Mumbai, April 23, 2018

The Securities and Exchange Board of India (Sebi) has proposed biometric authentication for traders and investors when they access mobile applications to buy and sell stocks.

Aimed at improving cyber security, this is part of a long list of recommended dos and don’ts compiled by the markets regulator in a note recently shared with stock exchanges and brokers.

“The draft note says that in case of applications installed on mobile devices such as smartphones and tablets, a cryptographically secure biometric two-factor authentication mechanism may be used,” a person familiar with the subject told ET.

The proposal, if implemented, would require retail investors to use touch ID-enabled smartphones for trading and to share biometric features like a fingerprint or eye scan to access their trading and demat accounts. Offered as an option to account holders by some of the private sector banks, the mechanism involves the handheld device carrying out one step of the authentication instead of the service provider.

According to the Sebi note, after a certain number of failed log-in attempts, the customer’s account should be ‘locked’ till fresh authentication is completed by sending an email or a random one-time password to the customer.

The paper asks brokers to ensure that no person by virtue of rank or position has any right to access confidential data, applications, system resources or facilities. Further, they should formulate an internet access policy to monitor and regulate the use of internet and internet-based services such as social media sites and cloud-based internet storage sites within a broker’s critical IT infrastructure.

Concerns for Small Brokers
“For algorithmic trading facilities, adequate measures should be taken to isolate and secure the perimeter and connectivity to the servers running algo trading applications,” said the note.

Also, employees and outsourced staff (such as employees of vendors or service providers) who may have authorised access to a broker’s critical system should be subject to stringent monitoring, says one of the recommendations.

“Sebi has sought comments from different people and will have to examine the preparedness of brokers before implementing it. We have done categorisation. The proposals will be implemented in phases,” said a regulatory official.

Some of the recommendations in the draft note can be onerous for small brokers who operate on wafer-thin margins and a low-cost structure.

“For instance, one of the suggestions is that off-the-shelf products being used for core business functionality, such as back office applications, should bear Indian common criteria for evaluation assurance level 4. Any technology person will admit this is a very demanding requirement as there are only one or two labs from where such certification can be obtained. The telecom department had attempted this in the past,” said a brokerage official.

According to an industry person, keeping in mind smaller brokers who can’t afford the cost, the regulator may explore the possibility of one of the stock exchanges managing the security setup for these entities.

While the Sebi draft paper is a compilation of suggestions from an expert committee, it has been circulated at a time when two well-known brokers serving retail and high net-worth investors faced cyber-attacks.

One of the intermediaries informed clients about the breach involving unauthorised access to customer information; in the other case, a virus found its way into a few back office servers and PCs, and even though there was no data breach or trading interruption, the brokerage concerned had to run some of the back office processes manually for a day or two till those servers were brought back online after a clean-up.

The attacks on stockbrokers follow malware attacks on some of the Indian banks and credit card databases over the past few years.

[The Economic Times]