Public Notice
Consultation Paper for Guidelines on Procedure, process and on implementation of Technology based measures to secure trading environment and to prevent unauthorised transactions in trading/demat account of investors
SEBI issued a consultation paper on technology-based measures to create a secure trading environment and to prevent unauthorized transactions in trading and demat accounts on February 18, 2025. The consultation paper is available on the SEBI website.
In continuation of the said consultation paper, stock exchanges shall be issuing detailed guidelines with respect to the procedure, process and manner of implementation of the framework proposed in the said SEBI consultation paper. The draft guidelines on procedure and process of implementation are presented as the Annexure.
The comments/ suggestions should be submitted latest by March 17, 2025.
________________________________________________________________________________________________________
Annexure:
Guidelines on procedure, process and implementation of Technology based measures to secure trading environment and to prevent unauthorised transactions in trading/demat account of investors
- Background
1.1. SEBI issued a consultation paper on technology-based measures to create a secure trading environment and to prevent unauthorized transactions in trading and demat accounts on February 18, 2025. The consultation paper proposed a framework for creating a secure and robust ecosystem for trading using mobile and desktop applications.
1.2. In continuation of the said consultation paper, stock exchanges would be issuing detailed guidelines with respect to the procedure, process and manner of implementation of the framework proposed in the said SEBI discussion paper. In this connection, stock exchanges seek comments from stakeholders on the proposed guidelines that will be issued by stock exchanges to implement the technology-based measures to secure the trading environment.
- Authentication mechanism: Hard binding of SIM of the device with mobile and UCC of the clients:
Primary SIM bound device:
2.1 Investors opting for trading through online mode (i.e. IBT and STWT mode) will be required to register their mobile device with the stock broker. A mobile device possessing the registered mobile number and SIM number shall be linked to the Unique Client Code (UCC) of the client. The hard-bound device (i.e. SIM-Mobile-UCC enabled) would become the primary SIM bound device. Stock brokers offering the IBT trading facility shall provide a facility to register the device in their mobile application.
2.2 Clients have the option to bind the existing mobile number linked to their UCC as the primary SIM bound device or to register a new mobile device. When registering a new mobile device, the UCC of the client is required to be updated with the new mobile number to make it the primary SIM bound device. The stock broker shall ensure that at all points in time the primary SIM bound device cannot be different from the mobile number registered in the UCC database.
2.3 The stock broker shall develop a mechanism in the mobile trading application for seamless registration of the mobile device, SIM and UCC of the client. Further, stock brokers shall ensure that the following information is captured in their mobile application to ensure that only authorised users can access the trading accounts and to mitigate unauthorized trading:
· Mobile number
· Device IMEI number/app installed ID
· SIM (Unique identifier i.e. IMSI)
· UCC of the client
· Geolocation of the device
2.4 The Stock Exchange will maintain the database of the hard-bound devices and SIMs linked to the UCC of the client.
2.5 The first linkage of mobile device and SIM with UCC may take place through an encrypted authentication that is akin to current UPI handle creation. The following details summarize the process:
2.5.1 An investor installs the trading application and enters his mobile number in the trading application to initiate the first time registration/sign-in.
2.5.2 Trading application verifies whether such mobile number is linked to UCC of the client and whether the investor has provided consent for availing IBT/STWT services.
2.5.3 Stock brokers shall ensure that the devices with two SIMs would get valid authentication on desired SIM which is linked to UCC of the client.
2.5.4 On confirmation, the application communicates an encrypted code from such mobile number to the stockbroker.
2.5.5 On decrypting and authenticating the received code, the application will allow the device to be a primary SIM bound device that shall be the source for all authentications and authorizations.
2.5.6 Stock brokers shall ensure a robust validation process while on-boarding new clients. The validation of the client as well as the validation of the mobile device shall take place through penny drop or reverse penny drop by UPI mandate so as to ensure that the bank account details and mobile number indeed belong to the on-boarded client.
Secondary SIM-bound device:
2.6 In addition to the primary device, the client will have an option to register one more SIM and device with the UCC, which would become the secondary SIM bound device. The process of registering the secondary device would be similar to the process mentioned in para 2.5 above.
Authentication and log-in into multiple devices
2.7 Stock brokers shall ensure that every login into trading account shall take place only through mobile device either by biometric authentication or by facial recognition as a hard coded key to access trading account.
2.8 In case there is any technical glitch in bio-metric authentication, stock broker shall provide option to the client of mobile pin-based authentication.
2.9 In case the login is being attempted from a web-based trading application from multiple devices such as desktop/laptop, a limited time based encrypted QR code is generated by the application on the desktop/laptop (similar to the login practice followed by many social media platforms). The clients are required to scan it from the primary/secondary SIM bound device to authenticate the login session. The QR code shall have a short time window (say 5 to 8 seconds) before it resets, similar to authenticator applications.
2.10 Stock brokers are required to ensure that at any point of time, a single instance per channel (Desktop/laptop) apart from the sim-bound primary/ secondary device can be made active.
2.11 Similar to banking applications, stock brokers shall implement access controls in the trading application to prevent scanning of QR codes from the phone gallery or messaging apps, to ensure that a shared QR code is not being scanned.
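The QR login flow of paras 2.9 and 2.10, sketched as an added example that is not part of the draft guidelines or any broker's code. It signs the payload with HMAC-SHA256 instead of encrypting it (the draft says "encrypted" without naming a scheme), and the key, device registry and function names are assumptions.

```python
import hashlib
import hmac
import secrets

QR_TTL_SECONDS = 8                      # upper end of the "5 to 8 seconds" window in para 2.9
SERVER_KEY = secrets.token_bytes(32)    # hypothetical broker-side signing key
# Constructed sample registry: SIM-bound device id -> UCC (the para 2.1 linkage).
BOUND_DEVICES = {"device-primary-001": "UCC1001", "device-secondary-002": "UCC1001"}
_pending = {}   # nonce -> expiry of QR codes issued and not yet used
_active = {}    # UCC -> nonce of the one live desktop session (para 2.10)


def _sign(nonce: str, expiry: int) -> str:
    msg = f"{nonce}.{expiry}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_qr(now: float) -> str:
    """Payload the desktop page renders as a QR code; reissued once it expires."""
    nonce = secrets.token_urlsafe(16)
    expiry = int(now) + QR_TTL_SECONDS
    _pending[nonce] = expiry
    return f"{nonce}.{expiry}.{_sign(nonce, expiry)}"


def approve_scan(payload: str, device_id: str, now: float) -> str:
    """Called when the logged-in mobile app submits a payload it scanned."""
    try:
        nonce, expiry_text, tag = payload.split(".")
        expiry = int(expiry_text)
    except ValueError:
        return "rejected: malformed"
    if not hmac.compare_digest(tag.encode(), _sign(nonce, expiry).encode()):
        return "rejected: bad signature"
    if now > expiry:
        _pending.pop(nonce, None)
        return "rejected: expired"
    ucc = BOUND_DEVICES.get(device_id)
    if ucc is None:
        return "rejected: device not SIM-bound"
    if _pending.pop(nonce, None) is None:
        return "rejected: already used"     # single use: a forwarded code cannot be replayed
    _active[ucc] = nonce                    # replaces any earlier desktop session
    return f"approved: {ucc}"
```

The short expiry and single-use check limit what a screenshot of the code is worth; the gallery and messaging-app restriction in para 2.11 has to be enforced in the mobile app's scanner and is not covered here.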
Family accounts operations from primary device:
2.12 In case of family members and HUFs who are using the same mobile number, a mobile device/SIM can be linked to multiple UCCs. A maximum of 6 UCCs in case of family members, which is in conformity with the current framework followed in UCC, is permitted. A facility to manage/authenticate multiple user profiles on the same application may be provided by the stock broker for such family oriented accounts or HUFs. Stock exchanges would facilitate such linking of multiple UCCs through the UCC database.
2.13 A ‘mandate holder concept’ shall be introduced by stock broker for linking trading accounts of family members to the same SIM. The positive consent would be obtained from UCC holders to link their UCCs to registered mobile number of other members of the family or HUFs. Users who intend to trade on multiple accounts simultaneously would use QR based desktop authentication to operate those accounts.
Fall-back mechanism:
2.14 In case of change or loss of primary/secondary mobile device, the client would inform the stock broker from the registered email id about the change/loss of mobile device/SIM.
2.15 Stock brokers are required to place a freeze on the trading account on receipt of such information and upon verifying that the request is received from the registered email id.
2.16 The stock broker shall ensure that IBT/STWT trading is disabled till the time the account holder carries out verification akin to In-Person Verification (either through IPV or virtual IPV).
2.17 On completing the registration process for the new mobile device/SIM (same as registering the primary device), the stock broker shall enable IBT/STWT on the trading account with the new details obtained from the client.
Maintenance of logs:
2.18 Stock brokers are required to maintain logs pertaining to log-in attempts from the primary/secondary device as well as from web-based applications through desktop/laptop. Such logs shall be maintained for a period of seven years.
Stakeholders are requested to offer their comments on the procedures and process stated above and suggest measures so as to make it effective and simpler for stakeholders.
- Trade Authorization and Controls:
3.1 In order to put in place an enhanced level of controls in trading applications, stock brokers shall build the adequate controls in the trading applications. This would be similar to the facility offered by many banking applications wherein clients/users can place certain restrictions in their application. In this regard SEBI consultation paper has enumerated some of these controls.
Stakeholders are requested to offer their suggestions on types of controls that can make trading application more secure from client protection and ease of trading experience perspective.
- Trading applications, session log-out and reporting:
4.1 Stock brokers’ mobile trading applications may be made available in the official Android Play Store / App Store. Stockbrokers and Exchanges shall circulate awareness alerts to all the registered clients, on their mobile numbers and email ids, to download the application solely from such authorized stores.
4.2 Stock brokers shall ensure that their trading applications proactively identify the risk of unauthorized breaches/hacking etc., similar to the concept of rooted devices, which possess inherent risk due to being exposed to malware. Trading applications shall promptly inform the client about such risk.
4.3 Stock brokers shall ensure that active sessions shall be compulsorily rolled out/logged out in all the devices at the end of each day (preferably at 00:00). Alternatively, a session time out feature may be also implemented in the trading applications.
4.4 Stock brokers shall submit mobile-SIM-UCC combination report to exchanges as part of their weekly submissions.
4.5 Stock brokers shall develop a system to generate alerts about unsuccessful log-in attempts due to a mismatch in device id, SIM and UCC combinations. Such alerts shall be shared with clients on their registered mobile number.
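One way to implement the mismatch alerting of para 4.5 over login logs, as an added example that is not part of the draft guidelines. The log format, registry layout, identifiers and function names are constructed for illustration.

```python
# Constructed registry: UCC -> bound (device id, IMSI) pairs, primary first.
REGISTRY = {
    "UCC1001": [("app-7f3a", "404450000000001"), ("app-91bc", "404450000000002")],
    "UCC2002": [("app-55d0", "404450000000003")],
}
MOBILE = {"UCC1001": "+91XXXXXXX001", "UCC2002": "+91XXXXXXX002"}  # placeholders

# Constructed login-attempt log lines.
SAMPLE_LOG = """\
2025-03-01T09:15:02 ucc=UCC1001 device=app-7f3a imsi=404450000000001
2025-03-01T09:16:40 ucc=UCC1001 device=app-7f3a imsi=404450000000009
2025-03-01T09:17:05 ucc=UCC2002 device=app-0000 imsi=404450000000003
2025-03-01T09:18:11 ucc=UCC1001 device=app-91bc imsi=404450000000001
2025-03-01T09:19:30 ucc=UCC9999 device=app-7f3a imsi=404450000000001
"""

def parse(line):
    ts, *pairs = line.split()
    return {"ts": ts, **dict(p.split("=", 1) for p in pairs)}

def classify(attempt):
    """Return None for a registered (device, SIM, UCC) combination, else the reason."""
    bound = REGISTRY.get(attempt["ucc"])
    if bound is None:
        return "UCC has no bound device"
    pair = (attempt["device"], attempt["imsi"])
    if pair in bound:
        return None
    devices = {d for d, _ in bound}
    sims = {s for _, s in bound}
    if pair[0] in devices and pair[1] in sims:
        return "device and SIM are bound but not to each other"
    if pair[0] in devices:
        return "SIM mismatch"
    if pair[1] in sims:
        return "device mismatch"
    return "device and SIM mismatch"

def mismatch_alerts(log_text):
    alerts = []
    for line in log_text.splitlines():
        a = parse(line)
        reason = classify(a)
        if reason:  # notify is None when the UCC is unknown: route to the broker instead
            alerts.append({"ts": a["ts"], "ucc": a["ucc"], "reason": reason,
                           "notify": MOBILE.get(a["ucc"])})
    return alerts
```

The fourth sample line is the case a per-field check misses: both the device and the SIM are registered to the UCC, but the SIM has moved from the primary to the secondary handset.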
Stakeholders are requested to offer their suggestions on the compliance and reporting requirement stated above.
- Mechanism for clients opting for call and trade / walk and trade facility:
5.1 The framework for call and trade or for walk-in trade clients has been prescribed by SEBI from time to time. This framework is further strengthened in the SEBI consultation paper. The regulatory essence of the call and trade/walk & trade mechanism is valid authentication process while accepting the orders and the tamper proof system of centralised recording of order (pre-trade confirmation) placed by the clients with uniform unchangeable time-stamp.
Stakeholders are requested to offer their suggestions to further strengthen the process of the call & trade and walk & trade facility.
- Measures to prevent unauthorised creation of trading / demat accounts:
6.1 Exchange and Depositories would be developing a system to enable investors to ascertain and know the number of trading and demat accounts held with their PAN.
6.2 This will be implemented either through exchange provided web based interface or through mobile application of the stock brokers. This facility will enhance the awareness level among the clients and mitigate the possible mis-use of trading accounts or demat accounts.
6.3 Clients would be required to provide PAN details along with other authentication factors, after which the information about the number of accounts under the UCC would be disseminated to the client.
Stakeholders are requested to offer their suggestions to strengthen the process and further measures to bring greater level of awareness among the clients.
- Measures to prevent erroneous/unintended transactions in Demat Accounts:
7.1 SEBI consultation paper emphasised the measures to strengthen the transactions in demat account. Depositories would be creating enabling framework in this regard and make it available to the clients/investors through trading applications itself or through required change in the process for non-technology based measures.
Stakeholders are requested to offer their suggestions to strengthen the process to make demat transaction more secure for the clients.
- Implementation:
8.1 The SEBI consultation paper proposed that the framework (except para 6, as it is already in place) would be made applicable initially to the top 10 Qualified Stock Brokers within 6 months from the date of the SEBI circular. Further, it would be optional for their clients to opt for the proposed secure mechanism.
Stakeholders are requested to offer their suggestions for the manner in which the proposed framework would be implemented so as to benefit the large number of investors.
********************