August 26, 2019/NSE
New Rules: Online Trading Portals
Definitions
Online Trading Portal An online trading portal is a system, including mobile and other digital applications, set up by a Dealing Member which allows a potential client to open an account and permits new and existing clients to access their accounts, give instructions (to buy or sell securities) on the accounts, and also access information regarding securities and other information about the Dealing Member Firm.
Cloud Solution This is a solution for storing and accessing data and programs over the internet instead of a computer system’s hard drive.
Infrastructure Requirements
- Every Dealing Member that intends to set up an online trading portal shall procure and set up:
- dedicated and secure network connection; and
- an Order Management System (OMS)that are approved by The Exchange.
No Dealing Member shall operate an online trading portal without subjecting the online trading portal to Vulnerability Assessment Penetration Testing (VAPT) by an authorized, credible Information Security company (VAPT Assessor) on a regular basis and in any event not less than twice every year.
- The VAPT Assessor shall be duly accredited by The Exchange to carry out VAPT and shall certify in a report following the VAPT (VAPT Report) whether the online trading portal is secure for usage or not.
- The Dealing Member shall submit a VAPT report for each VAPT conducted on its online trading portal to The Exchange no later than ten (10) business days after receipt of the VAPT Report and in any event no later than the last business day in June and December for the first and second reports of the year respectively. The Exchange shall carry out routine spot checks on a periodic basis to confirm that any identified issues in the VAPT Reports are promptly addressed.
- Where a Dealing Members online trading portal was in existence prior to the effective date of these Online Trading Portal Rules, such Dealing Member shall within three (3) months of the effective date confirm that it has procured a dedicated and secure network connection, and an OMS, that are approved by The Exchange. The Dealing Member shall also engage the services of a VAPT Assessor to perform a VAPT on the online trading portal and provide the VAPT Assessor’s Report to The Exchange, no later than the last business day of the three (3) month period.
- Applications used by clients to access the OMS shall be protected by the requirement of strong passwords, strong authentication in line with industry standards, optimized for performance and regular security testing.
Know Your Client
- Any Dealing Member that intends to operate an online trading portal shall carry out a comprehensive Know Your Client (KYC) exercise on all clients registered through the online trading portal before an online trading account is activated and before any transaction is carried out by clients on the portal. The Dealing Member shall keep the KYC records and any related records for a minimum period of six (6) years.
Risk Management and Supervisory Control
- Following the effective date of these Online Trading Portal Rules, prior to setting up and operating its online trading portal, a Dealing Member shall:
- Establish and adopt robust risk management and information security standards which shall include:
- at least two (2) factor authentication
- encryption
iii. secure Hypertext Transfer Protocol (HTTPS)
- extended validation
- policies and procedures to mitigate and guard their online trading portals from fraud, Cyber-Crime and other risks to the firm and its clients and
- Other security standards as The Exchange may prescribe from time to time.
- Put in place a system of Change Management control on all its critical applications, including the online trading portal and the applications connected to it.
- Set up high-level security precautions and provide to The Exchange evidence of strong Authentication, Authorization and Access Controls to The Exchange, where a cloud solution is employed.
- Obtain The Exchanges written approval to operate an online trading portal
- Only the client of a Dealing Member that is duly registered with the Dealing Member to trade via its online trading portal shall be eligible to log on to the online trading portal using a personalized and non-transferrable password to communicate with the Dealing Member as permitted by the online trading portal, including to initiate, submit or effect changes or amendments to market orders put in by the client.
Miscellaneous Matters
- Dealing Members operating an online trading portal shall:
- Disclose to their clients, via their online trading portals, and on their account opening forms, the risks associated with using the online trading portal.
- Not share commissions from trade transactions effected via the online trading portal except with other Dealing Members and such other registered market operators as The Exchange may from time to time specify.
iii. Clearly display on the online trading portal all fees and charges (if any) associated with the usage of the online trading portal, as well as the details for customer service and the complaints management procedure.
- Take all reasonable precaution to ensure the availability, integrity, confidentiality and security of transmission of financial information to and from clients.
- Exercise care in determining clients financial sophistication and suitability for particular investments recommended by the Dealing Member.
- Suspend or close a clients account where the Dealing Members become aware that such account is being used for fraudulent transactions, money laundering, market abuse, and any other illegal purpose and notify The Exchange of such account suspension or closure within twenty-four (24) hours of the action.
Compliance with The Exchanges Rules and Regulations
- In operating their online trading portals, Dealing Members shall comply with all of The Exchanges Rules and Regulations, including those on communications, advertisement and publication.
- All trading activities on the online trading portal shall be duly monitored and supervised by an Authorized Clerk employed by the Dealing Member.
Obligation to Provide Information to The Exchange
- The Exchange may at any time require a Dealing Member to provide information regarding its online trading portal and any arrangements in that regard, within two (2) business days of The Exchanges request.
- The Compliance Officer of the Dealing Member shall be responsible for all matters connected with its online trading portal arrangements, including giving adequate responses to enquiries by The Exchange.
Authority of The Exchange to Issue Directive to Shut Down
- Where in the sole discretion of The Exchange, a security breach has occurred through a Dealing Members online trading portal, which puts the market at risk, The Exchange may direct the Dealing Member to shut down its online trading portal, or take any other appropriate measures that The Exchange may in its discretion determine, including but not limited to shutting down the electronic link between the online trading portal and The Exchanges trading facilities and/or other facilities.
Sanctions
- Any Dealing Member Firm that contravenes any of the Online Trading Portal Rules shall be liable to pay a fine of not less than N250,000.00 (Two Hundred and Fifty Thousand Naira) only and such other penalties as may be prescribed from time to time by The Exchange.