof along with the corrective action taken to avoid such violations in the future. The acquirer/ the person who shall have the control shall also confirm that it shall honour all past liabilities / obligations of the applicant, if any.
68.2.2.4 Whether any investor complaint is pending? If yes, steps taken and confirmation that the acquirer/ the person who shall have the control shall resolve the same.
68.2.2.5 Details of litigation(s), if any.
68.2.2.6 Confirmation that all the fees due to SEBI have been paid.
68.2.2.7 Declaration cum undertaking of the applicant and the acquirer/ the person who shall have the control (in a format

86 Reference: Circular SEBI/HO/MIRSD/MIRSD-PoD-2/P/CIR/2022/163 dated November 28, 2022.

enclosed at Annexure-34), duly stamped and signed by their authorized signatories that:
68.2.2.7.1 there will not be any change in the Board of Directors of incumbent, till the time prior approval is granted;
68.2.2.7.2 pursuant to grant of prior approval by SEBI, the incumbent shall inform all the existing investors/ clients about the proposed change prior to effecting the same, in order to enable them to take informed decision regarding their continuance or otherwise with the new management; and
68.2.2.7.3 the ‘fit and proper person’ criteria as specified in Schedule II of the Intermediaries Regulations 2008 are complied with.
68.2.2.8 In case the incumbent is a registered stock broker, clearing member, depository participant, in addition to the above, it shall obtain approval /NOC from all the stock exchanges/clearing corporations/depositories, where the incumbent is a member/depository participant and submit self-attested copy of the same to SEBI.
68.2.3 The prior approval granted by SEBI shall be valid for a period of six months from the date of such approval within which the applicant shall file application for fresh registration pursuant to change in control.

68.3 To streamline the process of providing approval to the proposed change in control of an intermediary in matters which involve scheme(s) of arrangement which needs sanction of the National Company Law Tribunal (“NCLT”) in terms of the provisions of the Companies Act, 2013, the following has been decided:
68.3.1 The application seeking approval for the proposed change in control of the intermediary shall be filed with SEBI prior to filing the application with NCLT.
68.3.2 Upon being satisfied with compliance of the applicable regulatory requirements, an in-principle approval will be granted by SEBI;
68.3.3 The validity of such in-principle approval shall be three months from the

date of issuance, within which the relevant application shall be made to NCLT.
68.3.4 Within fifteen days from the date of order of NCLT, the intermediary shall submit an online application in terms of para 67.3 of this circular along with the following documents to SEBI for final approval:
a) Copy of the NCLT Order approving the scheme;
b) Copy of the approved scheme;
c) Statement explaining modifications, if any, in the approved scheme vis-à-vis the draft scheme and the reasons for the same; and
d) Details of compliance with the conditions/observations, if any, mentioned in the in-principle approval provided by SEBI.

68.4 With respect to transfer of shareholding among immediate relatives and transmission of shareholding, certain provisions are mentioned below: 87
68.4.1 Transfer /transmission of shareholding in case of unlisted body corporate intermediary: In following scenarios, change in shareholding of the intermediary will not be construed as change in control:
a) Transfer of shareholding among immediate relatives shall not result into change in control. Immediate relative shall be construed as defined under Regulation 2(l) of the Takeover Regulations 2011 which inter-alia includes any spouse of that person, or any parent, brother, sister or child of the person or of the spouse;
b) Transfer of shareholding by way of transmission to immediate relative or not, shall not result into change in control.
68.4.2 Transfer /transmission of shareholding in case of a proprietary firm type intermediary: In case of an intermediary being a proprietary concern, the transfer or bequeathing of the business/capital by way of transmission to another person is a change in the legal formation or ownership and hence by the definition of change in control, such transmission or transfer shall be considered as change in control. The legal heir / transferee in such cases is required to obtain prior approval and thereafter fresh registration shall be obtained in the name of the legal heir/transferee.

87 Reference: Circular no. SEBI/HO/MIRSD/DOR/CIR/P/2021/42 dated March 25, 2021.

68.4.3 Transfer /transmission of ownership interest in case of partnership firm type intermediary: Change in partners and their ownership interest of the partnership firm type intermediary shall be dealt in following manner:
a) Transfer of ownership interest in case of partnership firm: In case a SEBI registered entity is registered as a partnership firm with more than two partners, then inter-se transfer amongst the partners shall not be construed to be change in control. Where the partnership firm consists of two partners only, the same would stand as dissolved upon the death of one of the partners. However, if a new partner is inducted in the firm, then the same would be considered as a change in control, requiring fresh registration and prior approval of SEBI.
b) Transmission of ownership interest in case of partnership firm: Where the partnership deed contains a clause that in case of death of a partner, the legal heir(s) of deceased partner be admitted, then the legal heir(s) may become the partner(s) of the partnership firm. In such scenario the partnership firm is reconstituted. Bequeathing of partnership right to legal heir(s) by way of transmission shall not be considered as change in control.
68.4.4 Incoming entities/ shareholders becoming part of controlling interest in the intermediary pursuant to transfer of shares from immediate relative / transmission of shares (immediate relative or not), need to satisfy the fit and proper person criteria stipulated in Schedule II of the Intermediaries Regulations 2008.

69. Guidelines for seeking NOC by Stock Brokers / Clearing Members for setting up Wholly Owned Subsidiaries, Step Down Subsidiaries, Joint Ventures in GIFT IFSC88

69.1 SEBI receives applications from Stock Brokers / Clearing Members for granting NOCs for setting up Wholly Owned Subsidiaries, Step Down Subsidiaries, Joint Ventures, etc. in GIFT IFSC. With an endeavour to rationalise and streamline the process of application, the following guidelines are being issued.
69.1.1 The format of application along with list of supporting documents for seeking NOC for setting up Wholly Owned Subsidiaries, Step Down

88 Reference: Circular SEBI/HO/MIRSD/DoR/P/CIR/2022/61 dated May 13, 2022

Subsidiaries or entering into Joint Ventures in GIFT IFSC is placed as Annexure-35.
69.1.2 Stock Brokers and Clearing Members shall apply through a Stock Exchange where the applicant is a member, along with the required information, documents and NOC received from all Stock Exchanges/Clearing Corporations/Depositories in which the applicant is a member/participant.
69.1.3 Stock Exchanges / Clearing Corporations (where the applicant is only clearing member) are directed to forward the complete application to SEBI, after verification along with its recommendation.

IX. FOREIGN ACCOUNTS TAX COMPLIANCE ACT RELATED PROVISIONS

70. Inter-Governmental Agreement with United States of America under Foreign Accounts Tax Compliance Act - Registration89

70.1 The Government of India has advised that India and the United States of America (US) have reached an agreement in substance on the terms of an Inter-Governmental Agreement (IGA) to implement Foreign Accounts Tax Compliance Act (FATCA) and India is now treated as having an IGA in effect from April 11, 2014. However, the IGA may be signed in due course. Information on FATCA is available at: http://www.irs.gov/Businesses/Corporations/Foreign-Account-Tax-ComplianceAct-FATCA.

70.2 As advised by the Government, the following points may be noted by all SEBI registered intermediaries:
70.2.1 Indian Financial Institutions would have time upto December 31, 2014 to register with US authorities and obtain a Global Intermediary Identification Number (GIIN). This time limit would also be applicable to Indian Financial Institutions having overseas branches in Model 1 jurisdictions, including those jurisdictions where an agreement under Model 1 has been reached in substance. Registration should be done only after the formal IGA is signed.
70.2.2 Overseas branches of Indian Financial Institutions in a jurisdiction having IGA 2 agreement or in a jurisdiction that does not have an IGA but permits financial institutions to register and agree to a Foreign Financial Institution (FFI) agreement, may register with US authorities within the stipulated time period and obtain a GIIN in accordance with the requirements to avoid potential withholding under FATCA.
70.2.3 Overseas branches of Indian Financial Institutions in a jurisdiction that does not have an IGA and does not permit financial institutions to register and agree to an FFI agreement may not register and their overseas branches would eventually be subject to withholding under FATCA.

89 Reference: Circular CIR/MIRSD/2/2014 dated June 30, 2014.

70.2.4 The Government has further advised that if registration of the parent intermediary/ head office is a pre-requisite for a branch to register, such intermediaries may register as indicated at para 70.2.1 and 70.2.2 above.

71. Implementation of the Multilateral Competent Authority Agreement and Foreign Account Tax Compliance Act90

71.1 India joined the Multilateral Competent Authority Agreement (MCAA) on Automatic Exchange of Financial Account Information on June 03, 2015. In terms of the MCAA, all countries which are signatory to MCAA, are obliged to exchange a wide range of financial information after collecting the same from financial institutions in their country / jurisdiction.

71.2 On July 09, 2015, the Governments of India and United States of America (USA) signed an agreement to improve international tax compliance and to implement the Foreign Account Tax Compliance Act (FATCA) in India. The USA enacted FATCA in 2010 to obtain information on accounts held by US taxpayers in other countries. As per the aforesaid agreement, foreign financial institutions (FFIs) in India will be required to report tax information about US account holders / taxpayers directly to the Indian Government which will, in turn, relay that information to the US Internal Revenue Service (IRS).

71.3 For implementation of the MCAA and agreement with USA, the Government of India has made necessary legislative changes to Section 285BA of the Income Tax Act, 1961. Further, the Government of India has notified Rules 114F to 114H (hereinafter referred to as “the Rules”) under the Income Tax Rules, 1962 and form No. 61B for furnishing of statement of reportable account specified in the Rules. The Rule is available at http://www.incometaxindia.gov.in/communications/notification/notification%20no.%2062%20dated%2007-08-2015.pdf

71.4 A “Guidance Note on implementation of Reporting Requirements under Rules 114F to 114H of the Income Tax Rules” as issued by the Department of Revenue, Ministry of Finance vide F.No.500/137/2011-FTTR-III dated August 31, 2015 is available at http://www.incometaxindia.gov.in/communications/notification/guidance_notes_on_implementation_31_08_2015.pdf, for information and necessary action.

90 Reference: Circular CIR/MIRSD/2/2015 dated August 26, 2015 and Circular CIR/MIRSD/3/2015 dated September 10, 2015.

71.5 All registered intermediaries shall take necessary steps to ensure compliance with the requirements specified in the aforesaid Rules after carrying out necessary due diligence.

X. INVESTOR GRIEVANCE REDRESSAL

72. Exclusive e-mail ID for redressal of Investor Complaints91

72.1 All the registered stock brokers shall designate an e-mail ID of the grievance redressal division/compliance officer exclusively for the purpose of registering complaints by investors. Stock Brokers shall also display the email ID and other relevant details prominently on their websites and in the various materials/pamphlets/advertisement campaigns initiated by them for creating investor awareness.

73. Redressal of Investor complaints against Stock Brokers in SEBI Complaints Redress System (SCORES)92

73.1 SEBI commenced processing of investor complaints in a centralized web based complaints redress system ‘SCORES’. The salient features of this system are:
73.1.1 Centralised database of all complaints,
73.1.2 Online movement of complaints to the concerned listed companies,
73.1.3 Online upload of Action Taken Reports (ATRs) by the concerned companies, and
73.1.4 Online viewing by investors of actions taken on the complaint and its current status.

73.2 The investor grievances received by SEBI against stock brokers are taken up electronically with the concerned Stock Exchange(s) through SCORES. The Stock Exchange(s) in turn, take up the matter with the concerned stock brokers.

73.3 Stock Exchanges shall ensure that the investor complaints shall be resolved within fifteen working days from the date of receipt of the complaint. Additional information, if any, required from the complainant, shall be sought within seven working days from the date of receipt of the complaint. The period of fifteen

91 Reference: Circular MRD/DoP/Dep/SE/CIR-22/06 dated December 18, 2006.
92 Reference: Circular CIR/MIRSD/18/2011 dated August 25, 2011 and Circular SEBI/HO/MIRSD/MIRSD6/CIR/P/2017/20 dated March 10, 2017.

working days shall be counted from the date of receipt of additional information sought.93

73.4 For redressal of investor grievances through the SEBI Complaints Redress System (SCORES) platform, the master circular issued by SEBI in this regard may be accessed at the following link: https://www.sebi.gov.in/legal/master-circulars/nov-2022/master-circular-on-the-redressal-of-investor-grievances-through-the-sebi-complaints-redress-system-scores-platform_64742.html

74. Information regarding Grievance Redressal Mechanism94

74.1 For information of all investors who deal/ invest/ transact in the market, the offices of all stock brokers (and its authorized person(s)) shall prominently display basic information, as provided in Annexure-36, about the grievance redressal mechanism available to investors.

75. Publishing Investor Charter and disclosure of Investor Complaints by Stock Brokers on their websites95

75.1 The Investor Charter for Stock Brokers inter-alia provide details about the services provided to Investors, Rights of Investors, various activities of Stock Brokers with timelines, DOs and DON’Ts for Investors and Grievance Redressal Mechanism. The same is placed at Annexure-37.

75.2 Stock Brokers shall bring the Investor Charter to the notice of their clients (existing as well as new clients) through disclosing the Investor Charter on their respective websites, making them available at prominent places in the office, provide a copy of Investor Charter as a part of account opening kit to the clients, through e-mails/ letters etc.

75.3 Additionally, in order to bring about transparency in the Investor Grievance Redressal Mechanism, all the Stock Brokers shall disclose on their respective websites, the data on complaints received against them or against issues dealt by them and redressal thereof, latest by seventh of succeeding month, as per the format enclosed at Annexure-38.

93 Reference: Circular SEBI/HO/MIRSD/DOC/CIR/P/2020/226 dated November 06, 2020.
94 Reference: Circular CIR/MIRSD/3/2014 dated August 28, 2014.
95 Reference: Circular SEBI/HO/MIRSD/DOP/P/CIR/2021/676 dated December 02, 2021.

XI. DEFAULT RELATED PROVISIONS

76. Standard operating procedure in the cases of Trading Member / Clearing Member leading to default96

76.1 With the introduction of uniform membership structure of TM and CM across all segments, the TM shall make good the default of its clients to the CM and the CM shall make good the default of its clients / TM to the CC. The default of TM may not necessarily lead to default of CM, if the CM continues to fulfill the settlement obligation with the CC. To protect the interest of non-defaulting clients of a TM and /or non-defaulting clients / TM(s) of the CM, in the likely event of default by TM / CM, there is a need for Standard Operating Procedure (“SoP”) enumerating the steps to be taken by the SEs / CCs / Depositories in such cases where SE / CC is of the view that TM / CM is likely to default in repayment of funds or securities to its clients.

76.2 In order to harmonize the action amongst all SEs / CCs / Depositories in a time bound manner this SoP has been prepared in consultation with SEs, CCs and Depositories so as to achieve uniformity in implementation of actions. The SoP lays down the actions to be initiated by the SEs / CCs / Depositories within a time frame after detection of the early warning signals as laid out in the Circular dated December 17, 2018 and other triggers as laid down in this circular until declaration of defaulter of TM / CM by the SE / CC. Once the TM is declared defaulter, the proceedings shall be in compliance with the bye-laws, rules and regulations of SE / CC respectively.

76.3 On analysis of early warning signals or any of the following triggers, if the SE / CC is of the view that the TM / CM is likely to default in the repayment of funds / securities to its clients and / or fail to meet the settlement obligations to CM / CC, where:
76.3.1 There is shortage of funds / securities payable to the clients by Rs. 10 crore (SE may have their own criteria) and / or
76.3.2 TM / CM has failed to meet the settlement obligations to CM / CC and / or
76.3.3 There is sudden increase in the number of investor’s complaints against the TM / CM for non-payment of funds and / or transfer of securities,

96 Reference: Circular SEBI/HO/MIRSD/DPIEA/CIR/P/2020/115 dated July 01, 2020 and Circular SEBI/HO/MIRSD/DPIEA/CIR/2022/72 dated May 27, 2022.

the following actions shall be taken by Initiating Stock Exchange (ISE) / SEs / CCs and Depositories as per the timeline given below:

Table 19

| S No. | Action | Timeline |
|---|---|---|
| 1 | Seek documents / explanation or Meeting with designated directors of TM. | Within 3 trading days of trigger |
| 2 | A limited purpose joint inspection of TM shall be initiated. ISE along with other SEs shall send a team of officials for taking possession of the copy of the books of accounts and other relevant records including but not restricted to securities register, trial balance, client master, bank books, debtors and creditors ledger (preferably in electronic mode) for the last 3 years (if available). | Within 3 trading days of the meeting / explanation with the designated directors |
| 3 | a) The explanations offered by the designated director(s) of the TM shall be analysed by the ISE and based on the information available, to protect the interest of non-defaulting clients, as an interim measure, the trading terminal of the TM may be directed to be disabled by the Managing Director of the ISE for reasons to be recorded in writing. b) A preliminary assessment of assets and liabilities of the TM shall be completed by the ISE. | Within 7 trading days of 4.2 |
| 4 | ISE shall issue a notice / circular informing the disablement of the TM in all segments. | Within 1 day of disablement |
| 5 | ISE shall communicate the decision of disablement of the trading terminal(s) of the TM along with detailed reasons for disablement to the TM and CM(s) with an advice to CM(s) to square-off open positions of TM and its clients. | Within 1 trading day of disablement |
| 6 | ISE shall inform the Depositories about the disablement immediately and advise Depositories to freeze the demat accounts of the TM (including TM Pool Accounts). (ISE shall give specific instructions along with PAN to the Depositories). Any debit in the demat account of TM shall be made under supervision of ISE. | Within 1 trading day of disablement |
| 7 | ISE shall inform other SEs about the disablement immediately and the other SEs shall disable the said TM on receipt of information and the other SEs shall issue a notice / circular in this regard. | Within 1 trading day of receipt of intimation of disablement from ISE |
| 8 | TM may also stand suspended to act as a client with any other TM / CM in any other segment / SEs. | Within 1 trading day of date of receipt of information of disablement from ISE |
| 9 | In case of open positions of clients / TM, CM shall liquidate / square off the open positions. | Within 15 trading days from the date of receipt of information by the CM. |
| 10 | a) All SEs shall immediately direct other TM / CM so as not to alienate the unencumbered surplus funds / securities held by them for such TM registered as a client. b) CM shall invoke the BGs of TM and all unencumbered funds of TM to be transferred to SE on demand. CM shall also ensure that the BG do not expire in the intervening period else they shall invoke even before the receipt of instructions from SE. | Within 1 trading day of the date of receipt of information of disablement from ISE; Upon instructions from SE |
| 11 | All SEs shall inform the CM / CC regarding pay-out proceeds due to the TM which shall be credited to the settlement account of the TM. | As and when payout is made |
| 12 | If the open position of clients of TM could not be liquidated / squared off, the re-pledged securities of the client of the TM lying with the CM in the Client Securities Margin Pledge Account and other identifiable collateral of the client of TM such as cash / Bank Guarantee (BG) / Fixed Deposit Receipts (FDR) / Mutual Fund Units shall be taken / encashed over by CM wherever possible in accordance with guidelines issued in this regard from time to time. | Within 15 trading days from the date of receipt of information by the CM |
| 13 | All the securities lying in client unpaid securities account of the TM (CUSA) shall be liquidated by CM / CC / ISE and the sale proceeds shall be credited to respective client’s financial ledger. In this situation depository shall not levy any penalty on such transactions. | Within 15 trading days from receipt of information of disablement from ISE |
| 14 | a) ISE, in consultation with SEs / CCs, shall appoint a forensic auditor to conduct forensic audit of books of accounts of the concerned TM. All SEs shall obtain details of the free securities / collateral available with their respective CM and CC and provide to the forensic auditor. b) An assessment of assets and liabilities of the TM shall be undertaken by the forensic auditor. The liabilities to the clients for funds and securities shall be established with demarcation of securities belonging to the fully paid clients or partly paid / unpaid clients. | Within 15 trading days of disablement; Within 3 weeks of appointment of forensic auditor |
| 15 | ISE shall also provide a report to SEBI on the reasons for trigger, the meetings held with directors of the TM / CM and the outcomes of limited purpose inspection, the details of actions taken and proposed to be taken under the SoP and any other information that the ISE may deem relevant. | Within 30 trading days from the date of trigger |
| | Action by Depositories | |
| 16 | Depositories to freeze the demat accounts of the TM (including TM Pool Accounts). | Within 1 trading day from the receipt of information of disablement |
| 17 | Depositories shall not allow new account opening by the DP (Defaulting TM / CM) and shall suspend all Power of Attorney in favour of the defaulting TM given by its clients. | Within 1 trading day from the date of receipt of information of disablement |
| 18 | If the TM is also a Depository Participant (DP), the Depositories shall depute its officials / auditor to monitor the transactions in demat securities of the clients of TM and / or transfer the demat accounts of the clients to another DP. | Within 3 trading days from the date of receipt of information of disablement |
| 19 | Depositories shall initiate concurrent audit for 100% verification of debit transfers executed from the client accounts and account closures processed by the DP. | Within 7 trading days from the date of receipt of information of disablement |
| 20 | Depositories shall provide the details of pledges that were invoked by Banks/ NBFCs with whom TM’s own securities were pledged in the previous 30 days to the SE / CC. | Within 15 trading days from the date of receipt of information of disablement |
| | Action by ISE / SEs / CCs and Banks | |
| 21 | Issuance of instruction to the banks that the balance in all the bank accounts of TM / CM shall be frozen for debits by Banks. | Within 1 trading day of receipt of information of disablement |
| 22 | SEs to direct CCs / CM to invoke the unencumbered collateral deposits including BGs / FDRs | Within 1 trading day from disablement |
| 23 | CCs / CM shall secure the unencumbered collateral deposits, electronic balances in the depository accounts of the TM / CM, including BGs as per the directions received from SEs. | Within 1 trading day on receipt of information of disablement |
| | Other actions by ISE / SEs / CCs | |
| 24 | With regard to the restoration of securities of clients lying with the CM, post crystallization of balances in the financial ledger of clients by forensic auditor or as per the Auditor’s certificate as may be provided by Member: • ISE/ SE / CC shall endeavour to initiate the process to settle debit balance of such client accounts by selling their securities if such clients fail to clear their debit balance after giving notice period for 5 days. • After reconciling the Register of Securities (ROS), the securities of the credit balance clients (fully paid clients) shall be restored to their respective demat accounts. In this regard, the related parties of the trading member shall not be considered for settlement, for which the TM shall provide an undertaking to the SEs / CC. | Within 30 trading days from crystallization of balances |
| 25 | ISE / SEs / CCs shall endeavour to settle the claims of maximum number of clients by way of interim measures, under their supervision prior to issuing show cause notice (SCN) for declaring the TM a defaulter. The TM shall be instructed to pay small investors out of available funds and own resources (movable and immovable) under the supervision of the ISE/ SEs. Further, the unencumbered deposits available with the SEs/ CCs, after adjusting for any dues of the SE / CC and maintaining the minimum BMC, shall also be utilised for settling the credit balance of investors starting from the smallest amount. Such amount shall be paid in full to all such investors having credit balance up to the amount of Rs. 25,00,000/- (Rupees twenty five lakh), subject to availability of funds. Further, investors having credit balance of more than Rs. 25,00,000/- (Rupees twenty five lakh) shall be paid on pro-rata basis from the remaining funds. Also, any surplus available with any SEs / CCs shall be utilised for settling the credit balances of clients with respect to other SEs. BGs of the TM shall be invoked and also the FDRs shall be encashed for utilisation. SEs / CC may settle such clients in tranches. For this purpose, the balances of client will be netted across exchanges to arrive at the final credit balance due to such client. The TM shall furnish the proof of payment to the clients, to the SEs. In this regard, the related parties of the TM shall not be considered for settlement, for which the TM shall provide an undertaking to the SEs/ CC. TM shall provide indemnity to the SEs to make available the funds to meet any shortfall in meeting investor’s claim (other than those who have withdrawn their claim). Clients withdrawing their claim will have to submit unconditional withdrawal letter to the SEs. | Within 30 trading days from crystallization of balances |
| 26 | Issuance of SCN for declaration of TM as a defaulter and the list of members to whom the notice is issued shall be placed on the website of the SE and on such other place, as the relevant authority may deem fit. | After finalization of assets and liabilities as per forensic audit or audit by SEs |
| 27 | SEs shall intimate the clients about the issuance of the notice / SCN to declare the TM as defaulter including through email / SMS. | Within 3 trading days of the issuance of SCN |

76.4 The above action shall equally apply to a likely event of default by a CM who is also a TM. However, in case of likely default of a Professional CM, the action to be initiated by the CM shall fall upon the CC.

76.5 As soon as TM is disabled that information shall be shared by ISE with all SEs / CCs. On receipt of such information respective SE shall also conduct their due diligence and may initiate action of disablement by issuing reasoned order by MD of the SE concerned. However, when SCN has been issued for declaring a TM / CM as a defaulter by any SE, its subsidiary / associate companies which are also member(s) on other segment / SE / CC shall also be put in suspension mode. All their open positions shall be squared off and their assets shall be frozen.

76.6 Once the Member is disabled or SCN is issued for declaration of defaulter to TM / CM (whichever is earlier), no further Investor Grievance Redressal Committee (IGRC) / Arbitration meetings shall be conducted.

76.7 Default proceedings shall take place as per bye laws / rules / regulations of the SE / CC. If the member is also a DP, Depositories shall take action as per its bye laws for termination / transfer of its participant-ship based on record. SEs shall not expel the TM immediately until the default proceedings are completed.

76.8 The TM shall provide a list of all its bank accounts to the SEs / CCs and the SEs / CCs shall obtain an undertaking from the TM within 90 days from the date of issuance of this Circular, undertaking that the SEs / CCs shall be empowered to instruct the bank(s) of the TM to freeze the bank account(s) for debits. The draft of undertaking is enclosed at Annexure-39.

76.9 The above SoP enumerates the minimum action which shall be initiated by the respective SEs / CCs / Depositories. However, the respective SEs / CCs / Depositories are free to initiate any other actions as may be necessary in compliance with their bye laws / rules / regulations and / or to protect the interest of investors. The ISE / SEs / CCs and Depositories are expected to follow the timelines with respect to each action as enumerated; reasons shall be recorded in case of any deviation in the timelines prescribed.

77. Recovery of assets of defaulter member and recovery of funds from debit balance clients of defaulter member for meeting the obligations of clients / Stock Exchange / Clearing Corporation 97

77.1 In the case of default by TM/CM, it has been noted that in certain cases there is shortfall of funds/securities with defaulter member to meet the obligation of clients / SE / CC. The bye-laws of SE/CC provide for the procedure for declaring a member as defaulter when, amongst other reasons, the member is not able to fulfil its obligations and also provide for initiation of proceedings in a court of law whenever a member is declared as a defaulter and there is a shortfall of funds/securities with the defaulter member.

77.2 The SE/CC are advised to initiate suitable actions for liquidating the assets (movable and immovable) of defaulter member including that of debit balance clients (to the extent of debit balance), within six months of declaration of defaulter, for recovery of the assets not in possession of the SE/CC, before appropriate court of law.

97 Reference: Circular SEBI/HO/MIRSD/DPIEA/CIR/P/2020/186 dated September 28, 2020.

XII. MISCELLANEOUS

78. Advertisement by Brokers and grant of trading terminals 98

78.1 The Stock Exchanges shall ensure that brokers do not issue advertisements of their business, including in their internet sites, by subsidiaries, group companies etc. in contravention to Clause C(4) and C(5) of the Code of Conduct specified in Schedule II of Regulation 9 of the Stock Brokers Regulations 1992 and Bye Laws of the concerned Stock Exchange.

78.2 Stock Exchanges shall grant trading terminals only at the members’ registered office and their branch offices.

79. Registration Number of Brokers to be quoted on all correspondences with SEBI 99

79.1 Stock Exchanges shall quote the SEBI Registration Number of the concerned Broker on all correspondences with SEBI relating to them. Stock Exchanges shall instruct the Brokers to quote their SEBI Registration Number in all their correspondences with SEBI.

80. Maintenance of books of accounts and other documents sought by Enforcement Agencies from Stock Exchanges and Brokers 100

80.1 In terms of Rules 14 and 15 of SCRR 1957 (hereinafter referred to as SCRR, 1957), every recognized stock exchange and its members are required to maintain and preserve the specified books of account and documents for a period ranging from two years to five years. Further, as per Regulation 18 of the Stock Brokers Regulations 1992 (hereinafter referred to as Stock Broker Regulations), every stock broker shall preserve the specified books of account and other records for a minimum period of five years.

80.2 Enforcement agencies like Central Bureau of Investigation, Police, Crime Branch etc. have been collecting copies of the various records/documents during the course of their investigation. These original documents both in physical form and electronic form would be required by such enforcement agencies during trial of the case also.

98 Reference: Circular SMD/POLICY/CIR-49/2001 dated October 22, 2001.
99 Reference: Circular SMD/DBA-II/Cir-16/9618/03 dated May 05, 2003.
100 Reference: Circular SEBI/MRD/SE/CIR-15/2005 dated August 04, 2005.

80.3 Notwithstanding anything contained in SCRR 1957 and the Stock Broker Regulations 1992, it is advised to preserve the originals of the documents, both in electronic and physical form, copies of which have been taken by CBI, Police or any other enforcement agency during the course of any investigation till the trial is completed.

81. Display of details by Stock Brokers (including Trading Members) 101

81.1 While a stock broker may use the brand name / logo of its group companies, it must display more prominently:
a. its name as registered with SEBI, its own logo, if any, its registration number, and its complete address with telephone numbers in its portal / web site, if any, notice / display boards, advertisements, publications, know your client forms, and member client agreements;
b. its name as registered with SEBI, its own logo, if any, its registration number, and its complete address with telephone numbers, the name of the compliance officer, his telephone number and e-mail address in contract notes, statement of funds and securities, and correspondences with the clients.

82. Unauthenticated news circulated by SEBI Registered Market Intermediaries through various modes of communication 102

82.1 It has been observed by SEBI that unauthenticated news related to various scrips are circulated in blogs/chat forums/e-mail etc. by employees of Broking Houses/Other Intermediaries without adequate caution as mandated in the Code of Conduct for Stock Brokers and respective Regulations of various intermediaries registered with SEBI.

82.2 It was also observed that the Intermediaries do not have proper internal controls and do not ensure that proper checks and balances are in place to govern the conduct of their employees. Due to lack of proper internal controls and poor training, employees of such intermediaries are sometimes not aware of the damage which can be caused by circulation of unauthenticated news or rumours. It is a well-established fact that market rumours can do considerable damage to the normal functioning and behaviour of the market and distort the price discovery mechanisms.

82.3 In view of the above facts, SEBI Registered Market Intermediaries are directed that:

82.3.1 Proper internal code of conduct and controls should be put in place.

82.3.2 Employees/temporary staff/voluntary workers etc. employed/working in the Offices of market intermediaries do not encourage or circulate rumours or unverified information obtained from client, industry, any trade or any other sources without verification.

82.3.3 Access to Blogs/Chat forums/Messenger sites etc. should either be restricted under supervision or access should not be allowed.

82.3.4 Logs for any usage of such Blogs/Chat forums/Messenger sites (called by any nomenclature) shall be treated as records and the same should be maintained as specified by the respective Regulations which govern the concerned intermediary.

82.3.5 Employees should be directed that any market related news received by them either in their official mail/personal mail/blog or in any other manner, should be forwarded only after the same has been seen and approved by the concerned Intermediary’s Compliance Officer. If an employee fails to do so, he/she shall be deemed to have violated the various provisions contained in SEBI Act/Rules/Regulations etc. and shall be liable for action. The Compliance Officer shall also be held liable for breach of duty in this regard.

101 Reference: Circular CIR/MIRSD/9/2010 dated November 04, 2010.
102 Reference: Circular CIR/ISD/1/2011 dated March 23, 2011 and Circular CIR/ISD/2/2011 dated March 24, 2011.

83. Guidelines on Outsourcing of Activities by Stock Brokers 103

83.1 SEBI Regulations for various intermediaries require that they shall render at all times high standards of service and exercise due diligence and ensure proper care in their operations.

83.2 It has been observed that often the stock brokers resort to outsourcing with a view to reduce costs, and at times, for strategic reasons.

103 Circular CIR/MIRSD/24/2011 dated December 15, 2011.

83.3 Outsourcing may be defined as the use of one or more than one third party – either within or outside the group - by a registered intermediary to perform the activities associated with services which the intermediary offers.

83.4 Principles for Outsourcing

83.4.1 The risks associated with outsourcing may be operational risk, reputational risk, legal risk, country risk, strategic risk, exit-strategy risk, counter party risk, concentration and systemic risk. The principles for outsourcing are given at paras 82.7 to 82.14 below.

83.5 Activities that shall not be Outsourced

83.5.1 The stock brokers desirous of outsourcing their activities shall not, however, outsource their core business activities and compliance functions. An example of core business activity may be – execution of orders and monitoring of trading activities of clients in case of stock brokers. Regarding Know Your Client (KYC) requirements, the stock brokers shall comply with the provisions of Securities and Exchange Board of India {KYC (Know Your Client) Registration Agency} Regulations, 2011 and Guidelines issued thereunder from time to time.

83.6 Other Obligations

83.6.1 Reporting to Financial Intelligence Unit (FIU) - The stock brokers shall be responsible for reporting of any suspicious transactions / reports to FIU or any other competent authority in respect of activities carried out by the third parties.

PRINCIPLES FOR OUTSOURCING FOR INTERMEDIARIES

83.7 An intermediary seeking to outsource activities shall have in place a comprehensive policy to guide the assessment of whether and how those activities can be appropriately outsourced. The Board / partners (as the case may be) {hereinafter referred to as the “the Board”} of the intermediary shall have the responsibility for the outsourcing policy and related overall responsibility for activities undertaken under that policy.

83.7.1 The policy shall cover activities or the nature of activities that can be outsourced, the authorities who can approve outsourcing of such activities, and the selection of third party to whom it can be outsourced. For example, an activity shall not be outsourced if it would impair the supervisory authority’s right to assess, or its ability to supervise the business of the intermediary. The policy shall be based on an evaluation of risk concentrations, limits on the acceptable overall level of outsourced activities, risks arising from outsourcing multiple activities to the same entity, etc.

83.7.2 The Board shall mandate a regular review of outsourcing policy for such activities in the wake of changing business environment. It shall also have overall responsibility for ensuring that all ongoing outsourcing decisions taken by the intermediary and the activities undertaken by the third-party, are in keeping with its outsourcing policy.

83.8 The intermediary shall establish a comprehensive outsourcing risk management programme to address the outsourced activities and the relationship with the third party.

83.8.1 An intermediary shall make an assessment of outsourcing risk which depends on several factors, including the scope and materiality of the outsourced activity, etc. The factors that could help in considering materiality in a risk management programme include:
83.8.1.1 The impact of failure of a third party to adequately perform the activity on the financial, reputational and operational performance of the intermediary and on the investors / clients;
83.8.1.2 Ability of the intermediary to cope up with the work, in case of non-performance or failure by a third party by having suitable back-up arrangements;
83.8.1.3 Regulatory status of the third party, including its fitness and probity status;
83.8.1.4 Situations involving conflict of interest between the intermediary and the third party and the measures put in place by the intermediary to address such potential conflicts, etc.

83.8.2 While there shall not be any prohibition on a group entity / associate of the intermediary to act as the third party, systems shall be put in place to have an arm’s length distance between the intermediary and the third party in terms of infrastructure, manpower, decision-making, record keeping, etc. for avoidance of potential conflict of interests. Necessary disclosures in this regard shall be made as part of the contractual agreement. It shall be kept in mind that the risk management practices expected to be adopted by an intermediary while outsourcing to a related party or an associate would be identical to those followed while outsourcing to an unrelated party.

83.8.3 The records relating to all activities outsourced shall be preserved centrally so that the same is readily accessible for review by the Board of the intermediary and / or its senior management, as and when needed. Such records shall be regularly updated and may also form part of the corporate governance review by the management of the intermediary.

83.8.4 Regular reviews by internal or external auditors of the outsourcing policies, risk management system and requirements of the regulator shall be mandated by the Board wherever felt necessary. The intermediary shall review the financial and operational capabilities of the third party in order to assess its ability to continue to meet its outsourcing obligations.

83.9 The intermediary shall ensure that outsourcing arrangements neither diminish its ability to fulfill its obligations to customers and regulators, nor impede effective supervision by the regulators.

83.9.1 The intermediary shall be fully liable and accountable for the activities that are being outsourced to the same extent as if the service were provided in-house.

83.9.2 Outsourcing arrangements shall not affect the rights of an investor or client against the intermediary in any manner. The intermediary shall be liable to the investors for the loss incurred by them due to the failure of the third party and also be responsible for redressal of the grievances received from investors arising out of activities rendered by the third party.

83.9.3 The facilities / premises / data that are involved in carrying out the outsourced activity by the service provider shall be deemed to be those of the registered intermediary. The intermediary itself and Regulator or the persons authorized by it shall have the right to access the same at any point of time.

83.9.4 Outsourcing arrangements shall not impair the ability of SEBI/SRO or auditors to exercise its regulatory responsibilities such as supervision/inspection of the intermediary.

83.10 The intermediary shall conduct appropriate due diligence in selecting the third party and in monitoring of its performance.

83.10.1 It is important that the intermediary exercises due care, skill, and diligence in the selection of the third party to ensure that the third party has the ability and capacity to undertake the provision of the service effectively.

83.10.2 The due diligence undertaken by an intermediary shall include assessment of:
83.10.2.1 third party’s resources and capabilities, including financial soundness, to perform the outsourcing work within the timelines fixed;
83.10.2.2 compatibility of the practices and systems of the third party with the intermediary’s requirements and objectives;
83.10.2.3 market feedback of the prospective third party’s business reputation and track record of their services rendered in the past;
83.10.2.4 level of concentration of the outsourced arrangements with a single third party; and
83.10.2.5 the environment of the foreign country where the third party is located.

83.11 Outsourcing relationships shall be governed by written contracts / agreements / terms and conditions (as deemed appropriate) {hereinafter referred to as “contract”} that clearly describe all material aspects of the outsourcing arrangement, including the rights, responsibilities and expectations of the parties to the contract, client confidentiality issues, termination procedures, etc.

83.11.1 Outsourcing arrangements shall be governed by a clearly defined and legally binding written contract between the intermediary and each of the third parties, the nature and detail of which shall be appropriate to the materiality of the outsourced activity in relation to the ongoing business of the intermediary.

83.11.2 Care shall be taken to ensure that the outsourcing contract:
83.11.2.1 clearly defines what activities are going to be outsourced, including appropriate service and performance levels;
83.11.2.2 provides for mutual rights, obligations and responsibilities of the intermediary and the third party, including indemnity by the parties;
83.11.2.3 provides for the liability of the third party to the intermediary for unsatisfactory performance/other breach of the contract;
83.11.2.4 provides for the continuous monitoring and assessment by the intermediary of the third party so that any necessary corrective measures can be taken up immediately, i.e., the contract shall enable the intermediary to retain an appropriate level of control over the outsourcing and the right to intervene with appropriate measures to meet legal and regulatory obligations;
83.11.2.5 includes, where necessary, conditions of sub-contracting by the third-party, i.e. the contract shall enable intermediary to maintain a similar control over the risks when a third party outsources to further third parties as in the original direct outsourcing;
83.11.2.6 has unambiguous confidentiality clauses to ensure protection of proprietary and customer data during the tenure of the contract and also after the expiry of the contract;
83.11.2.7 specifies the responsibilities of the third party with respect to the IT security and contingency plans, insurance cover, business continuity and disaster recovery plans, force majeure clause, etc.;
83.11.2.8 provides for preservation of the documents and data by third party;
83.11.2.9 provides for the mechanisms to resolve disputes arising from implementation of the outsourcing contract;
83.11.2.10 provides for termination of the contract, termination rights, transfer of information and exit strategies;
83.11.2.11 addresses additional issues arising from country risks and potential obstacles in exercising oversight and management of the arrangements when intermediary outsources its activities to foreign third party. For example, the contract shall include choice-of-law provisions and agreement covenants and jurisdictional covenants that provide for adjudication of disputes between the parties under the laws of a specific jurisdiction;
83.11.2.12 neither prevents nor impedes the intermediary from meeting its respective regulatory obligations, nor the regulator from exercising its regulatory powers; and
83.11.2.13 provides for the intermediary and / or the regulator or the persons authorized by it to have the ability to inspect, access all books, records and information relevant to the outsourced activity with the third party.

83.12 The intermediary and its third parties shall establish and maintain contingency plans, including a plan for disaster recovery and periodic testing of backup facilities.

83.12.1 Specific contingency plans shall be separately developed for each outsourcing arrangement, as is done in individual business lines.

83.12.2 An intermediary shall take appropriate steps to assess and address the potential consequence of a business disruption or other problems at the third party level. Notably, it shall consider contingency plans at the third party; co-ordination of contingency plans at both the intermediary and the third party; and contingency plans of the intermediary in the event of non-performance by the third party.

83.12.3 To ensure business continuity, robust information technology security is a necessity. A breakdown in the IT capacity may impair the ability of the intermediary to fulfill its obligations to other market participants/clients/regulators and could undermine the privacy interests of its customers, harm the intermediary’s reputation, and may ultimately impact on its overall operational risk profile. Intermediaries shall, therefore, seek to ensure that third party maintains appropriate IT security and robust disaster recovery capabilities.

83.12.4 Periodic tests of the critical security procedures and systems and review of the backup facilities shall be undertaken by the intermediary to confirm the adequacy of the third party’s systems.

83.13 The intermediary shall take appropriate steps to require that third parties protect confidential information of both the intermediary and its customers from intentional or inadvertent disclosure to unauthorised persons.

83.13.1 An intermediary that engages in outsourcing is expected to take appropriate steps to protect its proprietary and confidential customer information and ensure that it is not misused or misappropriated.

83.13.2 The intermediary shall prevail upon the third party to ensure that the employees of the third party have limited access to the data handled and only on a “need to know” basis and the third party shall have adequate checks and balances to ensure the same.

83.13.3 In cases where the third party is providing similar services to multiple entities, the intermediary shall ensure that adequate care is taken by the third party to build safeguards for data security and confidentiality.

83.14 Potential risks posed where the outsourced activities of multiple intermediaries are concentrated with a limited number of third parties.

83.14.1 In instances, where the third party acts as an outsourcing agent for multiple intermediaries, it is the duty of the third party and the intermediary to ensure that strong safeguards are put in place so that there is no co-mingling of information / documents, records and assets.

84. General Guidelines for dealing with Conflicts of Interest of Stock Brokers and their Associated Persons in Securities Market. 104

84.1 Stock brokers are presently governed by the provisions for avoidance of conflict of interest as mandated in the regulations read with relevant circulars issued from time to time by SEBI. On the lines of Principle 8 of the International Organisation of Securities Commissions (IOSCO) Objectives and Principles of Securities Regulations, it has been decided to put in place comprehensive guidelines to collectively cover such stock brokers, for elimination of their conflict of interest, as detailed hereunder.

84.2 Stock Brokers shall adhere to these guidelines for avoiding or dealing with or managing conflict of interest. They shall be responsible for educating their associated persons for compliance of these guidelines.

84.3 For the purpose of these guidelines "associated persons" shall have the same meaning as defined in the Securities and Exchange Board of India (Certification of Associated Persons in the Securities Markets) Regulations, 2007.

84.4 Stock brokers and their associated persons shall,
84.4.1 lay down, with active involvement of senior management, policies and internal procedures to identify and avoid or to deal or manage actual or potential conflict of interest, develop an internal code of conduct governing operations and formulate standards of appropriate conduct in the performance of their activities, and ensure to communicate such policies, procedures and code to all concerned;
84.4.2 at all times maintain high standards of integrity in the conduct of their business;
84.4.3 ensure fair treatment of their clients and not discriminate amongst them;
84.4.4 ensure that their personal interest does not, at any time conflict with their duty to their clients and client’s interest always takes primacy in their advice, investment decisions and transactions;
84.4.5 make appropriate disclosure to the clients of possible source or potential areas of conflict of interest which would impair their ability to render fair, objective and unbiased services;
84.4.6 endeavor to reduce opportunities for conflict through prescriptive measures such as through information barriers to block or hinder the flow of information from one department / unit to another, etc.;
84.4.7 place appropriate restrictions on transactions in securities while handling a mandate of issuer or client in respect of such security so as to avoid any conflict;
84.4.8 not deal in securities while in possession of material non published information;
84.4.9 not to communicate the material non published information while dealing in securities on behalf of others;
84.4.10 not in any way contribute to manipulate the demand for or supply of securities in the market or to influence prices of securities;
84.4.11 not have an incentive structure that encourages sale of products not suiting the risk profile of their clients;
84.4.12 not share information received from clients or pertaining to them, obtained as a result of their dealings, for their personal interest;

84.5 The Boards of Stock Brokers shall put in place systems for implementation of the aforementioned guidelines and provide necessary guidance enabling identification, elimination or management of conflict of interest situations. The Boards shall review the compliance of the above guidelines periodically.

84.6 The said guidelines shall be in addition to the provisions, if any, contained in respective regulations / circulars issued by the Board from time to time regarding dealing with conflict of interest, in respect of such entities.

104 Reference: Circular CIR/MIRSD/5/2013 dated August 27, 2013.

224 85. Digital Mode of Payment105 85.1 SEBI had notified the SEBI (Payment of Fees and Mode of Payment) (Amendment) Regulations, 2017 on March 06, 2017 to enable digital mode of payment (RTGS/NEFT/IMPS etc.) of fees/penalties/remittance/other payments etc. 85.2 Pursuant to above, SEBI has been receiving direct credit of amounts from various intermediaries / other entities. 85.3 In order to identify and account such direct credit in the SEBI account, intermediaries / other entities shall provide the information as mentioned in Annexure-40 to SEBI once the payment is made. 85.4 The above information should be emailed to the respective department(s) as well as to Treasury & Accounts division at tad@sebi.gov.in. 86. Regulatory Framework for Commodity Derivatives Brokers106 86.1 Erstwhile Forward Markets Commission (FMC) issued various circulars/letters/ directions to exchanges dealing in commodity derivatives for compliance by their members from time to time. Consequent to merger of FMC with SEBI, it is important that regulatory provisions for brokers across equity and commodity derivatives markets be harmonized. Accordingly, regulatory provisions have been divided into three parts as described below. 86.1.1 Annexure-41 contains details of FMC circulars which shall stand repealed and relevant SEBI circulars which shall be applicable. 86.1.2 Annexure-42 contains details of FMC circulars contents/norms of which shall continue as they are specific to commodity derivative markets. 86.1.3 Annexure-43 contains details of FMC circulars which shall stand repealed. 86.2 All commodity derivatives exchanges shall continue to levy penalties they are currently levying and any revision thereof shall be decided in consultation with

105 Reference: Circular SEBI/HO/GSD/T&A/CIR/P/2017/42 dated May 16, 2017. 106 Reference: Circular SEBI/HO/MIRSD/MIRSD2/CIR/P/2016/92 dated September 23, 2016 and Circular SEBI/HO/MIRSD/MIRSD1/CIR/P/2017/104 dated September 21, 2017.

SEBI. Accordingly, FMC circulars dealing with penalties including Uniform Penalty Circular dated Mar 05, 2010 shall stand repealed.

87. Approach to securities market data access and terms of usage of data provided by data sources in Indian securities market [107]

87.1 In order to further enhance the quantum as well as the ease of accessibility and usability of data disseminated in public by various data sources in Indian securities market and keeping in view the deliberations and recommendations of Market Data Advisory Committee (MDAC), Stock Brokers are advised to make note of the following:

“As far as the data provided by various data sources in Indian securities markets pursuant to regulatory mandates for reporting and disclosure in public domain are concerned, such data should be made available to users, ‘free of charge’ both for ‘viewing’ the data as also for download in the format as specified by regulatory mandate for reporting, as well as their usage for the value addition purposes.”

87.2 Further, apart from the data made available free of cost, data which is chargeable should be appropriately identified as such in public domain.

88. Introduction of Investor Risk Reduction Access (IRRA) platform in case of disruption of trading services provided by the Trading Member (TM) [108]

88.1 In recent times, with increasing dependence on technology in securities market, there is a rise in instances of glitches in trading members’ systems, some of which lead to disruption of trading services and investor complaints. In such instances, investors with open positions are at risk of non-availability of avenues to close their positions, particularly if markets are volatile.

88.2 To address the issue, SEBI had extensive consultations with stock exchanges, clearing corporations (CCs) and TMs. As the respective business continuity plans, if any, of the TMs, may not be able to prevent disruption in some cases like TM being unable to move to Disaster Recovery Site within stipulated time, cyber-attacks etc., it has been decided that a contingency service shall be provided by the stock exchanges in the event of such disruption.

107 Reference: Circular SEBI/HO/DEPA-III/DEPA-III_SSU/P/CIR/2022/25 dated February 25,2022 108 Reference: Circular SEBI/HO/MIRSD/MIRSD-PoD-1/P/CIR/2022/177 dated December 30, 2022

88.3 In this regard, the following has been decided:

Development of the service:

88.3.1 A joint platform to provide Investor Risk Reduction Access (IRRA) service shall be developed by the exchanges to provide the investors an opportunity to square off/close the open positions and/or cancel pending orders in case of disruption of trading services provided by the Trading Member.

88.3.2 The IRRA service shall support multiple segments across multiple exchanges.

Enablement of IRRA service:

88.3.3 TMs, upon facing technical glitches which lead to disruption of trading services, can request for enablement of the IRRA service as per the procedures specified by the stock exchanges from time to time and IRRA shall be enabled on receipt of such requests.

88.3.4 In addition, stock exchanges shall also monitor the parameters like connectivity, order flow, social media posts etc. and suo moto initiate the enablement of the service, if needed, irrespective of any such request by the TM.

88.3.5 This service shall be enabled by the exchanges, suo moto, only in case of disruption of trading services of TM across all the exchanges, where the TM is member. In case of disruption of trading services of TM with one/some of the exchanges, where the TM is member, TM may request the enablement, in which case TM shall use the service for all the exchanges.

Access to Investors:

88.3.6 Once the service is enabled, all the investors of the TM shall be informed by the exchange of the availability of the service through email/SMS and a public notice on exchanges’ website. TMs shall also communicate the same by displaying on their website.

88.3.7 Investors can login to the service using either the Unique Client Code (UCC) or the PAN number and they shall be authorized by a One Time Password (OTP) to be sent to their registered mobile numbers and email ids.

Actions on IRRA service:

88.3.8 Once successfully authorized, the investors can:

88.3.8.1 square off/close the open positions across segments and exchange/s and/or

88.3.8.2 cancel the orders across segments which are pending at the exchange/s.

88.3.9 The IRRA service shall not permit any action that increases the risk of the investor.

88.3.10 Further, IRRA service shall also provide the TM with access to an Admin Terminal, through which the TM can monitor the actions of investors and also carry out the actions as mentioned at para 87.3.8 above, on instructions of investors. The TM shall maintain evidence of such instructions. The form of such evidence shall be as specified by SEBI/stock exchanges, through various circulars, from time to time.

88.3.11 In case of enablement of IRRA due to cyber-attacks, such Admin Terminal shall be on a network other than the network, which was subjected to the attack, to protect the other critical infrastructure.

88.3.12 The TM shall continue to be responsible for all the activities on the IRRA with respect to all obligations including settlement and margin requirements.

Reverse Migration to the TM’s systems:

88.3.13 Stock exchanges shall design a detailed framework for reverse migration from IRRA system to the TM’s trading system, as and when the TM’s trading system is revived successfully and a request is made in this regard.

88.3.14 Upon revival of the TM’s trading system, TM shall update their systems taking data from the exchanges thus ensuring that latest status of orders and trades is available to the investors.

88.3.15 Stock exchanges shall decide on the reverse migration based on various parameters including the size of the broker, time required for reverse migration and remaining time of the trading session.

88.4 Exchanges shall ensure that credible and periodic testing of the IRRA platform is carried out from time to time for smooth functioning of the service.

88.5 Stock exchanges shall issue guidelines in this regard giving details like cut-off times for enablement of IRRA service, handling of various scenarios of open positions, framework for reverse migration etc.

88.6 In case of disruptions after the cut off time for enablement of IRRA service, exchanges, based on their assessment and in consultation with SEBI, may extend the market hours, if needed.

89. Maintenance of a website by stock brokers [109]

89.1 All stock brokers are mandated to maintain a designated website.

89.2 Such website shall mandatorily display the following information, in addition to all such information, which have been mandated by SEBI/stock exchanges/depositories from time to time.

i. Basic details of the stock broker such as registration number, registered address of Head Office and branches, if any.

ii. Names and contact details such as email ids etc. of all key managerial personnel (KMPs) including compliance officer.

iii. Step-by-step procedures for opening an account, filing a complaint on a designated email id, and finding out the status of the complaint, etc.

iv. Details of Authorized Persons.

89.3 The URL to the website of a stock broker shall be reported to the stock exchanges. Any modification in the URL shall be reported to stock exchanges within 3 days of such changes.

109 Reference: Circular SEBI/HO/MIRSD/MIRSD-PoD-1/P/CIR/2023/30 dated February 15, 2023

90. Framework for Regulatory Sandbox [110]

90.1 The Objective of Regulatory Sandbox is to grant certain facilities and flexibilities to the entities regulated by SEBI so that they can experiment with FinTech solutions in a live environment and on limited set of real users for a limited time frame.

90.2 The guidelines pertaining to the functioning of the Regulatory Sandbox are available at the link below:

https://www.sebi.gov.in/legal/circulars/jun-2021/revised-framework-for-regulatory-sandbox_50521.html

and

https://www.sebi.gov.in/legal/circulars/nov-2021/framework-for-regulatory-sandbox_53982.html

91. Transactions in Corporate Bonds through Request for Quote (RFQ) platform by Stock Brokers (SBs) [111]

91.1. It has been decided to take steps to increase liquidity on RFQ platform vis-à-vis trading in Corporate Bonds (CBs) by SBs, as under:

91.1.1. With effect from July 01, 2023, for all the trades in proprietary capacity, SBs shall undertake at least 10% of their total secondary market trades by value in CBs in that month by placing/seeking quotes through one-to-one (OTO) or one-to-many (OTM) mode on the RFQ platform of stock exchanges.

91.1.2. Further, with effect from April 01, 2024, for all the trades in proprietary capacity, SBs shall undertake at least 25% of their total secondary market trades by value in CBs in that month by placing/seeking quotes through OTO or OTM mode on the RFQ platform of stock exchanges.

91.1.3. SBs shall consider the trades executed by value through OTO or OTM mode of RFQ with respect to the total secondary market trades in CBs, during the current month and immediate preceding two months on a

110 Reference: Circular SEBI/HO/ITD/ITD/CIR/P/2021/575 dated June 14, 2021 and Circular SEBI/HO/MIRSD/MIRSD_IT/P/CIR/2021/0000000658 dated November 16, 2021 111 Reference: Circular SEBI/HO/MIRSD/MIRSD-PoD-1/P/CIR/2023/83 dated June 02, 2023

rolling basis. Only trades pertaining to proprietary capacity of SBs shall be considered for the purpose of such calculations.

91.1.4. Further, in terms of SEBI Circular SEBI/HO/DDHS/P/CIR/2022/142 dated October 19, 2022, quotes on RFQ platform can be placed to an identified counterparty (i.e. ‘one-to-one’ mode) or to all the participants (i.e. ‘one-to-many’ mode). SBs are encouraged to place bids (in proprietary capacity or for clients) on RFQ platform through OTM mode, as the same shall contribute towards achieving better price discovery.

92. Bank Guarantees (BGs) created out of clients’ funds [112]

92.1. It has been decided to implement the following measures in order to safeguard the interests of the investors:

92.1.1. No new BGs shall be created out of clients’ funds by SBs/CMs.

92.1.2. Existing BGs created out of clients’ funds shall be wound down by September 30, 2023.

92.2. The provisions of this framework shall not be applicable for proprietary funds of SBs/CMs in any segment and SB’s proprietary funds deposited with CM in the capacity of a client.

92.3. The stock exchanges and clearing corporations shall take stock of the current position of the BGs issued out of clients’ funds by SBs/CMs and monitor the wind down to ensure implementation of the circular without any disruption of services to clients. For the purpose, stock exchanges and clearing corporations shall put in place periodic reporting mechanisms for SBs/CMs.

92.4. SBs/CMs shall be required to provide a certificate, by its statutory auditor confirming the implementation of provisions at para 91 of this circular. Such a certificate shall be submitted to stock exchanges/clearing corporations by October 16, 2023.

92.5. Stock exchanges and clearing corporations shall verify the compliance of the provisions of the circular in their periodic inspections/reporting. They shall also

112 Reference: SEBI circular SEBI/HO/MIRSD/MIRSD-PoD-1/P/CIR/2023/061 dated April 25, 2023

evolve adequate mechanisms to address cases of SBs/CMs who do not comply with the provisions of the circular by the stipulated dates.

93. Upstreaming of clients’ funds by Stock Brokers (SBs) / Clearing Members (CMs) to Clearing Corporations (CCs) [113]

93.1. Principle: SBs/CMs shall upstream all the clients’ clear credit balances to CCs on End of Day (EOD) basis. Such upstreaming shall be done only in the form of either cash, lien on Fixed Deposit Receipts (FDRs) created out of clients’ funds, or pledge of units of Mutual Fund Overnight Schemes (MFOS) created out of clients’ funds.

Receipt/payment of funds by SBs and CMs from/to their clients:

93.2. Stock brokers shall maintain the following designated bank account (s) to receive/pay funds from/to their clients:

a. Up Streaming Client Nodal Bank Account (USCNBA): SB/CM shall receive clients’ funds in USCNBA. The nomenclature for such accounts shall be “Name of the SB/CM – USCNB account”.

b. Down Streaming Client Nodal Bank Account (DSCNBA): Payment to clients shall be done only from DSCNBA account. The nomenclature for such accounts shall be “Name of the SB/CM – DSCNB account”.

93.3. In addition, CMs, who clear trades for other SBs, shall only use the designated bank account(s) maintained with the nomenclature “Name of the CM –TM prop account” to receive/pay proprietary funds from/to stock brokers.

93.4. Payment to Clients: The clients may request SBs/CMs to release funds at any time during the day. The processing of such release requests shall be as per respective risk management practices of SB/CMs. All payment requests of the client received on a day shall be processed on or before the next settlement day. In cases, where the payment request is not processed on the same day, SB/CMs need to ensure that the funds of the client are placed with CC in terms of this circular.

113 Reference: SEBI Circular SEBI/HO/MIRSD/MIRSD-PoD-1/P/CIR/2023/187 dated December 12, 2023

Upstreaming via FDRs created out of clients’ funds:

93.5. FDRs created out of clients’ funds by SBs/CMs shall satisfy the following conditions:

a. The FDR shall be created only with banks which satisfy the CC’s exposure norms as specified by CCs/SEBI from time to time.

b. FDRs shall be created only from ‘Up Streaming Client Nodal Bank Account (USCNBA)’.

c. Such FDRs shall necessarily be lien-marked to one of the CCs at all times, and CCs shall have explicit precedence on the FDR funds over every other stakeholder, including over the bank providing the FDR.

d. The tenor of such FDRs shall not be more than one year and one day; and the FDRs should be pre-terminable on demand.

e. The principal amount of the FDR shall remain protected throughout the tenure, even after accounting for all possible pre-termination costs.

f. SBs/CMs shall not avail any funded or non-funded banking facilities based on FDRs created out of clients’ funds.

93.6. It is clarified that existing FDRs (created out of clients’ funds and having tenor of more than one-year) created prior to June 30, 2023 shall be allowed to be grandfathered till maturity. Such FDRs at the time of renewal shall meet the conditions specified at para 92.5 above.

Upstreaming via pledge of units of Mutual Fund Overnight Schemes (MFOS):

93.7. Units of Mutual Fund Overnight Schemes (MFOS) is a new avenue being made available to SBs/ CMs to deploy client funds into. MFOS ensures minimal risk transformation of client funds (that are withdrawable on demand) available with SBs/ CMs because of overnight tenure and exposure to only risk-free government securities.

93.8. SBs/CMs shall ensure that client funds are invested only in such MFOS that deploy funds into risk-free government bond overnight repo markets and overnight Tri-party Repo Dealing and Settlement (TREPS). Such MFOS units should be in dematerialized (demat) form, and must necessarily be pledged with a CC at all times.

93.9. SBs/CMs shall maintain a dedicated demat account (hereinafter referred to as “Client Nodal MFOS Account”) for subscription/ redemption of MFOS units. The depositories shall allow subscription/redemption transactions only in the said account.

93.10. From “Client Nodal MFOS Account”, SBs/CMs shall provide MFOS units as collateral to the CC. While providing the units as collateral, SBs/CMs shall identify the end clients. In order to implement the same, a pledge shall be created from the Client Nodal MFOS account to SB/CM margin pledge account of the SB/CM. The SB/CM shall further repledge the same to CC using the existing pledge re-pledge mechanism.

93.11. To improve operational efficiency and reduce transaction costs, CCs shall build a mechanism for utilization of surplus unutilized collateral (i.e. collateral in excess of margin blocked) lying with CC in cash form, towards fund pay-in requirements across segments.

93.12. Further, to improve operational efficiency and to reduce costs, CCs shall also facilitate a mechanism to adjust the margin blocked in the form of cash, towards client fund pay-in obligations. As CCs are in the process of evolving such a mechanism since issuance of June Circulars, the same shall be made available by January 01, 2024.

Eligibility of bank instruments as collateral:

93.13. The bank instruments provided by clients as collateral (i.e. client FDRs and BGs) cannot be upstreamed to CCs, and they shall be ineligible to be accepted as collateral in any segment of securities market.

93.14. However, in the interest of encouraging and development of hedging in the commodity derivatives market, it has been decided to allow Bank guarantees provided only by non-individual clients, based on certain terms and conditions. Such clients shall provide a declaration and underwriting that they shall have no recourse to SEBI or exchanges in case of wrongful invocation of such BGs by SB/CM. These BGs shall bear a condition that on invocation, the moneys shall be credited only to the (USCNBA) account and thereafter upstreamed to the CC. The other terms and conditions are mentioned in the Annexure 44. The CCs are at liberty to apply stricter conditions other than those specified based on their risk assessment.

93.15. The cut-off times for upstreaming of clear credit balance of clients shall be determined by the CCs in consultation with ISF. Any clear credit balance that

could not be upstreamed to CCs due to receipt of funds from clients beyond cut-off time shall necessarily remain in USCNBA until it is upstreamed to CC on the next day.

93.16. The provisions of this framework shall not be applicable to bank-CMs (including Custodians that are banks), and for proprietary funds of SBs/CMs in any segment and SB’s proprietary funds deposited with CM in the capacity of a client.

94. Measures to instil confidence in securities market – Brokers’ Institutional mechanism for prevention and detection of fraud or market abuse [114]

94.1. Chapter IVA of the Securities and Exchange Board of India (Stock Brokers) (Amendment) Regulations, 2024 (hereinafter referred to as the “Broker Regulations”) requires stock brokers to put in place an institutional mechanism for prevention and detection of fraud or market abuse. Accordingly, it has been decided that stock brokers shall comply with the following obligations / mechanisms as laid down in Chapter IVA of the Broker Regulations:

94.1.1. Systems for surveillance of trading activities and internal controls

94.1.2. Obligations of the stock broker and its employees

94.1.3. Escalation and reporting mechanisms

94.1.4. Whistle Blower Policy

94.2. The effective date for implementation w.r.t. provisions mentioned in para 94.1 above, for different stock brokers has been prescribed in the table below:

| Number of active UCCs* of stockbroker | Applicability of Operational / working Modalities & Guidance Note |
|---|---|
| 50,000 | January 01, 2025 |
| 2,001 to 50,000 | April 01, 2025 |
| upto 2,000 | April 01, 2026 |

\* as on last day of the preceding month of the date of issuance of the circular SEBI/HO/MIRSD/MIRSD-PoD-1/P/CIR/2024/96 dated July 04, 2024.

94.3. In case of Qualified Stock Brokers (QSBs), considering that enhanced obligations and responsibilities such as governance structure and processes and surveillance of client behaviour are already being followed by them, the effective date for implementation of the circular for QSBs (irrespective of number of UCCs) is August 01, 2024.

114 Reference Circular SEBI/HO/MIRSD/MIRSD-PoD-1/P/CIR/2024/96 dated July 04, 2024

XIII. REPORTING REQUIREMENTS

S No. | Para No. of the Master circular | Reporting requirement

Reporting to Stock Exchanges

  1. 13.2 The member shall carry out complete internal audit on a half yearly basis and shall forward the report along with para-wise comments to the respective Stock Exchange/ Clearing Corporation within two months from the end of the half year period.
  2. 15.4.1 The stock brokers shall inform the Stock Exchanges of existing and new bank account(s) in the format specified at Table 2.
  3. 15.4.2 The stock brokers shall inform the Stock Exchanges of existing and new demat account(s) in the format specified at Table 3.
  4. 15.6.5.1 Stock Brokers shall ensure that the internal audit reports are submitted to the Exchanges within two months of the end of respective half years for which the audit is being conducted.
  5. 15.7.2 Stock Brokers shall submit financial statements to Stock Exchanges in the same format as prescribed under the Companies Act, 2013 irrespective of whether they fall under the purview of the Companies Act, 2013 or not. The due date for submission of the aforesaid financial statements to Stock Exchanges shall be the same as prescribed under the Companies Act, 2013 for submission to Registrar of Companies.
  6. 15.9.1 The Stock Brokers shall upload the data (specified at para 15.9.1) on a monthly basis for every client onto each Stock Exchange system where the broker is a member
  7. 19.2.2 The brokers shall be required to furnish the particulars (mentioned at para 19.1 and 19.2.1) of their clients to the Stock Exchanges/Clearing Corporations and the same would be updated on a monthly basis. Such information for a specific month should reach the exchange within seven working days of the following month.
  8. 33.2.2 Stock Brokers shall upload the details of clients, such as, name, mobile number, address for correspondence and E-mail address to Stock Exchanges

  9. 38.4.3 The stock brokers shall submit to the Stock Exchange a half-yearly certificate, as on 31st March and 30th September of each year, from an auditor confirming the net worth. Such a certificate shall be submitted not later than 30th April and 31st October of every year.
  10. 38.7.1 The stock broker shall disclose to the Stock Exchanges details on gross exposure towards margin trading facility including name of the client, Category of holding (Promoter/promoter group or Non-promoter), clients' PAN, name of the scrips (Collateral stocks and Funded stocks) and if the stock broker has borrowed funds for the purpose of providing margin trading facility, name of the lender and amount borrowed, on or before 12 noon on the following trading day. The format for this disclosure by the stock broker to the stock exchange is enclosed at Annexure-15.
  11. 38.9.3 The books of accounts, maintained by the broker, with respect to the margin trading facility offered by it, shall be audited on a half yearly basis. The stock broker shall submit an auditor’s certificate to the exchange within one month from the date of the half year ending 31st March and 30th September of a year certifying, inter alia, the extent of compliance with the conditions of margin trading facility.
  12. 42.2 On a daily basis,
     • TM shall report disaggregated information on collaterals up to the level of its clients to the CM.
     • CM shall report disaggregated information on collaterals up to the level of clients of TM and proprietary collaterals of the TMs to the Stock Exchanges (SEs) and CCs in respect of each segment.
  13. 57.5 & 57.6 The stock brokers / trading members that provide the facility of algorithmic trading shall subject their algorithmic trading system to a system audit every six months in order to ensure that the requirements prescribed by SEBI / stock exchanges with regard to algorithmic trading are effectively implemented. Deficiencies or issues identified during the process of system audit of trading algorithm / software shall be reported by the stock broker / trading member to the stock exchange immediately on completion of the system audit.

  14. 61.4 All registered Stock Brokers using AI / ML based application or system as defined in Annexure 27, are required to fill in the form (Annexure 26) and make submissions on quarterly basis within fifteen calendar days of the expiry of the quarter.
  15. 74.3 Stock Brokers shall disclose on their respective websites, the data on complaints received against them or against issues dealt by them and redressal thereof, latest by seventh of succeeding month, as per the format enclosed at Annexure-38.
  16. 88.3 The URL to the website of a stock broker shall be reported to the stock exchanges. Any modification in the URL shall be reported to stock exchanges within 3 days of such changes.

Reporting to clients

  17. 15.10.1.7, 22.1.1(f) & 47.8 Once the TM settles the running account of funds of a client, an intimation shall be sent to the client by SMS on mobile number and also by email. The intimation should also include details about the transfer of funds (in case of electronic transfer – transaction number and date; in case of physical payment instruments – instrument number and date). TM shall send the retention statement along with the statement of running accounts to the clients as per the existing provisions within five working days.
  18. 22.9 As on 31st March of every year, a statement of balance of Funds and Securities in hard form and signed by the broker shall be sent to all the clients.
  19. 50.3.7.a In addition to the e-mail communication of the ECNs in the manner stated above, in order to further strengthen the electronic communication channel, the member shall simultaneously publish the ECN on his designated web-site in a secured way and enable relevant access to the clients.
  20. 51.2.2.e.i Contract notes must be issued to clients as per existing regulations, within twenty-four hours of the trade execution.
  21. 73.1 For information of all investors who deal/ invest/ transact in the market, the offices of all stock brokers (and its authorized person(s)) shall prominently display basic information, as provided in Annexure-36, about the grievance redressal mechanism available to investors.
  22. 74.2 Stock Brokers shall bring the Investor Charter to the notice of their clients (existing as well as new clients) through disclosing the Investor Charter on their respective websites, making them available at prominent places in the office, provide a copy of Investor Charter as a part of account opening kit to the clients, through e-mails/ letters etc.

Technology related reporting requirements

  23. 16-Table – 8 (1.5) The system audit report submitted by the auditor should be forwarded to the Stock Exchange by the Stock Broker along with management comments, within one month of submission of report by the auditor.
  24. 18.5.5.14 QSBs shall arrange to have their systems audited on half-yearly basis by a CERT-IN empanelled auditor to check compliance with the above mentioned requirements related to cyber security and other circulars of SEBI on cybersecurity and technical glitches, to the extent they are relevant to them and shall submit the report to stock exchanges along with the comments of the cybersecurity committee within one month of completion of the half year.
  25. 55.4.7 A systems audit of the DMA systems and software shall be periodically carried out by the broker as may be specified by the exchange and certificate in this regard shall be submitted to the exchange.
  26. 56.2.13 System audit of the Smart Order Routing systems and software shall be periodically carried out by the brokers as may be specified by the exchange and certificate in this regard shall be submitted to the exchange.
  27. 60.2 The Stock Brokers are mandated to conduct comprehensive cyber audit at least once in a financial year. All Stock Brokers shall submit with Stock Exchange a declaration from the MD/ CEO/ Partners/ Proprietors certifying compliance by the Stock Brokers with all SEBI Circulars and advisories related to Cyber security from time to time, along with the Cyber audit report.
  28. 60.44 Stock Brokers shall conduct VAPT at least once in a financial year. All Stock Brokers are required to engage only CERT-In empaneled organizations for conducting VAPT. The final report on said VAPT shall be submitted to the Stock Exchanges after approval from Technology Committee of respective Stock Brokers, within 1 month of completion of VAPT activity.

  29. 60.54 All Cyber-attacks, threats, cyber-incidents and breaches experienced by Stock Brokers shall be reported to Stock Exchanges & SEBI within six hours of noticing / detecting such incidents or being brought to notice about such incidents. This information shall be shared to SEBI through the dedicated e-mail id: sbdp-cyberincidents@sebi.gov.in.
  30. 60.55 The incident shall also be reported to Indian Computer Emergency Response team (CERT-In) in accordance with the guidelines / directions issued by CERT-In from time to time. Additionally, the Stock Brokers, whose systems have been identified as “Protected system” by National Critical Information Infrastructure Protection Centre (NCIIPC) shall also report the incident to NCIIPC. The quarterly reports containing information on cyber-attacks, threats, cyber-incidents and breaches experienced by Stock Brokers and measures taken to mitigate vulnerabilities, threats and attacks including information on bugs / vulnerabilities, threats that may be useful for other Stock Brokers / Exchanges and SEBI, shall be submitted to Stock Exchanges within 15 days from the quarter ended June, September, December and March of every year (Format for Submitting the reports is attached in below Annexure 25).
  31. 60.62 The Type I Stock Brokers shall arrange to have their systems audited on an annual basis by a CERT-IN empanelled auditor, an independent DISA (ICAI) Qualification, CISA (Certified Information System Auditor) from ISACA, CISM (Certified Information Securities Manager) from ISACA, CISSP (Certified Information Systems Security Professional) from International Information Systems Security Certification Consortium (commonly known as (ISC)2), to check compliance with the above areas and shall submit the report to Stock Exchanges along with the comments of the Board / Partners / Proprietor of Stock Broker within three months of the end of the financial year.
  32. 62.4 The compliance of the advisory shall be reported in the half yearly report by stock brokers to stock exchanges with an undertaking, “Compliance of the SEBI circular for Advisory for Financial Sector Organizations regarding Software as a Service (SaaS) based solutions has been made.”
  33. 63.3.1 Stock brokers shall inform about the technical glitch to the stock exchanges immediately but not later than one hour from the time of occurrence of the glitch.
  34. 63.3.2 Stock brokers shall submit a Preliminary Incident Report to the Exchange within T+1 day of the incident (T being the date of the incident). The report shall include the date and time of the incident, the details of the incident, effect of the incident and the immediate action taken to rectify the problem.
  35. 63.3.3 Stock brokers shall submit a Root Cause Analysis (RCA) Report (as per Annexure 30) of the technical glitch to stock exchange, within fourteen days from the date of the incident.
  36. 63.3.5 Stock brokers shall submit information stated in para 63.3.1, 63.3.2 and 63.3.3 above, by e-mail at infotechglitch@nse.co.in, a common email address for reporting across all stock exchanges.
  37. 64.5 The compliance of the advisory shall be provided by the REs along with their cybersecurity audit report (conducted as per the applicable SEBI Cybersecurity and Cyber Resilience framework). The compliance shall be submitted as per the existing reporting mechanism and frequency of the respective cybersecurity audit.

Reporting requirements for QSBs

  38. 18.5.1.3 QSBs shall submit an annual report to the stock exchanges regarding the observations of the committees of BOD or analogous body, corrective action taken by the QSB and measures taken to prevent recurrence of such incidents.
  39. 18.5.2.3 The risk management framework shall have measures for carrying out surveillance of client behaviour through analyzing the pattern of trading done by clients, detection of any unusual activity being done by such clients, reporting the same to stock exchanges.
  40. 18.5.2.8 The risk management policy shall be reviewed on half yearly basis by the QSB and a report in this regard shall be submitted by the risk management committee of the QSB to the stock exchange.
  41. 18.5.5.14 QSBs shall arrange to have their systems audited on half-yearly basis by a CERT-IN empanelled auditor to check compliance with the above mentioned requirements related to cyber security and other circulars of SEBI on cybersecurity and technical glitches, to the extent they are relevant to them and shall submit the report to stock exchanges along with the comments of the cybersecurity committee within one month of completion of the half year.

Other reporting requirements

  42. 82.6.1 Reporting to Financial Intelligence Unit (FIU) - The stock brokers shall be responsible for reporting of any suspicious transactions / reports to FIU or any other competent authority in respect of activities carried out by the third parties.

Annexures

Annexure-1

  1. Name of the Stock Exchange
  2. Name of the Applicant Member Broker
  3. Exchange Clearing Code No. (If allotted by the Stock Exchange)
  4. Trade Name of Member
  5. Address of Member Tel. No. (O): Tel No. (R): Fax No.
  6. Form of Organisation: Please tick the relevant entity
     6.1 Partnership
     6.2 Corporate Body
       a. Financial Institution
       b. Others
       c. Foreign Joint Ventures (If an Indian Company is holding more than 25% of total equity in the joint venture, please give details of top five shareholders of Indian Company).

     Name of Indian Company | Top five Shareholders (1, 2, 3, 4, 5) | % Holding

     FIPB Approval, if applicable

     Sole Proprietorship: Name of proprietor; Educational Qualification; Age (on the date of filing of application); Experience (specify the nature and years)

     Partnership: Name of partners; Age (on the date of application); Educational Qualification; Experience (specify the nature and years). In case partner(s) is/are registered with SEBI, give SEBI Regd. No.

     Corporate Body (Financial Institution /Others): MOA object clause contains stock broking as one of the object in: Main Object / Other Object / Incidental Object (If, stock broking clause appears in other object please attach a copy of special resolution to amend the MOA to incorporate Stock Broking in main object clause). Mention relevant clause no. (Please enclose copy of the relevant clause of the MOA duly certified by the Stock Exchange. If certified copy is not enclosed application would be returned).

     Information regarding directors: Name of directors with designation (whether whole time/designated/additional); Percentage of Share holding; Educational Qualification; Experience (specify nature and years); Whether directors in other corporate bodies engaged in capital markets (please give names and SEBI Regd. No.)

     Details of top five shareholders: Name of shareholders; Percentage of Share holding; Educational Qualification; Experience (specify nature and years); Whether shareholders in other corporate bodies engaged in capital markets (please give names and SEBI Regd. No.)
  7. Date of Admission to Membership of the Stock Exchange.
  8. Mode of Acquiring Membership (Please attach old SEBI Registration certificate in all cases other than the cases of new membership)
     8.1 New Membership
     8.2 Conversion
     8.3 Succession
     8.4 Auction Purchase (In case member has become defaulter)
     8.5 Market Purchase
     8.6 Transfer to another Company under same management (please specify reasons)
     8.7 Others, please specify
  9. Please give the following information in all the cases other than the case of new membership
     9.1 Name of the previous holder of the card
     9.2 SEBI Registration No.
     9.3 Date of Registration with SEBI
  10. Whether the applicant is member of more than one Stock Exchange? YES / NO
  11. If yes, please give name(s) of the Stock Exchange(s) with Code No. and SEBI registration no.
  12. Whether any of the Associate Companies/Partnership/Proprietorship Firm is/are having direct/indirect interest (* as defined below) in capital market? YES / NO

  • The member is deemed to have direct/indirect interest in the following conditions: 12.1 Where he is individual, he or any of his relative being a broker/any intermediary, he or any of his relative being a partner in a broking firm/any intermediary, he or any of his relative being a director in a broking company/any intermediary or he or any of his relatives clubbed together holding substantial equity in any broking company/any intermediary engaged in capital market. 12.2 Where it is partnership firm/company, the relative(s) of partner(s)/director(s) in the firm(s)/corporate body being a broker/any intermediary or being partner(s)/director(s) in any broking/intermediary or the same set of shareholders holding substantial equity in other broking / any intermediary engaged in capital market. 12.3 Relative shall mean husband, wife, brother, unmarried sister or any linear ascendant or descendant of an individual. 12.4 If yes, please give details (you may attach separate sheet, if required)

Name | Form of Organisation | Type of Intermediary# | Whether registered with SEBI (give Regd. No.) | Nature of interest

Merchant Banker, Portfolio Manager, Registrar to Issue & Share Transfer Agent, Banker to an Issue, Mutual Fund, Venture Capital, Underwriter, Debenture Trustee, FII.

  13. Disciplinary Action initiated/taken against the Associate entities, as indicated in 12.4 above. (Please state details of nature of violation, action initiated/taken and by which authority)
     13.1 Disciplinary action taken by SEBI (if yes, please attach details mentioning nature of violation and action taken) YES / NO
     13.2 Disciplinary action taken by any other authority (please attach details of nature of violation and action initiated) YES / NO
     13.3 Disciplinary action initiated by SEBI (if yes, please attach details of nature of violation and action taken) YES / NO
     13.4 Disciplinary action initiated by any other authority (please attach details of nature of violation and action initiated) YES / NO
  14. Net-worth as per the requirement of the exchange (Rs in Lakhs)
  15. Applicant’s net-worth as prescribed in SEBI (Stock Brokers) Regulations, 1992 (Rs in Lakhs) (Certificate from a qualified CA certifying the above should be enclosed)

I/we declare that the information given in this form is true to the best of my knowledge and belief.

Date:

Signature

Name and Address of the applicant

List of Enclosures:

a. Registration fees – Rs 50,000/- payable by the applicant by way of direct credit in the bank account through online payment using SEBI payment gateway.[115]

115 Amended by the SEBI (Payment of Fees and Mode of Payment) (Amendment) (Regulations) 2021 w.e.f. 05-05-2021

b. Copy of relevant clause of MOA duly certified by the Stock Exchange.

c. Certificate from the qualified Chartered Accountant certifying the networth and paid up capital.

d. Undertaking by applicant that he/it had not introduced through any member broker of the Exchange any fake/forged/stolen shares in the Exchange/market. If yes, details thereof including action taken, if any, by the applicant.

Certification by Stock Exchange

The above details have been scrutinized as per record made available to the Stock Exchange.

SIGNATURE:

NAME:

DESIGNATION:

SEAL OF STOCK EXCHANGE

Certification from the Stock Exchange:

This is to certify that

i) The member is eligible to be admitted as the member of the Exchange as per the provisions of SC(R)A, SC(R)R, bye-laws of the exchange and circulars issued by Government of India and SEBI, in particular the GOI guidelines dated November 09, 1989 and SEBI circular dated May 14, 1993.

ii) ------------------- is admitted as a member of this exchange as approved by the Council of Management in its meeting held on _.

iii) No complaints/arbitration cases/disciplinary action are pending against the transferor M/s _ and all the complaints received by the Exchange or referred by SEBI have been settled to the satisfaction of the Stock Exchange.

iv) We have verified the educational qualification, age, experience of the member with respect to the original record and found it to be correct as per the information given in the application.

v) No litigation with regard to transfer of card is pending in court of law.

The application is recommended for registration with the Securities and Exchange Board of India under Securities and Exchange Board of India (Stock Brokers) Regulations, 1992.

Signature:

Name:

Designation:

List of Enclosures along with application:

  1. Turnover fee details of the transferor in the prescribed format (enclosed).
  2. Disciplinary record of the transferor
  3. Board Resolution approving the membership (will be submitted by the Exchange)

Annexure-2 [116]

The common irregularities observed in the Stock Brokers/trading members books are brought to the notice of all. They are as follows:

S. No. | Description

I Relating to KYC

  1. ‘In person verification’ not done while opening the account. Photo copy of KYC & Rights and Obligations document are not provided to clients; if provided proof of delivery/dispatch is not maintained.
  2. Adding clauses in Rights and Obligations document which are contrary to the clauses as prescribed by SEBI. Voluntary clauses are not highlighted as ‘voluntary’ and signatures of clients taken on all the documents.

II Relating to Contract notes

  3. Contract notes are not bearing serial numbers, SEBI registration numbers, Order no. & time. Contract notes are not issued in the prescribed format/not issued within twenty-hours of trade execution/not signed properly by the broker or his authorized representatives.
  4. Duplicates/counterfoils/acknowledged copies of the contract notes issued not being maintained or maintained with inadequate details.
  5. Not issuing contracts in the prescribed format while acting as principal.
  6. Appropriate stamp duty not paid and charging Securities Transaction Tax (STT) on non-equity funds transactions by the brokers.
  7. Brokerage is not shown separately on contract notes. The correct rate at which the transaction was executed is not passed on to the client.
  8. Charges other than brokerage and statutory charges levied on the clients which are not specifically agreed upon by the clients or charging more than the limits prescribed.

116 Para VI(37) of Annexure of Circular SEBI/MIRSD/MASTER CIR-04/2010 dated March 17, 2010, deleted in view of Notification LAD-NRO/GN/2011-12/03/12650 dated April 19, 2011.

  9. In case the Electronic Contract Notes (ECN) are issued, the same are not made available on brokers’ websites/sending ECN on single email-id for a group of clients/not maintaining ECN logs for ECN sent to the clients.

III Relating to Investor services

  10. Deficiency in service to the clients.
  11. Non maintenance of investor grievance register and lack of proper system for receipt and reconciliation of investor grievances/not taking adequate steps for redressal of grievances of investors within one month from the date of receipt of the complaint.
  12. Non maintenance of client database or details captured wrongly in the database.
  13. There are delays between pay-out by the exchange to their members and the transmission of shares/money received in such pay-out to their clients by brokers without any record of reasons for such delay.
  14. Non dissemination of email ID created for receiving investor grievances to the investors.
  15. Freezing of accounts of clients without giving adequate reason.
  16. Providing multiple client codes to one client/using same PAN no. for more than one client.
  17. Frequent trade modification/client code modification done in client account.
  18. Daily margin statement and quarterly statements not sent to clients.
  19. Relationship managers acting as portfolio managers by entering into verbal agreement with clients for trading on their behalf.

IV Relating to funds and securities

  20. Unauthorized trading activities carried out in client’s account.
  21. Not having separate account for clients' funds/securities or having separate accounts for clients but not segregating clients' funds/securities from its own funds/securities.
  22. The brokers are found involved in funding activities - with the exception of those in connection with or incidental to or consequential upon the securities business.
  23. Non collection of margin from clients/wrong reporting of collection of margins to exchanges/clearing members.
  24. Accepting cash from the clients. Accepting/giving third party payments/receipts.

V Relating to terminals

  25. Not putting the unique client code (UCC) of clients while placing orders in the trading system.
  26. The broker granting the trading terminals at places other than that specified by SEBI e.g. registered office, branch office.
  27. Terminals operated by personnel without having proper qualification/persons operating the terminal are not employees/remisiers.

VI Others

  28. Non-maintenance or improper maintenance of Books of Accounts which are required to be maintained as per Rule 15 of SCRA Rules 1957 and Regulation 17 of Stock Brokers Regulations 1992.
  29. Non-compliance with provisions relating to spot/negotiated deals.
  30. Instances of the broker/dealers/others connected with the broker, involved in front running, circular trading, creating false markets, misuse of the exchange mechanism for securing financing transactions, entering fictitious transactions and illegal transactions.
  31. Non submission of audit report/internal audit reports within the prescribed time limit.
  32. Involved in business other than the securities business in violation of applicable laws.
  33. Non-payment/inadequate payment of SEBI registration fees by the stock brokers.
  34. Not complying with the provisions of advertisements/internet based trading.
  35. Non appointment of compliance officer.
  36. Non-compliance with trading restrictions imposed by Stock Exchanges.
  37. Trading in unlisted securities and in securities prior to their admission to dealings by Exchanges.
  38. Not reporting off-the-floor transactions (e.g.) (a) The transactions with stock brokers of other exchanges (b) Principal to principal transactions with clients (c) Transactions done after the trading hours.
  39. Non-formation of policies related to internal controls, employee/insider trading, Prevention of Money Laundering (PML) etc. If policies are formulated, they are not implemented.
  40. Delivery vs payment (DvP) trades are done in other than those circumstances as prescribed.

Annexure-3

  1. Terms of Reference (ToR) for Type I Broker

The system auditor shall at the minimum cover the following areas:

1.1. System controls and capabilities

1.1.1. Order Tracking – The system auditor should verify system process and controls at exchange provided terminals with regard to order entry, capturing of IP address of order entry terminals, modification / deletion of orders, status of the current order/outstanding orders and trade confirmation.

1.1.2. Order Status/ Capture – Whether the system has capability to generate / capture order id, time stamping, order type, scrip details, action, quantity, price and validity etc.

1.1.3. Rejection of orders – Whether system has capability to reject orders which do not go through order level validation at the end of the stock broker and at the servers of respective Stock Exchanges.

1.1.4. Communication of Trade Confirmation / Order Status – Whether the system has capability to timely communicate to Client regarding the Acceptance/ Rejection of an Order / Trade via various media including e-mail; facility of viewing trade log.

1.1.5. Client ID Verification – Whether the system has capability to recognize only authorized Client Orders and mapping of Specific user Ids to specific predefined location for proprietary orders.

1.2. Risk Management System (RMS)

1.2.1. Online risk management capability – The system auditor should check whether the system of online risk management (including upfront real-time risk management) is in place for all orders placed through exchange provided terminals.

1.2.2. Trading Limits – Whether a system of pre-defined limits / checks such as Order Quantity and Value Limits, Symbol wise User Order / Quantity limit, User / Branch Order Limit, Order Price limit, etc., are in place and only such orders which are within the parameters specified by the RMS are allowed to be pushed into exchange trading engines. The system auditor should check that no user or branch in the system is having unlimited limits on the above parameters.

1.2.3. Order Alerts and Reports – Whether the system has capability to generate alerts when orders that are placed are above the limits and has capability to generate reports relating to Margin Requirements, payments and delivery obligations.

1.2.4. Order Review – Whether the system has capability to facilitate review of such orders that were not validated by the system.

1.2.5. Back testing for effectiveness of RMS – Whether the system has capability to identify trades which have exceeded the pre-defined limits (Order Quantity and Value Limits, Symbol wise User Order / Quantity limit, User / Branch Order Limit, Order Price limit) and also exceed corresponding margin availability of clients. Whether deviations from such pre-defined limits are captured by the system, documented and corrective steps taken.

1.2.6. Log Management – Whether the system maintains logs of alerts / changes / deletion / activation / deactivation of client codes and logs of changes to the risk management parameters mentioned above. Whether the system allows only authorized users to set the risk parameter in the RMS.

1.3. Password Security

1.3.1. Organization Access Policy – Whether the organization has a well-documented policy that provides for a password policy as well as access control policy for the exchange provided terminals.

1.3.2. Authentication Capability – Whether the system authenticates user credentials by means of a password before allowing the user to login, and whether there is a system for authentication of orders originating from Internet Protocol by means of two-factor authentication, including Public Key Infrastructure (PKI) based implementation of digital signatures.

1.3.3. Password Best Practices – Whether there is a system provision for masking of password, system prompt to change default password on first login, disablement of user id on entering multiple wrong passwords (as defined in the password policy document), periodic password change mandate and appropriate prompt to user, strong parameters for password, deactivation of dormant user id, etc.

1.4. Session Management

1.4.1. Session Authentication – Whether the system has provision for Confidentiality, Integrity and Availability (CIA) of the session and the data transmitted during the session by means of appropriate user and session authentication mechanisms like SSL etc.

1.4.2. Session Security – Whether there is availability of an end-to-end encryption for all data exchanged between client and broker systems or other means of ensuring session security.

1.4.3. Inactive Session – Whether the system allows for automatic trading session logout after a system defined period of inactivity.

1.4.4. Log Management – Whether the system generates and maintains logs of Number of users, activity logs, system logs, Number of active clients.

1.5. Network Integrity

1.5.1. Seamless connectivity – Whether stock broker has ensured that a backup network link is available in case of primary link failure with the exchange.

1.5.2. Network Architecture – Whether the web server is separate from the Application and Database Server.

1.5.3. Firewall Configuration – Whether appropriate firewall is present between stock broker's trading setup and various communication links to the exchange. Whether the firewall is appropriately configured to ensure maximum security.

1.6. Access Controls

1.6.1. Access to server rooms – Whether adequate controls are in place for access to server rooms and proper audit trails are maintained for the same.

1.6.2. Additional Access controls – Whether the system provides for any authentication mechanism to access to various components of the exchange provided terminals. Whether additional password requirements are set for critical features of the system. Whether the access control is adequate.

1.7. Backup and Recovery

1.7.1. Backup and Recovery Policy – Whether the organization has a well documented policy on periodic backup of data generated from the broking operations.

1.7.2. Log generation and data consistency - Whether backup logs are maintained and backup data is tested for consistency.

1.7.3. System Redundancy – Whether there are appropriate backups in case of failures of any critical system components.

1.8. BCP/DR (Only applicable for Stock Brokers having BCP / DR site)

1.8.1. BCP / DR Policy – Whether the stock broker has a well documented BCP/ DR policy and plan. The system auditor should comment on the documented incident response procedures.

1.8.2. Alternate channel of communication – Whether the stock broker has provided its clients with alternate means of communication including channel for communication in case of a disaster. Whether the alternate channel is capable of authenticating the user after asking for additional details or OTP (One-Time-Password).

1.8.3. High Availability – Whether BCP / DR systems and network connectivity provide high availability and have no single point of failure for any critical operations as identified by the BCP/DR policy.

1.8.4. Connectivity with other FMIs – The system auditor should check whether there is an alternative medium to communicate with Stock Exchanges and other FMIs.

1.9. Segregation of Data and Processing facilities – The system auditor should check and comment on the segregation of data and processing facilities at the stock broker in case the stock broker is also running other business.

1.10. Back office data

1.10.1. Data consistency – The system auditor should verify whether aggregate client code data available at the back office of broker matches with the data submitted / available with the Stock Exchanges through online data view / download provided by exchanges to members.

1.10.2. Trail Logs – The system auditor should specifically comment on the logs of Client Code data to ascertain whether editing or deletion of records have been properly documented and recorded and does not result in any irregularities.

1.11. IT Infrastructure Management (including use of various Cloud computing models such as Infrastructure as a service (IaaS), Platform as a service (PaaS), Software as a service (SaaS), Network as a service (NaaS))

1.11.1. IT Governance and Policy – The system auditor should verify whether the relevant IT Infrastructure-related policies and standards exist and are regularly reviewed and updated. Compliance with these policies is periodically assessed.

1.11.2. IT Infrastructure Planning – The system auditor should verify whether the plans/policy for the appropriate management and replacement of aging IT infrastructure components have been documented, approved, and implemented. The activities, schedules and resources needed to achieve objectives related to IT infrastructure have been integrated into business plans and budgets.

1.11.3. IT Infrastructure Availability (SLA Parameters) – The system auditor should verify whether the broking firm has a process in place to define its required availability of the IT infrastructure, and its tolerance to outages. In cases where there is huge reliance on vendors for the provision of IT services to the brokerage firm the system auditor should also verify that the mean time to recovery (MTTR) mentioned in the Service Level Agreement (SLA) by the service provider satisfies the requirements of the broking firm.

1.11.4. IT Performance Monitoring (SLA Monitoring) – The system auditor should verify that the results of SLA performance monitoring are documented and are reported to the management of the broker.

1.12. Exchange specific exceptional reports – The additional checks recommended by a particular exchange need to be looked into and commented upon by the system auditor over and above the ToR of the system audit.

258 Annexure-4 2. ToR for Type II Broker The system auditor shall at the minimum cover the following areas: 2.1.System controls and capabilities (CTCL / IML terminals and servers) 2.1.1. Order Tracking – The system auditor should verify system process and controls at CTCL / IML terminals and CTCL/ IML servers covering order entry, capturing of IP address of order entry terminals, modification / deletion of orders, status of current order/outstanding orders and trade confirmation. 2.1.2. Order Status/ Capture – Whether the system has capability to generate / capture order id, time stamping, order type, scrip details, action, quantity, price and validity, etc. 2.1.3. Rejection of orders – Whether system has capability to reject orders which do not go through order level validation at CTCL servers and at the servers of respective Stock Exchanges. 2.1.4. Communication of Trade Confirmation / Order Status – Whether the system has capability to timely communicate to Client regarding the Acceptance/ Rejection of an Order / Trade via various media including e￾mail; facility of viewing trade log. 2.1.5. Client ID Verification – Whether the system has capability to recognize only authorized Client Orders and mapping of Specific user Ids to specific predefined location for proprietary orders. 2.1.6. Order type distinguishing capability – Whether system has capability to distinguish the orders originating from (CTCL or IML) / IBT/ DMA / STWT. 2.2.Software Change Management - The system auditor should check whether proper procedures have been followed and proper documentation has been maintained for the following: 2.2.1. Processing / approval methodology of new feature request or patches. 2.2.2. Fault reporting / tracking mechanism and process for resolution. 2.2.3. Testing of new releases / patches / modified software / bug fixes. 2.2.4. Version control- History, Change Management process, approval etc.

259 2.2.5. Development / Test / Production environment segregation. 2.2.6. New release in production – promotion, release note approvals. 2.2.7. Production issues / disruptions reported during last year, reasons for such disruptions and corrective actions taken. 2.2.8. User Awareness. The system auditor should check whether critical changes made to the (CTCL or IML) / IBT / DMA / STWT/ SOR are well documented and communicated to the Stock Exchange. 2.3.Risk Management System (RMS) 2.3.1. Online risk management capability – The system auditor should check whether system of online risk management including upfront real-time risk management, is in place for all orders placed through (CTCL or IML) / IBT / DMA / STWT. 2.3.2. Trading Limits – Whether a system of pre-defined limits /checks such as Order Quantity and Value Limits, Symbol wise User Order / Quantity limit, User / Branch Order Limit, Order Price limit, etc., are in place and only such orders which are within the parameters specified by the RMS are allowed to be pushed into exchange trading engines. The system auditor should check that no user or branch in the system is having unlimited limits on the above parameters. 2.3.3. Order Alerts and Reports – Whether the system has capability to generate alerts when orders that are placed are above the limits and has capability to generate reports relating to margin requirements, payments and delivery obligations. 2.3.4. Order Review – Whether the system has capability to facilitate review of such orders that were not validated by the system. 2.3.5. Back testing for effectiveness of RMS – Whether system has capability to identify trades which have exceeded the pre-defined limits (Order Quantity and Value Limits, Symbol wise User Order / Quantity limit, User / Branch Order Limit, Order Price limit) and also exceed corresponding margin availability of clients. 
Whether deviations from such pre-defined limits are captured by the system, documented and corrective steps taken. 2.3.6. Log Management – Whether the system maintains logs of alerts / changes / deletion / activation / deactivation of client codes and logs of

260 changes to the risk management parameters mentioned above. Whether the system allows only authorized users to set the risk parameter in the RMS. 2.4.Smart order routing (SOR) - The system auditor should check whether proper procedures have been followed and proper documentation has been maintained for the following: 2.4.1. Best Execution Policy – System adheres to the Best Execution Policy while routing the orders to the exchange. 2.4.2. Destination Neutral – The system routes orders to the recognized Stock Exchanges in a neutral manner. 2.4.3. Class Neutral – The system provides for SOR for all classes of investors. 2.4.4. Confidentiality - The system does not release orders to venues other than the recognized Stock Exchange. 2.4.5. Opt–out – The system provides functionality to the client who has availed of the SOR facility, to specify for individual orders for which the clients do not want to route order using SOR. 2.4.6. Time stamped market information – The system is capable of receiving time stamped market prices from recognized Stock Exchanges from which the member is authorized to avail SOR facility. 2.4.7. Audit Trail - Audit trail for SOR should capture order details, trades and data points used as a basis for routing decision. 2.4.8. Server Location – The system auditor should check whether the order routing server is located in India. 2.4.9. Alternate Mode - The system auditor should check whether an alternative mode of trading is available in case of failure of SOR Facility. 2.5.Password Security 2.5.1. Organization Access Policy – Whether organization has a well￾documented policy that provides for a password policy as well as access control policy for exchange provided terminals and for API based terminals. 2.5.2. Authentication Capability – Whether the system authenticates user credentials by means of a password before allowing the user to login, and whether there is a system for authentication of orders originating from

261 Internet Protocol by means of two-factor authentication, including Public Key Infrastructure (PKI) based implementation of digital signatures. 2.5.3. Password Best Practices – Whether there is a system provision for masking of password, system prompt to change default password on first login, disablement of user id on entering multiple wrong passwords (as defined in the password policy document), periodic password change mandate and appropriate prompt to user, strong parameters for password, deactivation of dormant user id, etc. 2.6.Session Management 2.6.1. Session Authentication – Whether system has provision for Confidentiality, Integrity and Availability (CIA) of the session and the data transmitted during the session by means of appropriate user and session authentication mechanisms like SSL etc. 2.6.2. Session Security – Whether there is availability of an end-to-end encryption for all data exchanged between client and broker systems or other means of ensuring session security. Whether session login details are stored on the devices used for IBT and STWT. 2.6.3. Inactive Session – Whether the system allows for automatic trading session logout after a system defined period of inactivity. 2.6.4. Log Management – Whether the system generates and maintains logs of Number of users, activity logs, system logs, Number of active clients. 2.7.Database Security 2.7.1. Access – Whether the system allows CTCL or IML database access only to authorized users / applications. 2.7.2. Controls – Whether the CTCL or IML database server is hosted on a secure platform, with Username and password stored in an encrypted form using strong encryption algorithms. 2.8.Network Integrity 2.8.1. Seamless connectivity – Whether the stock broker has ensured that a backup network link is available in case of primary link failure with the exchange. 2.8.2. Network Architecture – Whether the web server is separate from the Application and Database Server.

2.8.3. Firewall Configuration – Whether appropriate firewall is present between stock broker's trading setup and various communication links to the exchange. Whether the firewall is appropriately configured to ensure maximum security.

2.9. Access Controls

2.9.1. Access to server rooms – Whether adequate controls are in place for access to server rooms and proper audit trails are maintained for the same.

2.9.2. Additional Access controls – Whether the system provides for two factor authentication mechanism to access various CTCL or IML components. Whether additional password requirements are set for critical features of the system. Whether the access control is adequate.

2.10. Backup and Recovery

2.10.1. Backup and Recovery Policy – Whether the organization has a well-documented policy on periodic backup of data generated from the broking operations.

2.10.2. Log generation and data consistency - Whether backup logs are maintained and backup data is tested for consistency.

2.10.3. System Redundancy – Whether there are appropriate backups in case of failures of any critical system components.

2.11. BCP/DR (Only applicable for Stock Brokers having BCP / DR site)

2.11.1. BCP / DR Policy – Whether the stock broker has a well-documented BCP/ DR policy and plan. The system auditor should comment on the documented incident response procedures.

2.11.2. Alternate channel of communication – Whether the stock broker has provided its clients with alternate means of communication including channel for communication in case of a disaster. Whether the alternate channel is capable of authenticating the user after asking for additional details or OTP (One-Time-Password).

2.11.3. High Availability – Whether BCP / DR systems and network connectivity provide high availability and have no single point of failure for any critical operations as identified by the BCP/ DR policy.

2.11.4. Connectivity with other FMIs – The system auditor should check whether there is an alternative medium to communicate with Stock Exchanges and other FMIs.

2.12. Segregation of Data and Processing facilities – The system auditor should check and comment on the segregation of data and processing facilities at the stock broker in case the stock broker is also running other business.

2.13. Back office data

2.13.1. Data consistency – The system auditor should verify whether aggregate client code data available at the back office of broker matches with the data submitted / available with the Stock Exchanges through online data view / download provided by exchanges to members.

2.13.2. Trail Logs – The system auditor should specifically comment on the logs of Client Code data to ascertain whether editing or deletion of records have been properly documented and recorded and does not result in any irregularities.

2.14. User Management

2.14.1. User Management Policy – The system auditor should check whether the stock broker has a well-documented policy that provides for user management and the user management policy explicitly defines user, database and application Access Matrix.

2.14.2. Access to Authorized users – The system auditor should check whether the system allows access only to the authorized users of the CTCL or IML System. Whether there is a proper documentation of the authorized users in the form of User Application approval, copies of User Qualification and other necessary documents.

2.14.3. User Creation / Deletion – The system auditor should check whether new user ids were created / deleted as per CTCL or IML guidelines of the exchanges and whether the user ids are unique in nature.

2.14.4. User Disablement – The system auditor should check whether non-compliant users are disabled and appropriate logs (such as event log and trade logs of the user) are maintained.

2.15. IT Infrastructure Management (including use of various Cloud computing models such as Infrastructure as a service (IaaS), Platform as a service (PaaS), Software as a service (SaaS), Network as a service (NaaS))

2.15.1. IT Governance and Policy – The system auditor should verify whether the relevant IT Infrastructure-related policies and standards exist and are regularly reviewed and updated. Compliance with these policies is periodically assessed.

2.15.2. IT Infrastructure Planning – The system auditor should verify whether the plans/policy for the appropriate management and replacement of aging IT infrastructure components have been documented, approved, and implemented. The activities, schedules and resources needed to achieve objectives related to IT infrastructure have been integrated into business plans and budgets.

2.15.3. IT Infrastructure Availability (SLA Parameters) – The system auditor should verify whether the broking firm has a process in place to define its required availability of the IT infrastructure, and its tolerance to outages. In cases where there is huge reliance on vendors for the provision of IT services to the brokerage firm the system auditor should also verify that the mean time to recovery (MTTR) mentioned in the Service Level Agreement (SLA) by the service provider satisfies the requirements of the broking firm.

2.15.4. IT Performance Monitoring (SLA Monitoring) – The system auditor should verify that the results of SLA performance monitoring are documented and are reported to the management of the broker.

2.16. Exchange specific exceptional reports – The additional checks recommended by a particular exchange need to be looked into and commented upon by the System Auditor over and above the ToR of the System audit.

2.17. Software Testing Procedures - The system auditor should check whether the stock broker has complied with the guidelines and instructions of SEBI / Stock Exchanges with regard to testing of software and new patches, including the following:

2.17.1. Test Procedure Review – The system auditor should evaluate whether the procedures for system and software testing were proper and adequate.

2.17.2. Documentation – The system auditor should verify whether the documentation related to testing procedures, test data, and resulting output were adequate and follow the organization's standards.

2.17.3. Test Cases – The system auditor should review the internal test cases and comment upon the adequacy of the same with respect to the requirements of the Stock Exchange and SEBI.

Annexure-5

3. ToR for Type III Broker

The system auditor shall at the minimum cover the following areas:

3.1. System controls and capabilities (CTCL/IML Terminals and servers)

3.1.1. Order Tracking – The system auditor should verify system process and controls at CTCL / IML terminals and CTCL/ IML servers covering order entry, capturing IP address of order entry, modification / deletion of orders, status of current order/outstanding orders and trade confirmation.

3.1.2. Order Status/ Capture – Whether the system has capability to generate / capture order id, time stamping, order type, scrip details, action, quantity, price and validity etc.

3.1.3. Rejection of orders – Whether the system has capability to reject orders which do not go through order level validation at CTCL servers and at the servers of respective exchanges.

3.1.4. Communication of Trade Confirmation / Order Status – Whether the system has capability to timely communicate to client regarding the Acceptance/ Rejection of an Order / Trade via various media including e-mail; facility of viewing trade log.

3.1.5. Client ID Verification – Whether the system has capability to recognize only authorized Client Orders and mapping of Specific user Ids to specific predefined location for proprietary orders.

3.1.6. Order type distinguishing capability – Whether the system has capability to distinguish the orders originating from (CTCL or IML) / IBT / DMA / STWT / SOR / Algorithmic Trading.

3.2. Software Change Management - The system auditor should check whether proper procedures have been followed and proper documentation has been maintained for the following:

3.2.1. Processing / approval methodology of new feature request or patches.

3.2.2. Fault reporting / tracking mechanism and process for resolution.

3.2.3. Testing of new releases / patches / modified software / bug fixes.

3.2.4. Version control- History, Change Management process, approval etc.

3.2.5. Development / Test / Production environment segregation.

3.2.6. New release in production – promotion, release note approvals.

3.2.7. Production issues / disruptions reported during last year, reasons for such disruptions and corrective actions taken.

3.2.8. User Awareness. The system auditor should check whether critical changes made to the (CTCL or IML) / IBT / DMA / STWT/ SOR are well documented and communicated to the Stock Exchange.

3.3. Risk Management System (RMS)

3.3.1. Online risk management capability – The system auditor should check whether the online risk management including upfront real-time risk management, is in place for all orders placed through (CTCL or IML) / IBT/ DMA / SOR / STWT / Algorithmic Trading.

3.3.2. Trading Limits – Whether a system of pre-defined limits / checks such as Order Quantity and Value Limits, Symbol wise User Order / Quantity limit, User / Branch Order Limit, Order Price limit, etc., are in place and only such orders which are within the parameters specified by the RMS are allowed to be pushed into exchange trading engines. The system auditor should check that no user or branch in the system is having unlimited limits on the above parameters.

3.3.3. Order Alerts and Reports – Whether the system has capability to generate alerts when orders that are placed are above the limits and has capability to generate reports relating to margin requirements, payments and delivery obligations.

3.3.4. Order Review – Whether the system has capability to facilitate review of such orders that were not validated by the system.

3.3.5. Back testing for effectiveness of RMS – Whether the system has capability to identify trades which have exceeded the pre-defined limits (Order Quantity and Value Limits, Symbol wise User Order / Quantity limit, User / Branch Order Limit, Order Price limit) and also exceed corresponding margin availability of clients. Whether deviations from such pre-defined limits should be captured by the system, documented and corrective steps taken.

3.3.6. Log Management – Whether the system maintains logs of alerts / changes / deletion / activation / deactivation of client codes and logs of changes to the risk management parameters mentioned above. Whether the system allows only authorized users to set the risk parameter in the RMS.

3.4. Smart order routing (SOR) - The system auditor should check whether proper procedures have been followed and proper documentation has been maintained for the following:

3.4.1. Best Execution Policy – System adheres to the Best Execution Policy while routing the orders to the exchange.

3.4.2. Destination Neutral – The system routes orders to the recognized Stock Exchanges in a neutral manner.

3.4.3. Class Neutral – The system provides for SOR for all classes of investors.

3.4.4. Confidentiality - The system does not release orders to venues other than the recognized Stock Exchange.

3.4.5. Opt–out – The system provides functionality to the client who has availed of the SOR facility, to specify for individual orders for which the clients do not want to route order using SOR.

3.4.6. Time stamped market information – The system is capable of receiving time stamped market prices from recognized Stock Exchanges from which the member is authorized to avail SOR facility.

3.4.7. Audit Trail - Audit trail for SOR should capture order details, trades and data points used as a basis for routing decision.

3.4.8. Server Location – The system auditor should check whether the order routing server is located in India.

3.4.9. Alternate Mode - The system auditor should check whether an alternative mode of trading is available in case of failure of SOR Facility.

3.5. Algorithmic Trading - The system auditor should check whether proper procedures have been followed and proper documentation has been maintained for the following:

3.5.1. Change Management – Whether any changes (modification/addition) to the approved algos were informed to and approved by Stock Exchange. The inclusion / removal of different versions of algos should be well documented.

3.5.2. Online Risk Management capability - The CTCL or IML server should have capacity to monitor orders / trades routed through algo trading and have online risk management for all orders through Algorithmic trading and ensure that Price Check, Quantity Check, Order Value Check, Cumulative Open Order Value Check are in place.

3.5.3. Risk Parameters Controls – The system should allow only authorized users to set the risk parameter. The System should also maintain a log of all the risk parameter changes made.

3.5.4. Information / Data Feed – The auditor should comment on the various sources of information / data for the algo and on the likely impact (run away / loop situation) of the failure of one or more sources to provide timely feed to the algorithm. The system auditor should verify that the algo automatically stops further processing in the absence of data feed.

3.5.5. Check for preventing loop or runaway situations – The system auditor should check whether the brokers have real time monitoring systems to identify and shutdown/stop the algorithms which have not behaved as expected.

3.5.6. Algo / Co-location facility Sub-letting – The system auditor should verify if the algo / co-location facility has not been sub-let to any other firms to access the exchange platform.

3.5.7. Audit Trail – The system auditor should check the following areas in audit trail:

a. Whether the audit trails can be established using unique identification for all algorithmic orders and comment on the same.

b. Whether the broker maintains logs of all trading activities.

c. Whether the records of control parameters, orders, traders and data emanating from trades executed through algorithmic trading are preserved/ maintained by the stock broker.

d. Whether changes to the control parameters have been made by authorized users as per the Access Matrix. The system auditor should specifically comment on the reasons and frequency for changing of such control parameters. Further, the system auditor should also comment on the possibility of such tweaking leading to run away/loop situation.

e. Whether the system captures the IP address from where the algo orders are originating.

3.5.8. Systems and Procedures – The system auditor should check and comment on the procedures, systems and technical capabilities of stock broker for carrying out trading through use of Algorithms. The system auditor should also identify any misuse or unauthorized access to algorithms or the system which runs these algorithms.

3.5.9. Reporting to Stock Exchanges – The system auditor should check whether the stock broker is informing the Stock Exchange regarding any incidents where the algos have not behaved as expected. The system auditor should also comment upon the time taken by the stock broker to inform the Stock Exchanges regarding such incidents.

3.6. Password Security

3.6.1. Organization Access Policy – The system auditor should check whether the stock broker has a well documented policy that provides for a password policy as well as access control policy for exchange provided terminals and for API based terminals.

3.6.2. Authentication Capability – Whether the system authenticates user credentials by means of a password before allowing the user to login. Whether there is a system for authentication of orders originating from Internet Protocol by means of two-factor authentication, including Public Key Infrastructure (PKI) based implementation of digital signatures.

3.6.3. Password Best Practices – Whether there is a system provision for masking of password, system prompt to change default password on first login, disablement of user id on entering multiple wrong passwords (as defined in the password policy document), periodic password change mandate and appropriate prompt to user, strong parameters for password, deactivation of dormant user id, etc.

3.7. Session Management

3.7.1. Session Authentication – Whether the system has provision for Confidentiality, Integrity and Availability (CIA) of the session and the data transmitted during the session by means of appropriate user and session authentication mechanisms like SSL etc.

3.7.2. Session Security – Whether there is availability of an end-to-end encryption for all data exchanged between client and broker system or other means of ensuring session security. Whether session login details are stored on the devices used for IBT and STWT.

3.7.3. Inactive Session – Whether the system allows for automatic trading session logout after a system defined period of inactivity.

3.7.4. Log Management – Whether the system generates and maintains logs of number of users, activity logs, system logs, number of active clients.

3.8. Database Security

3.8.1. Access – Whether the system allows CTCL or IML database access only to authorized users / applications.

3.8.2. Controls – Whether the CTCL or IML database server is hosted on a secure platform, with username and password stored in an encrypted form using strong encryption algorithms.

3.9. Network Integrity

3.9.1. Seamless connectivity – Whether the stock broker has ensured that a backup network link is available in case of primary link failure with the exchange.

3.9.2. Network Architecture – Whether the web server is separate from the Application and Database Server.

3.9.3. Firewall Configuration – Whether appropriate firewalls are present between the stock broker's trading setup and various communication links to the exchange. Whether the firewalls are appropriately configured to ensure maximum security.

3.10. Access Controls

3.10.1. Access to server rooms – Whether adequate controls are in place for access to server rooms and whether proper audit trails are maintained for the same.

3.10.2. Additional Access controls - Whether the system provides for two factor authentication mechanism to access various CTCL or IML components. Whether additional password requirements are set for critical features of the system. Whether the access control is adequate.

3.11. Backup and Recovery

3.11.1. Backup and Recovery Policy – Whether the organization has a well documented policy on periodic backup of data generated from the broking operations.

3.11.2. Log generation and data consistency – Whether backup logs are maintained and backup data is tested for consistency.

3.11.3. System Redundancy – Whether there are appropriate backups in case of failures of any critical system components.

3.12. BCP/DR (Only applicable for Stock Brokers having BCP / DR site)

3.12.1. BCP / DR Policy – Whether the stock broker has a well documented BCP / DR policy and plan. The system auditor should comment on the documented incident response procedures.

3.12.2. Alternate channel of communication – Whether the stock broker has provided its clients with alternative means of communication including channel for communication in case of a disaster. Whether the alternate channel is capable of authenticating the user after asking for additional details or OTP (One-Time-Password).

3.12.3. High Availability – Whether BCP / DR systems and network connectivity provide high availability and have no single point of failure for any critical operations as identified by the BCP / DR policy.

3.12.4. Connectivity with other FMIs – The system auditor should check whether there is an alternative medium to communicate with Stock Exchanges and other FMIs.

3.13. Segregation of Data and Processing facilities – The system auditor should check and comment on the segregation of data and processing facilities at the stock broker in case the stock broker is also running other business.

3.14. Back office data

3.14.1. Data consistency – The system auditor should verify whether aggregate client code data available at the back office of broker matches with the data submitted / available with the Stock Exchanges through online data view / download provided by exchanges to members.

3.14.2. Trail Logs – The system auditor should specifically comment on the logs of Client Code data to ascertain whether editing or deletion of records have been properly documented and recorded and does not result in any irregularities.

3.15. User Management

3.15.1. User Management Policy – The system auditor should verify whether the stock broker has a well documented policy that provides for user management and the user management policy explicitly defines user, database and application access matrix.

3.15.2. Access to Authorized users – The system auditor should verify whether the system allows access only to the authorized users of the CTCL or IML system. Whether there is a proper documentation of the authorized users in the form of user application approval, copies of user qualification and other necessary documents.

3.15.3. User Creation / Deletion – The system auditor should verify whether new user ids were created / deleted as per CTCL or IML guidelines of the exchanges and whether the user ids are unique in nature.

3.15.4. User Disablement – The system auditor should verify whether non-compliant users are disabled and appropriate logs such as event log and trade logs of the user are maintained.

3.16. IT Infrastructure Management (including use of various Cloud computing models such as Infrastructure as a service (IaaS), Platform as a service (PaaS), Software as a service (SaaS), Network as a service (NaaS))

3.16.1. IT Governance and Policy – The system auditor should verify whether the relevant IT Infrastructure-related policies and standards exist and are regularly reviewed and updated. Compliance with these policies is periodically assessed.

3.16.2. IT Infrastructure Planning – The system auditor should verify whether the plans/policy for the appropriate management and replacement of aging IT infrastructure components have been documented, approved, and implemented. The activities, schedules and resources needed to achieve objectives related to IT infrastructure have been integrated into business plans and budgets.

3.16.3. IT Infrastructure Availability (SLA Parameters) – The system auditor should verify whether the broking firm has a process in place to define its required availability of the IT infrastructure, and its tolerance to outages. In cases where there is huge reliance on vendors for the provision of IT services to the brokerage firm the system auditor should also verify that the mean time to recovery (MTTR) mentioned in the Service Level Agreement (SLA) by the service provider satisfies the requirements of the broking firm.

3.16.4. IT Performance Monitoring (SLA Monitoring) – The system auditor should verify that the results of SLA performance monitoring are documented and are reported to the management of the broker.

3.17. Exchange specific exceptional reports – The additional checks recommended by a particular exchange need to be looked into and commented upon by the system auditor over and above the ToR of the system audit.

3.18. Software Testing Procedures - The system auditor shall audit whether the stock broker has complied with the guidelines and instructions of SEBI / Stock Exchanges with regard to testing of software and new patches including the following:

3.18.1. Test Procedure Review – The system auditor should review and evaluate the procedures for system and program testing. The system auditor should also review the adequacy of tests.

3.18.2. Documentation – The system auditor should review documented testing procedures, test data, and resulting output to determine if they are comprehensive and if they follow the organization's standards.

3.18.3. Test Cases – The system auditor should review the test cases and comment upon the adequacy of the same with respect to the requirements of the Stock Exchange and various SEBI Circulars.

Annexure-6

Executive Summary Reporting Format

For Preliminary Audit

| Audit Date | Observation | Description of Finding | Department | Status / Nature of Findings | Risk Ratings of Findings | Audit TOR Clause | Audited by | Root cause Analysis | Impact Analysis | Suggested Corrective action | Deadline for the Corrective Action | Verified By | Closing date |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |

Description of relevant Table heads

  1. Audit Date – This indicates the date of conducting the audit
  2. Description of Findings/ Observations – Description of the findings in sufficient detail, referencing any accompanying evidence (e.g. copies of procedures, interview notes, screen shots etc.)
  3. Status/ Nature of Findings - the category can be specified for example: a. Non Compliant b. Work In progress c. Observation d. Suggestion
  4. Risk Rating of Findings – A rating has to be given for each of the observations based on their impact and severity to reflect the risk exposure, as well as the suggested priority for action.

| Rating | Description |
| --- | --- |
| HIGH | Weaknesses in controls that represent exposure to the organization or risks that could lead to instances of non-compliance with the requirements of TORs. These risks need to be addressed with utmost priority. |
| MEDIUM | Potential weakness in controls, which could develop into an exposure or issues that represent areas of concern and may impact internal controls. These should be addressed reasonably promptly. |
| LOW | Potential weaknesses in controls, which in combination with other weakness can develop into an exposure. Suggested improvements for situations not immediately/directly affecting controls. |
  5. Audit TOR Clause – The TOR clause corresponding to this observation.
  6. Root cause Analysis – A detailed analysis on the cause of the nonconformity.
  7. Impact Analysis – An analysis of the likely impact on the operations/ activity of the organization.
  8. Suggested Corrective Action – The action to be taken by the broker to correct the nonconformity.

For Follow on / Follow up System Audit

| Preliminary Audit Date | S. No. | Preliminary Observation Number | Preliminary Status | Preliminary Corrective Action | Current Finding | Current Status | Revised Corrective Action | Deadline for the Revised Corrective Action | Verified By | Closing date |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |

Description of relevant Table heads

  1. Preliminary Status – The original finding as per the preliminary System Audit Report.
  2. Preliminary Corrective Action – The original corrective action as prescribed in the preliminary System Audit report.
  3. Current Finding – The current finding w.r.t. the issue.
  4. Current Status – Current status of the issue viz Compliant, Non-Compliant, Work In Progress (WIP).
  5. Revised Corrective Action – The revised corrective action prescribed w.r.t. the Non-Compliant / WIP issues.

Annexure-7

ACCOUNT OPENING KIT

INDEX OF DOCUMENTS

MANDATORY DOCUMENTS AS PRESCRIBED BY SEBI & EXCHANGES

| S. No. | Name of the Document | Brief Significance of the Document | Page No |
| --- | --- | --- | --- |
| 1 | Account Opening Form | A. KYC form - Document captures the basic information about the constituent and an instruction/check list. B. Document captures the additional information about the constituent relevant to trading account and an instruction/check list. | |
| 2 | Rights and Obligations | Document stating the Rights & Obligations of stock broker/trading member and client for trading on exchanges (including additional rights & obligations in case of internet/wireless technology based trading). | |
| 3 | Risk Disclosure Document (RDD) | Document detailing risks associated with dealing in the securities market. | |
| 4 | Guidance note | Document detailing do’s and don’ts for trading on exchange, for the education of the investors. | |
| 5 | Policies and Procedures | Document describing significant policies and procedures of the stock broker (to be added by the stock broker). | |
| 6 | Tariff sheet | Document detailing the rate/amount of brokerage and other charges levied on the client for trading on the stock exchange(s) (to be added by the stock broker). | |

VOLUNTARY DOCUMENTS AS PROVIDED BY THE STOCK BROKER

| S. No. | Name of the Document | Brief Significance of the Document | Page No |
| --- | --- | --- | --- |
| 7 | Demat Debit and Pledge Instruction (DDPI) | Document seeking authorization by client to the stock broker, to access the demat account of the client for specified purposes only. | |
| 8 | | | |

Name of stock broker/trading member/clearing member: --------------------

SEBI Registration No. and date: --------------------

Registered office address: --------------------

Ph: -------------------- Fax: -------------------- Website: --------------------

Correspondence office address: --------------------

Ph: -------------------- Fax: -------------------- Website: --------------------

Compliance officer name, phone no. & email id: --------------------

CEO name, phone no. & email id: --------------------

For any grievance/dispute please contact stock broker (name) at the above address or email id xxx@email.com and Phone no. 91-XXXXXXXXXX. In case not satisfied with the response, please contact the concerned exchange(s) at xyz@email.com and Phone no. 91-XXXXXXXXXX.

Annexure-8

TRADING ACCOUNT RELATED DETAILS

For Individuals & Non-individuals

A. BANK ACCOUNT(S) DETAILS

| Bank Name | Branch address | Bank account no. | Account Type: Saving/Current/ Others-In case of NRI/NRE/NRO | MICR Number | IFSC code |
| --- | --- | --- | --- | --- | --- |

B. DEPOSITORY ACCOUNT(S) DETAILS

| Depository Participant Name | Depository Name (NSDL/CDSL) | Beneficiary name | DP ID | Beneficiary ID (BO ID) |
| --- | --- | --- | --- | --- |

C. TRADING PREFERENCES

*Please sign in the relevant boxes where you wish to trade. Please strike off the segment not chosen by you.

Exchanges: NSE, BSE & MSEI; MCX, NCDEX, BSE & NSE

All Segments: Cash / Mutual Fund; F&O; Currency; Debt; Commodity Derivatives

If you do not wish to trade in any of segments / Mutual Fund, please mention here ____________________.

D. OTHER DETAILS (For Individuals)

  1. Gross Annual Income Details (please specify): Income Range per annum: Below Rs 1 Lac / 1-5 Lac /5-10 Lac / 10-25 Lac / >25 Lacs or Net-worth as on (date)…………………. (------------------------------) (Net worth should not be older than 1 year)
  2. Occupation (please tick any one and give brief details): Private Sector/ Public Sector/ Government Service/Business/ Professional/ Agriculturist/ Retired/ Housewife/ Student/ Others
  3. Please tick, if applicable: Politically Exposed Person (PEP)/ Related to a Politically Exposed Person (PEP)
  4. Any other information:

E. OTHER DETAILS (For Non-Individuals)

  1. Gross Annual Income Details (please specify): Income Range per annum: Below Rs 1 Lac / 1-5 Lac / 5-10 Lac / 10-25 Lac / 25 Lacs-1 crore / > 1 crore
  2. Net-worth as on (date) ………….….…. (dd/mm/yyyy): (Net worth should not be older than 1 year)
  3. Name, PAN, residential address and photographs of Promoters/Partners/Karta/Trustees and whole time directors:
  4. DIN/UID of Promoters/Partners/Karta and whole time directors:
  5. Please tick, if applicable, for any of your authorized signatories/Promoters/Partners/Karta/Trustees/whole time directors: Politically Exposed Person (PEP)/ Related to a Politically Exposed Person (PEP)
  6. Any other information:

F. PAST ACTIONS

• Details of any action/proceedings initiated/pending/ taken by SEBI/ Stock exchange/any other authority against the applicant/constituent or its Partners/promoters/whole time directors/authorized persons in charge of dealing in securities during the last 3 years: ……………………

G. DEALINGS THROUGH OTHER STOCK BROKERS

• Whether dealing with any other stock broker (in case of dealing with multiple stock brokers, provide details of all)

Name of stock broker: …………………… Client Code: …………………… Exchange: ……………………

Details of disputes/dues pending from/to such stock broker: ……………………

H. ADDITIONAL DETAILS

• Whether you wish to receive physical contract note or Electronic Contract Note (ECN) (please specify): …………… Specify your Email id, if applicable: ……………………

• Whether you wish to avail of the facility of internet trading/ wireless technology (please specify): ……………………

• Number of years of Investment/Trading Experience: ……………………

• In case of non-individuals, name, designation, PAN, UID, signature, residential address and photographs of persons authorized to deal in securities on behalf of company/firm/others: ……………………

Any other information: ……………………

I. INTRODUCER DETAILS (optional)

Name of the Introducer: …………………… (Surname) (Name) (Middle Name)

Status of the Introducer: Remisier/Authorized Person/Existing Client/Others, please specify ……………………

Address and phone no. of the Introducer: …………………… Signature of the Introducer: ……………………

J. NOMINATION DETAILS (for individuals only)

I/We wish to nominate

I/We do not wish to nominate

Name of the Nominee: …………………… Relationship with the Nominee: ……………………

PAN of Nominee: …………………… Date of Birth of Nominee: ……………………

Address and phone no. of the Nominee: ……………………

If Nominee is a minor, details of guardian:

Name of guardian: …………………… Address and phone no. of Guardian: ……………………

Signature of guardian ……………………

WITNESSES (Only applicable in case the account holder has made nomination)

Name ------------------------- Name -------------------------

Signature --------------------- Signature ---------------------

Address ----------------------- Address -----------------------

DECLARATION

  1. I/We hereby declare that the details furnished above are true and correct to the best of my/our knowledge and belief and I/we undertake to inform you of any changes therein, immediately. In case any of the above information is found to be false or untrue or misleading or misrepresenting, I am/we are aware that I/we may be held liable for it.

  2. I/We confirm having read/been explained and understood the contents of the document on policy and procedures of the stock broker and the tariff sheet.
  3. I/We further confirm having read and understood the contents of the ‘Rights and Obligations’ document(s) and ‘Risk Disclosure Document’. I/We do hereby agree to be bound by such provisions as outlined in these documents. I/We have also been informed that the standard set of documents has been displayed for Information on stock broker’s designated website, if any.

Place ----------------------- (---------------------------------------------------)
Date ------------------------ Signature of Client/ (all) Authorized Signatory (ies)

FOR OFFICE USE ONLY

UCC Code allotted to the Client: --------------------

| | Documents verified with Originals | Client Interviewed By | In-Person Verification done by |
|---|---|---|---|
| Name of the Employee | | | |
| Employee Code | | | |
| Designation of the employee | | | |
| Date | | | |
| Signature | | | |

I / We undertake that we have made the client aware of ‘Policy and Procedures’, tariff sheet and all the non-mandatory documents. I/We have also made the client aware of ‘Rights and Obligations’ document (s), RDD and Guidance Note. I/We have given/sent him a copy of all the KYC documents. I/We undertake that any change in the ‘Policy and Procedures’, tariff sheet and all the non-mandatory documents would be duly intimated to the clients. I/We also undertake that any change in the ‘Rights and Obligations’ and RDD would be made available on my/our website, if any, for the information of the clients.

………………………………………..
Signature of the Authorised Signatory
Date ………………….
Seal/Stamp of the stock broker

INSTRUCTIONS/ CHECK LIST

  1. Additional documents in case of trading in derivatives segments - illustrative list:
     • Copy of ITR Acknowledgement
     • Copy of Annual Accounts
     • In case of salary income - Salary Slip, Copy of Form 16
     • Net worth certificate
     • Copy of demat account holding statement.
     • Bank account statement for last 6 months
     • Any other relevant documents substantiating ownership of assets.
     • Self declaration with relevant supporting documents.

     *In respect of other clients, documents as per risk management policy of the stock broker need to be provided by the client from time to time.
  2. Copy of cancelled cheque leaf/ pass book/bank statement specifying name of the constituent, MICR Code or/and IFSC Code of the bank should be submitted.
  3. Demat master or recent holding statement issued by DP bearing name of the client.
  4. For individuals:
     a. Stock broker has an option of doing ‘in-person’ verification through web camera at the branch office of the stock broker.
     b. In case of non-resident clients, employees at the stock broker’s local office, overseas can do ‘in-person’ verification. Further, considering the infeasibility of carrying out ‘In-person’ verification of the non-resident clients by the stock broker’s staff, attestation of KYC documents by Notary Public, Court, Magistrate, Judge, Local Banker, Indian Embassy / Consulate General in the country where the client resides may be permitted.
  5. For non-individuals:
     a. Form needs to be initialed by all the authorized signatories.
     b. Copy of Board Resolution or declaration (on the letterhead) naming the persons authorized to deal in securities on behalf of company/firm/others and their specimen signatures.

Annexure-9

RIGHTS AND OBLIGATIONS OF STOCK BROKERS AND CLIENTS as prescribed by SEBI and Stock Exchanges

  1. The client shall invest/trade in those securities/contracts/other instruments admitted to dealings on the Exchanges as defined in the Rules, Byelaws and Regulations of Exchanges/ Securities and Exchange Board of India (SEBI) and circulars/notices issued there under from time to time.
  2. The stock broker, and the client shall be bound by all the Rules, Byelaws and Regulations of the Exchange and circulars/notices issued there under and Rules and Regulations of SEBI and relevant notifications of Government authorities as may be in force from time to time.
  3. The client shall satisfy itself of the capacity of the stock broker to deal in securities and/or deal in derivatives contracts and wishes to execute its orders through the stock broker and the client shall from time to time continue to satisfy itself of such capability of the stock broker before executing orders through the stock broker.
  4. The stock broker shall continuously satisfy itself about the genuineness and financial soundness of the client and investment objectives relevant to the services to be provided.
  5. The stock broker shall take steps to make the client aware of the precise nature of the Stock broker’s liability for business to be conducted, including any limitations, the liability and the capacity in which the stock broker acts.

CLIENT INFORMATION

  6. The client shall furnish all such details in full as are required by the stock broker in “Account Opening Form” with supporting details, made mandatory by stock exchanges/SEBI from time to time.
  7. The client shall familiarize himself with all the mandatory provisions in the Account Opening documents. Any additional clauses or documents specified by the stock broker shall be non-mandatory, as per terms & conditions accepted by the client.
  8. The client shall immediately notify the stock broker in writing if there is any change in the information in the ‘account opening form’ as provided at the time of account opening and thereafter; including the information on winding up petition/insolvency petition or any litigation which may have material bearing on his capacity. The client shall provide/update the financial information to the stock broker on a periodic basis.
  9. The stock broker shall maintain all the details of the client as mentioned in the account opening form or any other information pertaining to the client, confidentially and that they shall not disclose the same to any person/authority except as required under any law/regulatory requirements. Provided however that the stock broker may so disclose information about his client to any person or authority with the express permission of the client.

MARGINS

  10. The client shall pay applicable initial margins, withholding margins, special margins or such other margins as are considered necessary by the stock broker or the Exchange or as may be directed by SEBI from time to time as applicable to the segment(s) in which the client trades. The stock broker is permitted in its sole and absolute discretion to collect additional margins (even though not required by the Exchange, Clearing House/Clearing Corporation or SEBI) and the client shall be obliged to pay such margins within the stipulated time.
  11. The client understands that payment of margins by the client does not necessarily imply complete satisfaction of all dues. In spite of consistently having paid margins, the client may, on the settlement of its trade, be obliged to pay (or entitled to receive) such further sums as the contract may dictate/require.

TRANSACTIONS AND SETTLEMENTS

  12. The client shall give any order for buy or sell of a security/derivatives contract in writing or in such form or manner, as may be mutually agreed between the client and the stock broker. The stock broker shall ensure to place orders and execute the trades of the client, only in the Unique Client Code assigned to that client.
  13. The stock broker shall inform the client and keep him apprised about trading/settlement cycles, delivery/payment schedules, any changes therein from time to time, and it shall be the responsibility in turn of the client to comply with such schedules/procedures of the relevant stock exchange where the trade is executed.
  14. The stock broker shall ensure that the money/securities deposited by the client shall be kept in a separate account, distinct from his/its own account or account of any other client and shall not be used by the stock broker for himself/itself or for any other client or for any purpose other than the purposes mentioned in Rules, Regulations, circulars, notices, guidelines of SEBI and/or Rules, Regulations, Bye-laws, circulars and notices of Exchange.
  15. Where the Exchange(s) cancels trade(s) suo moto all such trades including the trade/s done on behalf of the client shall ipso facto stand cancelled, stock broker shall be entitled to cancel the respective contract(s) with client(s).
  16. The transactions executed on the Exchange are subject to Rules, Byelaws and Regulations and circulars/notices issued thereunder of the Exchanges where the trade is executed and all parties to such trade shall have submitted to the jurisdiction of such court as may be specified by the Byelaws and Regulations of the Exchanges where the trade is executed for the purpose of giving effect to the provisions of the Rules, Byelaws and Regulations of the Exchanges and the circulars/notices issued thereunder.

BROKERAGE

  17. The Client shall pay to the stock broker brokerage and statutory levies as are prevailing from time to time and as they apply to the Client’s account, transactions and to the services that stock broker renders to the Client. The stock broker shall not charge brokerage more than the maximum brokerage permissible as per the rules, regulations and bye-laws of the relevant stock exchanges and/or rules and regulations of SEBI.

LIQUIDATION AND CLOSE OUT OF POSITION

  18. Without prejudice to the stock broker's other rights (including the right to refer a matter to arbitration), the client understands that the stock broker shall be entitled to liquidate/close out all or any of the client's positions for non-payment of margins or other amounts, outstanding debts, etc. and adjust the proceeds of such liquidation/close out, if any, against the client's liabilities/obligations. Any and all losses and financial charges on account of such liquidation/closing-out shall be charged to and borne by the client.
  19. In the event of death or insolvency of the client or his/its otherwise becoming incapable of receiving and paying for or delivering or transferring securities which the client has ordered to be bought or sold, stock broker may close out the transaction of the client and claim losses, if any, against the estate of the client. The client or his nominees, successors, heirs and assignee shall be entitled to any surplus which may result there from. The client shall note that transfer of funds/securities in favor of a Nominee shall be valid discharge by the stock broker against the legal heir. The stock broker shall bring to the notice of the relevant Exchange the information about default in payment/delivery and related aspects by a client. In case where defaulting client is a corporate Entity/partnership/proprietary firm or any other artificial legal entity, then the name(s) of Director(s)/Promoter(s)/Partner(s)/Proprietor as the case may be, shall also be communicated by the stock broker to the relevant Exchange(s).

DISPUTE RESOLUTION

  20. The stock broker shall provide the client with the relevant contact details of the concerned Exchanges and SEBI.
  21. The stock broker shall co-operate in redressing grievances of the client in respect of all transactions routed through it and in removing objections for bad delivery of shares, rectification of bad delivery, etc.
  22. The client and the stock broker shall refer any claims and/or disputes with respect to deposits, margin money, etc., to conciliation/arbitration as per the Rules, Byelaws and Regulations of the Exchanges where the trade is executed and circulars/notices issued thereunder as may be in force from time to time.
  23. The stock broker shall ensure faster settlement of any dispute through conciliation/arbitration proceedings arising out of the transactions entered into between him vis-à-vis the client and he shall be liable to implement the conciliation report/settlement agreement /arbitration awards made in such proceedings.
  24. The client/stock-broker understands that the instructions issued by an authorized representative for dispute resolution, if any, of the client/stock-broker shall be binding on the client/stock-broker in accordance with the letter authorizing the said representative to deal on behalf of the said client/stock-broker.

TERMINATION OF RELATIONSHIP

  25. This relationship between the stock broker and the client shall be terminated; if the stock broker for any reason ceases to be a member of the stock exchange including cessation of membership by reason of the stock broker's default, death, resignation or expulsion or if the certificate is cancelled by the Board.
  26. The stock broker and the client shall be entitled to terminate the relationship between them without giving any reasons to the other party, after giving notice in writing of not less than one month to the other parties. Notwithstanding any such termination, all rights, liabilities and obligations of the parties arising out of or in respect of transactions entered into prior to the termination of this relationship shall continue to subsist and vest in/be binding on the respective parties or his/its respective heirs, executors, administrators, legal representatives or successors, as the case may be.

ADDITIONAL RIGHTS AND OBLIGATIONS

  27. The stock broker shall ensure due protection to the client regarding client’s rights to dividends, rights or bonus shares, etc. in respect of transactions routed through it and it shall not do anything which is likely to harm the interest of the client with whom and for whom they may have had transactions in securities.
  28. The stock broker and client shall reconcile and settle their accounts from time to time as per the Rules, Regulations, Bye Laws, Circulars, Notices and Guidelines issued by SEBI and the relevant Exchanges where the trade is executed.
  29. The stock broker shall issue a contract note to his constituents for trades executed in such format as may be prescribed by the Exchange from time to time containing records of all transactions including details of order number, trade number, trade time, trade price, trade quantity, details of the derivatives contract, client code, brokerage, all charges levied etc. and with all other relevant details as required therein to be filled in and issued in such manner and within such time as prescribed by the Exchange. The stock broker shall send contract notes to the investors within one working day of the execution of the trades in hard copy and/or in electronic form using digital signature.
  30. The stock broker shall make pay out of funds or delivery of securities, as the case may be, to the Client within one working day of receipt of the payout from the relevant Exchange where the trade is executed unless otherwise specified by the client and subject to such terms and conditions as may be prescribed by the relevant Exchange from time to time where the trade is executed.
  31. The stock broker shall send a complete ‘Statement of Accounts’ for both funds and securities in respect of each of its clients in such periodicity and format within such time, as may be prescribed by the relevant Exchange, from time to time, where the trade is executed. The Statement shall also state that the client shall report errors, if any, in the Statement within such time as may be prescribed by the relevant Exchange from time to time where the trade was executed, from the receipt thereof to the Stock broker.
  32. The stock broker shall send daily margin statements to the clients. Daily Margin statement should include, inter alia, details of collateral deposited, collateral utilized and collateral status (available balance/due from client) with break up in terms of cash, Fixed Deposit Receipts (FDRs), Bank Guarantee and securities.
  33. The Client shall ensure that it has the required legal capacity to, and is authorized to, enter into the relationship with stock broker and is capable of performing his obligations and undertakings hereunder. All actions required to be taken to ensure compliance of all the transactions, which the Client may enter into shall be completed by the Client prior to such transaction being entered into.
  34. The stock broker / stock broker and depository participant shall not directly /indirectly compel the clients to execute Power of Attorney (PoA) or Demat Debit and Pledge Instruction (DDPI) or deny services to the client if the client refuses to execute PoA or DDPI.

ELECTRONIC CONTRACT NOTES (ECN)

  35. In case, client opts to receive the contract note in electronic form, he shall provide an appropriate e-mail id to the stock broker. The client shall communicate to the stock broker any change in the email-id through a physical letter. If the client has opted for internet trading, the request for change of email id may be made through the secured access by way of client specific user id and password.

  36. The stock broker shall ensure that all ECNs sent through the e-mail shall be digitally signed, encrypted, non-tamperable and in compliance with the provisions of the IT Act, 2000. In case, ECN is sent through e-mail as an attachment, the attached file shall also be secured with the digital signature, encrypted and non-tamperable.
  37. The client shall note that non-receipt of bounced mail notification by the stock broker shall amount to delivery of the contract note at the e-mail ID of the client.

  1. The stock broker shall retain ECN and acknowledgement of the e-mail in a soft and non-tamperable form in the manner prescribed by the exchange in compliance with the provisions of the IT Act, 2000 and as per the extant rules/regulations/circulars/guidelines issued by SEBI/Stock Exchanges from time to time. The proof of delivery i.e., log report generated by the system at the time of sending the contract notes shall be maintained by the stock broker for the specified period under the extant regulations of SEBI/stock exchanges. The log report shall provide the details of the contract notes that are not delivered to the client/e-mails rejected or bounced back. The stock broker shall take all possible steps to ensure receipt of notification of bounced mails by him at all times within the stipulated time period under the extant regulations of SEBI/stock exchanges.
  2. The stock broker shall continue to send contract notes in the physical mode to such clients who do not opt to receive the contract notes in the electronic form. Wherever the ECNs have not been delivered to the client or have been rejected (bouncing of mails) by the e-mail ID of the client, the stock broker shall send either a physical contract note to the client or an ECN through electronic instant messaging services within the stipulated time under the extant regulations of SEBI/stock exchanges and maintain the proof of delivery of such physical contract notes.
  3. In addition to the e-mail communication of the ECNs to the client, the stock broker shall simultaneously publish the ECN on his designated web-site, if any, in a secured way and enable relevant access to the clients and for this purpose, shall allot a unique user name and password to the client, with an option to the client to save the contract note electronically and/or take a print out of the same.

LAW AND JURISDICTION

  4. In addition to the specific rights set out in this document, the stock broker and the client shall be entitled to exercise any other rights which the stock broker or the client may have under the Rules, Bye-laws and Regulations of the Exchanges in which the client chooses to trade and circulars/notices issued thereunder or Rules and Regulations of SEBI.
  5. The provisions of this document shall always be subject to Government notifications, any rules, regulations, guidelines and circulars/notices issued by SEBI and Rules, Regulations and Bye laws of the relevant stock exchanges, where the trade is executed, that may be in force from time to time.
  6. The stock broker and the client shall abide by conciliation report/settlement agreement/arbitration award passed by the conciliator/Arbitrator(s) under the Arbitration and Conciliation Act, 1996. However, there is also a provision of appeal within the stock exchanges, if either party is not satisfied with the arbitration award.
  7. Words and expressions which are used in this document but which are not defined herein shall, unless the context otherwise requires, have the same meaning as assigned thereto in the Rules, Byelaws and Regulations and circulars/notices issued thereunder of the Exchanges/SEBI.

  8. All additional voluntary clauses/document added by the stock broker should not be in contravention with rules/regulations/notices/circulars of Exchanges/SEBI. Any changes in such voluntary clauses/document(s) need to be preceded by a notice of 15 days. Any changes in the rights and obligations which are specified by Exchanges/SEBI shall also be brought to the notice of the clients.
  38. If the rights and obligations of the parties hereto are altered by virtue of change in Rules and regulations of SEBI or Bye-laws, Rules and Regulations of the relevant stock Exchanges where the trade is executed, such changes shall be deemed to have been incorporated herein in modification of the rights and obligations of the parties mentioned in this document.

INTERNET & WIRELESS TECHNOLOGY BASED TRADING FACILITY PROVIDED BY STOCK BROKERS TO CLIENT

(All the clauses mentioned in the ‘Rights and Obligations’ document(s) shall be applicable. Additionally, the clauses mentioned herein shall also be applicable.)

  1. Stock broker is eligible for providing Internet based trading (IBT) and securities trading through the use of wireless technology that shall include the use of devices such as mobile phone, laptop with data card, etc. which use Internet Protocol (IP). The stock broker shall comply with all requirements applicable to internet based trading/securities trading using wireless technology as may be specified by SEBI & the Exchanges from time to time.
  2. The client is desirous of investing/trading in securities and for this purpose, the client is desirous of using either the internet based trading facility or the facility for securities trading through use of wireless technology. The Stock broker shall provide the Stock broker’s IBT Service to the Client, and the Client shall avail of the Stock broker’s IBT Service, on and subject to SEBI/Exchanges Provisions and the terms and conditions specified on the Stock broker’s IBT Web Site provided that they are in line with the norms prescribed by Exchanges/SEBI.
  3. The stock broker shall bring to the notice of the client the features, risks, responsibilities, obligations and liabilities associated with securities trading through wireless technology/internet/smart order routing or any other technology.
  4. The stock broker shall make the client aware that the Stock Broker’s IBT system itself generates the initial password and its password policy as stipulated in line with norms prescribed by Exchanges/SEBI.
  5. The Client shall be responsible for keeping the Username and Password confidential and secure and shall be solely responsible for all orders entered and transactions done by any person whosoever through the Stock broker’s IBT System using the Client’s Username and/or Password whether or not such person was authorized to do so. Also the client is aware that authentication technologies and strict security measures are required for the internet trading/securities trading through wireless technology through order routed system and undertakes to ensure that the password of the client and/or his authorized representative are not revealed to any third party including employees and dealers of the stock broker.
  6. The Client shall immediately notify the Stock broker in writing if he forgets his password, discovers security flaw in Stock Broker’s IBT System, discovers/suspects discrepancies/ unauthorized access through his username/password/account with full details of such unauthorized use, the date, the manner and the transactions effected pursuant to such unauthorized use, etc.
  7. The Client is fully aware of and understands the risks associated with availing of a service for routing orders over the internet/securities trading through wireless technology and Client shall be fully liable and responsible for any and all acts done in the Client’s Username/password in any manner whatsoever.
  8. The stock broker shall send the order/trade confirmation through email to the client at his request. The client is aware that the order/ trade confirmation is also provided on the web portal. In case client is trading using wireless technology, the stock broker shall send the order/trade confirmation on the device of the client.
  9. The client is aware that trading over the internet involves many uncertain factors and complex hardware, software, systems, communication lines, peripherals, etc. are susceptible to interruptions and dislocations. The Stock broker and the Exchange do not make any representation or warranty that the Stock broker’s IBT Service will be available to the Client at all times without any interruption.
  10. The Client shall not have any claim against the Exchange or the Stock broker on account of any suspension, interruption, non-availability or malfunctioning of the Stock broker’s IBT System or Service or the Exchange’s service or systems or non-execution of his orders due to any link/system failure at the Client/Stock brokers/Exchange end for any reason beyond the control of the stock broker/Exchanges.

Annexure-10

RISK DISCLOSURE DOCUMENT FOR CAPITAL MARKET AND DERIVATIVES SEGMENTS

This document contains important information on trading in Equities/Derivatives Segments of the stock exchanges. All prospective constituents should read this document before trading in Equities/Derivatives Segments of the Exchanges.

Stock exchanges/SEBI does neither singly or jointly and expressly nor impliedly guarantee nor make any representation concerning the completeness, the adequacy or accuracy of this disclosure document nor have Stock exchanges /SEBI endorsed or passed any merits of participating in the trading segments. This brief statement does not disclose all the risks and other significant aspects of trading.

In the light of the risks involved, you should undertake transactions only if you understand the nature of the relationship into which you are entering and the extent of your exposure to risk.

You must know and appreciate that trading in Equity shares, derivatives contracts or other instruments traded on the Stock Exchange, which have varying element of risk, is generally not an appropriate avenue for someone of limited resources/limited investment and/or trading experience and low risk tolerance. You should therefore carefully consider whether such trading is suitable for you in the light of your financial condition.

In case you trade on Stock exchanges and suffer adverse consequences or loss, you shall be solely responsible for the same and Stock exchanges/its Clearing Corporation and/or SEBI shall not be responsible, in any manner whatsoever, for the same and it will not be open for you to take a plea that no adequate disclosure regarding the risks involved was made or that you were not explained the full risk involved by the concerned stock broker. The constituent shall be solely responsible for the consequences and no contract can be rescinded on that account.
You must acknowledge and accept that there can be no guarantee of profits or no exception from losses while executing orders for purchase and/or sale of a derivative contract being traded on Stock exchanges. It must be clearly understood by you that your dealings on Stock exchanges through a stock broker shall be subject to your fulfilling certain formalities set out by the stock broker, which may inter alia include your filling the know your client form, reading the rights and obligations, do’s and don’ts, etc., and are subject to the Rules, Byelaws and Regulations of relevant Stock exchanges, its Clearing Corporation, guidelines prescribed by SEBI and in force from time to time and Circulars as may be issued by Stock exchanges or its Clearing Corporation and in force from time to time.

Stock exchanges does not provide or purport to provide any advice and shall not be liable to any person who enters into any business relationship with any stock broker of Stock exchanges and/or any third party based on any information contained in this document. Any information contained in this document must not be construed as business advice. No consideration to trade should be made without thoroughly understanding and reviewing the risks involved in such trading. If you are unsure, you must seek professional advice on the same.

In considering whether to trade or authorize someone to trade for you, you should be aware of or must get acquainted with the following:-

  1. BASIC RISKS:

1.1 Risk of Higher Volatility: Volatility refers to the dynamic changes in price that a security/derivatives contract undergoes when trading activity continues on the Stock Exchanges. Generally, higher the volatility of a security/derivatives contract, greater is its price swings. There may be normally greater volatility in thinly traded securities / derivatives contracts than in active securities /derivatives contracts. As a result of volatility, your order may only be partially executed or not executed at all, or the price at which your order got executed may be substantially different from the last traded price or change substantially thereafter, resulting in notional or real losses.

1.2 Risk of Lower Liquidity: Liquidity refers to the ability of market participants to buy and/or sell securities / derivatives contracts expeditiously at a competitive price and with minimal price difference. Generally, it is assumed that more the numbers of orders available in a market, greater is the liquidity. Liquidity is important because with greater liquidity, it is easier for investors to buy and/or sell securities / derivatives contracts swiftly and with minimal price difference, and as a result, investors are more likely to pay or receive a competitive price for securities / derivatives contracts purchased or sold. There may be a risk of lower liquidity in some securities / derivatives contracts as compared to active securities / derivatives contracts. As a result, your order may only be partially executed, or may be executed with relatively greater price difference or may not be executed at all.
1.2.1 Buying or selling securities / derivatives contracts as part of a day trading strategy may also result into losses, because in such a situation, securities / derivatives contracts may have to be sold / purchased at low / high prices, compared to the expected price levels, so as not to have any open position or obligation to deliver or receive a security / derivatives contract.

1.3 Risk of Wider Spreads: Spread refers to the difference in best buy price and best sell price. It represents the differential between the price of buying a security / derivatives contract and immediately selling it or vice versa. Lower liquidity and higher volatility may result in wider than normal spreads for less liquid or illiquid securities / derivatives contracts. This in turn will hamper better price formation.

1.4 Risk-reducing orders: The placing of orders (e.g., "stop loss" orders, or "limit" orders) which are intended to limit losses to certain amounts may not be effective many a time because rapid movement in market conditions may make it impossible to execute such orders.

1.4.1 A "market" order will be executed promptly, subject to availability of orders on opposite side, without regard to price and that, while the customer may receive a prompt execution of a "market" order, the execution may be at available prices of outstanding orders, which satisfy the order quantity, on price time priority. It may be understood that these prices may be significantly different from the last traded price or the best price in that security / derivatives contract.

1.4.2 A "limit" order will be executed only at the "limit" price specified for the order or a better price. However, while the customer receives price protection, there is a possibility that the order may not be executed at all.

1.4.3 A stop loss order is generally placed "away" from the current price of a stock / derivatives contract, and such order gets activated if and when the security / derivatives contract reaches, or trades through, the stop price. Sell stop orders are entered ordinarily below the current price, and buy stop orders are entered ordinarily above the current price. When the security / derivatives contract reaches the pre-determined price, or trades through such price, the stop loss order converts to a market/limit order and is executed at the limit or better. There is no assurance therefore that the limit order will be executable since a security / derivatives contract might penetrate the pre-determined price, in which case, the risk of such order not getting executed arises, just as with a regular limit order.
1.5 Risk of News Announcements: News announcements that may impact the price of stock / derivatives contract may occur during trading, and when combined with lower liquidity and higher volatility, may suddenly cause an unexpected positive or negative movement in the price of the security / contract.

1.6 Risk of Rumors: Rumors about companies / currencies at times float in the market through word of mouth, newspapers, websites or news agencies, etc. The investors should be wary of and should desist from acting on rumors.

1.7 System Risk: High volume trading will frequently occur at the market opening and before market close. Such high volumes may also occur at any point in the day. These may cause delays in order execution or confirmation.

1.7.1 During periods of volatility, on account of market participants continuously modifying their order quantity or prices or placing fresh orders, there may be delays in order execution and its confirmations.

1.7.2 Under certain market conditions, it may be difficult or impossible to liquidate a position in the market at a reasonable price or at all, when there are no outstanding orders either on the buy side or the sell side, or if trading is halted in a security / derivatives contract due to any action on account of unusual trading activity or security / derivatives contract hitting circuit filters or for any other reason.

1.8 System/Network Congestion: Trading on exchanges is in electronic mode, based on satellite/leased line based communications, combination of technologies and computer systems to place and route orders. Thus, there exists a possibility of communication failure or system problems or slow or delayed response from system or trading halt, or any such other problem/glitch whereby not being able to establish access to the trading system/network, which may be beyond control and may result in delay in processing or not processing buy or sell orders either in part or in full. You are cautioned to note that although these problems may be temporary in nature, but when you have outstanding open positions or unexecuted orders, these represent a risk because of your obligations to settle all executed transactions.

2. As far as Derivatives segments are concerned, please note and get yourself acquainted with the following additional features:-

2.1 Effect of "Leverage" or "Gearing": In the derivatives market, the amount of margin is small relative to the value of the derivatives contract so the transactions are 'leveraged' or 'geared'. Derivatives trading, which is conducted with a relatively small amount of margin, provides the possibility of great profit or loss in comparison with the margin amount. But transactions in derivatives carry a high degree of risk. You should therefore completely understand the following statements before actually trading in derivatives and also trade with caution while taking into account one's circumstances, financial resources, etc. If the prices move against you, you may lose a part of or whole margin amount in a relatively short period of time. Moreover, the loss may exceed the original margin amount.

A. Futures trading involve daily settlement of all positions. Every day the open positions are marked to market based on the closing level of the index / derivatives contract. If the contract has moved against you, you will be required to deposit the amount of loss (notional) resulting from such movement. This amount will have to be paid within a stipulated time frame, generally before commencement of trading on next day.

B. If you fail to deposit the additional amount by the deadline or if an outstanding debt occurs in your account, the stock broker may liquidate a part of or the whole position or substitute securities. In this case, you will be liable for any losses incurred due to such close-outs.

C. Under certain market conditions, an investor may find it difficult or impossible to execute transactions. For example, this situation can occur due to factors such as illiquidity i.e. when there are insufficient bids or offers or suspension of trading due to price limit or circuit breakers etc.

D. In order to maintain market stability, the following steps may be adopted: changes in the margin rate, increases in the cash margin rate or others. These new measures may also be applied to the existing open interests. In such conditions, you will be required to put up additional margins or reduce your positions.

E. You must ask your broker to provide the full details of derivatives contracts you plan to trade i.e. the contract specifications and the associated obligations.

2.2 Currency specific risks:

  1. The profit or loss in transactions in foreign currency-denominated contracts, whether they are traded in your own or another jurisdiction, will be affected by fluctuations in currency rates where there is a need to convert from the currency denomination of the contract to another currency.
  2. Under certain market conditions, you may find it difficult or impossible to liquidate a position. This can occur, for example when a currency is deregulated or fixed trading bands are widened.
  3. Currency prices are highly volatile. Price movements for currencies are influenced by, among other things: changing supply-demand relationships; trade, fiscal, monetary, exchange control programs and policies of governments; foreign political and economic events and policies; changes in national and international interest rates and inflation; currency devaluation; and sentiment of the market place. None of these factors can be controlled by any individual advisor and no assurance can be given that an advisor's advice will result in profitable trades for a participating customer or that a customer will not incur losses from such events.

2.3 Risk of Option holders:

  1. An option holder runs the risk of losing the entire amount paid for the option in a relatively short period of time. This risk reflects the nature of an option as a wasting asset which becomes worthless when it expires. An option holder who neither sells his option in the secondary market nor exercises it prior to its expiration will necessarily lose his entire investment in the option. If the price of the underlying does not change in the anticipated direction before the option expires, to an extent sufficient to cover the cost of the option, the investor may lose all or a significant part of his investment in the option.
  2. The Exchanges may impose exercise restrictions and have absolute authority to restrict the exercise of options at certain times in specified circumstances.

2.4 Risks of Option Writers:

  1. If the price movement of the underlying is not in the anticipated direction, the option writer runs the risks of losing substantial amount.
  2. The risk of being an option writer may be reduced by the purchase of other options on the same underlying interest and thereby assuming a spread position or by acquiring other types of hedging positions in the options markets or other markets. However, even where the writer has assumed a spread or other hedging position, the risks may still be significant. A spread position is not necessarily less risky than a simple 'long' or 'short' position.
  3. Transactions that involve buying and writing multiple options in combination, or buying or writing options in combination with buying or selling short the underlying interests, present additional risks to investors. Combination transactions, such as option spreads, are more complex than buying or writing a single option. And it should be further noted that, as in any area of investing, a complexity not well understood is, in itself, a risk factor. While this is not to suggest that combination strategies should not be considered, it is advisable, as is the case with all investments in options, to consult with someone who is experienced and knowledgeable with respect to the risks and potential rewards of combination transactions under various market circumstances.

3. TRADING THROUGH WIRELESS TECHNOLOGY/ SMART ORDER ROUTING OR ANY OTHER TECHNOLOGY: Any additional provisions defining the features, risks, responsibilities, obligations and liabilities associated with securities trading through wireless technology/ smart order routing or any other technology should be brought to the notice of the client by the stock broker.

4. GENERAL

4.1 The term ‘constituent’ shall mean and include a client, a customer or an investor, who deals with a stock broker for the purpose of acquiring and/or selling of securities / derivatives contracts through the mechanism provided by the Exchanges.

4.2 The term ‘stock broker’ shall mean and include a stock broker, a broker or a stock broker, who has been admitted as such by the Exchanges and who holds a registration certificate from SEBI.

Annexure-11

GUIDANCE NOTE - DO’s AND DON’Ts FOR TRADING ON THE EXCHANGE(S) FOR INVESTORS

BEFORE YOU BEGIN TO TRADE

  1. Ensure that you deal with and through only SEBI registered intermediaries. You may check their SEBI registration certificate number from the list available on the Stock exchanges www.exchange.com and SEBI website www.sebi.gov.in.
  2. Ensure that you fill the KYC form completely and strike off the blank fields in the KYC form.
  3. Ensure that you have read all the mandatory documents viz. Rights and Obligations, Risk Disclosure Document, Policy and Procedure document of the stock broker.
  4. Ensure to read, understand and then sign the voluntary clauses, if any, agreed between you and the stock broker. Note that the clauses as agreed between you and the stock broker cannot be changed without your consent.
  5. Get a clear idea about all brokerage, commissions, fees and other charges levied by the broker on you for trading and the relevant provisions/ guidelines specified by SEBI/Stock exchanges.
  6. Obtain a copy of all the documents executed by you from the stock broker free of charge.
  7. In case you wish to execute Power of Attorney (POA) in favour of the Stock broker, authorizing it to operate your bank and demat account, please refer to the guidelines issued by SEBI/Exchanges in this regard.

TRANSACTIONS AND SETTLEMENTS

  8. The stock broker may issue electronic contract notes (ECN) if specifically authorized by you in writing. You should provide your email id to the stock broker for the same. Don’t opt for ECN if you are not familiar with computers.
  9. Don’t share your internet trading account’s password with anyone.
  10. Don’t make any payment in cash to the stock broker.
  11. Make the payments by account payee cheque in favour of the stock broker. Don’t issue cheques in the name of sub-broker. Ensure that you have a documentary proof of your payment/deposit of securities with the stock broker, stating date, scrip, quantity, towards which bank/ demat account such money or securities deposited and from which bank/ demat account.
  12. Note that facility of Trade Verification is available on stock exchanges’ websites, where details of trade as mentioned in the contract note may be verified. Where trade details on the website do not tally with the details mentioned in the contract note, immediately get in touch with the Investors Grievance Cell of the relevant Stock exchange.
  13. In case you have given specific authorization for maintaining running account, payout of funds or delivery of securities (as the case may be), may not be made to you within one working day from the receipt of payout from the Exchange. Thus, the stock broker shall maintain running account for you subject to the following conditions:

      a) Such authorization from you shall be dated, signed by you only and contains the clause that you may revoke the same at any time.

      b) The actual settlement of funds and securities shall be done by the stock broker, at least once in a calendar quarter or month, depending on your preference. While settling the account, the stock broker shall send to you a ‘statement of accounts’ containing an extract from the client ledger for funds and an extract from the register of securities displaying all the receipts/deliveries of funds and securities. The statement shall also explain the retention of funds and securities and the details of the pledged shares, if any.

      c) On the date of settlement, the stock broker may retain the requisite securities/funds towards outstanding obligations and may also retain the funds expected to be required to meet derivatives margin obligations for next 5 trading days, calculated in the manner specified by the exchanges. In respect of cash market transactions, the stock broker may retain entire pay-in obligation of funds and securities due from clients as on date of settlement and for next day’s business, he may retain funds/securities/margin to the extent of value of transactions executed on the day of such settlement in cash market.

      d) You need to bring any dispute arising from the statement of account or settlement so made to the notice of the stock broker in writing preferably within 7 (seven) working days from the date of receipt of funds/securities or statement, as the case may be. In case of dispute, refer the matter in writing to the Investors Grievance Cell of the relevant Stock exchanges without delay.

  14. In case you have not opted for maintaining running account and pay-out of funds/securities is not received on the next working day of the receipt of payout from the exchanges, please refer the matter to the stock broker. In case there is dispute, ensure that you lodge a complaint in writing immediately with the Investors Grievance Cell of the relevant Stock exchange.
  15. Please register your mobile number and email id with the stock broker, to receive trade confirmation alerts/ details of the transactions through SMS or email, by the end of the trading day, from the stock exchanges.

IN CASE OF TERMINATION OF TRADING MEMBERSHIP

  16. In case, a stock broker surrenders his membership, is expelled from membership or declared a defaulter; Stock exchanges gives a public notice inviting claims relating to only the "transactions executed on the trading system" of Stock exchange, from the investors. Ensure that you lodge a claim with the relevant Stock exchanges within the stipulated period and with the supporting documents.
  17. Familiarize yourself with the protection accorded to the money and/or securities you may deposit with your stock broker, particularly in the event of a default or the stock broker’s insolvency or bankruptcy and the extent to which you may recover such money and/or securities may be governed by the Bye-laws and Regulations of the relevant Stock exchange where the trade was executed and the scheme of the Investors’ Protection Fund in force from time to time.

DISPUTES/ COMPLAINTS

  18. Please note that the details of the arbitration proceedings, penal action against the brokers and investor complaints against the stock brokers are displayed on the website of the relevant Stock exchange.
  19. In case your issue/problem/grievance is not being sorted out by concerned stock broker/sub-broker then you may take up the matter with the concerned Stock exchange. If you are not satisfied with the resolution of your complaint then you can escalate the matter to SEBI.

  20. Note that all the stock broker/sub-brokers have been mandated by SEBI to designate an e-mail ID of the grievance redressal division/compliance officer exclusively for the purpose of registering complaints.

Annexure-12

Nomination Form

TM / DP Name and Address

FORM FOR NOMINATION
(To be filled in by individual applying singly or jointly)

Date: D D M M Y Y Y Y
UCC/ DP ID: I N
Client ID:

I/We wish to make a nomination. [As per details given below]

Nomination Details

I/We wish to make a nomination and do hereby nominate the following person(s) who shall receive all the assets held in my / our account in the event of my / our death. Nomination can be made upto three nominees in the account.

|  |  | Details of 1st Nominee | Details of 2nd Nominee | Details of 3rd Nominee |
|---|---|---|---|---|
| 1 | Name of the nominee(s) (Mr./Ms.) |  |  |  |
| 2 | Share of each Nominee: Equally [If not equally, please specify percentage]. Any odd lot after division shall be transferred to the first nominee mentioned in the form. | % | % | % |
| 3 | Relationship With the Applicant (If Any) |  |  |  |
| 4 | Address of Nominee(s); City / Place; State & Country; PIN Code |  |  |  |
| 5 | Mobile / Telephone No. of nominee(s) # |  |  |  |
| 6 | Email ID of nominee(s) # |  |  |  |
| 7 | Nominee Identification details # [Please tick any one of following and provide details of same]: Photograph & Signature / PAN / Aadhaar / Saving Bank account no. / Proof of Identity / Demat Account ID |  |  |  |
|  | Sr. Nos. 8-14 should be filled only if nominee(s) is a minor: |  |  |  |
| 8 | Date of Birth {in case of minor nominee(s)} |  |  |  |
| 9 | Name of Guardian (Mr./Ms.) {in case of minor nominee(s)} |  |  |  |
| 10 | Address of Guardian(s); City / Place; State & Country; PIN Code |  |  |  |
| 11 | Mobile / Telephone no. of Guardian # |  |  |  |
| 12 | Email ID of Guardian # |  |  |  |
| 13 | Relationship of Guardian with nominee |  |  |  |
| 14 | Guardian Identification details # [Please tick any one of following and provide details of same]: Photograph & Signature / PAN / Aadhaar / Saving Bank account no. / Proof of Identity / Demat Account ID |  |  |  |

| Name(s) of holder(s) | Signature(s) of holder* |
|---|---|
| Sole / First Holder (Mr./Ms.) |  |
| Second Holder (Mr./Ms.) |  |
| Third Holder (Mr./Ms.) |  |

  • Signature of witness, along with name and address are required, if the account holder affixes thumb impression, instead of signature

Optional Fields (Information required at Serial nos. 5, 6, 7, 11, 12 & 14 is not mandatory)

Note:

This nomination shall supersede any prior nomination made by the account holder(s), if any.

The Trading Member / Depository Participant shall provide acknowledgement of the nomination form to the account holder(s)

Name and Signature of Holder(s)* 1.___________________________________2._______3

  • Signature of witness, along with name and address are required, if the account holder affixes thumb impression, instead of signature

Annexure-13

Declaration Form for opting out of nomination

To
Trading Member/Participant’s Name
Trading Member/Participant’s Address

Date: D D M M Y
UCC/DP ID: I N
Client ID (only for Demat account):

Sole/First Holder Name
Second Holder Name
Third Holder Name

I / We hereby confirm that I / We do not wish to appoint any nominee(s) in my / our trading / demat account and understand the issues involved in non-appointment of nominee(s) and further are aware that in case of death of all the account holder(s), my / our legal heirs would need to submit all the requisite documents / information for claiming of assets held in my / our trading / demat account, which may also include documents issued by Court or other such competent authority, based on the value of assets held in the trading / demat account.

Name and Signature of Holder(s)* 1.___________________________________2._______3


  • Signature of witness, along with name and address are required, if the account holder affixes thumb impression, instead of signature

Annexure-14

Demat Debit and Pledge Instruction

| S.No. | Purpose | Signature of Client * |
|---|---|---|
| 1 | Transfer of securities held in the beneficial owner accounts of the client towards Stock Exchange related deliveries / settlement obligations arising out of trades executed by clients on the Stock Exchange through the same stock broker |  |
| 2 | Pledging / re-pledging of securities in favour of trading member (TM) / clearing member (CM) for the purpose of meeting margin requirements of the clients in connection with the trades executed by the clients on the Stock Exchange. |  |
| 3 | Mutual Fund transactions being executed on Stock Exchange order entry platforms |  |
| 4 | Tendering shares in open offers through Stock Exchange platforms |  |


  • The same may be signed physically against each purpose of DDPI. The same may also be eSigned. In case of eSign, client shall be given an option for choosing the specific purpose(s) of DDPI.

Annexure-15

Format of the Daily Reporting by the members to the Exchange on the amount financed by them under the Margin Trading Facility

Name of the member:
Clearing No.:

| Name of Client | Category of Holding (Promoter/Promoter Group or Non Promoter) | PAN | Name of Stock or Equity ETF (Collateral or Funded Stock) | Stock Exchange | Quantity Financed (Number of shares or Units of Equity ETFs) | Amount Financed (INR in lakhs) |
|---|---|---|---|---|---|---|
|  |  |  |  |  |  |  |

| S. No. | Particulars | (INR in Lakhs) |
|---|---|---|
| 1 | Total outstanding on the beginning of the day |  |
| 2 | Add: Fresh exposure taken during the day |  |
| 3 | Less: Exposure liquidated during the day |  |
| 4 | Net outstanding at the end of the day |  |

Source of Funds

| S. No. | Particulars | (INR in Lakhs) |
|---|---|---|
| 1 | Out of net worth |  |
| 2 | Out of borrowed funds |  |
| 3 | If borrowed, name of lenders and amount borrowed to be specified separately |  |

Note: Disclosure is required to be made on or before 12 noon on the following trading day.

Annexure-16: Allocation of collateral

Illustration 1:

Consider a self-clearing member (SCM) who has received the following cash collateral from its clients:

| Client | Cash Received (Rs) |
|---|---|
| Client-1 | 2 crore |
| Client-2 | 3 crore |
| Client-3 | 1 crore |
| Client-4 | 1 crore |
| Total | 7 crore |

The member places Rs 6 crore with the CC – Rs 4 crore out of client funds and Rs 2 crore out of proprietary funds. Rs 3 crore worth of client collateral is maintained in the specified client bank account of the member. Few illustrations of allocations and whether permitted or not are provided below:

| Sl. | Allocation | Comments |
|---|---|---|
| 1 | Prop 2 Cr; Client-1 1 Cr; Client-2 1 Cr; Client-3 1 Cr; Client-4 1 Cr | Permitted, since total Rs 4 cr is allocated among clients and allocations to individual clients do not exceed the respective collateral provided by them. |
| 2 | Prop 2 Cr; Client-1 2 Cr; Client-2 2 Cr | Permitted, since total Rs 4 cr is allocated among clients and allocations to individual clients do not exceed the respective collateral provided by them. |
| 3 | Prop 2 Cr; Client-2 3 Cr; Client-3 0.5 Cr; Client-4 0.5 Cr | Permitted, since total Rs 4 cr is allocated among clients and allocations to individual clients do not exceed the respective collateral provided by them. |
| 4 | Prop 3 Cr; Client-1 2 Cr; Client-3 1 Cr | Not permitted, client collateral allocated as proprietary. Total collateral received from clients does not equal amount with the member plus amount allocated. |
| 5 | Prop 2 Cr; Client-2 2 Cr; Client-3 2 Cr | Not permitted, allocation to Client-3 is in excess from the collateral received from the client. |
| 6 | Client-1 2 Cr; Client-2 3 Cr; Client-3 0.5 Cr; Client-4 0.5 Cr | Permitted, proprietary collateral can be allocated as client collateral provided the allocated amount does not exceed the actual collateral received from the client. |
| 7 | Client-1 4 Cr; Client-3 1 Cr; Client-4 1 Cr | Not permitted, although proprietary collateral can be allocated as client collateral, such collateral cannot exceed the actual collateral received from the client |

Illustration 2:

Suppose a SCM receives the following collateral from clients:

| Client | Collateral Type | Value (Rs) |
|---|---|---|
| Client-1 | Cash | 1 crore |
| Client-2 | Approved securities | 2 crore |
| Client-2 | Non-approved securities | 2 crore |

The member re-pledges the approved securities to the CC. The non-approved securities cannot be provided to the CC. The member provides Rs 1 crore cash collateral of Client-1 and Rs 5 crore proprietary cash collateral to the CC. The member may allocate the collateral as follows:

| Client | Value (Rs) |
|---|---|
| Client-1 | 1 crore |
| Proprietary | 5 crore |

Thus, only the collateral provided to the CC (excluding securities provided through the margin pledge mechanism) shall be allocated. To clarify, Client-2 would still get the benefit of eligible securities collateral re-pledged to CC, however the value for the same shall be assigned by the CC to the account of Client-2, and therefore no collateral allocation shall be done by the member. The non-approved securities collateral would be retained by the member.

If the Client-2 wishes to trade in such a manner that the margin would exceed Rs 2 crore, the member may allocate the proprietary collateral to the client, as follows:

| Client | Value (Rs) |
|---|---|
| Client-1 | 1 crore |
| Client-2 | 2 crore |
| Proprietary | 3 crore |

Annexure-17: Monitoring of the minimum 50% cash-equivalent collateral requirement

Consider the following example of collateral provided by various entities under a CM.

| Entity | Cash-equivalent (A) | Non-cash (B) | Excess cash-eq. If(A>B,A-B,0) | Excess non-cash If(B>A,B-A,0) |
|---|---|---|---|---|
| CM Prop | 100 | 40 | 60 | 0 |
| TM-1 Prop | 0 |  |  |  |
| TM-1 Cli-1 | 200 | 250 | 0 | 50 |
| TM-1 Cli-2 | 70 | 10 | 60 | 0 |
| TM-1 Cli-3 | 70 | 100 | 0 | 30 |
| TM-2 Prop | 300 | 200 | 100 | 0 |
| TM-2 Cli-4 | 70 | 90 | 0 | 20 |
| TM-2 Cli-5 | 50 | 100 | 0 | 50 |

Considering TM-1, the excess cash-equivalent collateral of TM-1 Cli-2 cannot be used to offset the excess non-cash collateral of TM-1 Cli-1 and TM-1 Cli-3. Therefore, there will be excess non-cash collateral to the extent of 80 (50 for Cli-1 and 30 for Cli-3) under TM-1.

Considering TM-2, the excess proprietary cash-equivalent collateral of TM-2 can be used to offset the excess non-cash collateral of TM-2 Cli-4 and TM-2 Cli-5. Therefore, there will be no excess non-cash collateral under TM-2.

Summary of excess cash-equivalent and excess non-cash collateral under CM prop, TM-1 and TM-2 would be as under:

| Entity | Excess Cash-eq | Excess non-cash |
|---|---|---|
| CM Prop | 60 | - |
| TM-1 | - | 80 |
| TM-2 | 30 | - |

The excess cash-equivalent collateral of TM-2 cannot be used to offset the excess non-cash collateral of TM-1. However, the excess cash-equivalent collateral of CM Prop can be used to offset excess non-cash collateral of TM-1. Therefore, the overall excess non-cash collateral will be 20, for TM-1.

| Entity | Excess non-cash |
|---|---|
| TM-1 | 20 |

The benefit of this excess non-cash collateral (20) will not be available under TM-1. The entities who will get benefit would be identified through a suitable mechanism by the CCs. In this example, suppose the CC applies FIFO rule and it is assumed that Cli-1 has pledged the non-cash collateral before Cli-3. Therefore, the Cli-1 will receive benefit for its entire collateral (so the effective value of collateral of Cli-1 will be 200+250=450). On the other hand, Cli-3 will not receive benefit of non-cash collateral to the extent of 20 (so the effective value of collateral of Cli-3 will be 70+80 = 150).

Annexure-18: Blocking of Margins

Suppose the total collateral (allocated collateral plus securities collateral placed through margin pledge/ re-pledge to CC) available against various entities are as given below.

| Entity | Collateral (Rs) |
|---|---|
| CMTM Prop | 1000 |
| TM-1 Prop | 500 |
| TM-1 Cli-1 | 300 |
| TM-1 Cli-2 | 300 |

• Trade-1: TM-1 Cli-2 trades with margin requirement of Rs 100. Blocking of margin shall be as follows:

| Entity | Collateral (Rs) | Blocking (Rs) |
|---|---|---|
| CMTM Prop | 1000 | 0 |
| TM-1 Prop | 500 | 0 |
| TM-1 Cli-1 | 300 | 0 |
| TM-1 Cli-2 | 300 | 100 |

• Trade-2: TM-1 Cli-1 trades with margin requirement of Rs 600. Blocking of margin shall be as follows:

| Entity | Collateral (Rs) | Blocking (Rs) |
|---|---|---|
| CMTM Prop | 1000 | 0 |
| TM-1 Prop | 500 | 300 |
| TM-1 Cli-1 | 300 | 300 |
| TM-1 Cli-2 | 300 | 100 |

• Trade-3: TM-1 Cli-2 trades with revised margin requirement for Cli-2 of Rs 600. Blocking of margin shall be as follows:

| Entity | Collateral (Rs) | Blocking (Rs) |
|---|---|---|
| CMTM Prop | 1000 | 100 |
| TM-1 Prop | 500 | 500 |
| TM-1 Cli-1 | 300 | 300 |
| TM-1 Cli-2 | 300 | 300 |

• Trade-4: TM-1 Cli-2 trades with revised margin requirement for Cli-2 of Rs 900. Blocking of margin shall be as follows:

| Entity | Collateral (Rs) | Blocking (Rs) |
|---|---|---|
| CMTM Prop | 1000 | 400 |
| TM-1 Prop | 500 | 500 |
| TM-1 Cli-1 | 300 | 300 |
| TM-1 Cli-2 | 300 | 300 |

In the above examples, the collateral of Rs 500 blocked from the TM-1 Prop, and the collateral of Rs 400 blocked from CMTM Prop, shall be deemed to be allocated to TM-1 Cli-1 and TM-1 Cli-2. The deemed allocation would be as follows:

| Client | Margin (Rs) | Blocked from client collateral (Rs) | Deemed allocation from TM-1 Prop (Rs) | Deemed allocation from CMTM Prop to TM-1 Prop (Rs) |
|---|---|---|---|---|
| TM-1 Cli-1 | 600 | 300 | 300 | 400 |
| TM-1 Cli-2 | 900 | 300 | 600 |  |

To clarify, the deemed allocation from CMTM Prop to TM-1 Prop is Rs 400, therefore the total TM-1 Prop collateral (including deemed allocated) would be Rs 900 (Rs 500 + Rs 400). Out of this, the excess client margin would be considered to be deemed allocated to the respective client.

Annexure-19: Monitoring of risk reduction mode

Suppose the total collateral (allocated collateral plus securities collateral placed through margin pledge/ re-pledge to CC) available against various entities, along with their margin obligations, are as given below.

| CM | TM | Client | Collateral (Rs) | Margin (Rs) | CliMrgn>90% (Rs) |
|---|---|---|---|---|---|
| CM-1 | - | Prop | 1200 | 800 | - |
| CM-1 | TM-1 | Prop | 500 | 400 | - |
| CM-1 | TM-1 | Client-1 | 800 | 780 | 60 |
| CM-1 | TM-1 | Client-2 | 500 | 450 | 0 |
| CM-1 | TM-1 | Client-3 | 400 | 380 | 20 |
| CM-1 | TM-2 | Prop | 500 | 200 | - |
| CM-1 | TM-2 | Client-4 | 1000 | 920 | 20 |
| CM-1 | TM-2 | Client-5 | 1000 | 880 | 0 |

TM level monitoring

In the above table, “CliMrgn>90%”, or client margin in excess of 90%, has been calculated as margin for the client less 90% of the client collateral. Risk reduction mode monitoring for TM shall be based on assessment of [TM Prop Margin + CliMrgn>90%] against the [TM Prop collateral]. Accordingly, margin utilization percentage of TM1 and TM2 would be as under:

• Margin utilization percentage of TM1 = [400 + (60 + 0 + 20)] /500 = 96%

• Margin utilization percentage of TM2 = [200 + (20 + 0)] /500 = 44%

In other words, for TM1, margin of Rs 30 is in excess of 90% of its prop collateral, while there is no excess margin for TM2 against its prop collateral. The same has been tabulated below:

| TM | Total CliMrgn>90% (Rs) | Prop Margin (Rs) | 90% of TM prop collateral (Rs) | TMMrgn>90% (Rs) |
|---|---|---|---|---|
| TM-1 | 80 | 400 | 450 | 30 |
| TM-2 | 20 | 200 | 450 | 0 |

CM level monitoring

In the above table, “TMMrgn>90%”, or TM Margin in excess of 90%, has been calculated as [CliMrgn>90% + TM Prop margin] in excess of 90% of TM prop collateral. Risk reduction mode monitoring for CM shall be based on assessment of [CM Prop Margin + TMMrgn>90%] against the [CM Prop Collateral]. Accordingly, margin utilization percentage of CM1 would be as under:

• Margin utilization percentage of CM1 = [800 + (30 + 0)]/1200 = 69.1%

310 Annexure-20: Change of Allocation Suppose a SCM has following collateral: Entity Cash (Rs) SCM Prop 200 Cli-1 200 Cli-2 200 Out of the total available cash of Rs 600, suppose the SCM has provided an FDR of Rs 400 to the CC (with Rs 200 cash remaining with the member). Suppose, the FDR provided to the CC is allocated by the SCM as follows. Here, the SCM has chosen not to allocate any collateral to Cli-2 in the total collateral placed with the CC: Suppose the margin requirement is as follows: Entity Collateral (Rs) Margin blocked (Rs) CM Prop 200 160 Cli-1 200 150 Change in allocation: Example 1 The member shall be permitted to change the allocation as follows (i.e. the member chooses to consider the cash retained with it to be as Rs 50 belonging to Cli-1 and Rs 150 belonging to Cli-2): Entity Collateral (Rs) CM Prop 200 Cli-1 150 Cli-2 50 Change in allocation: Example 2 Entity Collateral allocated (Rs) SCM Prop 200 Cli-1 200

The member shall not be permitted to change the allocation as follows (i.e. the member chooses to consider the cash retained with it to be as Rs 100 belonging to each client):

| Entity | Collateral (Rs) |
|---|---|
| CM Prop | 200 |
| Cli-1 | 100 |
| Cli-2 | 100 |

This allocation shall not be permitted since Cli-1 has a margin requirement of Rs 150.

Annexure-21: Procedures to be followed in Stage-2 and Stage-3

Consider an example of a SCM defaulting in the derivatives segment. An illustration of the cash settlement obligations of prop/clients and attribution of shortage is provided below (the available collateral shown against different entities comprises of both allocated collateral (including deemed allocated) and value of demat securities collateral provided through margin pledge/re-pledge to the level of CC):

| Entity | (Pay-in)/ Pay-out (Rs) | Collateral (Rs) | Position closeout loss (Rs) | Remaining Collateral (Rs) |
|---|---|---|---|---|
| Prop | (3 crore) | 10 crore | 4 crore | 6 crore |
| Client-1 | (3 crore) | 10 crore | 3 crore | 7 crore |
| Client-2 | (3 crore) | 15 crore | 4 crore | 11 crore |
| Client-3 | 2 crore | 15 crore | 2 crore | 13 crore |
| Client-4 | 2 crore | 3 crore | 1 crore | 2 crore |
| Net Pay-in | 5 crore | | | |
| Shortfall | 5 crore | | | |

Scenario 1: All pay-out clients establish not being in default

  1. Suppose Client-3 and Client-4 establish within the pre-specified time period that they are not in default, do not have debit balance/dues towards the member and have not received the pay-out due.
  2. The remaining collateral of Client-3 and Client-4 (Rs 13 crore and Rs 2 crore respectively), along with the pay-out for the clients (Rs 2 crore each), shall be provided to the clients.
  3. The settlement shortfall would now be Rs 9 crore (Rs 5 crore shortfall in net pay-in, plus Rs 4 crore of pay-out made to Client-3 and Client-4).
  4. The settlement shortfall of Rs 9 crore shall be first adjusted with the SCM proprietary pay-in obligation of Rs 3 crore. Excess remaining proprietary collateral of SCM (Rs 3 crore) shall also be used towards the settlement shortfall.
  5. Remaining settlement shortfall of Rs 3 crore shall be attributed pro-rata to clients having pay-in, i.e., settlement shortfall of Rs 1.5 crore each shall be attributed to Client-1 and Client-2 and appropriated from their collateral.

Scenario 2: One pay-out client establishes not being in default

  1. Suppose Client-3 establishes within the pre-specified time period of not being in default, not having debit balance/dues towards the member and not having received the pay-out due.
  2. The remaining collateral of Client-3 (Rs 13 crore), along with the pay-out (Rs 2 crore), shall be provided to the Client-3.
  3. The settlement shortfall would now be Rs 7 crore (Rs 5 crore shortfall in net pay-in, plus Rs 2 crore of pay-out made to Client-3).
  4. The settlement shortfall of Rs 7 crore shall be first adjusted with the SCM proprietary pay-in obligation of Rs 3 crore. Excess remaining proprietary collateral of SCM (Rs 3 crore) shall also be used towards the settlement shortfall.
  5. Remaining settlement shortfall of Rs 1 crore shall be attributed pro-rata to clients having pay-in, i.e., settlement shortfall of Rs 0.5 crore each shall be attributed to Client-1 and Client-2 and appropriated from their collateral.

Scenario 3: One pay-out client and one pay-in client establish not being in default

  1. Suppose Client-1 and Client-3 establish within the pre-specified time period of not being in default, not having debit balance/dues towards the member and not having received the pay-out due, where applicable.
  2. The remaining collateral of Client-1 and Client-3 (Rs 7 crore and Rs 13 crore respectively) shall be provided to them. The pay-out due to Client-3 (Rs 2 crore) shall also be provided to Client-3.
  3. The settlement shortfall would now be Rs 7 crore (Rs 5 crore shortfall in net pay-in, plus Rs 2 crore of pay-out made to Client-3).
  4. The settlement shortfall of Rs 7 crore shall be first adjusted with the SCM proprietary pay-in obligation of Rs 3 crore. Excess remaining proprietary collateral of SCM (Rs 3 crore) shall also be used towards the settlement shortfall.
  5. Remaining settlement shortfall of Rs 1 crore shall be attributed to Client-2 (since it is established that Client-1 is not in default, no shortage shall be attributed to Client-1).

Annexure-22: Procedures to be followed in Stage-4

Illustration 1:

Suppose an SCM had no proprietary positions, and the net pay-in obligations were based on five clients. There was a pay-in shortfall of Rs 300, against the net pay-in of Rs 600. Suppose none of the clients could establish within the pre-specified time period of not being in default, not having debit balance/dues towards the member and not having received the pay-out due. Assume there is no position close-out loss.

The pay-in shortfall of Rs 300 would be attributed during the Stage 3 on a pro-rata basis from the clients having pay-in obligations. This would be utilized from their available collateral (the available collateral shown against different entities comprises of both allocated collateral (including deemed allocated) and value of securities collateral provided through margin pledge/re-pledge to the level of CC).

| Entity | (PI) / PO (Rs) | Collateral (Rs) | Utilized Collateral (Rs) | Remaining Collateral (Rs) |
|---|---|---|---|---|
| Client-1 | 150 | 200 | 0 | 200 |
| Client-2 | 150 | 100 | 0 | 100 |
| Client-3 | -300 | 300 | 100 | 200 |
| Client-4 | -300 | 300 | 100 | 200 |
| Client-5 | -300 | 300 | 100 | 200 |

Suppose the actual client defaults and position of payables/receivables are identified as follows:

| Entity | Findings | Claim |
|---|---|---|
| Client-1 | Did not receive 150 payout | Pay-out of 150; Return of collateral of 200 |
| Client-2 | Did not receive 150 payout | Pay-out of 150; Return of collateral of 100 |
| Client-3 | Did not make any pay-in | - |
| Client-4 | Did not make any pay-in | - |
| Client-5 | Had made a pay-in of 300 | Return of collateral of 300 |

Accordingly, the remaining collateral of defaulting clients shall be utilized to fulfil the claims of non-defaulting clients. The additional realization and claim settlement is tabulated below:

| Entity | Additional utilization of collateral | Claim Settled |
|---|---|---|
| Client-1 | - | Pay-out of 150; Return of collateral of 200 |
| Client-2 | - | Pay-out of 150; Return of collateral of 100 |
| Client-3 | Additional collateral of 200 utilized | |
| Client-4 | Additional collateral of 200 utilized | |
| Client-5 | - | Return of collateral of 100 (from realized); Return of collateral of 200 (from remaining) |

In the event of the remaining collateral of Client-3 and Client-4 not being sufficient (say, due to excess losses in liquidation of positions), the default waterfall of the CC shall be applied for such losses.

Illustration 2:

The following illustration demonstrates the limit on maximum admissible claim against the collateral at the CC by the TM/clients/CP of the defaulting CM. The CC shall recognize the claim of the clients up to the collateral allocated by the CM, plus the value of securities re-pledged till the level of the CC, plus the collateral deemed to be allocated based on the margin requirement of the client. Some examples are tabulated below:

Columns, in order: Entity; Collateral provided to member; Margin; Collateral allocated by member at CC; Value of Securities Re-pledged to CC; Collateral deemed allocated (due to margins); Maximum Admissible claim against collateral at CC

Client-1: 1000, 800, 700, 300, 0, 1000
Client-2: 1000, 0, 400, 600, 0, 1000
Client-3: 1000, 0, 400, 400, 0, 800
Client-4: 1000, 800, 800, 800
Client-5: 1000
Client-6: 0, 200, 100, 0, 100, 0

In the last example (Client-6), the CM shall not be permitted to allocate collateral or permit client to trade beyond the available collateral. In case of such violations, the claim shall not be admissible, and the collateral (allocated and/or deemed so) shall be treated as proprietary collateral of the CM.
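The Stage-2/Stage-3 attribution worked through in the three scenarios of Annexure-21 above, as an added Python example that is not part of the circular. Function and field names are illustrative assumptions, and so is splitting pro-rata by pay-in obligation: the annexure's pay-in clients have equal obligations, so its split is equal.

```python
from fractions import Fraction


def remaining_collateral(entity):
    """Collateral left after the position close-out loss."""
    return Fraction(entity["collateral"]) - entity["closeout_loss"]


def attribute_shortfall(prop, clients, net_payin_shortfall, established):
    """Attribute a settlement shortfall as in the Annexure-21 scenarios.

    obligation: negative = pay-in due, positive = pay-out due (Rs crore).
    established: names of clients that proved they are not in default.
    """
    shortfall = Fraction(net_payin_shortfall)

    # Steps 1-3: established clients get their remaining collateral back and
    # any pay-out due to them; each pay-out made adds to the shortfall.
    released = {}
    for name in sorted(established):
        client = clients[name]
        payout = max(Fraction(0), Fraction(client["obligation"]))
        released[name] = {
            "collateral": remaining_collateral(client),
            "payout": payout,
        }
        shortfall += payout
    shortfall_after_release = shortfall

    # Step 4: adjust first with the proprietary pay-in obligation, then with
    # whatever proprietary collateral remains in excess of it.
    prop_left = remaining_collateral(prop)
    prop_payin = max(Fraction(0), -Fraction(prop["obligation"]))
    from_prop_payin = min(shortfall, prop_payin, prop_left)
    shortfall -= from_prop_payin
    from_prop_excess = min(shortfall, prop_left - from_prop_payin)
    shortfall -= from_prop_excess

    # Step 5: the rest goes pro-rata to pay-in clients that did not establish
    # non-default (weights = pay-in obligation; an assumption, see lead-in).
    weights = {
        name: -Fraction(c["obligation"])
        for name, c in clients.items()
        if c["obligation"] < 0 and name not in established
    }
    total = sum(weights.values())
    attributed = (
        {name: shortfall * w / total for name, w in weights.items()}
        if total else {}
    )
    return {
        "released": released,
        "shortfall_after_release": shortfall_after_release,
        "from_prop": from_prop_payin + from_prop_excess,
        "attributed": attributed,
        # Bookkeeping only: amount left if no pay-in client can be charged.
        "unattributed": shortfall if not attributed else Fraction(0),
    }


# Figures from the Annexure-21 table, in Rs crore.
PROP = {"obligation": -3, "collateral": 10, "closeout_loss": 4}
CLIENTS = {
    "Client-1": {"obligation": -3, "collateral": 10, "closeout_loss": 3},
    "Client-2": {"obligation": -3, "collateral": 15, "closeout_loss": 4},
    "Client-3": {"obligation": 2, "collateral": 15, "closeout_loss": 2},
    "Client-4": {"obligation": 2, "collateral": 3, "closeout_loss": 1},
}
NET_PAYIN_SHORTFALL = 5

SCENARIOS = {
    "Scenario 1": {"Client-3", "Client-4"},
    "Scenario 2": {"Client-3"},
    "Scenario 3": {"Client-1", "Client-3"},
}

if __name__ == "__main__":
    for label, established in SCENARIOS.items():
        result = attribute_shortfall(PROP, CLIENTS, NET_PAYIN_SHORTFALL, established)
        print(label,
              "shortfall:", float(result["shortfall_after_release"]),
              "attributed:", {k: float(v) for k, v in result["attributed"].items()})
```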

Annexure-23: Risk disclosures

RISK DISCLOSURES ON DERIVATIVES

• 9 out of 10 individual traders in equity Futures and Options Segment, incurred net losses.
• On an average, loss makers registered net trading loss close to ₹ 50,000.
• Over and above the net trading losses incurred, loss makers expended an additional 28% of net trading losses as transaction costs.
• Those making net trading profits, incurred between 15% to 50% of such profits as transaction cost.

Source:

  1. SEBI study dated January 25, 2023 on “Analysis of Profit and Loss of Individual Traders dealing in equity Futures and Options (F&O) Segment”, wherein Aggregate Level findings are based on annual Profit/Loss incurred by individual traders in equity F&O during FY 2021-22.

Annexure-24: Data Format

A. Equity F&O Segment

Notes:

  1. Client-set: All Individual Clients (which includes HUF and NRIs; excludes Proprietary traders, institutions, partnership firms etc.)
  2. Segment: Equity F&O
  3. Period: Financial Year
  4. Client level realized trading Profit/Loss during the period is considered.
  5. With regard to cases where 1 leg of transaction falls under the period, while the other falls outside, explanation is given as under:
     Example 1: Period: April 2018 to March 2019. Consider Contract-A with expiry in April
       • Contract-A purchased & sold in March 2018 - will not be considered
       • Contract-A purchased in March 2018, sold in April 2018/ settled on expiry - will be considered
     Example 2: Period: April 2018 to March 2019. Consider Contract-B with expiry in April 2019.
       • Contract-B purchased & sold in March 2019 - will be considered
       • Contract-B purchased in March 2019, sold in April 2019/ settled on expiry - will not be considered
  6. Contracts resulting in physical delivery of stocks may be excluded.
  7. For PIN Codes - correspondence address may be considered.

| Column | Values listed in the format |
|---|---|
| Client Identification No. | |
| Period | Period 1; Period 2 |
| Product Category | Index Futures; Index Options; Stock Futures; Stock Options |
| Age | <20; 20-30; 30-40; 40-50; 50-60; >60; Not Available |
| Gender | M; F; Others; Not specified |
| Income Group | <5Lacs; 5-10L; 10-25L; 25-50L; 50-100L; >100L; Not Available |
| City | |
| PIN Code | |
| No. of transactions during period (Buy+Sell) | |
| Realized trading Profit/Loss excluding transaction charges during period (Rs.) | |
| Transaction Cost (Rs.): Brokerage + Clearing Fee | |
| Transaction Cost (Rs.): Exchange Fee | |
| Transaction Cost (Rs.): Stamp Duty | |
| Transaction Cost (Rs.): SEBI turnover Fee | |
| Transaction Cost (Rs.): STT | |
| Transaction Cost (Rs.): GST | |

B. Cash Segment

Notes:

  1. Client-set: All Individual Clients (which includes HUF and NRIs; excludes Proprietary traders, institutions, partnership firms etc.)
  2. Segment: Cash Segment
  3. Period: Financial year
  4. Client level realized trading Profit/Loss during the period is considered.
  5. For computation of Client level realised profit/loss in cash segment during the period, only transactions where both legs (buy and sell side) in a scrip are executed during the period, are considered.

| Column | Values listed in the format |
|---|---|
| Client Identification No. | |
| Period | Period 1; Period 2 |
| Age | <20; 20-30; 30-40; 40-50; 50-60; >60; Not Available |
| Gender | M; F; Others; Not specified |
| Income Group | <5Lacs; 5-10L; 10-25L; 25-50L; 50-100L; >100L; Not Available |
| City | |
| PIN Code | |
| No. of transactions during Period (Buy+Sell) | |
| Daily Average holding value during Period (Rs.) | |
| Max. holding value during Period (Rs.) | |
| Realised Trading Profit/Loss excluding transaction charges during Period (Rs.) | |
| Transaction Cost (Rs.): Brokerage + Clearing Fee | |
| Transaction Cost (Rs.): Exchange Fee | |
| Transaction Cost (Rs.): Stamp Duty | |
| Transaction Cost (Rs.): SEBI turnover Fee | |
| Transaction Cost (Rs.): STT | |
| Transaction Cost (Rs.): GST | |

Annexure-25

Incident Reporting Form

  1. Letter / Report Subject -
     Name of the Member / Depository Participant -
     Name of the Stock Exchange / Depository -
     Member ID / DP ID -
  2. Reporting Periodicity
     Year -
     ☐ Quarter 1 (Apr-Jun)
     ☐ Quarter 2 (Jul-Sep)
     ☐ Quarter 3 (Oct-Dec)
     ☐ Quarter 4 (Jan-Mar)
  3. Designated Officer (Reporting Officer details) -
     Name:
     Organization:
     Title:
     Phone / Fax No:
     Mobile:
     Email:
     Address:

Cyber-attack / breach observed in Quarter: (If yes, please fill Annexure -24A) (If no, please submit the NIL report)

| Date & Time | Brief information on the Cyber-attack / breach observed |
|---|---|
| | |

Annexure -24A

  1. Physical location of affected computer / network and name of ISP -
  2. Date and time incident occurred -
     Date:
     Time:
  3. Information of affected system -
     IP Address:
     Computer/ Host Name:
     Operating System (incl. Ver. / release No.):
     Last Patched/ Updated:
     Hardware Vendor/ Model:
  4. Type of incident -
     ☐ Phishing
     ☐ Network scanning / Probing
     ☐ Break-in / Root Compromise
     ☐ Virus/Malicious Code
     ☐ Website Defacement
     ☐ System Misuse
     ☐ Spam
     ☐ Bot/Botnet
     ☐ Email Spoofing
     ☐ Denial of Service (DoS)
     ☐ Distributed Denial of Service (DDoS)
     ☐ User Account Compromise
     ☐ Website Intrusion
     ☐ Social Engineering
     ☐ Technical Vulnerability
     ☐ IP Spoofing
     ☐ Ransomware
     ☐ Other
  5. Description of incident -
  6. Unusual behavior/symptoms (Tick the symptoms) -
     ☐ System crashes
     ☐ New user accounts/ Accounting discrepancies
     ☐ Failed or successful social engineering attempts
     ☐ Unexplained, poor system performance
     ☐ Unaccounted for changes in the DNS tables, router rules, or firewall rules
     ☐ Unexplained elevation or use of privileges
     ☐ Operation of a program or sniffer device to capture network traffic
     ☐ An indicated last time of usage of a user account that does not correspond to the actual last time of usage for that user
     ☐ A system alarm or similar indication from an intrusion detection tool
     ☐ Altered home pages, which are usually the intentional target for visibility, or other pages on the Web server
     ☐ Anomalies
     ☐ Suspicious probes
     ☐ Suspicious browsing
     ☐ New files
     ☐ Changes in file lengths or dates
     ☐ Attempts to write to system
     ☐ Data modification or deletion
     ☐ Denial of service
     ☐ Door knob rattling
     ☐ Unusual time of usage
     ☐ Unusual usage patterns
     ☐ Unusual log file entries
     ☐ Presence of new setuid or setgid files
     ☐ Changes in system directories and files
     ☐ Presence of cracking utilities
     ☐ Activity during non-working hours or holidays
     ☐ Other (Please specify)
  7. Details of unusual behavior/symptoms -
  8. Has this problem been experienced earlier? If yes, details -
  9. Agencies notified -
     ☐ Law Enforcement
     ☐ Private Agency
     ☐ Affected Product Vendor
     ☐ Other
  10. IP Address of apparent or suspected source -
     Source IP address:
     Other information available:
  11. How many host(s) are affected -
     ☐ 1 to 10
     ☐ 10 to 100
     ☐ More than 100
  12. Details of actions taken for mitigation and any preventive measure applied -

Annexure-26

Form to report on AI and ML technologies – To be submitted quarterly

Intimation to Stock Exchange / Depository for the use of the AI and ML application and systems.

| SNo. | Head | Value |
|---|---|---|
| 1 | Entity SEBI registration number | |
| 2 | Registered entity category | |
| 3 | Entity name | |
| 4 | Entity PAN no. | |
| 5 | Application / System name | |
| 6 | Date from when the Application / System was used | |
| 7 | Type of area where AI or ML is used | <order execution / Advisory services / KYC / AML / Surveillance / compliance/others (please specify in 256 characters)> |
| 7.a | Does the system involve order initiation, routing and execution? | <Yes / NO> |
| 7.b | Does the system fall under discretionary investment or Portfolio management activities? | <Yes / NO> |
| 7.c | Does the system disseminate investment or trading advice or strategies? | <Yes / NO> |
| 7.d | Is the application/system used in area of Cyber Security to detect attacks | <Yes / NO> |
| 7.e | What claims have been made regarding AI and ML Application / System – if any? | <free text field> |
| 8 | What is the name of the Tool / Technology that is categorized as AI and ML system / Application and submissions are declared vide this response | <free text field> |
| 9 | How was the AI or ML project implemented | <Internally / through solution provider / Jointly with a solution provider or third party> |
| 10 | Are the key controls and control points in your AI or ML application or systems in accordance to circular of SEBI that mandate cyber security control requirements | <free text field> |
| 11 | Is the AI / ML system included in the system audit, if applicable? | <Yes / NO / NA> |
| 12 | Describe the application / system and how it uses AI / ML as portrayed in the product offering | <free text field> |
| 13 | What safeguards are in place to prevent abnormal behavior of the AI or ML application / System | <free text field> |

Annexure 27 – Systems deemed to be based on AI and ML technology

Applications and Systems belonging but not limited to following categories or a combination of these:

  1. Natural Language Processing (NLP), sentiment analysis or text mining systems that gather intelligence from unstructured data. – In this case, Voice to text, text to intelligence systems in any natural language will be considered in scope. Eg: robo chat bots, big data intelligence gathering systems.
  2. Neural Networks or a modified form of it. – In this case, any system that uses a number of nodes (physical or software simulated nodes) mimicking natural neural networks of any scale, so as to carry out learning from previous firing of the nodes will be considered in scope. Eg: Recurrent Neural networks and Deep learning Neural Networks
  3. Machine learning through supervised, unsupervised learning or a combination of both. – In this case, any application or systems that carry out knowledge representation to form a knowledge base of domain, by learning and creating its outputs with real world input data and deciding future outputs based upon the knowledge base. Eg: System based on Decision tree, random forest, K mean, Markov decision process, Gradient boosting Algorithms.
  4. A system that uses statistical heuristics method instead of procedural algorithms or the system / application applies clustering or categorization algorithms to categorize data without a predefined set of categories
  5. A system that uses a feedback mechanism to improve its parameters and bases its subsequent execution steps on these parameters.
  6. A system that does knowledge representation and maintains a knowledge base.

Annexure 28 – Consolidated Quarterly Reporting Form

Consolidated Quarterly report to SEBI of all registered intermediaries with Stock Exchange using AI and ML application and systems for the Quarter Ended DD/MM/YYYY

Column headings of the form, in order:

  • Entity registration number
  • Entity name
  • Entity PAN no.
  • Application / System name
  • Date used from
  • Type of area where AI or ML is used: <order execution / Advisory services / KYC / AML / Surveillance / compliance/others (please specify in 256 characters)>
  • To be filled if System Audit is applicable
  • If system audit report is submitted by entity later than “date used from”
  • If system audit report is submitted with adverse remarks and Stock Exchange is entitled to inspect the entity
  • Does system audit report comply to Master Circular dated May 17, 2023: <Yes / NO>
  • Is there any adverse comment in the System audit report: <Yes / NO>
  • Was the entity inspected in past 1 year: <Yes / NO>
  • If inspected was any irregularity noted: <Yes / NO>

Annexure-29

Annexure-30

Root Cause Analysis Form/ RCA

  1. Letter / Report Subject:
     Name of the stock Broker:
     Exchange Name and Code:
     SEBI Registration number:
  2. Designated Officer and/or Reporting Officer details
     Name:
     E-mail:
     Mobile:
  3. Date & Time of Incident & Duration of the Incident
     Date:
     Time:
     Duration:
  4. Incident Description & chronology of events (please use additional sheets if required)
     Brief information on the incident observed
  5. Business Impact
  6. Immediate action taken (please give full details) (please use additional sheets if required)
  7. Date & Time of Recovery
     Date:
     Time:
  8. Root Cause Summary (Pl attach the detailed Report separately)
  9. Details of corrective measures taken
  10. Details of long-term preventive measures taken (please give full details) (please use additional sheets if required)

Annexure-31

In view of the increasing cybersecurity threat to the securities market, SEBI Regulated Entities (REs) are advised to implement the following practices as recommended by CSIRT-Fin:

  1. Roles and Responsibilities of Chief Information Security Officer (CISO)/ Designated Officer: REs are advised to define roles and responsibilities of Chief Information Security Officer (CISO) and other senior personnel. Reporting and compliance requirements shall be clearly specified in the security policy.
  2. Measures against Phishing attacks/ websites:
     i. The REs need to proactively monitor the cyberspace to identify phishing websites w.r.t. REs domain and report the same to CSIRT-Fin/CERT-In for taking appropriate action.
     ii. Majority of the infections are primarily introduced via phishing emails, malicious adverts on websites, and third-party apps and programs. Hence, thoughtfully designed security awareness campaigns that stress the avoidance of clicking on links and attachments in email, can establish an essential pillar of defense. Additionally, the advisories issued by CERT-In/ CSIRT-Fin may be referred for assistance in conducting exercises for public awareness.
  3. Patch Management and Vulnerability Assessment and Penetration Testing (VAPT):
     i. All operating systems and applications should be updated with the latest patches on a regular basis. As an interim measure for zero-day vulnerabilities and where patches are not available, virtual patching can be considered for protecting systems and networks. This measure hinders cybercriminals from gaining access to any system through vulnerabilities in end-of-support and end-of-life applications and software. Patches should be sourced only from the authorized sites of the OEM.
     ii. Security audit / Vulnerability Assessment and Penetration Testing (VAPT) of the application should be conducted on a regular basis and in accordance with the Cyber Security and Cyber Resilience circulars of SEBI issued from time to time. The observation/ gaps of VAPT/Security Audit should be resolved as per the timelines prescribed by SEBI.
  4. Measures for Data Protection and Data breach:
     i. REs are advised to prepare detailed incident response plan.
     ii. Enforce effective data protection, backup, and recovery measures.
     iii. Encryption of the data at rest should be implemented to prevent the attacker from accessing the unencrypted data.
     iv. Identify and classify sensitive and Personally Identifiable Information (PII) data and apply measures for encrypting such data in transit and at rest.
     v. Deploy data leakage prevention (DLP) solutions / processes.
  5. Log retention: Strong log retention policy should be implemented as per extant SEBI regulations and required by CERT-In and IT Act 2000. REs are advised to audit that all logs are being collected. Monitoring of all logs of events and incidents to identify unusual patterns and behaviours should be done.
  6. Password Policy/ Authentication Mechanisms:
     i. Strong password policy should be implemented. The policy should include a clause of periodic review of accounts of ex-employees. Passwords should not be reused across multiple accounts or list of passwords should not be stored on the system.
     ii. Enable multi factor authentication (MFA) for all users that connect using online/internet facility and also particularly for virtual private networks, webmail and accounts that access critical systems.
     iii. Maker and Checker framework should be implemented in strict manner and MFA should be enabled for all user accounts, especially for user accounts accessing critical applications.
  7. Privilege Management:
     i. Maker-Checker framework should be implemented for modifying the user's right in internal applications.
     ii. For mitigating the insider threat problem, 'least privilege' approach to provide security for both on-and off-premises resources (i.e., zero-trust models) should be implemented. Zero Trust is rooted in the principle of "trust nothing, verify everything." This security model requires strict identity verification for each and every resource and device attempting to get access to any information on a private network, regardless of where they are situated, within or outside of a network perimeter.
  8. Cybersecurity Controls:
     i. Deploy web and email filters on the network. Configure these devices to scan for known bad domains, sources, and addresses, block these before receiving and downloading messages. Scan all emails, attachments, and downloads both on the host and at the mail gateway with a reputable antivirus solution.
     ii. Block the malicious domains/IPs after diligently verifying them without impacting the operations. CSIRT-Fin/CERT-In advisories which are published periodically should be referred for latest malicious domains/IPs, C&C DNS and links.
     iii. Restrict execution of "powershell" and "wscript" in enterprise environment, if not required. Ensure installation and use of the latest version of PowerShell, with enhanced logging enabled, script block logging and transcription enabled. Send the associated logs to a centralized log repository for monitoring and analysis.
     iv. Utilize host based firewall to prevent Remote Procedure Call (RPC) and Server Message Block (SMB) communication among endpoints whenever possible. This limits lateral movement as well as other attack activities.
     v. Practice of whitelisting of ports based on business usage at Firewall level should be implemented rather than blacklisting of certain ports. Traffic on all other ports which have not been whitelisted should be blocked by default.
  9. Security of Cloud Services:
     i. Check public accessibility of all cloud instances in use. Make sure that no server/bucket is inadvertently leaking data due to inappropriate configurations.
     ii. Ensure proper security of cloud access tokens. The tokens should not be exposed publicly in website source code, any configuration files etc.
     iii. Implement appropriate security measures for testing, staging and backup environments hosted on cloud. Ensure that production environment is kept properly segregated from these. Disable/remove older or testing environments if their usage is no longer required.
     iv. Consider employing hybrid data security tools that focus on operating in a shared responsibility model for cloud-based environments.
  10. Implementation of CERT-In/ CSIRT-Fin Advisories: The advisories issued by CERT-In should be implemented in letter and spirit by the regulated entities. Additionally, the advisories should be implemented promptly as and when received.
  11. Concentration Risk on Outsourced Agencies:
     i. It has been observed that single third party vendors are providing services to multiple REs, which creates concentration risk. Although such third parties may be small non-financial organizations, a cyber-attack at any of them could have systemic implications due to high concentration risk.
     ii. Thus, there is a need for identification of such organizations and prescribing specific cyber security controls, including audit of their systems and protocols from independent auditors, to mitigate such concentration risk.
     iii. Further, REs also need to take into account this concentration risk while outsourcing multiple critical services to the same vendor.
  12. Audit and ISO Certification:
     i. SEBI’s instructions on external audit of REs by independent auditors empaneled by CERT-In should be complied with in letter and spirit.
     ii. The REs are also advised to go for ISO certification as the same provides a reasonable assurance on the preparedness of the RE with respect to cybersecurity.
     iii. Due diligence with respect to audit process and tools used for such audit needs to be undertaken to ensure competence and effectiveness of audits.

Annexure-32

Framework for Adoption of Cloud Services by SEBI Regulated Entities (REs)

50. Executive Summary

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction – NIST Definition.

Cloud computing has common characteristics like on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service. Due to these characteristics, cloud computing has advantages like reduced IT costs, scalability, business continuity, accessibility anywhere and with any device, higher performance and availability, quick application deployment, etc.

When contemplating cloud adoption, factors including risk identification, control mechanisms, security and operational standards, vendor lock-in and compliance with the legal, technical and regulatory requirements must be taken into account.

The framework is based on the study, survey, and consultations done with market participants, regulators, cloud associations, cloud service providers (CSPs), government agencies, and SEBI Advisory Committees. The summary of the framework is as follows:

  i. The RE may opt for any model of deployment on the basis of its business needs and technology risk assessment. However, compliance should be ensured with this cloud framework as well as other rules/ laws/ regulations/ circulars made by SEBI/ Government of India/ respective state government.
  ii. It is to be noted that although the IT services/ functionality may be outsourced (to a CSP), RE is solely accountable for all aspects related to the cloud services adopted by it including but not limited to availability of cloud applications, confidentiality, integrity and security of its data and logs, and ensuring RE’s compliance with the laws, rules, regulations, circulars, etc. issued by SEBI/ Government of India/ respective state government. Accordingly, the RE shall be responsible and accountable for any violation of the same.
  iii. The cloud services shall be taken only from the Ministry of Electronics and Information Technology (MeitY) empaneled CSPs. The CSP’s data center should hold a valid STQC (or any other equivalent agency appointed by Government of India) audit status. For selection of CSPs offering PaaS and SaaS services in India, RE shall choose only such CSPs which:
     1. Utilize the underlying infrastructure of MeitY empaneled CSPs for providing services to the RE.
     2. Host the application/ platform/ services provided to RE as well as store/ process data of the RE, only within the data centers as empaneled by MeitY and holding a valid STQC (or any other equivalent agency appointed by Government of India) audit status.
  iv. In a multi-tenant cloud architecture, adequate controls shall be provisioned to ensure that data (in motion, at rest and in use) shall be isolated and inaccessible to any other tenant. RE shall assess and ensure that the multi tenancy segregation controls are placed by CSP, and shall place additional security controls if required.
  v. Data shall be encrypted at all lifecycle stages (at rest, in motion and in use), source or location to ensure the confidentiality, privacy and integrity.
  vi. RE shall retain complete ownership of all its data, encryption keys, logs etc. residing in cloud.
  vii. Compliance with legal and regulatory requirements, including the requirements provided in this framework, has to be ensured by the RE at all times.
  viii. The cloud deployments of RE shall be monitored through Security Operations Centre (SOC) [in-house, third-party SOC or a managed SOC].
  ix. The agreement between the RE and CSP shall cover security controls, legal and regulatory compliances, clear demarcation of roles, and liabilities, appropriate services and performance standards etc.
  x. The reporting of compliance (with this framework) shall be done by the REs in their systems audit, cybersecurity audit and VAPT reports, and it shall be done in the standardized format notified by SEBI from time to time.

The cloud framework provides mandatory requirements to be fulfilled by the RE for adopting cloud computing to augment the business prospects through scalability, reduced operational cost, digital transformation and reduced IT infrastructure complexity.

The cloud framework is a principle-based framework which has nine high-level principles. The framework highlights the risks associated with cloud adoption and recommends the necessary mandatory controls. The document also recommends baseline security measures required to be implemented (by RE and CSP), and RE may decide to add additional measures as per its business needs, technology risk assessment, risk appetite, compliance requirements in all the applicable circulars/ guidelines/ advisories issued by SEBI from time to time, etc.

Table of Contents

Abbreviations:
Definitions

  1. Governance, Risk and Compliance (GRC):
  2. Selection of CSPs:
  3. Data Ownership and Localization:
  4. Responsibility of the RE (with respect to CSPs):
  5. Due Diligence by the RE (with respect to CSPs):
  6. Security Controls:
     6.1. Security of the Cloud:
     6.2. Security in the Cloud:
       6.2.1. Vulnerability Management and Patch Management:
       6.2.2. Vulnerability Assessment and Penetration Testing (VAPT):
       6.2.3. Incident Management and SOC Integration:
       6.2.4. Continuous Monitoring:
       6.2.5. Secure User Management:
       6.2.6. Security of Interfaces:
         6.2.6.1. Management interface:
         6.2.6.2. Internet facing interfaces:
         6.2.6.3. Interfaces connected between RE’s/relevant organizations (Through P2P or LAN/MPLS etc.) and CSP:
       6.2.7. Secure Software Development:
       6.2.8. Managed Service Provider (MSP) & System Integrator (SI):
       6.2.9. Encryption and Cryptographic Key Management:
       6.2.10. End Point Security:
       6.2.11. Network Security:
       6.2.12. Backup and recovery solution:
       6.2.13. Skillset:
       6.2.14. Breach Notification:
  7. Contractual and Regulatory Obligations:
  8. Business Continuity Planning (BCP), Disaster Recovery & Cyber Resilience
  9. Concentration Risk Management
  10. Recommendations:

Appendix-A
Appendix-B

51. Abbreviations:

| Sr. No. | Abbreviation | Explanation/Expansion |
|---|---|---|
| 1 | 2FA | 2 Factor Authentication |
| 2 | API | Application Programming Interface |
| 3 | BCP | Business Continuity Planning |
| 4 | CISO | Chief Information Security Officer |
| 5 | CSP | Cloud Service Provider |
| 6 | DDOS | Distributed Denial-of-Service |
| 7 | Dev | Development Environment |
| 8 | DR | Disaster Recovery |
| 9 | IPS | Intrusion Prevention System |
| 10 | LAN | Local Area Network |
| 11 | MeitY | Ministry of Electronics and Information Technology |
| 12 | MII | Market Infrastructure Institution |
| 13 | MPLS | Multiprotocol Label Switching |
| 14 | MSP | Managed Service Provider |
| 15 | NIST | National Institute of Standards and Technology |
| 16 | P2P | Point-to-Point connection |
| 17 | PII | Personal Identifiable Information |
| 18 | RE | Regulated Entity |
| 19 | SI | System Integrator |
| 20 | SLA | Service Level Agreement |
| 21 | SOAR | Security Orchestration, Automation and Response |
| 22 | SOC | Security Operations Center |
| 23 | SSL | Secure Sockets Layer |
| 24 | STQC | Standardization Testing and Quality Certification |
| 25 | UAT | User Acceptance Testing |
| 26 | VAPT | Vulnerability Assessment & Penetration Testing |
| 27 | VM | Virtual Machine |
| 28 | VPN | Virtual Private Network |
| 29 | WAF | Web Application Firewall |

52. Definitions

  1. Cloud Model Description - The description of common cloud deployment models (as per NIST) [117] is given below:

| Sr. No | Model | Description |
|---|---|---|
| 1 | Private Cloud | The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises. |
| 2 | Community Cloud | The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises. |
| 3 | Public Cloud | The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider. |
| 4 | Hybrid Cloud | The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability. |

117 Ref: https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-145.pdf

  2. Cloud Service Models -

A. The definitions of various cloud service models (as per NIST) [118] are given below:

i. Infrastructure as a Service (IaaS): The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run software, which can include operating systems and applications. The consumer does not directly manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls). A few examples of IaaS are Amazon Web Services (AWS) Elastic Compute Cloud, Microsoft Azure, etc.

ii. Platform as a Service (PaaS): The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not directly manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment. A few examples of PaaS are Google App Engine, Amazon Web Services (AWS) Elastic Beanstalk, etc.

iii. Software as a Service (SaaS): The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user specific application configuration settings. A few examples of SaaS are Gmail, Microsoft Office 365, etc.

B. Other deployment models such as Application as a Service, Security as a Service, etc. may be considered as a sub-part or variant of the above-mentioned models as they contain components of IaaS, PaaS and SaaS. For example, Security as a Service is a form of SaaS which provides specialized information security services. Similarly, Application as a Service is a type of SaaS in which applications (for example Google sheets, Google docs, etc.) are delivered on-demand to customers through the internet.

118 Ref: https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-145.pdf

  3. Regulated Entity (RE) – The term “Regulated Entity” refers to SEBI registered/ recognized intermediaries (for example brokers, mutual funds, KYC Registration Agencies, and QRTAs) and Market Infrastructure Institutions (Stock Exchanges, Clearing Corporations, and Depositories) regulated by SEBI.
  4. Key Management - In the context of encryption/ decryption, a key is typically a random string of bits generated to hide (encrypt) or reveal (decrypt) data. A key is most commonly used along with an algorithm (method) for encryption/ decryption of data. Therefore, Key management refers to management of cryptographic keys in a system, including their (keys’) generation, exchange, storage, etc.
  5. Hardware Security Module (HSM)- A Hardware Security Module is a device that is used for management of Keys, as well as for implementing various functions like encryption, decryption, authentication, etc.

Principle 1: Governance, Risk and Compliance Sub-Framework

  1. Governance, Risk and Compliance (GRC): The REs shall put in place an effective GRC sub-framework for cloud computing to enable them to formulate a cloud strategy suitable for their circumstances/ needs. The RE shall also adhere with the governance framework mentioned in various circulars issued by SEBI. The various aspects that shall be considered by RE (including but not limited to) while formulating the GRC sub-framework are as follows:

i. Cloud Governance: The RE shall have a Board/ partners/ proprietors (as the case may be) {hereinafter referred to as “the Board”} approved governance model/ strategy for cloud computing in place. The model/ strategy shall include:

  1. Details of cloud adoption such as cloud service models, deployment models etc.
  2. Type of services to be on boarded on cloud considering various factors such as data classification, criticality of operations, etc. The classification/ categorization shall be done in-line with the circulars/ guidelines issued by SEBI.
  3. Measures to ensure the protection of stakeholder’s interests
  4. Measures to comply with the applicable legal and regulatory requirements.

ii. Cloud Risk Management:

  1. There is a paradigm shift in the manner of how cloud technology is built and managed in comparison with traditional on-premise infrastructure. Therefore, a comprehensive risk management should be undertaken by the RE to continually identify, monitor, and mitigate the risks posed by cloud computing.
  2. The cloud risk management approach should be approved by the Board of the RE. The cloud risk management approach shall provide details regarding the various risks of cloud adoption such as technical, legal, business, regulatory etc., and the commensurate risk mitigation controls which should be proportionate to the criticality and sensitivity of the data/operations to be on-boarded on the cloud.
  3. As part of risk management process, a thorough risk assessment shall also be done keeping in mind that the RE cannot outsource the risks and decision making associated with deployment of cloud services, to the CSP. The risk assessment shall include (but not limited to) standards like identifying threat sources and events, identifying vulnerabilities and pre-disposing conditions, control analysis, magnitude of impact, etc.
  4. A clearly identified and named resource (typically CISO) shall be appointed and shall be responsible for security of the deployments in cloud.

iii. Compliance and Legal Aspects: The RE shall have policies, processes, etc. in place to ensure compliance with the applicable legal and regulatory requirements (including but not limited to guidelines, circulars, advisories, etc.) for deployments in cloud, issued by SEBI/ Government of India/ respective state government.

iv. In order to ensure the smooth functioning and adherence with the GRC sub-framework, it is mandated to divide the roles and assign the responsibilities as given below:

  1. Role of the Board/Key Management Personnel (KMP)- The Board/KMP shall be responsible for: a. Approval of cloud governance model and cloud risk management approach, and setting up processes for smooth on boarding on cloud while adhering with all legal, regulatory, technical and business objectives. b. Review of cloud governance model and cloud risk management approach as per requirement of the RE. However, the review shall be mandatorily conducted at least once every year. c. Setting up the administrative responsibility of senior management.
  2. Role of Senior Management - The senior management shall be responsible for: a. Preparation of and adherence with various policies related to cloud adoption. b. Periodic assessment of cloud deployments and mitigation of risks arising out of the same. c. Continually monitoring and responding to the risks and intimating the same to board in a timely manner.

d. Assessment, at least on an annual basis, to review the financial and operational condition of the CSP in order to assess its ability to continue to meet the various requirements such as legal, business, compliance, etc. and highlighting any deterioration or breach in performance standards, confidentiality and security, and in business continuity preparedness to the board in a timely manner. e. Periodic evaluation of the adherence of the cloud engagement with regulatory, legal and business objectives. f. Management of Human Resources: i. Identification of potential skill gaps which emerge as a result of transition to cloud computing. ii. Capacity building within organization to build adequate skillsets to manage cloud deployments effectively.
  3. Role of IT team- The IT team shall be responsible for managing day to day operations and assisting senior management in achieving the objectives of cloud deployments.
  4. Additional roles/ responsibilities may be added (to the Board/KMP, Senior Management, etc.) as per requirements of the RE.

v. Grievance Redressal Mechanism: The RE shall have a robust grievance redressal mechanism, which in no way shall be compromised on account of cloud adoption i.e., responsibility and accountability for redressal of investors’/ members’ grievances related to cloud on boarded services shall rest with the RE. Adoption of cloud services shall not affect the rights of the investor/ member against the RE, including the ability of the investor/ member to obtain redressal of grievances as applicable under relevant laws.

vi. Monitoring and Control of Cloud Deployments:

  1. RE shall have in place a management structure to monitor and control the activities and services deployed on cloud. This shall include, but not limited to, monitoring the performance, uptime (of the systems/ resources) and service availability, adherence to SLA requirements, incident response mechanism, etc.
  2. RE shall conduct regular audits/VAPT of its cloud deployments. The frequency and scope of such audits/VAPT shall be in line with SEBI cyber guidelines /circulars /framework issued from time to time.
  3. Additionally, the RE shall also assess the performance of the CSP, adequacy of the risk management practices adopted by the CSP, compliance with laws/regulations etc.

vii. Country Risk: The engagement with a CSP having country of incorporation/registration outside of India, exposes the RE to country risk. To manage such risk, wherever applicable, the RE shall closely monitor the CSP’s country’s government policies and its political, social, economic and legal conditions on a continuous basis, and establish sound procedures for mitigating the country risk. This includes, inter alia, having appropriate contingency and exit strategies. In principle, arrangements shall only be entered into with parties operating in jurisdictions generally upholding confidentiality clauses and agreements. The governing law of the arrangement shall also be clearly specified.

viii. Contingency: The RE shall have appropriate contingency and exit strategies. The RE shall ensure that availability of records to the RE and the supervising authority are not affected under any circumstances, even in case of liquidation of the CSP.

ix. Miscellaneous: Any other risk factors deemed relevant/ material by the RE.

Principle 2: Selection of Cloud Service Providers

  2. Selection of CSPs: The RE shall ensure that the following conditions are met while choosing any Cloud Service Provider (CSP):

i. The storage/ processing of data (DC, DR, near DR etc.) including logs and any other data pertaining to RE in any form in cloud, should be done within the MeitY empaneled CSPs’ data centers holding valid STQC (or any other equivalent agency appointed by Government of India) audit status.

ii. For selection of CSPs offering PaaS and SaaS services in India, the RE shall choose only those CSPs which:

  1. Utilize the underlying infrastructure/ platform of only MeitY empaneled CSPs for providing services to RE.
  2. Host the application/ platform/ services (DC, DR, near DR, etc.) provided to the RE as well as store/ process data of the RE, only within the data centers as empaneled by MeitY and holding a valid STQC (or any other equivalent agency appointed by Government of India) audit status.
  3. Have a back-to-back, clear and enforceable agreement with their partners/ vendors/ sub-contractors (including those that provide the underlying infrastructure/ platform) for ensuring their compliance with respect to the requirements provided in this framework including those in Principles 6 (Security Controls), 7 (Contractual and Regulatory Obligations) and 8 (BCP, Disaster Recovery & Cyber resilience).

iii. Any other additional criteria that the RE considers appropriate/ as per RE's requirement.

iv. The RE shall ensure that storage/ processing/ transfer of its data should be done according to requirements provided in this framework as well as any other regulations/ circulars/ guidelines issued by SEBI and any other Government authorities.

Principle 3: Data Ownership and Data Localization

  3. Data Ownership and Localization:

i. Data Ownership: The RE shall retain the complete ownership of all its data and logs, encryption keys, etc. residing in cloud. The CSP shall be working only in a fiduciary capacity. Therefore, the RE, SEBI and any other Government authority authorized under law, shall always have the right to access any or all of the data at any or all point of time.

ii. Visibility: Whenever required (by RE/ SEBI), the CSP shall provide visibility to RE as well as SEBI into CSP’s infrastructure and processes, and its compliance to applicable policies and regulations issued by SEBI/ Government of India/ respective state government.

iii. Data Localization: In order to ensure that RE and SEBI’s right to access RE’s data as well as SEBI’s rights of search and seizure are not affected by adoption of cloud services, the storage/ processing of data (DC, DR, near DR etc.) including logs and any other data/ information pertaining to RE in any form in cloud shall be done as per the following conditions:

  1. The data should reside/be processed within the legal boundaries of India.
  2. However, for the investors whose country of incorporation is outside India, the REs shall keep the original data/ transactions/ logs, available and easily accessible in legible and usable form, within the legal boundaries of India.

The RE shall ensure that the above-mentioned requirements are fulfilled at all times during adoption/ usage of cloud services.

iv. It is to be noted that the REs are ultimately responsible and accountable for security of their data (including logs)/ applications/ services hosted in cloud as well as ensuring compliance with laws, rules, regulations, etc. issued by SEBI/ Government of India/ respective state government. Accordingly, RE shall put in place effective mechanism to continuously monitor the CSP and comply with various regulatory, legal and technical requirements notified by SEBI or any other Government authority from time to time.

Principle 4: Responsibility of the Regulated Entity

  4. Responsibility of the RE (with respect to CSPs):

i. While it is acknowledged that there can be a segregation between the RE and the CSP with respect to (including but not limited to) the infrastructure management, and other technical aspects (for example with respect to data, cybersecurity, management of users, etc.), however, the RE is solely accountable for all aspects related to the cloud services adopted by it including, but not limited to, availability of cloud applications, confidentiality, integrity and security of its data and logs, and ensuring RE’s compliance with respect to the applicable laws, rules, regulations, circulars, etc. issued by SEBI/ Government of India/ respective state government. Accordingly, the RE shall be held accountable for any violation of the same.

ii. There shall be an explicit and unambiguous delineation/ demarcation of responsibilities with respect to all activities (including but not limited to technical, managerial, governance related, etc.) of the cloud services between the RE and CSP. There shall be no "joint/ shared ownership" for any function/ task/ activity between the RE and CSP. If any function/ task/ activity has to be performed jointly by the RE and CSP, there shall be a clear delineation and fixing of responsibility for each sub-task/ line-item within the task. The aforementioned delineation of responsibilities shall be added explicitly in the agreement (as an annexure) signed between the RE and the CSP.

iii. In the event of a Managed Service Provider (MSP) or System Integrator (SI) being involved in procurement of cloud services, an explicit and unambiguous delineation/ demarcation of responsibilities shall also be done with respect to MSP/ SI, and the same shall be included in the agreement (in-line with the requirements given above).

iv. Similarly, there shall be an explicit and unambiguous delineation/ demarcation of responsibilities between the RE and CSP (and MSP/SI wherever applicable) for ensuring compliance with respect to applicable circulars (for example cybersecurity and cyber resilience circular, outsourcing circular, BCP-DR etc.) issued by SEBI from time to time. There shall be no “joint/ shared ownership” for ensuring compliance with respect to any clause. If compliance for any clause has to be jointly ensured by RE and CSP (and MSP/SI wherever applicable), there should be a clear delineation and fixing of responsibility between the RE and the CSP (and MSP/SI wherever applicable) for each sub-task/ line-item within the clause. This delineation shall also be added explicitly in the agreement (as an annexure) signed between the RE and the CSP (and MSP/SI wherever applicable).

v. In view of the fact that a CSP is not a RE, the RE shall continue to have ultimate responsibility and liability for any violation of the laws, rules, regulations, circulars, etc. issued by SEBI or any other authority under any law, regardless of any delineation/ demarcation of responsibilities envisaged in the aforesaid paragraphs.

Principle 5: Due Diligence by the Regulated Entity

  5. Due Diligence by the RE (with respect to CSPs):

i. The REs should evaluate the need, implications (financial, regulatory, etc.), risks, benefits, etc. of adopting cloud computing. The RE shall also conduct its due diligence with respect to CSPs beforehand and on a periodic basis to ensure that legal, regulatory, business objectives, etc. of the RE are not hampered. The due diligence shall be risk-based depending on the criticality of the data/ services /operations planned to be on boarded on cloud.

ii. A proper due diligence process should be established to assess the capabilities and suitability of a cloud service provider before the engagement.

iii. An analysis (including but not limited to comparative analysis, SWOT analysis, etc.) shall also be conducted on the type of cloud model to be adopted. The analysis should include relevant factors like (including but not limited to) the risks associated with various models, need, suitability, capability of the organization, etc.

The above mentioned evaluations / analyses should be conducted keeping in mind that although the IT services/ functionality can be outsourced (to a CSP), REs are ultimately accountable for all aspects related to the cloud services adopted by it including but not limited to availability of cloud applications, confidentiality, integrity and security of RE’s data and logs, and ensuring RE’s compliance with respect to the applicable laws, rules, regulations, circulars, etc. issued by SEBI/ Government of India/ respective state government. Accordingly, the RE shall be held accountable for any violation of the same.

iv. The criteria that an RE shall look out for are (including but not limited to):

  1. Financial soundness of CSP and its ability to service commitments even under adverse conditions.
  2. CSP’s capability to identify and segregate RE’s data, whenever required.
  3. Security risk assessment of the CSP.

  4. Ensuring that appropriate controls, assurance requirements and possible contractual arrangements are in place to establish data ownership.
  5. CSP’s ability to effectively service all the RE’s customers while maintaining confidentiality, especially where a CSP has exposure to multiple entities.
  6. Ability to enforce agreements and the rights available thereunder including those relating to aspects such as data storage, data protection and confidentiality, SLA, etc.
  7. RE shall ensure that CSP performs proper screening and background checks of its personnel and vendors before onboarding, and provides adequate trainings and awareness programs to ensure that the customer (RE) services are not hampered due to misconfiguration/inadvertent actions/operational issues/etc.
  8. Capability of the CSP to deal with RE’s compliance needs, operational aspects, and ensure information security, data privacy, etc.
  9. CSP’s ability to ensure compliance with this framework as well as all applicable rules/ regulations/ circulars issued by SEBI from time to time.
  10. Any other additional criteria that the RE considers appropriate/ as per RE's requirement.

Principle 6: Security Controls

  6. Security Controls [119]: The RE shall ensure its compliance with the applicable circulars (for example cybersecurity circular, systems audit circular, DR-BCP circular, etc.)/ guidelines/ advisories, etc. issued by SEBI. Further, in reference to the security controls for adoption of cloud computing [120], the following (including but not limited to) shall be implemented:

6.1. Security of the Cloud: RE shall perform the assessment of CSPs to ensure that adequate security controls are in place. Some of the common controls (including but not limited to) that the RE needs to check are given below:

i. Vulnerability Management and Patch Management:

  1. RE shall ensure that CSP has a vulnerability management process in place to mitigate vulnerabilities in all components of the services that the CSP is responsible for (i.e. managed by the CSP). The RE shall assess and ensure that the patch management of CSP adequately covers the components for which the CSP is responsible (i.e. components managed by the CSP). The patch management framework shall include the timely patching of all components coming under the purview of CSP.
  2. The RE shall also ensure that CSP conducts Vulnerability Assessment and Penetration Testing (VAPT) for the components managed by the CSP and fixes the issues/ vulnerabilities within the prescribed timelines (as agreed upon by CSP and RE).
  3. The RE shall also ensure that the vulnerability management, patch management and VAPT processes are conducted by CSP in-line with the requirements (for example scope, classification of vulnerabilities, duration for closure, etc.) provided in applicable circulars/ guidelines issued by SEBI.

ii. Monitoring: RE shall ensure that CSP has adequate security monitoring solutions in place. The monitoring solutions of CSP shall be responsible for the following:

  1. Monitoring shall cover all components of the cloud. Additionally, the CSP shall continuously monitor the alerts generated and take appropriate actions as per the defined timelines.
  2. The RE shall ensure that any event(s) which may have an impact (financial, reputational, operational, etc.) on the RE shall be intimated to RE by CSP in a timely manner. The reporting should be done in-line with the guidelines/ regulations/ circulars issued by SEBI/ Government of India and (wherever applicable) as per the contractual agreement signed between the CSP and RE.

iii. Incident Management: The RE shall ensure that the CSP has incident management processes in place, to detect, respond and recover from any incident at the earliest. The processes should aim to minimize the impact to the RE.

iv. Wherever Key management is being done by CSP for platform level encryption (for example, full disk encryption or VM level encryption), RE shall assess and ensure that the entire Key lifecycle management is being done by CSP in a secure manner.

119 For CSPs offering PaaS/ SaaS services, in the event any particular security control does not apply to their specific deployment model, such CSPs have to ensure that their vendor/ partner/ sub-contractor providing the underlying infrastructure/ platform fulfils the requirement of the security controls. The RE shall deploy the services of only those PaaS/ SaaS providers which have a back-to-back, clear and enforceable agreement with their vendor/ partner/ sub-contractor for the same.

120 An indicative mind-map of security controls for cloud deployments is given in Appendix-B

121 Any type of access/ user provided to SEBI/ any law enforcement agency of Government of India or state government shall be exempt from this clause

v. Secure User Management [121]: Wherever the user management is done by CSP, the RE shall ensure that role based access and rule based access are strictly followed by CSP for its resources and it shall be based on the principle of least privilege. The following shall also be ensured:

  1. Administrators and privileged users shall be given only minimal administrative capabilities for a pre-defined time period, and in response to specific issues/ needs.
  2. With respect to administrative privileges/ users, the following shall also be followed: a. All administrative privileges/ users shall be tracked via a ticket/ request by the CSP, and the same shall be provided to the RE on request. Further, the RE shall also track any additional privilege granted to any user by the CSP. b. Access to systems or interfaces that could provide access to the RE’s data is granted only if the RE has given explicit time-limited permission for that access.
  3. Multi Factor Authentication shall be used for administrator/ privileged accounts.
  4. The necessary auditing and monitoring of the above shall be done by CSP and any anomalies shall be reported to the RE.

vi. Multi-Tenancy: In a multi-tenant cloud architecture, the RE shall ensure that CSP has taken adequate controls to ensure that the RE’s data (in transit, at rest and in use) shall be isolated and inaccessible to any other tenants. RE shall appropriately assess and ensure the multi tenancy segregation controls placed by CSP and place additional security controls if required. Any access by other tenants/unauthorized access by CSP’s resources to RE’s data shall be considered as an incident/breach and the CSP shall ensure that the incident/breach is notified to the RE (as per the norms/ guidelines/ circulars issued by SEBI/ Government of India and (wherever applicable) as per the contractual agreement signed between the CSP and RE), and adequate steps are taken to control the same. During such incident/breach, the RE shall ensure that CSP should provide all related forensic data, reports and event logs as required to the RE /SEBI /CERT-In/ any government agency for further investigation. All conditions and obligations of the RE and CSP under this framework shall also be applicable in multi-tenancy structure.

vii. The RE shall ensure that the agreement with the CSP contains clause(s) for safe deletion/ erasure of RE’s information. The clause should cover various scenarios like business requirement of RE, exit strategy, etc.

viii. For further assurance, the RE may assess the availability of global compliance standards like SOC-2 [122] reporting for CSP.

ix. RE shall ensure that CSP has adequate controls (for example anti-virus, encryption of data, micro-segmentation, etc.) in place to safeguard cloud infrastructure as well as to ensure the privacy, confidentiality, availability, processing integrity and security of the RE’s data right from data creation/transfer/etc. in the cloud till final expunging of data.

6.2. Security in the Cloud: RE shall perform risk-based assessment and place adequate controls depending on the criticality of the data/ services/ operations (placed in cloud environment) under the purview of RE. Some of the common controls (including but not limited to) that RE shall put in place are:

6.2.1. Vulnerability Management and Patch Management:

122 SOC-2 is a voluntary compliance standard for information security developed by American Institute of Certified Public Accountants (AICPA).

358 The RE shall have a well-defined Vulnerability Management policy in place and should strictly adhere with the same. The policy should also address the vulnerability management aspects of the infrastructure /services /etc. managed by RE in the cloud. The components managed by RE shall be up to date in terms of patches/OS/version etc. The patch management policy shall also mandate timely patch application. 6.2.2. Vulnerability Assessment and Penetration Testing (VAPT): The VAPT activity undertaken by RE should cover the infrastructure and applications/services hosted by the RE on cloud. The VAPT tactics, tools and procedures should be fine-tuned to test and assess the cloud native risks and vulnerabilities. VAPT should also be conducted before commissioning of any new system. Additionally, the VAPT activity shall be conducted as per the requirements (including scope, classification, duration for closure of vulnerabilities, etc.) provided in applicable circulars/ regulations issued by SEBI. 6.2.3. Incident Management and SOC Integration: i. The RE shall have incident management policy, procedures and processes in place. The RE shall adhere with the same for deployments being done in cloud. ii. SOC solution (in-house, third-party SOC or a managed SOC) of RE shall be integrated with the services/ application/ infrastructure deployed by RE in cloud. The continuous monitoring shall be done in an integrated manner and the services/ application/ infrastructure deployed in cloud should be treated as an extension of the RE’s on premise network. The SOC shall have complete visibility of information systems of the RE deployed on cloud and should be capable to take SOAR actions across the information systems owned

359 by the RE. Additionally, only logs, meta-data should be shipped to shared SOC. REs shall ensure that PII/sensitive data should not be shipped to the SOC. 6.2.4. Continuous Monitoring: Continuous monitoring shall be done by the RE to review the technical, legal and regulatory compliance of CSP and take corrective measures/ ensure CSP takes corrective measures wherever necessary. 6.2.5. Secure User Management: The RE shall ensure that the following Identity, Authentication and Authorization practices are followed (by CSP as well as by RE): i. Principle of least privilege shall be adopted for granting access to any resources for normal and admin/privileged accounts. ii. The identity and access management solution should give the complete view of the access permissions applicable to all resources. The access permissions shall be reviewed regularly in order to remove any unwanted access. iii. The access logs should be retained and reviewed frequently for any anomalous events. iv. Time bound access permissions shall be adopted wherever feasible. v. Multi factor authentication shall be adopted for admin accounts. 6.2.6. Security of Interfaces: Controls related to typical interfaces in a cloud deployment are given below:

6.2.6.1. Management interface:
i. This is the interface provided to the RE by CSP to manage the infrastructure on cloud. This interface is also used to manage the account of the RE assigned by CSP.
ii. To mitigate the risks, the interface shall have Two Factor Authentication (2FA)/ Multi Factor Authentication (MFA). For additional security, measures such as dedicated lease lines may be explored. The access logs and access list to the interface should be strictly monitored (by RE and CSP). The traffic to and from the interface shall be regulated through firewall, Intrusion prevention system, etc.

6.2.6.2. Internet facing interfaces: Any interface which is exposed to public at large on the internet in the form of a service/API/etc. is considered as internet facing interface. Adequate security controls such as IPS, Firewall, WAF, Anti DDOS, API gateways etc. should be in place and additional controls such as 2FA authentication, SSL VPN solutions shall also be considered.

6.2.6.3. Interfaces connected between RE’s/relevant organizations (Through P2P or LAN/MPLS etc.) and CSP: Security controls such as IPS, Firewall, WAF, Anti DDOS, etc. shall be in place and additional controls such as IPSEC VPN shall be adopted, wherever necessary, to secure such interfaces.
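The Secure User Management practices of 6.2.5 (least privilege, regular permission review, access-log review, time-bound access, MFA for admin accounts), which 6.2.6.1 also relies on for the management interface, can be checked mechanically against an IAM export and an access log. The following is an added example, not part of the circular: the record layout, the 90-day review interval, the role and action names, and all sample data are assumptions constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumptions, not values from the circular, which says only "regularly"
# and "wherever feasible".
REVIEW_INTERVAL = timedelta(days=90)
PRIVILEGED_ROLES = {"admin"}


@dataclass(frozen=True)
class Grant:
    principal: str
    role: str
    actions: tuple                     # "*" means every action
    resource: str                      # "*" means every resource
    mfa_enabled: bool
    expires_at: Optional[datetime]     # None means standing access
    last_reviewed: Optional[datetime]  # None means never reviewed


@dataclass(frozen=True)
class LoginEvent:
    when: datetime
    principal: str
    mfa_used: bool


def review_grants(grants, now):
    """Return sorted (principal, finding) pairs for one IAM export."""
    findings = set()
    for g in grants:
        privileged = g.role in PRIVILEGED_ROLES
        # (i) Least privilege applies to normal and admin accounts alike.
        if "*" in g.actions or g.resource == "*":
            findings.add((g.principal, "wildcard-permission"))
        # (ii) Permissions must be reviewed regularly.
        if g.last_reviewed is None or now - g.last_reviewed > REVIEW_INTERVAL:
            findings.add((g.principal, "review-overdue"))
        # (iv) Time-bound access: no standing privileged access, and no
        # grant left in place after its expiry.
        if g.expires_at is None:
            if privileged:
                findings.add((g.principal, "no-expiry-on-privileged"))
        elif g.expires_at <= now:
            findings.add((g.principal, "expired-grant-not-removed"))
        # (v) MFA for admin accounts.
        if privileged and not g.mfa_enabled:
            findings.add((g.principal, "admin-without-mfa"))
    return sorted(findings)


def review_logins(events, grants):
    """(iii) Flag anomalous access-log events, in log order."""
    held = {}
    for g in grants:
        held.setdefault(g.principal, []).append(g)
    findings = []
    for e in events:
        # A grant counts only if it was still valid when the login happened.
        active = [g for g in held.get(e.principal, [])
                  if g.expires_at is None or g.expires_at > e.when]
        if not active:
            findings.append((e.principal, "login-without-active-grant"))
        elif any(g.role in PRIVILEGED_ROLES for g in active) and not e.mfa_used:
            findings.append((e.principal, "privileged-login-without-mfa"))
    return findings


# Constructed sample data (not from any real system).
NOW = datetime(2024, 8, 9, 12, 0, tzinfo=timezone.utc)
DAY = timedelta(days=1)
GRANTS = [
    Grant("alice", "admin", ("*",), "*", True,
          NOW + timedelta(hours=8), NOW - 10 * DAY),
    Grant("bob", "admin", ("vm.restart",), "prod-trading", False,
          None, NOW - 200 * DAY),
    Grant("carol", "read-only", ("logs.read",), "prod-logs", False,
          NOW - 3 * DAY, NOW - 20 * DAY),
    Grant("dave", "operator", ("backup.run",), "backup-vault", True,
          None, NOW - 30 * DAY),
]
EVENTS = [
    LoginEvent(NOW - DAY, "carol", True),                    # grant expired
    LoginEvent(NOW - timedelta(hours=2), "bob", False),      # admin, no MFA
    LoginEvent(NOW - timedelta(hours=1), "dave", False),     # non-privileged
    LoginEvent(NOW - timedelta(hours=1), "mallory", True),   # no grant at all
    LoginEvent(NOW - timedelta(minutes=30), "alice", True),  # valid admin use
]

if __name__ == "__main__":
    for principal, finding in review_grants(GRANTS, NOW):
        print("grant", principal, finding)
    for principal, finding in review_logins(EVENTS, GRANTS):
        print("login", principal, finding)
```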

6.2.7. Secure Software Development: The RE shall undertake Secure Software Development practices for development of cloud-ready applications which shall include (but not limited to):
i. RE shall adopt appropriate Secure Software Development processes, and security shall be an integral part right from the design phase itself.
ii. A new approach for secure software development shall be implemented by RE for dealing with cloud native development concepts such as micro services, APIs, containers, server less architecture, etc. as the traditional security mechanisms of protecting typical web applications might not be relevant for cloud native development concepts.
iii. Best practices such as zero trust principles, fine grained access control mechanism, API Gateways, etc. shall be adopted for development and usage of APIs. End to end security of the APIs shall also be taken care by the RE as per standard practices and guidelines.
iv. Secure identification, authentication and authorization mechanisms shall be adopted by the RE.

6.2.8. Managed Service Provider (MSP) & System Integrator (SI):
i. Wherever MSP and SI are involved in cloud services procurement, a clear demarcation of roles, and liabilities shall be clearly defined in the Agreement/Contract.
ii. As there are new risks introduced in engaging MSP/SI or both, the same shall be assessed, and mitigated by the RE.

6.2.9. Encryption and Cryptographic Key Management:
i. To ensure the confidentiality, privacy and integrity of the data, encryption as defined below shall be adopted by the RE:
  1. Data-at-rest encryption to be done with strong encryption algorithms. Data object encryption, file level encryption or tokenization in addition to the encryption provided at the platform level shall be used.
  2. Data-in-motion including the data within the cloud shall be encrypted. Session encryption or data object encryption in addition to the encryption provided at the platform level (Ex. TLS encryption) shall be used wherever any sensitive data is in transit.
  3. Data-in-use i.e., wherever data that is being used or processed in the cloud, confidential computing solutions shall be implemented.
ii. To ensure RE’s controls on encryption and Key management, the following shall be followed:
  1. Wherever applicable:
     a. “Bring Your Own Key” (BYOK) approach shall be adopted, which ensures that the RE retains the control and management of cryptographic keys that would be uploaded to the cloud to perform data encryption.
     b. “Bring Your Own Encryption” (BYOE) approach shall be followed by the RE.
  2. In case BYOK and BYOE approaches (as given above) are not implemented by RE, the RE shall conduct a detailed risk assessment and implement appropriate risk mitigation measures to achieve equivalent functionality/ security to BYOK and BYOE approaches.
  3. Generating, storing and managing the keys in a Hardware Security Module (HSM) shall be implemented in a dedicated HSM to have complete control of Key management. However, it is to be noted that HSM should be designed in fault tolerance mode to ensure that the failure of HSM should not have an impact on data retrieval and processing.

6.2.10. End Point Security: The RE shall ensure that the data security controls in the nature of anti-virus, Data Leak Prevention (DLP) solution etc. are installed and configured on the cloud deployments for effective data security. The RE shall also evaluate the baseline security controls provided by the CSP and may demand additional controls (from CSP) if required.

6.2.11. Network Security:
i. RE shall adopt the micro segmentation principle on cloud infrastructure. Only the essential communication channels between computing resources shall be allowed and the rest of the communication channels shall be blocked.
ii. RE shall also consider the option of utilizing Cloud Access Security Broker (CASB)/ Secure Access Service Edge (SASE)/ similar frameworks or tools for effective monitoring of network, enforcement of policies etc.

6.2.12. Backup and recovery solution:
i. The RE shall ensure that a backup and recovery policy is in place to address the backup requirement of cloud deployments. The backup and recovery processes shall be checked at least twice in a year to ensure the adequacy of the backups.
ii. The backup shall be logically segregated from production/dev/UAT environment to ensure that the malware infection in such systems does not percolate to backup environment.
iii. Wherever CSP’s backup services are utilized, adequate care should be taken with encryption solution and Key management.

6.2.13. Skillset: RE shall equip staff overseeing cloud operations with the knowledge and skills required to securely use and manage the risks associated with cloud computing. The skills should also be imparted to oversee the management interfaces, security configurations etc. of CSP infrastructure. This is a critical factor as it will reduce the misconfigurations, vulnerabilities etc. and will increase the reliability of services.

6.2.14. Breach Notification: CSP shall notify the RE of any cybersecurity incident (for example data breach, ransomware, etc.) as mandated by the RE. The reporting shall be done as per the norms/ guidelines/ circulars issued by SEBI/ Government of India and (wherever applicable) as per the contractual agreement signed between the CSP and RE. The CSP shall provide all related forensic data, reports and event logs as required by RE/ SEBI/ CERT-In/ any other government agency. The incident shall be dealt as per the Security Incident Management Policy of the RE along with the relevant guidelines/ directions issued by SEBI/ Government of India/ respective state government.

Principle 7: Contractual and Regulatory Obligations

7. Contractual and Regulatory Obligations [123]:

[123] With respect to CSPs offering PaaS/SaaS services, REs shall deploy the services of only those CSPs which have a back-to-back, clear and enforceable agreement with their vendor/ partner/ sub-contractor providing their underlying infrastructure/ platform for fulfilling the requirements provided in this Principle.

i. A clear and enforceable cloud service provider engagement agreement should be in place to protect RE’s interests, risk management needs, and ability to comply with supervisory expectations.
ii. The contractual/agreement terms between RE and CSP shall include the provisions for audit, and information access rights to the RE as well as SEBI for the purpose of performing due diligence and carrying out supervisory reviews. RE shall also ensure that its ability to manage risks, provide supervision and comply with regulatory requirements is not hampered by the contractual terms and agreement with CSP.
iii. The contract/agreement shall be vetted with respect to legal and technical standpoint by the RE. The agreement shall be flexible enough to allow the RE to retain adequate control over the resources which are on boarded on cloud. The agreement should also provide RE the right to intervene with appropriate measures to meet legal and regulatory obligations.
iv. SEBI/ CERT-In/ any other government agency shall at any time:
  1. Conduct direct audits and inspection of resources of CSP (and its sub-contractors/ vendors) pertaining to the RE or engage third party auditor to conduct the same and check the adherence with SEBI and government guidelines/ policies/ circulars and standard industry policies.
  2. Perform search and seizure of CSP’s resources storing/ processing data and other relevant resources (including but not limited to logs, user details, etc.) pertaining to the RE. In this process, SEBI or SEBI authorized personnel/ agency may access RE's IT infrastructure, applications, data, documents, and other necessary information given to, stored or processed by the CSP and/ or its sub-contractors.
  3. Engage a forensic auditor to identify the root cause of any incident (cyber security or other incidents) related to RE.
  4. Seek the audit reports of the audits conducted by CSP.
The RE shall ensure that adequate provisions are included in the agreement/ contract with CSP to enable the above functionalities. Additionally, RE shall also include provisions (in the contract/ agreement with CSP) mandating that CSP extends full cooperation to SEBI while conducting the above-mentioned activities.
v. The RE shall also ensure that adequate provisions are included in the agreement/ contract for the following audit/ VAPT functions:
  1. CSP shall be responsible for conducting audit/ VAPT of the services/ components managed by the CSP.
  2. The RE shall be responsible for conducting audit/ VAPT of the services/ components managed by the RE. The audit/ VAPT shall be conducted as per the requirements (including scope, duration for closure of vulnerabilities, etc.) provided in various applicable circulars/ regulations issued by SEBI from time to time.
  3. Implementation and configuration audit of the resources to be deployed by the RE in cloud environment shall be conducted by the RE and the same shall be certified by the RE after closing all non-compliances/ observations before go-live.
  4. The RE may take into consideration the report/certificate of the audit of the CSP conducted by STQC. However, wherever required, CSP has to conduct additional audits (from CERT-In empaneled auditors) to fulfil all the requirements provided in various applicable circulars/ regulations issued by SEBI, and the same shall be ensured by the RE.
  5. The RE shall ensure that appropriate clauses/ terms (including SLA clauses) are added in the agreement (signed between RE and CSP) to enforce the above-mentioned audit/ VAPT requirements.
vi. Contract/Agreement should have adequate provisions regarding the termination of contract with CSP, and appropriate exit strategies to ensure smooth exit without hindering any legal, regulatory or technical obligations of the RE.
vii. As part of exit strategy, a clear expunging clause shall be defined in agreement with CSP, which shall state that whenever the RE intends to expunge the data, CSP shall securely and permanently erase the RE’s data in disks, backup devices, logs, etc. and no data shall remain in recoverable form. However, it is the responsibility of the RE to ensure that the minimum retention requirements for data (including logs) as prescribed by SEBI/ Government of India/ respective state government are met and that the required data, logs, etc. are archived, even if the RE moves out of the cloud/ changes CSPs.
viii. The RE shall ensure that their data (including but not limited to logs, business data, etc.) is stored in an easily accessible, legible and usable manner (during utilization of cloud services and after exit from the cloud) and it shall be provided to SEBI/ any other government agency whenever required.
ix. The RE is required to adhere with SEBI circulars/ guidelines issued from time to time and the cloud framework shall be seen as an addition/ complementary to existing circulars/ guidelines and not as a replacement.
x. The agreement/contract made by RE shall also include (but not limited to) below mentioned terms/ provisions/ clauses:

  1. Definition of the IT activities and resources being on boarded on cloud, including appropriate service and performance standards including for the material sub-contractors, if any.
  2. Effective access to all the objects/ information relevant to the RE/ RE’s operation including data, books, records, logs, alerts, and data centre.
  3. Continuous monitoring and assessment of the CSP by the RE so that any necessary corrective measure can be taken immediately, including termination of contract and any minimum period required to execute such provisions, if deemed necessary.
  4. Type of material adverse events (e.g., data breaches, denial of service, service unavailability etc.) and incident reporting requirements to the RE to take prompt mitigation and recovery measures and ensure compliance with statutory and regulatory guidelines.
  5. Compliance with the provisions of IT Act, other applicable legal requirements and standards to protect the customer (RE) data.
  6. The deliverables, including SLAs, for formalizing the performance criteria to measure the quality and quantity of service levels.
  7. Storage of data (as applicable to the RE) within the legal boundaries of India as per extant regulatory requirements.
  8. Clauses requiring the CSP to provide details of data (captured, processed and stored) related to RE and RE’s customers to SEBI/ any other government agency.
  9. Controls for maintaining confidentiality of data of RE and its customers, and incorporating CSP’s liability to the RE in the event of security breach and leakage of such information.
  10. Types of data/ information that the CSP is permitted to share with the RE’s customers and/or any other party.
  11. Specifying the resolution process for events of default, insolvency, etc. and indemnities, remedies, and recourse available to the respective parties.
  12. Contingency plan(s) to ensure business continuity planning, RPO/RTO, and recovery requirements.
  13. Provisions to fulfill the search and seizure requirements (as provided above in this principle) and audit/ VAPT requirements (as provided above in this principle).
  14. Right to seek information (by RE/ SEBI) from the CSP about the third parties (in the supply chain) engaged by the CSP.
  15. Clauses making the CSP contractually liable for the performance and risk management practices of its sub-contractors.
  16. Obligation of the CSP to comply with directions issued by SEBI in relation to the activities of the RE on boarded on cloud.
  17. Termination rights of the RE, including the ability to orderly transfer the proposed cloud onboarding assignment to another CSP, if necessary or desirable.
  18. Obligation of the CSP to co-operate with the relevant authorities in cases involving the RE as and when required.
  19. Clauses for performing risk assessment by CSP with respect to hiring of third party vendors, the checks/ process followed by CSP before onboarding personnel/ vendors, etc.
  20. Any other provision(s) required to ensure compliance with respect to circulars/ guidelines/ regulations (including this cloud framework) issued by SEBI.
xi. Wherever the System integrator or managed service provider or both, along with CSP are involved, the contractual terms and agreement shall unambiguously demarcate/ delineate the roles, and liabilities of each participating party (in-line with the “Principle 4: Responsibility of the RE” of the framework) for each task/ activity/ function. There shall be no “joint/ shared ownership” for any task/ activity/ function/ component.
xii. If any function/ task/ activity has to be performed jointly by the RE and CSP/MSP/SI, there shall be a clear delineation and fixing of responsibility between the RE and the CSP (and MSP/SI wherever applicable) for each sub-task/ line-item within the task. The aforementioned delineation of responsibilities shall be added explicitly in the agreement (as an annexure) signed between the RE and the CSP (and MSP/SI wherever applicable). However, any such clause in the agreement shall not absolve the RE from having the ultimate responsibility and liability for any violation of the laws, rules, regulations, circulars, etc. issued by SEBI or any other authority under any law, regardless of any delineation/ demarcation of responsibilities.
xiii. Similarly, there shall be an explicit and unambiguous delineation/ demarcation of responsibilities between the RE and CSP (and MSP/SI wherever applicable) for ensuring compliance with respect to applicable circulars (for example cybersecurity and cyber resilience circular, outsourcing circular, BCP-DR etc.) issued by SEBI from time to time. There shall be no “joint/ shared ownership” for ensuring compliance with respect to any clause. If compliance for any clause has to be jointly ensured by RE and CSP (and MSP/SI wherever applicable), there should be a clear delineation and fixing of responsibility between the RE and the CSP (and MSP/SI wherever applicable) for each sub-task/ line-item within the clause. This delineation shall also be added explicitly in the agreement (as an annexure) signed between the RE and the CSP.
xiv. Reporting Requirements:
  1. It is being reiterated that the RE is solely accountable for all aspects related to the cloud services adopted by it including but not limited to availability of cloud applications, confidentiality, integrity and security of its data and logs, and ensuring RE’s compliance with the applicable laws, rules, regulations, circulars, etc. issued by SEBI/ Government of India/ respective state government.
  2. The RE shall explicitly and unambiguously specify the party (RE or CSP/MSP/SI) which is responsible for ensuring compliance with each clause of the applicable SEBI circulars (for example cybersecurity circular, systems audit, etc.) in its audit reports. There shall be no “joint/ shared ownership” for any of the clauses. In case the responsibility of ensuring compliance (for any clause) rests with both parties, the task shall be split into sub-tasks/line-items, and for each sub-task/line-items, the responsible party shall be indicated in the report.
  3. The RE shall ensure that the demarcation/ delineation of responsibilities is provided for each clause of the applicable SEBI circular(s).
  4. In view of the above requirements, as well as to ensure effective monitoring of cloud deployments by REs, reporting of compliance (with this framework) shall be done by the REs in their systems audit, cybersecurity audit and VAPT reports, and it shall be done in the standardized format notified by SEBI from time to time.
  5. Reporting by Auditor: As part of system audit of the RE, the auditor shall verify, and certify, whether there is a clear delineation/ demarcation of roles and responsibilities between the RE and CSP/MSP/SI (in-line with the “Principle 4: Responsibility of the RE” of the framework):
     a. For each task/ function/ activity/ component (including the tasks/ functions stated in clause (x) above, wherever applicable).
     b. For each clause of applicable/ relevant SEBI circular/ guidelines/ regulations.
     The auditor shall also verify, and certify, whether the above-mentioned demarcations of roles and responsibilities have been incorporated in the agreement/ contract signed between the RE and CSP (and MSP/SI wherever applicable).
xv. In the event of any CSP deployed by an RE losing its empanelment status with MeitY/ commits a passive breach of contract/ agreement in any way, the RE shall ensure that it becomes compliant with this framework within 6 (six) months of being notified of/ discovering the breach.

Principle 8: BCP, Disaster Recovery & Cyber Resilience

8. Business Continuity Planning (BCP), Disaster Recovery & Cyber Resilience:
i. The RE shall assess its BCP framework and ensure that it is in compliance with this cloud framework as well as other guidelines/ circulars issued by SEBI from time to time.
ii. RE shall also assess the capabilities, preparedness and readiness with respect to cyber resilience of CSP. The same can be periodically assessed by conducting DR drills (in accordance with circulars/ guidelines issued by SEBI) by involving necessary stakeholders.
iii. Additionally, RE shall develop a viable and effective contingency plan to cope with situations involving a disruption/ shutdown of cloud services.

Principle 9: Vendor Lock-In and Concentration Risk Management

9. Concentration Risk Management:
i. RE shall assess its exposure to CSP lock-in and concentration risks. The risk evaluation shall be done before entering into contract/ agreement with CSP and the same should also be assessed on a periodic basis.
ii. In order to mitigate the CSP concentration risks, RE shall explore the option of cloud-ready and CSP agnostic solutions (such as implementing multi-cloud ready solutions) which can facilitate the RE in migrating the solutions as and when necessary, with minimal changes. Exit strategies shall be developed, which should consider the pertinent risk indicators, exit triggers, exit scenarios, possible migration options, etc.
iii. The RE shall also take measures to implement data portability and inter-operability as part of exit/ transfer strategy.

iv. In order to mitigate the risk arising due to failure/ shutdown of a particular CSP, and to limit the impact of any such failure/ shutdown on the securities market, SEBI may specify concentration limits on CSPs (thereby setting a limit on the number of REs that a CSP may provide its services to).

10. Recommendations:
i. RE may opt for any model of deployment on the basis of its business needs and technology risk assessment. However, compliance should be ensured with this cloud framework as well as other rules/ laws/ regulations/ circulars made by SEBI/ Government of India/ respective state government.
ii. REs are solely accountable for all aspects related to the cloud services adopted by them including but not limited to availability of cloud applications, confidentiality, integrity and security of their data and logs, and ensuring RE’s compliance with respect to the applicable laws, rules, regulations, circulars, etc. issued by SEBI/ Government of India/ respective state government. Accordingly, the RE shall be held accountable for any violation of the same.
iii. While deploying cloud services, the REs shall adopt the nine (9) principles as provided in this framework:

  1. Principle 1: Governance, Risk and Compliance Sub-Framework
  2. Principle 2: Selection of Cloud Service Providers
  3. Principle 3: Data Ownership and Data Localization
  4. Principle 4: Responsibility of the Regulated Entity
  5. Principle 5: Due Diligence by the Regulated Entity
  6. Principle 6: Security Controls
  7. Principle 7: Contractual and Regulatory Obligations
  8. Principle 8: BCP, Disaster Recovery & Cyber Resilience
  9. Principle 9: Vendor Lock-in and Concentration Risk Management

The REs shall ensure that their cloud deployments are compliant, in letter and spirit, with the above-mentioned principles.
iv. The cloud services shall be taken only from the MeitY empaneled CSPs. The CSP’s data center should hold a valid STQC (or any other equivalent agency appointed by Government of India) audit status. For selection of CSPs offering PaaS and SaaS services in India, RE shall choose only such CSPs which:

  1. Utilize the underlying infrastructure/ platform of only MeitY empaneled CSPs for providing services to the RE.
  2. Host the application/ platform/ services provided to RE, and store/ process data of the RE, only within the data centers as empaneled by MeitY and holding a valid STQC (or any other equivalent agency appointed by Government of India) audit status.
  3. Have a back-to-back, clear and enforceable agreement with their partners/ vendors/ sub-contractors (including those that provide the underlying infrastructure/ platform) for ensuring their compliance with respect to the requirements provided in this framework including those in Principles 6 (Security Controls), 7 (Contractual and Regulatory Obligations) and 8 (BCP, Disaster Recovery & Cyber resilience).
v. There should be an explicit and unambiguous delineation/ demarcation of responsibilities for all activities (technical, managerial, governance related, etc.) of the cloud services between the RE and CSP (and MSP/SI wherever applicable). There shall be no "joint/ shared ownership" for any function/ task/ activity between the RE and CSP. If any function/ task/ activity has to be performed jointly by the RE and CSP, there should be a clear delineation and fixing of responsibility between the RE and the CSP (and MSP/SI wherever applicable) for each sub-task/ line-item within the task. The same should be a part of the agreement (as an annexure) between the RE and the CSP (and MSP/SI wherever applicable).
vi. Similarly, there should be an explicit and unambiguous delineation/ demarcation of responsibilities between the RE and CSP (and MSP/SI wherever applicable) for ensuring compliance with respect to circulars (for example cybersecurity and cyber resilience circular, outsourcing circular, BCP-DR etc.) issued by SEBI from time to time. There shall be no “joint/ shared ownership” for ensuring compliance with respect to any clause. If compliance for any clause has to be jointly ensured by RE and CSP (and MSP/SI wherever applicable), there should be a clear delineation and fixing of responsibility between the RE and the CSP (and MSP/SI wherever applicable) for each sub-task/ line-item within the clause. This delineation shall also be added explicitly in the agreement (as an annexure) signed between the RE and the CSP (and MSP/SI wherever applicable).
vii. As part of system audit of the RE, the auditor shall verify, and certify, whether there is a clear delineation/ demarcation of roles and responsibilities between the RE and CSP/MSP/SI (in-line with the “Principle 4: Responsibility of the RE” of the framework):
  a. For each task/ function/ activity/ component.
  b. For each clause of applicable/ relevant SEBI circular/ guidelines/ regulations.
The auditor shall also verify, and certify, whether the above-mentioned demarcations of roles and responsibilities have been incorporated in the agreement/ contract signed between the RE and CSP (and MSP/SI wherever applicable).
viii. The contractual/agreement terms between RE and CSP shall include the provisions for audit, and information access rights to the RE as well as SEBI, for the purpose of performing due diligence and carrying out supervisory reviews. RE shall also ensure that its ability to manage risks, provide supervision and comply with regulatory requirements is not hampered by the contractual terms and agreement with CSP.

ix. SEBI/ CERT-In/ any other government agency shall at any time:

  1. Conduct direct audits and inspection of resources of CSP (and its sub-contractors/ vendors) pertaining to the RE or engage third party auditor to conduct the same and check the adherence with SEBI and government guidelines/ policies/ circulars and standard industry policies.
  2. Perform search and seizure of CSP’s resources storing/ processing data and other relevant resources (including but not limited to logs, user details, etc.) pertaining to the RE. In this process, SEBI or SEBI authorized personnel/ agency may access RE's IT infrastructure, applications, data, documents, and other necessary information given to, stored or processed by the CSP and/ or its sub-contractors.
  3. Engage a forensic auditor to identify the root cause of any incident (cyber security or other incidents) related to RE.
  4. Seek the audit reports of the audits conducted by CSP. The RE shall ensure that adequate provisions are included in the agreement/ contract with CSP to enable the above functionalities. Additionally, RE shall also include provisions (in the contract/ agreement with CSP) mandating that CSP extends full cooperation to SEBI while conducting the above-mentioned activities. x. The cloud framework should be read along with the circulars (including circulars on outsourcing, cybersecurity, BCP-DR, etc.), directions, advisories, etc. issued by SEBI from time to time. xi. Transition Period:
  5. For the REs which are not utilizing any cloud services currently, the framework shall be applicable/ come into force from the date of issuance.
  6. For the REs which are currently utilizing cloud services, upto 12 months shall be given to ensure their compliance with the framework. Additionally, such REs shall provide regular milestone-based updates as follows:

| SN. | Timeline | Milestone |
| --- | --- | --- |
| 1 | Within one (1) month of issuance of framework | REs shall provide details of the cloud services, if any, currently deployed by them. |
| 2 | Within three (3) months of issuance of framework | The REs shall submit a roadmap (including details of major activities, timelines, etc.) for the implementation of the framework |
| 3 | From three (3) to twelve (12) months of issuance of framework | Quarterly progress report as per the roadmap submitted by the RE. |
| 4 | After twelve (12) months of issuance of framework | Compliance with respect to the framework to be reported regularly |

  3. The above-mentioned reporting shall be done to the authority as per the existing mechanism of reporting for systems audit/ cybersecurity audit.

xii. The compliance with respect to the framework shall be submitted by the REs as part of their systems audit, cybersecurity audit, and VAPT reports, and no separate reporting is envisaged. The reporting shall be done as per the standardized format notified by SEBI from time to time. All other conditions for reporting (for example reporting authority, duration of reporting, etc.) shall be as per the existing mechanism of reporting for systems audit/ cybersecurity audit/VAPT.

Appendix-A

Format for Submission of Details of Cloud Deployments

The REs shall provide details of their cloud deployment in the following format:

A. Entity Name:
B. Entity Type: (For example stock exchange, depository, mutual fund, etc.)
C. Whether Utilizing Cloud Services? Yes/ No

For Each Cloud application/ service/ system, please provide a response to the following:

| SN | Details Required | Entity Response |
| --- | --- | --- |
| 1 | Name of the Application/ Service/ System | |
| 2 | The type of deployment model utilized (public cloud, community cloud, etc.) | |
| 3 | The type of service model utilized (For example IaaS, PaaS, etc.) | |
| 4 | Name of the Cloud Service Provider (CSP) | |
| 5 | Country of incorporation/ registration of CSP | |
| | Name of the Managed Service Provider (MSP) / System Integrator (SI) [wherever applicable] | |
| 6 | Country of incorporation/ registration of MSP/ SI | |
| 7 | Whether the application/ service/ system is a critical or core application/ service/ system? | |
| 8 | Details of Data hosted/ stored in cloud | |
| 9 | Whether data is stored within the legal boundaries of India? | |

Appendix-B

Indicative Mindmap for Cloud Security

Annexure-33

Format for reporting changes in "status or constitution" of Members

Name of the Stock Exchange:
Report for the quarter ending: June/September/December/March
Year:-
Date of report:

| S. No. | Date of receipt | Name of the member | Registration number INB/F/E INS | Type of change | Details of changes: Pre | Details of changes: Post | PAN (incoming entities) | Date of Change | Date of approval by Stock Exchange |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| | | | | | | | | | |

| Type | Description of Change |
| --- | --- |
| I | Amalgamation, demerger, consolidation or any other kind of corporate restructuring falling within the scope of section 230 of the Companies Act, 2013 or the corresponding provision of any other law for the time being in force. |
| II | Change in managing director, whole-time director or director appointed in compliance with clause (v) of sub-rule (4A) of rule 8 of the Securities Contracts (Regulation) Rules, 1957. |
| III | Change in control. |
| IV | Any change between the following legal forms - individual, partnership firm, Hindu undivided family, private company, public company, unlimited company or statutory corporation and other similar changes. |
| V | In case of a partnership firm any change in partners not amounting to dissolution of the firm. |
| VI | Any other purpose as may be considered appropriate by the Stock Exchanges. |

Guidelines to fill up the format and sending the same to SEBI

  1. A separate annexure shall be submitted for each "Type of change" as specified in the format.
  2. The report shall be signed by an authorized representative of the Stock Exchange and the same shall be stamped.
  3. The Stock Exchanges shall furnish the report to SEBI by 7th day of month following the end of each quarter.
  4. The report shall be submitted by e-mail at serpa@sebi.gov.in. A hard copy of the report shall also be submitted to SEBI.

Annexure-34

Declaration-Cum-Undertaking

We M/s. (Name of the intermediary/the acquirer/person who shall have the control), hereby declare and undertake the following with respect to the application for prior approval for change in control of (name of the intermediary along with the SEBI registration no.):

  1. The applicant/intermediary (Name) and its principal officer, the directors or managing partners, the compliance officer and the key management persons and the promoters or persons holding controlling interest or persons exercising control over the applicant, directly or indirectly (in case of an unlisted applicant or intermediary, any person holding twenty percent or more voting rights, irrespective of whether they hold controlling interest or exercise control, shall be required to fulfill the ‘fit and proper person’ criteria) are fit and proper person in terms of Schedule II of SEBI (Intermediaries) Regulations, 2008.
  2. We bear integrity, honesty, ethical behaviour, reputation, fairness and character.
  3. We do not incur following disqualifications mentioned in Clause 3(b) of Schedule II of SEBI (Intermediaries) Regulations, 2008 i.e.
     i. No criminal complaint or information under section 154 of the Code of Criminal Procedure, 1973 (2 of 1974) has been filed against us by the Board and which is pending.
     ii. No charge sheet has been filed against us by any enforcement agency in matters concerning economic offences and is pending.
     iii. No order of restraint, prohibition or debarment has been passed against us by the Board or any other regulatory authority or enforcement agency in any matter concerning securities laws or financial markets and such order is in force.
     iv. No recovery proceedings have been initiated by the Board against us and are pending.
     v. No order of conviction has been passed against us by a court for any offence involving moral turpitude.
     vi. No winding up proceedings have been initiated or an order for winding up has been passed against us.
     vii. We have not been declared insolvent.
     viii. We have not been found to be of unsound mind by a court of competent jurisdiction and no such finding is in force.
     ix. We have not been categorized as a wilful defaulter.
     x. We have not been declared a fugitive economic offender.
  4. We have not been declared as not ‘fit and proper person’ by an order of the Board.
  5. No notice to show cause has been issued for proceedings under SEBI (Intermediaries) Regulations, 2008 or under section 11(4) or section 11B of the SEBI Act during last one year against us.
  6. It is hereby declared that we and each of our promoters, directors, principal officer, compliance officer and key managerial persons are not associated with vanishing companies.
  7. We hereby undertake that there will not be any change in the Board of Directors of incumbent, till the time prior approval is granted.
  8. We hereby undertake that pursuant to grant of prior approval by SEBI, the incumbent shall inform all the existing investors/ clients about the proposed change prior to effecting the same, in order to enable them to take informed decision regarding their continuance or otherwise with the new management.

The said information is true to our knowledge.

(stamped and signed by the Authorised Signatories)

Annexure-35

APPLICATION TO SEBI FOR OPENING OF WHOLLY OWNED SUBSIDIARIES, STEP DOWN SUBSIDIARIES OR ENTERING INTO JOINT VENTURES IN GIFT IFSC

Please read the instructions carefully before filling up the Application form:

  1. Fill in all the particulars clearly.
  2. The information should be complete in all respects.
  3. Please attach the relevant enclosures.
  4. The application shall be submitted through Stock Exchange / Clearing Corporation along with NOC obtained from all the Stock Exchanges/ Clearing Corporations/Depositories, where the applicant is a member/participant and other documents as listed in the present form.

II. GENERAL INFORMATION:

1 Details of all registrations of the applicant company in India and abroad
  • Name of the entity (Earlier name, if any)
  • Type of Intermediary (If Broker, names of Exchanges and if DP, name of the Depositories)
  • Registration Number
  • Date of Registration
2 Networth of the applicant company (in Rs.)
3 Details of the following persons:
  a) Promoters (Name and PAN number)
  b) Directors (Name, DIN and PAN number)
  c) Key Person of the applicant (Name and PAN number)
4 Details of regulatory action taken/ initiated/ pending, if any, against the applicant/ promoters/ directors/key personnel/ principal officer of the applicant company (in India/abroad)
5 Any fee remaining unpaid to SEBI by applicant/ associates
6 Amount of proposed investment (converted in Indian Rupees)
7 Whether the applicant is setting up a Wholly Owned subsidiary (WOS) or a Step Down Subsidiary (SDS) or entering into Joint Venture (JV) or acquiring stake in an existing company.
8 Details of the proposed WOS/SDS/JV in GIFT IFSC (provide relevant details in case of equity participation in existing company or joint venture with a company)
  a) Name of the proposed entity in GIFT IFSC
  b) Purpose for setting up the WOS/SDS/JV/Equity Participation etc.
  c) Nature of proposed activities

2. UNDERTAKING

a) Pursuant to setting up Wholly Owned Subsidiary / investment in step down subsidiary/joint venture, etc., we shall maintain networth for each category of registration as per SEBI Act, 1992 & Regulations/ circulars issued there under and bye laws/ rules/ regulations/ circulars, etc. issued by respective stock exchanges/Depositories.

Signature
Name
Designation
Place:
Date:

III. ENCLOSURES:

a. Certificate of Networth:
   i) Networth Certificate of the applicant based on the latest audited results (in Rs.), duly certified by a Chartered Accountant.
   ii) In case the above Networth Certificate is more than 6 months old, then provide i) above as well as the latest provisional networth certificate, duly certified by a Chartered Accountant.
b. NOC obtained from all the Stock Exchanges/Depositories where the applicant is a member/ participant, in case the applicant is a Stock Broker/Depository Participant.
c. Details of any non-compliance w.r.t ‘fit and proper person’ criteria as specified in Schedule II of SEBI (Intermediaries) Regulations, 2008.
d. Declaration cum undertaking (format enclosed) with regard to compliance with the ‘fit and proper person’ criteria as specified in Schedule II of SEBI (Intermediaries) Regulations, 2008 duly stamped and signed by the Authorized Signatories of the applicant.
e. Latest shareholding pattern of the applicant and list of the shareholders who have controlling interest.

Declaration Cum Undertaking

We M/s. Name of the intermediary, having SEBI registration certificate in the capacity of _______________ bearing registration number ________________ hereby declare and undertake the following w.r.t our application for setting up WOS/SDS/JV in GIFT IFSC:

  1. Name of the intermediary and its principal officer, directors or managing partners, compliance officer, key management persons, promoters or persons holding controlling interest or persons exercising control over the intermediary directly or indirectly and person holding twenty percent or more voting rights of the intermediary (hereinafter referred to as “We” or “Us”) are fit and proper person as per requirement laid down in Schedule II of SEBI (Intermediaries) Regulations, 2008.
  2. We bear integrity, honesty, ethical behaviour, reputation, fairness and character.
  3. We do not incur following disqualifications mentioned in Clause 3(b) of Schedule II of SEBI (Intermediaries) Regulations, 2008 i.e.
     (i) No criminal complaint or information under section 154 of the Code of Criminal Procedure, 1973 (2 of 1974) has been filed against us by the Board and which is pending.
     (ii) No charge sheet has been filed against us by any enforcement agency in matters concerning economic offences and is pending.
     (iii) No order of restraint, prohibition or debarment has been passed against us by the Board or any other regulatory authority or enforcement agency in any matter concerning securities laws or financial markets and such order is in force.
     (iv) No recovery proceedings have been initiated by the Board against us and are pending.
     (v) No order of conviction has been passed against us by a court for any offence involving moral turpitude.
     (vi) No winding up proceedings have been initiated or an order for winding up has been passed against us.
     (vii) We have not been declared insolvent.
     (viii) We have not been found to be of unsound mind by a court of competent jurisdiction and no such finding is in force.
     (ix) We have not been categorized as a wilful defaulter.
     (x) We have not been declared a fugitive economic offender.
  4. We have not been declared as not ‘fit and proper person’ by an order of the Board.
  5. No notice to show cause has been issued for proceedings under SEBI (Intermediaries) Regulations, 2008 or under section 11(4) or section 11B of the SEBI Act during last one year against us.
  6. It is hereby declared that we and each of our Promoters, Directors, Principal Officer, Compliance Officer and Key Managerial Persons are not associated with vanishing companies.
  7. There is no outstanding SEBI fee payable by the intermediary.

The said information is true to our knowledge.

(stamped and signed by the Authorised Signatories)

Annexure-36 - Information regarding Grievance Redressal Mechanism

Dear Investor,

In case of any grievance / complaint against the Stock Broker / Depository Participant:

Please contact Compliance Officer of the Stock Broker/ Depository Participant (Name) / email-id (xxx.@email.com) and Phone No. - 91-XXXXXXXXXX.

You may also approach CEO/ Partner/Proprietor (Name) / email-id (xxx.@email.com) and Phone No. - 91-XXXXXXXXXX.

If not satisfied with the response of the Stock Broker/ Depository Participant, you may contact the concerned Stock Exchange / Depository at the following:

| | Web Address | Contact No. | Email-id |
| --- | --- | --- | --- |
| NSE | www.bseindia.com | xxxxxxxxxx | xxx@bseindia.com |
| BSE | www.nesindia.com | Xxxxxxxxxx | xxx@nse.co.in |
| MSEI | www.msei.in | xxxxxxxxxx | xxx@msei.in |

| | Web Address | Contact No. | Email-id |
| --- | --- | --- | --- |
| CDSL | www.cdslindia.com | xxxxxxxxxx | xxx@cdslindia.com |
| NSDL | www.nsdl.co.in | xxxxxxxxxx | xxx@nsdl.co.in |

You can also lodge your grievances with SEBI at http://scores.gov.in. For any queries, feedback or assistance, please contact SEBI Office on Toll Free Helpline at 1800 22 7575 / 1800 266 7575.

Annexure-37

Investor Charter – Stock Brokers

VISION

To follow highest standards of ethics and compliances while facilitating the trading by clients in securities in a fair and transparent manner, so as to contribute in creation of wealth for investors.

MISSION

i) To provide high quality and dependable service through innovation, capacity enhancement and use of technology.
ii) To establish and maintain a relationship of trust and ethics with the investors.
iii) To observe highest standard of compliances and transparency.
iv) To always keep ‘protection of investors’ interest’ as goal while providing service.

Services provided to Investors

• Execution of trades on behalf of investors.
• Issuance of Contract Notes.
• Issuance of intimations regarding margin due payments.
• Facilitate execution of early pay-in obligation instructions.
• Settlement of client’s funds.
• Intimation of securities held in Client Unpaid Securities Account (CUSA) Account.
• Issuance of retention statement of funds.
• Risk management systems to mitigate operational and market risk.
• Facilitate client profile changes in the system as instructed by the client.
• Information sharing with the client w.r.t. exchange circulars.
• Redressal of Investor’s grievances.

Rights of Investors

• Ask for and receive information from a firm about the work history and background of the person handling your account, as well as information about the firm itself.
• Receive complete information about the risks, obligations, and costs of any investment before investing.
• Receive recommendations consistent with your financial needs and investment objectives.
• Receive a copy of all completed account forms and agreements.
• Receive account statements that are accurate and understandable.
• Understand the terms and conditions of transactions you undertake.
• Access your funds in a timely manner and receive information about any restrictions or limitations on access.
• Receive complete information about maintenance or service charges, transaction or redemption fees, and penalties.
• Discuss your grievances with compliance officer of the firm and receive prompt attention to and fair consideration of your concerns.

Various activities of Stock Brokers with timelines

| S.No. | Activities | Expected Timelines |
| --- | --- | --- |
| 1. | KYC entered into KRA System and CKYCR | 10 days of account opening |
| 2. | Client Onboarding | Immediate, but not later than one week |
| 3. | Order execution | Immediate on receipt of order, but not later than the same day |
| 4. | Allocation of Unique Client Code | Before trading |
| 5. | Copy of duly completed Client Registration Documents to clients | 7 days from the date of upload of Unique Client Code to the Exchange by the trading member |
| 6. | Issuance of contract notes | 24 hours of execution of trades |
| 7. | Collection of upfront margin from client | Before initiation of trade |
| 8. | Issuance of intimations regarding other margin due payments | At the end of the T day |
| 9. | Settlement of client funds | Monthly/ Quarterly for running account settlement (RAS) as per the preference of client. If consent not given for RAS – within 24 hours of pay-out |
| 10. | ‘Statement of Accounts’ for Funds, Securities and Commodities | Weekly basis (Within four trading days of following week) |
| 11. | Issuance of retention statement of funds/commodities | 5 days from the date of settlement |
| 12. | Issuance of Annual Global Statement | 30 days from the end of the financial year |
| 13. | Investor grievances redressal | 21 days from the receipt of the complaint |

DOs and DON’Ts for Investors

DOs

  1. Read all documents and conditions being agreed before signing the account opening form.
  2. Receive a copy of KYC, copy of account opening documents and Unique Client Code.
  3. Read the product / operational framework / timelines related to various Trading and Clearing & Settlement processes.
  4. Receive all information about brokerage, fees and other charges levied.
  5. Register your mobile number and email ID in your trading, demat and bank accounts to get regular alerts on your transactions.
  6. If executed, receive a copy of Power of Attorney. However, Power of Attorney is not a mandatory requirement as per SEBI / Stock Exchanges. Before granting Power of Attorney, carefully examine the scope and implications of powers being granted.
  7. Receive contract notes for trades executed, showing transaction price, brokerage, GST and STT etc. as applicable, separately, within 24 hours of execution of trades.
  8. Receive funds and securities / commodities on time within 24 hours from pay-out.
  9. Verify details of trades, contract notes and statement of account and approach relevant authority for any discrepancies. Verify trade details on the Exchange websites from the trade verification facility provided by the Exchanges.
  10. Receive statement of accounts periodically. If opted for running account settlement, account has to be settled by the stock broker as per the option given by the client (30 or 90 days).
  11. In case of any grievances, approach stock broker or Stock Exchange or SEBI for getting the same resolved within prescribed timelines.

DON’Ts

  1. Do not deal with unregistered stock broker.
  2. Do not forget to strike off blanks in your account opening and KYC.
  3. Do not submit an incomplete account opening and KYC form.
  4. Do not forget to inform any change in information linked to trading account and obtain confirmation of updation in the system.
  5. Do not transfer funds, for the purposes of trading to anyone other than a stock broker. No payment should be made in name of employee of stock broker.
  6. Do not ignore any emails / SMSs received with regards to trades done, from the Stock Exchange and raise a concern, if discrepancy is observed.
  7. Do not opt for digital contracts, if not familiar with computers.
  8. Do not share trading password.
  9. Do not fall prey to fixed / guaranteed returns schemes.
  10. Do not fall prey to fraudsters sending emails and SMSs luring to trade in stocks / securities promising huge profits.
  11. Do not follow herd mentality for investments. Seek expert and professional advice for your investments.

Grievance Redressal Mechanism

Level 1 – Approach the Stock Broker at the designated Investor Grievance e-mail ID of the stock broker. The Stock Broker will strive to redress the grievance immediately, but not later than 21 days of the receipt of the grievance.

Level 2 – Approach the Stock Exchange using the grievance mechanism mentioned at the website of the respective exchange.

Level 3 – The complaint not redressed at Stock Broker / Stock Exchange level, may be lodged with SEBI on SCORES (a web based centralized grievance redressal system of SEBI) @ https://scores.gov.in/scores/Welcome.html

Complaints Resolution Process at Stock Exchange explained graphically:

Timelines for complaint resolution process at Stock Exchanges against stock brokers

| S. No. | Type of Activity | Timelines for activity |
| --- | --- | --- |
| 1. | Receipt of Complaint | Day of complaint (C Day). |
| 2. | Additional information sought from the investor, if any, and provisionally forwarded to stock broker. | C + 7 Working days. |
| 3. | Registration of the complaint and forwarding to the stock broker. | C+8 Working Days i.e. T day. |
| 4. | Amicable Resolution. | T+15 Working Days. |
| 5. | Refer to Grievance Redressal Committee (GRC), in case of no amicable resolution. | T+16 Working Days. |
| 6. | Complete resolution process post GRC. | T + 30 Working Days. |
| 7. | In case where the GRC Member requires additional information, GRC order shall be completed within. | T + 45 Working Days. |
| 8. | Implementation of GRC Order. | On receipt of GRC Order, if the order is in favour of the investor, debit the funds of the stock broker. Order for debit is issued immediately or as per the directions given in GRC order. |
| 9. | In case the stock broker is aggrieved by the GRC order, will provide intention to avail arbitration | Within 7 days from receipt of order |
| 10. | If intention from stock broker is received and the GRC order amount is upto Rs.20 lakhs | Investor is eligible for interim relief from Investor Protection Fund (IPF). The interim relief will be 50% of the GRC order amount or Rs.2 lakhs whichever is less. The same shall be provided after obtaining an Undertaking from the investor. |
| 11. | Stock Broker shall file for arbitration | Within 3 months[124] from the date of GRC recommendation |
| 12. | In case the stock broker does not file for arbitration within 3 months[5] | The GRC order amount shall be released to the investor after adjusting the amount released as interim relief, if any. |

Handling of Investor’s claims / complaints in case of default of a Trading Member / Clearing Member (TM/CM)

Default of TM/CM

Following steps are carried out by Stock Exchange for benefit of investor, in case stock broker defaults:

• Circular is issued to inform about declaration of Stock Broker as Defaulter.
• Information of defaulter stock broker is disseminated on Stock Exchange website.
• Public Notice is issued informing declaration of a stock broker as defaulter and inviting claims within specified period.

[124] Words “6 months” replaced with “3 months” in view of Circular - SEBI/HO/MIRSD/DOS3/P/CIR/dated June 3, 2022.

• Intimation to clients of defaulter stock brokers via emails and SMS for facilitating lodging of claims within the specified period.

Following information is available on Stock Exchange website for information of investors:

• Norms for eligibility of claims for compensation from IPF.
• Claim form for lodging claim against defaulter stock broker.
• FAQ on processing of investors’ claims against Defaulter stock broker.
• Provision to check online status of client’s claim.

Annexure-38

Format for Investor Complaints Data to be displayed by Stock Brokers on their respective websites

Data for every month ending

| SN | Received from | Carried forward from previous month | Received during the month | Total Pending | Resolved* | Pending at the end of the month**: Pending for less than 3 months | Pending at the end of the month**: Pending for more than 3 months | Average Resolution time^ (in days) |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | 2 | 3 | 4 | 5 | 6 | 7 | | 8 |
| 1 | Directly from Investors | | | | | | | |
| 2 | SEBI (SCORES) | | | | | | | |
| 3 | Stock Exchanges | | | | | | | |
| 4 | Other Sources (if any) | | | | | | | |
| 5 | Grand Total | | | | | | | |

Trend of monthly disposal of complaints

| SN | Month | Carried forward from previous month | Received | Resolved* | Pending** |
| --- | --- | --- | --- | --- | --- |
| 1 | 2 | 3 | 4 | 5 | 6 |
| 1 | April-YYYY | | | | |
| 2 | May-YYYY | | | | |
| 3 | June-YYYY | | | | |
| 4 | July-YYYY | | | | |
| …. | ….. | | | | |
| | March-YYYY | | | | |
| | Grand Total | | | | |

*Should include complaints of previous months resolved in the current month, if any.
**Should include total complaints pending as on the last day of the month, if any.
^Average resolution time is the sum total of time taken to resolve each complaint in the current month divided by total number of complaints resolved in the current month.

Trend of annual disposal of complaints

| SN | Year | Carried forward from previous year | Received during the year | Resolved during the year | Pending at the end of the year |
| --- | --- | --- | --- | --- | --- |
| 1 | 2017-18 | | | | |
| 2 | 2018-19 | | | | |
| 3 | 2019-20 | | | | |
| 4 | 2020-21 | | | | |
| 5 | 2021-22 | | | | |
| | Grand Total | | | | |

Annexure-39

To be on Stamp / Franked Paper of appropriate value and notarized

AFFIDAVIT OF UNDERTAKING CUM INDEMNITY BOND TO BE SUBMITTED BY MEMBER TO ………… [NAME OF THE STOCK EXCHANGE / CLEARING CORPORATION]

This Undertaking cum Indemnity Bond is signed at Mumbai on this ________day of _______, 20.

By

I/We, Member of ……….. [Name of The Stock Exchange / Clearing Corporation] (bearing Trading / Clearing No. ________), having office at …………………………………………………, (hereinafter referred to as “Member”, which expression, unless repugnant to the context or meaning thereof, shall be deemed to include its successors and assigns).

In favour of:

………………..Ltd., [Name of the Stock Exchange / Clearing Corporation] a company incorporated under the Companies Act, 1956 having its registered office at ………………………………………………… (hereinafter referred to as “…..”, which expression shall, unless repugnant to the context or meaning thereof, be deemed to include its successors and assigns).

I/We hereby solemnly declare and undertake that:

Whereas the Securities and Exchange Board of India (hereinafter referred to as “SEBI”) has issued circular dated July 01, 2020 on Standard Operating Procedure to be followed in the case of trading member/clearing member leading to default (hereinafter referred to as the “said circular”).

Whereas in terms of the said circular the …….. [Name of the Stock Exchange / Clearing Corporation] has amended its bye-laws and is empowered …….. [Name of the Stock Exchange / Clearing Corporation] to issue instructions to the concerned bank/s to freeze the bank account/s maintained by the Member, for all debits / withdrawal by the Member in the event of a potential default by the Member in meeting its obligations to Stock Exchange / Clearing Member / Clearing Corporation and / or repayment of funds / securities to his / its clients.

Now, in consideration of the above, I / We do hereby agree and confirm unconditionally to undertake that:


  1. ………… [Name of the Stock Exchange / Clearing Corporation] is empowered to instruct the concerned banks to freeze my / our bank accounts for all debits / withdrawals from such accounts. The details of bank accounts held by me/ us are as follows:
  2. Any debits to such bank account, post freezing by the banks, shall be done only on the express instructions to the said banks by ………… [Name of the Stock Exchange/ Clearing Corporation].
  3. ………… [Name of the Stock Exchange / Clearing Corporation] shall not be liable in any way to me/us for any losses, claims, penalties, proceedings / actions, damages, consequential or otherwise, arising there from or occasioned thereby.
  4. No proceeding/suit/action/claims would be adopted by me/us against ………… [Name of the Stock Exchange/ Clearing Corporation] for any act done with respect to issuance of instruction to the bank/s mentioned above for freezing of my/our account/s held with the bank/s.
  5. I / We agree to indemnify and keep ………… [Name of the Stock Exchange/ Clearing Corporation] and/or its successors/assigns indemnified from time to time, and at all times hereafter, against all claims, demands, damages, liabilities, proceedings, losses, actions, charges and expenses made or suffered or incurred or caused or likely to suffer / incur directly or indirectly, to ………… [Name of the Stock Exchange/ Clearing Corporation] and/or its successors/assigns on account of freezing of my/our account/s held with bank/s.
  6. I/ We shall keep the Bank appropriately notified of the obligations undertaken by me / us herein and authorizing them to honour the instructions from ………… [Name of the Stock Exchange / Clearing Corporation].
  7. I / We undertake that a revised Undertaking cum Indemnity Bond shall be submitted by me / us to ………… [Name of the Stock Exchange / Clearing Corporation] within seven working days of opening of any new bank account or change in details of any existing bank account.
  8. This Undertaking cum Indemnity Bond shall be binding on my / our successors, legal representatives and assigns.
  9. I / We warrant that representations made by the undersigned / on behalf of the Member are true and correct.

IN WITNESS WHEREOF, I/We hereby execute this Undertaking cum Indemnity Bond on the day, month and year above written.

Solemnly declared at )
this ___ day of ______, 20 )

BEFORE ME

(Name of Designated Director)
(Name of Trading Member)
(with rubber stamp & SEBI Registration No.)

In the presence of:
1.
2.

Note: Board Resolution for execution of the said undertaking cum indemnity and authorization for signing the same should be enclosed along with the document.

Annexure-40 – Digital Mode of Payment

| Date | Department of SEBI | Name of Intermediary / Other entities | Type of Intermediary | SEBI Registration No. (If any) | PAN | Amount (Rs) | Purpose of Payment (including the period for which payment was made e.g. quarterly, annually) | Bank name and Account number from which payment is remitted | UTR No. |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| | | | | | | | | | |

Annexure-41

Following FMC circulars shall stand repealed and relevant SEBI circulars shall be applicable to all commodity derivatives exchanges including regional commodity derivative exchanges for compliance by their members.

Each entry below gives: S. No., Subject, FMC Circular being repealed, SEBI circulars being made applicable.

  i. Segregation of Client and Own Funds and Securities
     FMC Circular being repealed: No circular issued by FMC
     SEBI circulars being made applicable:
       a) SMD/SED/CIR/93/23321 dated Nov 18, 1993.
       b) MRD/DoP/SE/Cir-11/2008 dated Apr 17, 2008.

  ii. Running Account Settlement
     FMC Circular being repealed:
       a) FMC/4/2012/C/14 No. 1/2/2012/IR-I/Client-Protect/ dated Feb 02, 2012.
       b) FMC/4/2013/C/59 No. 1/2/2012/IR-I/Client-Protect dated May 20, 2013.
       c) No. 1/2/2012/IR-I/Client-Protect dated Jun 25, 2013.
       d) FMC/4/2014/C/121 FMC/2014/04/23- Quarterly Settlement dated Oct 17, 2014.
     SEBI circulars being made applicable:
       a) Clause 12 of Annexure A to MIRSD/SE/Cir-19/2009 dated Dec 3, 2009.
       b) MIRSD/Cir/01/2011 dated May 13, 2011.

  iii. Requirements with respect to Financial Documents, PAN, Inactive Clients etc.
     FMC Circular being repealed:
       a) No.IRD/Div/(1)FMCR/1/2005 dated Feb 14, 2006.
       b) Div. III/I/(53)/06/PAN No. dated Nov 28, 2006.
       c) 9/3/2008-MKT-II dated Jan 12, 2009.
       d) No. 18/1/2007/MKT-III dated Feb 11, 2008.
       e) No. 9/1/2009-MKT-I dated Dec 07, 2009.
       f) No. 9/12009-MKT-I dated Aug 10, 2010.
     SEBI circulars being made applicable:
       a) Clauses 6,8,14,15,16,18 and 19 of Annexure A to MIRSD/SE/Cir-19/2009 dated Dec 03, 2009.[125]
       b) CIR/MIRSD/01/2013 dated Jan 04, 2013.
       c) CIR/MIRSD/64/2016 dated Jul 12, 2016. For new client accounts.

  iv. In-Person Verification
     FMC Circular being repealed: Part C of FMC/4/2015/C/0015 No. FMC/COMPL/IV/KRA-05/11/14 dated Mar 13, 2015.
     SEBI circulars being made applicable:
       a) Para 3 of MIRSD/Cir-26/2011 Dec 23, 2011.
       b) Point 4 of Part 'Instructions/Check List' of Annexure 3 of Circular CIR/MIRSD/16/2011 dated Aug 22, 2011.

  v. KRA
     FMC Circular being repealed: FMC/4/2015/C/0015 No. FMC/COMPL/IV/KRA-05/11/14 dated Mar 13, 2015
     SEBI circulars being made applicable:
       a) MIRSD/Cir-23/2011 dated Dec 2, 2011.
       b) Para 1 of MIRSD/Cir-26/2011 dated Dec 23, 2011.

  vi. Anti-Money Laundering and Maintenance of Records
     FMC Circular being repealed:
       a) No.7/1/2008-MKT-II dated Oct 30, 2009.
       b) No.7/1/2008-MKT-II dated Jan 25, 2010.
       c) No. 7/1/2008-MKT-II dated Aug 25, 2010.
       d) FMC/4/2013/C/163; Div. III/I/89/07 dated Dec 18, 2013.
       e) No. 7/1/2013-MKT-1(A) dated Feb 04, 2015.
     SEBI circulars being made applicable:
       a) CIR/ISD/AML/3/2010 dated Dec 31, 2010.
       b) CIR/MIRSD/2/2013 dated Jan 24, 2013.
       c) CIR/MIRSD/1/2014 dated Mar 12, 2014.

  vii. Dealing in Cash
     FMC Circular being repealed: FMC/2/2014/C/23 No. 9/1/2014 -MKT-I dated Mar 12, 2014.
     SEBI circulars being made applicable: MRD/SE/Cir-33/2003/27/08 dated Aug 27, 2003.

  viii. Guidelines on Pre-funded Instruments
     FMC Circular being repealed: FMC/4/2011/G/0010 FMC/Complt/Circular dated Sep 27, 2011.
     SEBI circulars being made applicable: CIR/MIRSD/03/2011 dated Jun 9, 2011.

  ix. SMS and Email alerts facility to clients
     FMC Circular being repealed:
       a) FMC/4/2012/C/13 No. FMC/IR-I/Client protection/2012 dated Feb 02, 2012.
       b) FMC/Complt/Circular dated Jun 04, 2012.
       c) No:IR (2)/5/2012/SMS-Email dated Dec 07,2012.
       d) No.IR(2)/5/2012/SMS-Email dated Jan 21, 2013.
       e) No.IR(2)/5/2012/SMS/Email dated Mar 01, 2013.
       f) No.IR(2)/5/2012/SMS/Email dated Mar 06, 2013.
       g) No.IR(2)/5/2012/SMS/Email dated May 15, 2013.
       h) No.IR(2)/5/2012/SMS/E-mail dated Jun 21, 2013.
     SEBI circulars being made applicable: CIR/MIRSD/15/2011 dated Aug 02, 2011.

  x. Contract Note
     FMC Circular being repealed:
       a) No. 07/2008/COMP/LAD-ENF/AD(SN)/6609 dated Oct 27, 2009.
       b) FMC/COMPL/IV/2010/03/05/00011 dated Apr 19, 2011.
       c) Div.III/I/89/07 dated Mar 13, 2014.
       d) Div.III/I/89/07 dated Dec 24, 2014.
     SEBI circulars being made applicable:
       a) SMDRP/Policy/Cir-56/2000 dated Dec 15, 2000.
       b) SMD/SE/15/2003/29/04 dated Apr 29, 2003.
       c) MRD/DoP/SE/Cir-20/2005 dated Sep 8, 2005.
       d) Clause 13 of Annexure A to MIRSD/SE/Cir-19/2009 dated Dec 3, 2009.

  xi. Exclusive e-mail ID for redressal of Investor Complaints
     FMC Circular being repealed: No circular issued by FMC
     SEBI circulars being made applicable: MRD/DoP/Dep/SE/Cir-22/06 dated Dec 18, 2006.

  xii. Display of information such as logo, registration number on notice board and contract note and investor grievance redressal mechanism on notice board
     FMC Circular being repealed: No circular issued by FMC
     SEBI circulars being made applicable:
       a) Cir/MIRSD/9/2010 dated Nov 4, 2010.
       b) CIR/MIRSD/3/2014 dated Aug 28, 2014.

  xiii. Internal Audit
     FMC Circular being repealed: No circular issued by FMC
     SEBI circulars being made applicable: Para 7 to 11 of circular MIRSD/Master Cir-04/2010 dated Mar 17, 2010.

  xiv. Inspection of brokers
     FMC Circular being repealed:
       a) No. Div./III/I/301/2011-12/Audit dated Dec 23, 2011.
       b) No. Div./III/I/104/2008-09/Audit dated Feb 02, 2012.
       c) FMC/1/2014/C/50 No. Div.III/I/300/2011-12/Audit dated Apr 23, 2014.
       d) FMC/1/2014/C/47 No. FMC/1/2014/Audit/C Dated Apr 23, 2014.
     SEBI circulars being made applicable:
       a) Para 2 to 6 of circular MIRSD/Master Cir-04/2010 dated Mar 17, 2010.
       b) CIR/MIRSD/13/2012 dated Dec 07, 2012.

  xv. Change in control/ constitution
     FMC Circular being repealed:
       a) No.IRD-Div-III/1/143/10-MR dated Aug 14, 2010.
       b) Div:III/I/120/MR-2011/2 dated Apr 07, 2011.
       c) FMC/6/2011/C/0018 No. Div.III/I/68/MR/General dated Sep 22, 2011.
       d) FMC/6/2011/C/0019 No. Div. III/I/157/10-MR Dated Sep 27, 2011.
       e) FMC/4/2012/C/41 No. Div. III/I/157/10-MR dated Apr 04, 2012.
       f) Div. III/I/10/MR dated Apr 30, 2015.
     SEBI circulars being made applicable:
       a) MIRSD/MSS/Cir-30/13289/03 dated Jul 09, 2003.
       b) CIR/MIRSD/2/2011 dated Jun 3, 2011.
       c) CIR/MIRSD/14/2011 dated Aug 02, 2011.

  xvi. Procedure for surrender of membership
     FMC Circular being repealed:
       a) FMC/6/2011/C/0018 No. Div.III/I/68/MR/General dated Sep 22, 2011.
       b) FMC/1/2014/C/146 dated Dec 31, 2014.
       c) No.Div.II/I/112/2015/Refund of Deposit dated Jan 19, 2015.
       d) No. III/I/10/MR dated Jul 08, 2015.
     SEBI circulars being made applicable: MIRSD/MSS/Cir-30/13289/03 dated Jul 09, 2003.

  xvii. Guidelines on Outsourcing of Activities by Intermediaries
     FMC Circular being repealed: No circular issued by FMC
     SEBI circulars being made applicable: CIR/MIRSD/24/2011 dated Dec 15, 2011.

  xviii. BPO/KPO services - Segregation thereof from Commodity Derivatives Market
     FMC Circular being repealed: No. S/1/2009/MD-I dated Mar 28, 2011.
     SEBI circulars being made applicable:
       a) Rule 8(1)(f) and 8(3)(f) of SCRR, 1957.
       b) SMD/POLICY/CIR-6/97 dated May 07, 1997.

  xix. Authorized Persons
     FMC Circular being repealed: No.6/3/2008-MKT – II; FMC/2/2012/G/3 dated Jan 11, 2012.
     SEBI circulars being made applicable:
       a) MIRSD/DR-1/Cir-16/09 dated Nov 06, 2009.
       b) Cir/MIRSD/AP/8/2010 dated Jul 23, 2010.

[125] Words “Clauses 1 to 11 and Clauses 14 to 19 of Annexure A to MIRSD /SE/Cir-19/2009 dated Dec 3, 2009” replaced with “Clause 6,8,14,15,16,18 and 19 of Annexure A to MIRSD/SE/CIR-19/2009 dated December 03, 2009” in view of Clauses 1,2,3,4,5,7,9,10,11 and 17 of SEBI Circular dated December 03, 2009, being incorporated in various provisions of SEBI Circular CIR/MIRSD/16/2011 dated August 22, 2011 and FMC Circular FMC/4/2011/G/30 dated December 16, 2011 and Annexures specified in these circulars.

Annexure-42

Following FMC circulars are specific to commodity derivatives market. Contents/norms specified in following circulars shall continue to be in force beyond September 28, 2016. Provisions of these circulars shall be applicable to all commodity derivatives exchanges including regional commodity derivatives exchanges for compliance by their members.

Each entry below gives: S. No., Subject, FMC Circular No. and Date.

  i. Account Opening Process
       a) No.-FMC/4/2011/G/30 Ref. No.: Div. III/I/89/07 dated Dec 16, 2011*.
       b) Div.III/I/89/07 dated Aug 23, 2013.
       c) F.No.FMC/COMPL/2013/10/30-FSLRC/FSDC dated Mar 28, 2014.
       d) Div.III/2/89/VOL IV dated Apr 23, 2014.
       e) No. FMC/COMPL/IV/KRA-05/11/14 dated Feb 26, 2015.

  ii. Customer Protection such as keeping evidence of client placing order
       No.FMC/Comp/VI/2009/04/06/114/5787 dated Sep 16, 2009.

  iii. Nomenclature of Stock brokers
       a) 4/5/2005- M&S/MCX/Unit-II dated Apr 25, 2006.
       b) No.IRD-DIV-III/I/FCR-I/2009 dated Dec 21, 2009.
       c) No. DIV-III/I/122/10/MR dated Jun 25, 2010.
       d) 6/3/2008-MKT – II dated Feb 18, 2011.

  iv. Surrender of membership
       F.No.1/4/2009/MD-I dated Jul 20, 2009.

*All clauses to remain except to the extent as modified as described below.

  • Annexure 3 (Rights and Obligations of Members, Authorized Persons and Clients) of Circular No.-FMC/4/2011/G/30 Ref. No.: Div. III/I/89/07 dated Dec 16, 2011 is modified as follows:

    In Clause 30, for the words "in the Statement immediately but not later than 30 calendar days of receipt thereof, to the Member. A detailed statement of accounts must be sent every month to all the clients in physical form. The proof of delivery of the same should be preserved by the Member" the words "in the Statement within such time as may be prescribed by the relevant Exchange from time to time where the trade was executed, from the receipt thereof to the Stock broker" shall be substituted.

    In Clause 31, for the words "monthly" the words "daily" shall be substituted.

Para 3 C.A.iv which restricted seeking authorization through non-mandatory documents for any adjustment of funds among securities (stock) exchange and commodities exchange, will not be applicable, if such adjustment is within the same broking entity.

Annexure-43

Following FMC circulars shall stand repealed.

Each entry below gives: S. No., Subject, FMC Circular No. and Date.

  i. Segregation of Client Accounts in Commodity Futures Exchange and Spot Exchanges
       FMC/2/2011/C/0008; No.9/1/2011-MKT/I dated Sep 26, 2011.

  ii. Member to obtain FMC Unique Code
       No. IRD/Div./III/(1)/FMCR/1/2005 dated Oct 28, 2005.

  iii. Submission of networth certificate from the members
       No. Div-III/I/122/10/MR dated Nov 22, 2010.

  iv. Nomenclature of Stock Brokers
       No. IRD-DIV-III/I/FCR-I/2009 dated Dec 21, 2009.
       No. DIV-III/I/122/10/MR dated Jun 25, 2010.
       6/3/2008-MKT –II dated Feb 18, 2011.

Annexure-44

Eligible clients:

  1. Only non-individual clients shall be allowed to give BGs as margins, specifically for commodities segment.
  2. Net worth of such clients should be at least Rs. 1000 crores. If the net worth of the client is less than Rs. 1000 crores and client is a part of a group company of a MNC group or large conglomerate in India and that MNC or large conglomerate has Ultimate Beneficial Ownership of more than 50% in the concerned client, then the net worth of the MNC group as a whole or the net worth of the large conglomerate can be considered which should be minimum Rs. 5000 crores.

Eligibility conditions for BGs

  3. Only Banks approved by CCs shall be considered for issuance of such BGs.
  4. BG terms and conditions should clearly mention the Upstreaming Client Nodal Bank Account (USCNBA) bank account number where the funds shall be credited in case of invocation by SB/CM.
  5. In the event of invocation of BG, the funds shall be credited only to USCNBA bank account of the SB/CM and the funds shall be up-streamed on the same day to CC.
  6. SB/CM shall mandatorily inform the CC at the time of invocation of BG.
  7. SB/CM cannot accept BGs as margins from the above mentioned clients in excess of 25% of its net worth.

Declaration and undertaking to be given by clients

  8. CFO / COO / CEO / MD of such clients should give an undertaking to the Member at the time of giving BG as margins:
     a. We agree to issue the BG lien in favour of trading member __________ for trading in capital markets for client code _______ as per the contractual arrangement with the said trading member.
     b. We declare that we clearly understand that in case trading member wrongly invokes the BG, we shall not have any recourse to Exchange or SEBI to the extent of BG amount and shall not be compensated in any manner from Investor Protection Fund.

Other conditions

  9. SB/CM shall put its own funds with CC to the extent of BG amount towards the margin requirements of these clients.
  10. SB/CM cannot use borrowed funds for this purpose. Trading member shall give auditors certificate on half yearly basis to CC in this regard.

As mentioned in para 92.14 of this circular, the CCs are at liberty to apply stricter conditions other than those specified above based on their risk assessment.

APPENDIX - LIST OF CIRCULARS / COMMUNICATION

Each entry below gives: Sr. no, Circular/ Notification No. and Date, Subject.

  1. SEBI communication SE/10118 dated October 12, 1992. Listing fees from 1992-93 to 1996-97.
  2. SMD/SED/CIR/93/23321 dated November 18, 1993. Regulation Of Transactions Between Clients and Brokers.
  3. SMD/VRN/1476/95 dated April 27, Severance of connections with other businesses.
  4. SMD/POLICY/CIR-6/97 dated May 07, 1997. Applicability of Rule 8(1)(f) and 8(3)(f) of the Securities Contract (Regulation) Rules, 1957.
  5. SMD/POLICY/CIRCULAR/30/97 dated November 25, 1997. Registration of Brokers.
  6. SMD/POLICY/CIR-34/97 dated December 11, 1997. Conversion of individual membership into Corporate membership.
  7. SMD/POLICY/CIR-11/98 dated March 16, 1998. Additional information to be submitted at the time of registration of Stock Broker with SEBI.
  8. FITTC/DC/CR-1/98 dated June 16, 1998. Derivatives Trading in India.
  9. SMD/POLICY(BRK.REG.)/CIR-18/98 dated July 09, 1998. Merger/ Amalgamation of Trading Members.
  10. SMDRP/POLICY/CIR-06/2000 dated January 31, 2000. Conditions to be met by Broker for providing Internet Based Trading Service.
  11. SMDRP/Policy/Cir-48/2000 dated October 11, 2000. Securities Trading through Wireless medium on Wireless Application Protocol (WAP) platform.
  12. SMDRP/POLICY/CIR-56/00 dated December 15, 2000. Use of Digital Signature on Contract Notes
  13. SMDRP/POLICY/CIR-39/2001 dated July 18, 2001. Unique Client Code.
  14. SMD/POLICY/CIR-49/2001 dated October 22, 2001. Advertisement by Brokers/ Sub-Brokers and grant of trading terminals.
  15. SMD/DBA-II/CIR-22/2002 dated September 12, 2002. Additional requirements for processing applications of Stock Brokers for Registration/ Prior approval for sale of membership/ Change of name/ trade name.
  16. SEBI/SMD/SE/15/2003/29/04 dated April 29, 2003. Issuance of Contract Notes in electronic form
  17. SMD/DBA-II/Cir-16/9618/03 dated May 05, 2003. SEBI Registration Number of Brokers / Sub-Brokers to be quoted on all correspondences with SEBI.
  18. SEBI/MIRSD/CIR-06/2004 January 13, 2004. Review of norms relating to trading by Members/Sub-Brokers.
  19. MIRSD/DR-1/CIR-16/09 dated November 06, 2009. Market Access through Authorised Persons.
  20. MIRSD/SE/CIR-19/2009 dated December 03, 2009. Dealings between a client and a stock broker (trading members included).
  21. SEBI/MIRSD/MASTER CIR-04/2010 dated March 17, 2010. Master Circular on Oversight of Members (Stock Brokers/Trading Members/Clearing Members of any Segment of Stock Exchanges and Clearing Corporations).
  22. SEBI/CIR/MIRSD/AP/8/2010 dated July 23, 2010. Market Access through Authorised Persons.
  23. CIR/MIRSD/9/2010 dated November 04, 2010. Display of Details by Stock Brokers (including Trading Members).
  24. SEBI/MIRSD/CIR/01/2011 dated May 13, 2011. Clarification on circular dated December 3, 2009 on ‘Dealings between a Client and a Stock broker’.
  25. CIR/MIRSD/2/2011 dated June 03, 2011. Periodical Report – Grant of prior approval to members of Stock Exchanges/Sub-Brokers.
  26. CIR/MIRSD/03/2011 dated June 09, 2011. Pre-funded instruments / electronic fund transfers.
  27. CIR/MIRSD/12/2011 dated July 11, 2011. Clarification regarding admission of Limited Liability Partnerships as Members of Stock Exchanges.
  28. CIR/MIRSD/15/2011 dated August 02, 2011. SMS and E-mail alerts to investors by Stock Exchanges.
  29. CIR/MIRSD/16/2011 dated August 22, 2011. Simplification and Rationalization of Trading Account Opening Process
  30. CIR/MIRSD/18/2011 dated August 25, 2011. Redressal of investor grievances against Stock Brokers and Sub-Brokers in SEBI Complaints Redress System (SCORES).

  31. MIRSD/SE/CIR-21/2011 dated October 05, 2011. Uniform Know Your Client (KYC) requirements for the securities market
  32. CIR/MIRSD/24/2011 dated December 15, 2011. Guidelines on Outsourcing of Activities by Intermediaries
  33. CIR/MIRSD/13/2012 dated December 07, 2012. Oversight of Members (Stock Brokers/Trading Members/Clearing Members of any segment of Stock Exchanges/Clearing Corporations).
  34. CIR/MIRSD/5/2013 dated August 27, 2013. General Guidelines for dealing with Conflicts of Interest of Intermediaries, Recognised Stock Exchanges, Recognised Clearing Corporations, Depositories and their Associated Persons in Securities Market.
  35. CIR/MIRSD/13/2013 dated December 26, 2013. Know Your Client Requirements
  36. CIR/MIRSD/2/2014 dated June 30, 2014. Inter-Governmental Agreement with United States of America under Foreign Accounts Tax Compliance Act – Registration.
  37. CIR/MIRSD/3/2014 dated August 28, 2014. Information regarding Grievance Redressal Mechanism.
  38. CIR/MIRSD/4/2014 dated October 13, 2014. Single registration for Stock Brokers & Clearing Members.
  39. CIR/MIRSD/2/2015 dated August 26, 2015. Implementation of the Multilateral Competent Authority Agreement and Foreign Account Tax Compliance Act.
  40. CIR/MIRSD/3/2015 dated September 10, 2015. Reporting Requirement under Foreign Account Tax Compliance Act (FATCA) and Common Reporting Standards (CRS) – Guidance Note.
  41. CIR/MIRSD/4/2015 dated September 29, 2015. Registration of Members of Commodity Derivatives Exchanges.
  42. CIR/MIRSD/64/2016 dated July 12, 2016. Simplification of Account Opening Kit
  43. CIR/MIRSD/66/2016 dated July 21, 2016. Operationalisation of Central KYC Records Registry (CKYCR)
  44. SEBI/HO/MIRSD/MIRSD2/CIR/P/2016/92 dated September 23, 2016. Regulatory Framework for Commodity Derivatives Brokers.

  45. SEBI/HO/MIRSD/MIRSD2/CIR/P/2016/95 dated September 26, 2016. Enhanced Supervision of Stock Brokers/Depository Participants.
  46. SEBI/HO/MIRSD/MIRSD6/CIR/P/2017/20 dated March 10, 2017. Redressal of complaints against Stock Brokers and Depository Participants in SEBI Complaints Redress System (SCORES).
  47. SEBI/HO/MIRSD/MIRSD1/CIR/P/2017/38 dated May 02, 2017. Online Registration Mechanism for Securities Market Intermediaries.
  48. CIR/HO/MIRSD/MIRSD2/CIR/P/2017/64 dated June 22, 2017. Clarification to Enhanced Supervision Circular.
  49. CIR/HO/MIRSD/MIRSD2/CIR/P/2017/73 dated June 30, 2017. Policy of Annual Inspection of Members by Stock Exchanges/Clearing Corporations.
  50. SEBI/HO/MIRSD/MIRSD1/CIR/P/2017/104 dated September 21, 2017. Integration of broking activities in Equity Markets and Commodity Derivatives Markets under single entity.
  51. CIR/HO/MIRSD/MIRSD2/CIR/PB/2017/107 dated September 25, 2017. Clarification to Enhanced Supervision Circular.
  52. SEBI/HO/MIRSD/MIRSD2/CIR/P/2017/123 dated November 29, 2017. Modification to Enhanced Supervision Circular.
  53. SEBI/HO/MIRSD/DOP1/CIR/P/2018/54 dated March 22, 2018. Circular on Prevention of Unauthorised Trading by Stock Brokers.
  54. SEBI/HO/MIRSD/DOP/CIR/P/2018/113 dated July 12, 2018. Discontinuation of acceptance of cash by Stock Brokers
  55. SEBI/HO/MIRSD/CIR/PB/2018/147 dated December 03, 2018. Cyber Security & Cyber Resilience framework for Stock Brokers / Depository Participants
  56. SEBI/HO/MIRSD/DOP/CIR/P/2018/153 dated December 17, 2018. Early Warning Mechanism to prevent diversion of client securities
  57. SEBI/HO/MIRSD/DOS2/CIR/P/2019/10 dated January 04, 2019. Reporting for Artificial Intelligence (AI) and Machine Learning (ML) applications and systems offered and used by market intermediaries
  58. SEBI/HO/MIRSD/DOP/CIR/P/2019/14 dated January 11, 2019. Uniform membership structure across segments
  59. CIR/HO/MIRSD/DOS2/CIR/PB/2019/038 dated March 15, 2019. Clarification to Cyber Security & Cyber Resilience framework for Stock Brokers / Depository Participants

  60. CIR/HO/MIRSD/DOP/CIR/P/2019/75 dated June 20, 2019. Handling of Clients’ Securities by Trading Members/Clearing Members
  61. SEBI/HO/MIRSD/DOP/CIR/P/2019/109 dated October 15, 2019. Cyber Security & Cyber Resilience framework for Stock Brokers / Depository Participants-Clarifications
  62. SEBI/HO/MIRSD/DOP/CIR/P/2019/136 dated November 15, 2019. Mapping of Unique Client Code (UCC) with demat account of the clients
  63. CIR/HO/MIRSD/DOP/CIR/P/2019/139 dated November 19, 2019. Collection and reporting of margins by Trading Member (TM) / Clearing Member (CM) in Cash Segment
  64. SEBI/HO/MIRSD/DOP/CIR/P/2020/28 dated February 25, 2020. Margin obligations to be given by way of Pledge/ Re-pledge in the Depository System
  65. SEBI/HO/MIRSD/DOP/CIR/P/2020/88 dated May 25, 2020. Implementation of Circular on ‘Margin obligations to be given by way of Pledge / Re-pledge in the Depository System’ - Extension
  66. SEBI/HO/MIRSD/DPIEA/CIR/P/2020/115 dated July 01, 2020. Standard Operating Procedure in the cases of Trading Member / Clearing Member leading to default
  67. SEBI/HO/MIRSD/DOP/CIR/P/2020/146 dated July 31, 2020. Collection and Reporting of Margins by Trading Member (TM) / Clearing Member (CM) in Cash Segment
  68. SEBI/HO/MIRSD/DOP/CIR/P/2020/158 dated August 27, 2020. Execution of Power of Attorney (PoA) by the Client in favour of the Stock Broker / Stock Broker and Depository Participant
  69. SEBI/HO/MIRSD/DOP/CIR/P/2020/173 dated September 15, 2020. Collection and Reporting of Margins by Trading Member (TM) / Clearing Member (CM) in Cash Segment - Clarification
  70. SEBI/HO/MIRSD/DPIEA/CIR/P/2020/186 dated September 28, 2020. Recovery of assets of defaulter member and recovery of funds from debit balance clients of defaulter member for meeting the obligations of clients / Stock Exchange / Clearing Corporation
  71. SEBI/HO/MIRSD2/DOR/CIR/P/2020/221 dated November 03, 2020. Advisory for Financial Sector Organizations regarding Software as a Service (SaaS) based solutions
  72. SEBI/HO/MIRSD/DOC/CIR/P/2020/226 dated November 06, 2020. Investor Grievance Redressal Mechanism

  73. SEBI/HO/MIRSD/DOP/CIR/P/2021/31 dated March 10, 2021. Rollout of Legal Entity Template
  74. SEBI/HO/MIRSD/DOR/CIR/P/2021/42 dated March 25, 2021. Prior Approval for Change in control: Transfer of shareholdings among immediate relatives and transmission of shareholdings and their effect on change in control
  75. SEBI/HO/MIRSD/DOR/CIR/P/2021/46 dated March 26, 2021. Transfer of business by SEBI registered intermediaries to other legal entity
  76. SEBI/HO/MIRSD/DOP/P/CIR/2021/577 dated June 16, 2021. Settlement of Running Account of Client’s Funds lying with Trading Member (TM)
  77. SEBI/HO/MIRSD/DOP/P/CIR/2021/595 dated July 16, 2021. Block Mechanism in demat account of clients undertaking sale transactions
  78. SEBI/HO/MIRSD/DOP/CIR/P/2021/653 dated October 28, 2021. Maintenance of current accounts in multiple banks by Stock Brokers
  79. SEBI/HO/MIRSD/MIRSD_IT/P/CIR/2021/0000000658 dated November 16, 2021. Framework for Regulatory Sandbox
  80. SEBI/HO/MIRSD/DOP/CIR/P/2021/676 dated December 02, 2021. Publishing Investor Charter and disclosure of Investor Complaints by Stock Brokers on their websites
  81. SEBI/HO/MIRSD/DoP/P/CIR/2022/44 dated April 04, 2022. Execution of ‘Demat Debit and Pledge Instruction’ (DDPI) for transfer of securities towards deliveries / settlement obligations and pledging / re-pledging of securities
  82. SEBI/HO/MIRSD/DoR/P/CIR/2022/61 dated May 13, 2022. Guidelines for seeking NOC by Stock Brokers / Clearing Members for setting up Wholly Owned Subsidiaries, Step Down Subsidiaries, Joint Ventures in GIFT IFSC
  83. SEBI/HO/MIRSD/DPIEA/CIR/P/2022/72 dated May 27, 2022. Modification to Standard Operating Procedure in the cases of Trading Member / Clearing Member leading to default
  84. SEBI/HO/MIRSD/DOS3/P/CIR/2022/78 dated June 03, 2022. Investor Redressal Grievance Mechanism
  85. SEBI/HO/MIRSD/TPD/P/CIR/2022/80 dated June 07, 2022. Modification in Cyber Security and Cyber resilience framework for Stock Brokers / Depository Participants
  86. SEBI/HO/MIRSD/MIRSD_DPIEA/P/CIR/2022/83 dated June 20, 2022. Naming / Tagging of demat accounts maintained by Stock Brokers
  87. SEBI/HO/MIRSD/TPD/P/CIR/2022/93 dated June 30, 2022. Modification in Cyber Security and Cyber resilience framework for Stock Brokers / Depository Participants
  88. SEBI/HO/MIRSD/DoP/P/CIR/2022/101 dated July 27, 2022. Settlement of Running Account of Client’s Funds lying with Trading Member (TM)
  89. SEBI/HO/MIRSD/DoP/P/CIR/2022/109 dated August 18, 2022. Block Mechanism in demat account of clients undertaking sale transactions
  90. SEBI/HO/MIRSD/DOP/P/CIR/2022/117 dated September 02, 2022. Performance/return claimed by unregulated platforms offering algorithmic strategies for trading
  91. SEBI/HO/MIRSD/DoP/P/CIR/2022/119 dated September 19, 2022. Validation of Instructions for Pay-In of Securities from Client demat account to Trading Member (TM) Pool Account against obligations received from the Clearing Corporations
  92. SEBI/HO/MIRSD/MIRSD-PoD-1/P/CIR/2022/137 dated October 06, 2022. Execution of ‘Demat Debit and Pledge Instruction’ (DDPI) for transfer of securities towards deliveries / settlement obligations and pledging / re-pledging of securities-Clarification
  93. SEBI/HO/MIRSD/DOP/P/CIR/2022/143 dated October 27, 2022. Block Mechanism in demat account of clients undertaking sale transactions-Clarification
  94. SEBI/HO/MIRSD/MIRSD-PoD-1/P/CIR/2022/153 dated November 11, 2022. Handling of Clients’ Securities by Trading Members (TM)/ Clearing Members (CM)
  95. SEBI/HO/MIRSD/DoP/P/CIR/2022/162 dated November 25, 2022. Extension of timelines for implementation of SEBI circulars SEBI/HO/MIRSD/MIRSD-PoD-1/P/CIR/2022/137 and SEBI/HO/MIRSD/DoP/P/CIR/2022/119
  96. SEBI/HO/MIRSD/TPD-1/P/CIR/2022/160 dated November 25, 2022. Framework to address the ‘technical glitches’ in Stock Brokers’ Electronic Trading Systems

  97. SEBI/HO/MIRSD/MIRSD-PoD-2/P/CIR/2022/163 dated November 28, 2022. Procedure for seeking prior approval for change in control
  98. SEBI/HO/MIRSD/MIRSD-PoD-1/P/CIR/2022/177 dated December 30, 2022. Introduction of Investor Risk Reduction Access (IRRA) platform in case of disruption of trading services provided by the Trading Member (TM)
  99. SEBI/HO/MIRSD/MIRSD-PoD-1/P/CIR/2023/24 dated February 06, 2023. Enhanced obligations and responsibilities on Qualified Stock Brokers (QSBs)
  100. SEBI/HO/MIRSD/MIRSD-PoD-1/P/CIR/2023/30 dated February 15, 2023. Maintenance of a website by stock brokers and depository participants
  101. SEBI/HO/MIRSD/MIRSD-PoD-1/P/CIR/2023/42 dated March 27, 2023. Nomination for Eligible Trading and Demat Accounts – Extension of timelines for existing account holders
  102. SEBI letter dated June 24, 2008. SEBI letter number MRD/DoP/NSE/129791/2008
  103. SEBI letter dated March 31, 2015. SEBI letter number MRD/DMS/OW/9500/2015
  104. Email dated April 13, 2022. Issuance of Electronic Contract Notes (ECN) through SMS/electronic instant messaging services
  105. SEBI/HO/MIRSD/MIRSD-PoD-1/P/CIR/2023/061 dated April 25, 2023. Bank Guarantees (BGs) created out of clients’ funds
  106. SEBI/HO/MIRSD/MIRSD-PoD-1/P/CIR/2023/73 dated May 19, 2023. Risk disclosure with respect to trading by individual traders in Equity Futures & Options Segment
  107. SEBI/HO/MIRSD/MIRSD-PoD-1/P/CIR/2023/83 dated June 02, 2023. Transactions in Corporate Bonds through Request for Quote (RFQ) platform by Stock Brokers (SBs).
  108. SEBI/HO/MIRSD/MIRSD-PoD-1/P/CIR/2023/95 dated June 21, 2023. Trading Preferences by Clients
  109. SEBI/HO/MIRSD/MIRSD-PoD-1/P/CIR/2023/132 dated August 01, 2023. Trading Preferences by Clients – Applicability for commodity derivatives
  110. SEBI/HO/MIRSD/POD-1/P/CIR/2023/158 dated September 26, 2023. Extension of timelines (i) for nomination in eligible demat accounts and (ii) for submission of PAN, Nomination and KYC details by physical security holders; and voluntary nomination for trading accounts
  111. SEBI/HO/MIRSD/MIRSD-PoD-1/P/CIR/2023/180 dated November 13, 2023. Most Important Terms and Conditions (MITC)
  112. SEBI/HO/MIRSD/MIRSD-PoD-1/P/CIR/2023/187 dated December 12, 2023. Upstreaming of clients’ funds by Stock Brokers (SBs) / Clearing Members (CMs) to Clearing Corporations (CCs)
  113. SEBI/HO/MIRSD/MIRSD-PoD1/P/CIR/2023/197 dated December 28, 2023. Settlement of Running Account of Client’s Funds lying with Trading Member (TM)
  114. SEBI/HO/MIRSD/MIRSD-PoD-1/P/CIR/2024/03 dated January 12, 2024. Ease of doing business-Changes in reporting
  115. SEBI/HO/MIRSD/POD-1/P/CIR/2024/4 dated January 12, 2024. Ease of Doing Investments by Investors-Facility of voluntary freezing/ blocking of Trading Accounts by Clients
  116. SEBI/HO/MIRSD/MIRSD-PoD-1/P/CIR/2024/14 dated March 11, 2024. Measures to instill trust in securities market – Expanding the framework of Qualified Stock Brokers (QSBs) to more stock brokers
  117. SEBI/HO/MIRSD/MIRSD-PoD1/P/CIR/2024/75 dated June 05, 2024. Enhancement of operational efficiency and Risk reduction – Pay-out of securities directly to client demat account
  118. SEBI/HO/MIRSD/MIRSD-PoD-1/P/CIR/2024/96 dated July 04, 2024. Measures to instil confidence in securities market – Brokers’ institutional mechanism for prevention and detection of fraud or market abuse

List of Changes

Annexure A

Each entry below gives: S. No., Changes, Page and para number.

  1. SEBI/HO/MIRSD/MIRSD-PoD1/P/CIR/2024/75 on ‘Enhancement of operational efficiency and Risk reduction – Pay-out of securities directly to client demat account’ dated June 05, 2024
     Page and para number: Para 50 at page no. 126; Para 41.9 at page no. 99

  2. SEBI/HO/MIRSD/MIRSD-PoD-1/P/CIR/2024/96 on ‘Measures to instil confidence in securities market – Brokers’ institutional mechanism for prevention and detection of fraud or market abuse’ dated July 04, 2024
     Page and para number: Para 94 at Page no. 234

  3. Para 51.3.6 wherein option has been given to broker to send contract note either in physical mode or through electronic instant messaging services in case ECN has not been delivered to the client or has been rejected by email id of client. Accordingly para 50.3.8 of Master Circular for stock brokers dated May 22, 2024 stands deleted
     Page and para number: Para 51.3.6 at page no. 129; Point no. 37.2 of Annexure 9 ‘Rights and Obligation of Stock brokers and clients’ at page no. 282

  4. SEBI/HO/MIRSD/MIRSD-PoD1/P/CIR/2024/95 on ‘Modification to Enhanced Supervision of Stock brokers and Depository Participants’ dated July 04, 2024
     Page and para number: Para 15.8.1.1.c at page no. 34 and Para 15.8.1.2.a at page no. 35

  5. Provisions related to conciliation proceedings have been incorporated.
     Page and para number: Point no. 22, 23 and 37.6 of Annexure 9 ‘Rights and Obligation of Stock brokers and clients’ at page no. 282

  6. There was typo error, wherein erroneously demat account under ‘5’ categories was mentioned despite total 6 categories of demat accounts being given in the table.
     Page and para number: Para 15.3.2.4 at page no. 25

  7. Smart Order Routing wherein Client Broker agreement has been replaced with ‘Rights and Obligation of Stock brokers and clients’
     Page and para number: Para 57.2.8 at page no. 152