SEBI Fines BSE’s ICCL ₹5 Crore for Regulatory Violations

The Securities and Exchange Board of India (SEBI) has imposed a penalty of ₹5.05 crore on the Indian Clearing Corporation Ltd. (ICCL), a subsidiary of BSE Ltd., for regulatory violations. The penalty follows an inspection that revealed non-compliance with SEBI’s cybersecurity framework, IT asset management, and disaster recovery protocols. SEBI found that ICCL failed to maintain an updated inventory of critical IT assets, delayed resolving audit observations, and did not ensure proper alignment between its Disaster Recovery Site (DRS) and Primary Data Centre (PDC). Despite ICCL’s defense that the lapses were technical and did not harm investors, SEBI deemed the violations serious enough to warrant a financial penalty.

Key Findings from SEBI’s Inspection

Non-compliance with IT Asset Management

• ICCL failed to maintain an updated and accurate inventory of its critical IT assets.
• The centralized inventory lacked details on software assets and the criticality of these assets.

Failure to Comply with SEBI’s Cybersecurity Framework

• ICCL did not resolve audit observations in a timely manner.
• Some audit findings remained unresolved for over six months, violating SEBI’s guidelines.

Deficiencies in Disaster Recovery Systems

• SEBI’s review found that ICCL failed to maintain a one-to-one correspondence between the Disaster Recovery Site (DRS) and the Primary Data Centre (PDC).
• This failure threatened business continuity in the event of a disaster.

Regulatory Violations Identified

• Violations of the SEBI Act, 1992, Securities Contracts (Regulation) Act, 1956 (SCRA), and SEBI’s Stock Exchange and Clearing Corporations Regulations, 2018 (SECC) were noted.

ICCL’s Defense

• ICCL claimed the violations were technical in nature and did not cause financial harm to investors.
• It argued that corrective actions had already been taken, including updating the asset inventory and resolving audit findings.
• ICCL maintained that some issues, such as minor variations in server specifications, were discrepancies rather than violations.
• The clearing corporation contended that penalties should not be imposed for inadvertent, non-malicious lapses.

SEBI’s Ruling and Penalty

• Despite ICCL’s explanations, SEBI found the lapses serious, as they compromised the integrity and security of financial market operations.

SEBI imposed a total penalty of ₹5.05 crore, divided as follows,

• ₹5 lakh under Section 15HB of the SEBI Act
• ₹5 crore under Section 23GA of the SCRA
• ICCL is required to pay the penalty within 45 days of receiving the order.