Date: 2023-10-20

Capital markets regulator Sebi on Friday came out with guidelines to strengthen governance of Qualified Registrars and Transfer Agents (QRTAs) for handling disruption and improving preparedness by conducting periodic drills.

In its circular, the regulator has asked QRTAs to put in place a Business Continuity Plan (BCP) and Disaster Recovery Site (DRS) in a bid to ensure continuity of operations and maintain data and transaction integrity.

Apart from DRS, all QRTAs are required to have a Near Site (NS) to ensure zero data loss.

Qualified RTAs -- RTAs having more than 2 crore folios -- are systemically important institutions as they provide the infrastructure necessary for the smooth and uninterrupted functioning of the securities market.

As part of operational risk management, these QRTAs need to have a high level of resilience to provide essential facilities and perform systemically critical functions uninterruptedly in the securities market.

The new guidelines are aimed at "strengthening overall resiliency, the procedures at or governance of QRTAs for handling disruption, augmentation of systems and practices to achieve better Recovery Time Objective (RTO) and Recovery Point Objective (RPO), and to improve overall preparedness by conducting periodic announced/unannounced drills."

Under the guidelines, Sebi said that the manpower deployed at DRS is required to have knowledge and expertise of various technological and procedural systems and processes relating to all operations such that DRS/NS (near site) can function at short notice, independently.

QRTAs need to have a sufficient number of trained staff at their DRS so as to have the capability of running live operations from the DRS without involving staff of the Primary Data Centre (PDC).

All QRTAs are required to constitute an Incident and Response Team (IRT) or Crisis Management Team (CMT), which will be chaired by the Managing Director (MD) of the QRTA or by the Chief Technology Officer (CTO), in case of non-availability of MD. Such a team will be responsible for the actual declaration of disaster, invoking the BCP and shifting operations from PDC to DRS whenever required.

Sebi said that the disaster recovery site should preferably be set up in a different seismic zone. In case of certain reasons such as operational constraints, change of seismic zones, etc., a minimum distance of 500 kilometres needs to be ensured between PDC and DRS so that both DRS and PDC are not affected by the same disaster.

In the event of disruption of critical systems, the QRTA will have to, within 30 minutes of the incident, declare that incident as 'Disaster' and take measures to restore operations, including from DRS, within 45 minutes of the declaration of 'Disaster'.

Accordingly, the Recovery Time Objective -- the maximum time taken to restore operations of 'Critical Systems' from DRS after the declaration of Disaster -- will be 45 minutes.

"QRTAs to also ensure that the Recovery Point Objective (RPO) -- the maximum tolerable period for which data might be lost due to a major incident -- shall be 15 minutes," Sebi said.

RTAs will have to conduct periodic training programmes to boost the preparedness and awareness level among their employees, outsourced staff and vendors, among others, as per BCP policy.

DR drills should be conducted on a quarterly basis. These drills should be closer to real-life scenarios (trading days) with minimal notice to the DRS staff involved. Further, QRTAs should also conduct unannounced live operations from their DRS for at least one day in every three months on normal working days. Moreover, unannounced live operations from DRS of QRTAs need to be done at a short notice of 45 minutes.

The regulator has asked QRTAs to submit their revised BCP-DR policy to it within three months.