Description

NSE circular detailing the procedure and requirements for empanelment of vendors providing surveillance software/applications for trading members, including auditor certification requirements.

Summary

NSE has issued a comprehensive circular outlining the procedure for empanelment of vendors providing surveillance software/applications to trading members. The circular includes detailed requirements for system audits, auditor certifications, and compliance standards that vendors and trading members must meet. This framework ensures that surveillance systems used by members comply with SEBI and Exchange requirements for monitoring trading activities.

Key Points

  • Surveillance software vendors must complete empanelment process with NSE
  • System audits required covering user management, report generation, and cyber security
  • Auditors must hold CISA/DISA/CISM/CISSP certifications
  • User Acceptance Testing (UAT) mandatory before live deployment
  • Separate requirements for vendor-provided and in-house developed software
  • All audit reports must be stamped and signed on auditor’s letterhead
  • Declaration of no conflict of interest required from auditors

Regulatory Changes

The circular establishes a formal vendor empanelment framework with specific compliance requirements:

Auditor Requirements

  • System auditors must possess professional certifications (CISA/DISA/CISM/CISSP)
  • No conflict of interest with members being audited
  • Directors/promoters of audit firms must not be related to member’s directors/promoters

Software Categories

  • New software implementations
  • Modifications to existing systems
  • Both vendor-provided and in-house developed solutions covered

Audit Classification System

  • Findings grouped into broad categories
  • Classifications: ‘Strong’, ‘Medium’, or ‘Weak’
  • Overall audit rating required

Compliance Requirements

User Management

  • Rights validation mechanisms
  • Privileges validation controls
  • Audit log of Users
  • Audit log of Alert Generation
  • Audit log of Alert Analysis

Report Generation & Submissions

  • Summary of Internal Alerts generated and processed
  • Summary of Exchange Alerts received and processed
  • Alert Generation Logic document
  • Alert Review document
  • Periodic reports per Exchange standardized formats and methodology
  • Standardized format reports as per Exchange requirements

Cyber Security & Cyber Resilience Framework

  • Access and security controls
  • Cyber security framework implementation
  • Cyber resilience measures

UAT Requirements

  • Comprehensive testing of all SEBI/Exchange mandated areas
  • Testing must be completed before live deployment
  • Auditor certification of successful UAT completion required

Documentation Requirements (Annexure IV - Auditor’s Report)

  • NSE Trading Member Code and Name
  • Detailed findings under broad categories
  • Overall audit rating
  • Auditor signature, registration number, date, place
  • Official stamp/seal

Certification Requirements (Annexure V - Auditor’s Certificate)

  • Section I: Applicable for all implementations
  • Section II: Additional requirements for in-house software only
  • Trading member details (code, name, category)
  • Software details (name, version, vendor, segment)
  • UAT performance dates
  • Confirmation of compliance with SEBI/Exchange circulars

Vendor Application (Annexure VI)

  • Formal application process for vendor empanelment

Important Dates

No specific implementation dates mentioned. The circular establishes ongoing procedural requirements for vendor empanelment and software certification.

Impact Assessment

Trading Members

  • Must ensure surveillance software used is from empanelled vendors or properly certified in-house systems
  • Mandatory UAT and system audit requirements before deployment
  • Ongoing compliance with reporting and alert management standards
  • Need qualified system auditors for certification

Software Vendors

  • Must complete formal empanelment process with NSE
  • Software must meet comprehensive compliance standards
  • Subject to system audits and UAT requirements
  • Version control and update management required

System Auditors

  • Must possess specific professional certifications
  • Strict conflict of interest guidelines
  • Detailed reporting and certification obligations
  • Responsibility for validating compliance across multiple domains

Market Infrastructure

  • Strengthens surveillance framework across trading ecosystem
  • Standardizes surveillance software capabilities
  • Enhances alert generation and analysis mechanisms
  • Improves cyber security and resilience of surveillance systems
  • Ensures uniformity in reporting and monitoring across members

Operational Impact

  • High - affects all trading members using surveillance systems
  • Requires investment in compliant software or in-house development
  • Ongoing audit and certification costs
  • Enhanced monitoring and reporting capabilities
  • Improved detection of irregular trading patterns

Impact Justification

Establishes a critical compliance framework for surveillance software vendors and trading members, with mandatory system audits and certifications required for surveillance operations.