Ever since the introduction of framework for prevention of insider trading (“PIT”), the Securities and Exchange Board of India (“SEBI”), as the primary regulator of securities markets has consistently been sharpening its tools to effectively discharge its duty of ensuring market integrity, curbing malpractices and safeguarding interests of investors.
One such tool named the ‘structured digital database’ (“SDD”) was added by SEBI in its mix of digital surveillance aids, through the SEBI (Prohibition of Insider Trading) (Amendment) Regulations, 2018 with effect from April 1, 2019. Thus, it has been more than four years since SDD was introduced in the PIT universe. Its implementation, however, still poses occasional challenges for market participants.
This blog provides a brief overview of the SDD, which seems to be increasingly becoming a strong aide of the market’s regulator for investigation into matters involving suspected insider trading.
What is SDD?
Under the SEBI (Prohibition of Insider Trading) Regulations, 2015, as amended from time to time, (“PIT Regulations”), entities that handle unpublished price sensitive information (“UPSI”) are mandated to maintain a digital database. The SDD must contain details of persons with whom UPSI is shared along with the details of those sharing such UPSI, and the nature of the shared UPSI. Apart from listed companies, such entities typically include intermediaries, that is, merchant bankers, asset management companies, stockbrokers, etc., and fiduciaries such as auditors, advisors to transactions, and other consultants.
To summarise, SDD is an electronic database of persons who have access to UPSI.
Why SDD?
SDD was introduced to address the need for a traceable trail of information flow of legitimately shared UPSI, aligning with the recommendations set forth in the Report of the Committee on Fair Market Conduct (“Report”)[1]. The Report inter-alia highlighted that once UPSI is shared for legitimate purposes, the company loses control over further use of that information by those who come into its possession. If such information is misused for insider trading, it becomes difficult to establish a connection between the company and the recipient of information.
Hence, SDD provisions were implemented by SEBI to establish an information trail that can aid SEBI / stock exchanges in the investigation of insider trading matters.
Key requirements
- Internal servers: SDD needs to be maintained internally and cannot be outsourced. Previously, FAQs considered SDD maintained on cloud servers hosted outside India as outsourced. The FAQs released in March 2023[2] have removed such clarification, providing some relief to entities. Without necessarily restricting the use of external servers, the responsibility to ensure security of data / logs of SDD has been parked with the board of directors and the compliance officer.
- Time-stamp: Every entry in the SDD needs to have a time-stamp, which provides details on when any particular person first received access to UPSI. This is the most crucial aspect and needs to be carefully dealt with as it could potentially form the basis for future regulatory actions.
- Tamper-proof: SDD must have adequate controls / checks with audit trails to prevent tampering with the database and consequently, the chain of information sharing. No modifications can be made to any entry in the SDD, and if any change is needed to the information already entered, it must be made by way of a separate entry.
- Access rights: The responsibility of maintaining an SDD primarily rests with the board of directors. Given this and the stringent requirements around maintenance of SDD (i.e. non-editable, audit trails, etc.), right to enter information in the SDD should be vested only with authorised personnel.
Entities to whom SDD is applicable choose to either onboard external software or develop such software in-house. These entities must ensure that the software through which the SDD is being maintained is compliant with the above requirements. In the context of listed entities, compliance of SDD forms part of the Annual Secretarial Compliance Report provided by an independent practicing company secretary and submitted to stock exchanges.[3]
Key Challenges
- Applicability: While the FAQs issued in November 2019, clarified that fiduciaries / intermediaries are required to maintain details of persons who have access to UPSI, the requirement was codified by way of an amendment[4] to PIT Regulations, stating that ‘every person required to handle UPSI’ has to maintain an SDD. This amendment significantly increased the ambit of entities required to ensure SDD compliance. Certain types of entities who may not have access to UPSI on a regular basis, have been evaluating whether they are required to maintain an SDD in terms of their exposure to listed entities / scrips and whether listed companies maintaining their data will suffice.
- Identifying information: A common dilemma amongst those to whom SDD applies is determining what information needs to be entered into the database. Maintenance of SDD is directly linked to the identification of UPSI, which itself is very subjective and remains to be a fact-specific assessment. This brings us back to the classic question, ‘is all confidential information UPSI?’ For e.g., when a company is considering corporate action, at what stage should it start maintaining SDD? Additionally, does the information have to be entered at every stage (or can it be done initially)? What if the idea for undertaking such corporate action emanates from an external consultant?
- Timing: Entities generally grapple with the question of how frequently should the information be entered into the SDD and the timeline for entering the information. While the PIT Regulations do not prescribe any timelines for updating the SDD, the regulatory expectation seems to be that the database is updated in real-time and in any event, immediately upon sharing of the information. This will ensure that the no information is missed and the SDD captures every such event.[5] This expectation has been highlighted by a warning letter issued by SEBI to a listed entity.
- Coverage: Ensuring adequate coverage of persons in an organisation is again a complicated exercise that needs to be undertaken thoughtfully. All those involved / having access to the UPSI, whether designated or not, internal or external, need to be entered into the SDD. This could again lead to procedural constraints for entities to enter information of such persons in the SDD.
- Alignment: Since entities that receive information are also required to maintain an SDD, it is important that both the provider and the recipient are clear on what information is to be entered as UPSI and that both their databases are aligned. In case, there is a gap in the SDDs and the same is identified as part of regulatory scrutiny, it could create reputational risks for either of the entities.
- Increased regulatory action: Of late, SDD has been on the regulatory radar, starting with the stock exchanges inspecting the SDD system maintained by the listed entities. Entities who were found to be non-compliant were flagged as SDD non-compliant on their respective pages on the exchange website until adequate compliance was ensured. In addition, listed companies, as well as, intermediaries / investors associated with listed companies regularly receive information requests from SEBI and stock exchanges. Such requests often involve seeking extract of SDD as part of their investigation process. All this has made SDD compliance very critical and a crucial aspect of capital markets / M&A transactions involving listed entities.
Conclusion
SEBI’s mandate of maintaining a SDD for sharing of price sensitive information underscores the regulator’s commitment to transparency and integrity in India’s securities markets. By holding entities accountable and ensuring a traceable record of UPSI dissemination, SEBI aims to keep a check on the flow of information within and outside the organisations. Having said this, the risk of regulatory action on account of certain challenges in SDD compliance (as highlighted above) will continue to be a hanging sword for entities dealing in information of listed securities. Navigating through this will require thoughtful consideration and a nuanced approach.
[1] Para 2.3 of the Report of the Committee on Fair Market Conduct dated August 8, 2018
[2] FAQ no. 7 of Comprehensive FAQs on SEBI (PIT) Regulations, 2015 issued on March 31, 2023
[3] Exchange circulars dated March 16, 2023
[4] SEBI (Prohibition of Insider Trading) (Amendment) Regulations, 2020 effective July 17, 2020
[5] FAQ no. 6 under ‘Standard Operating Process under SEBI (PIT) Regulations, 2015 for ensuring compliance with Structured Digital Database (SDD)’ issued by NSE and BSE on October 28, 2022