Why SEBI imposed ₹12 lakh fine on NSE Data and Analytics

The Securities and Exchange Board of India (SEBI) on Monday imposed a fine of ₹12 lakh on NSE Data and Analytics Limited (NDAL), a subsidiary of the National Stock Exchange (NSE), for multiple violations of Know-Your-Customer (KYC) processes and cybersecurity regulations [In the matter of In the matter of inspection of NSE Data And Analytics Limited].

NDAL has been directed to pay this penalty within 45 days of the September 30 order.

This action follows an inspection conducted by SEBI from September 6 to 7, 2023, which examined the company's operations between April 1, 2022, and July 31, 2023.

The inspection uncovered significant irregularities, particularly NDAL's failure to maintain adequate backup records and its lack of a comprehensive Business Continuity Plan (BCP) and Disaster Recovery (DR) framework during the inspection period.

SEBI's order noted that NDAL "was not having its own policy on BCP/DR during the Inspection Period," with a separate policy only being developed in January 2024 after SEBI raised concerns.

Among the key violations, NDAL was found to have failed to process and validate KYC records for 1,159 clients who used Aadhaar as an Officially Valid Document (OVD) within the mandated two-day turnaround time, breaching provisions of the SEBI (KYC Registration Agency) Regulations, 2011.

Additionally, SEBI emphasized that delays in sending acknowledgment letters to investors violated a SEBI Circular of 2011, which requires timely acknowledgment of KYC submissions.

In terms of cybersecurity, SEBI found that NDAL did not close identified vulnerabilities within the required timelines and failed to reflect these issues in its Cyber Security Audit Report.

The order stated that the company violated multiple clauses related to cybersecurity frameworks mandated by SEBI, raising concerns about NDAL's compliance with necessary regulations.

In its defense, NDAL had contested SEBI's allegations, asserting that it had adhered to the required regulations and had implemented a Vulnerability Assessment and Penetration Testing (VAPT) protocol

The company claimed that vulnerabilities were addressed within the stipulated three-month time frame but acknowledged delays in sending acknowledgment letters, which constituted a small fraction of total cases.

The regulatory process spanned several months, starting with SEBI communicating its findings to NDAL on October 31, 2023. The company responded on November 8, challenging the allegations. A personal hearing was initially scheduled for May 14, 2024, but was postponed to May 17 at NDAL's request, subsequent to which an order was passed on Monday.

In its order, SEBI's Adjudicating Officer Barnali Mukherjee reaffirmed the findings from the inspection and emphasized the critical importance of regulatory compliance.

“The Noticee being a registered intermediary is expected to adhere to fair practices and maintain a high degree of professionalism in the conduct of its business. The violations as established above certainly deserve imposition of penalty on the Noticee," the order said.

[Read Order]