Structured Digital Database: some emerging concerns

– Corplaw Division, Vinod Kothari & Company (corplaw@vinodkothari.com)

Maintenance of Structured Digital Database (“SDD”) has been mandatory since April 1, 2019 in view of the relevant provisions under the SEBI (Prohibition of Insider Trading) Regulations, 2015 (‘PIT Regulations’) reproduced below. The provisions inter alia stipulate the responsibility, the details to be captured in the SDD, the manner of maintenance and the preservation period. Entities have been maintaining the SDD for the last 3 years; however, since the quarter ending June 30, 2022, entities are additionally required to submit a compliance certificate, based on the email received from the stock exchanges where their securities are listed, duly certified by the Compliance Officer. We have been given to understand that this submission will be mandated on a quarterly basis and that the same will henceforth be required to be submitted duly certified by a practising company secretary. As on date, no SEBI circular or Exchange circular has been issued in this regard.

The last date for submission for the immediately preceding quarter was August 9, 2022. Based on the client queries received in this regard, the format of the compliance certificate provided by the stock exchange and the views from the representatives of SEBI and stock exchanges as expressed in seminars from time to time, we intend to highlight certain points of concern for your kind consideration.

Relevant provisions of Law:

Reg. 3 (5) and (6) of PIT Regulations:-

(5) The board of directors or head(s) of the organisation of every person required to handle unpublished price sensitive information shall ensure that a structured digital database is maintained containing the nature of unpublished price sensitive information and the names of such persons who have shared the information and also the names of such persons with whom information is shared under this regulation along with the Permanent Account Number or any other identifier authorized by law where Permanent Account Number is not available. Such database shall not be outsourced and shall be maintained internally with adequate internal controls and checks such as time stamping and audit trails to ensure non-tampering of the database.

(6) The board of directors or head(s) of the organisation of every person required to handle unpublished price sensitive information shall ensure that the structured digital database is preserved for a period of not less than eight years after completion of the relevant transactions and in the event of receipt of any information from the Board regarding any investigation or enforcement proceedings, the relevant information in the structured digital database shall be preserved till the completion of such proceedings.

Issues/ concerns

A. Entry to be made containing “nature of UPSI” and not of the “UPSI itself”

The PIT Regulations require maintenance of SDD containing the names and unique identifiers of persons who share and with whom any UPSI has been shared. It further requires entry of the “nature of UPSI” which has been shared, as clear from the text of reg. 3 (5).

However, we have learnt that there is a common misconception amongst the concerned stakeholders to record the details of the UPSI itself. This is also evident from Pt. 3 of the certificate which requires the following confirmation:

3. Whether all the UPSI had been captured in the Database. If not details of events that had not been captured and the reason for the same?

It is to be noted that in case the SDD contains the details of the UPSI itself, the SDD will become the store-house of the UPSI in the listed entity, thereby making all the persons having access to the SDD privy to all the UPSI recorded therein, and not on a need-to-know basis. In our view, therefore, such an exercise of making entries of the UPSI itself in the SDD is neither the intent of the law makers nor will it help in meeting the objectives of maintaining an SDD. In fact, such an outcome will be counter-intuitive and counter-productive to the intent of the PIT Regulations.

We also understand that the intent of the confirmation in the Certificate is to ensure that the SDD is complete in all respects, that is, that for all sharing of UPSI for legitimate purposes, the nature of which should have been entered in the SDD, relevant entries have been made in the SDD, and that there is no omission.

We therefore submit that –

  • Adequate clarity must be provided that entry in SDD is that of the ‘nature of UPSI’ and not that of UPSI itself
  • The language used in the Certificate should be suitably amended. Proposed language is as follows: “Whether there is any omission with respect to sharing of any UPSI, for which an entry should have been made in SDD, and has not been so made? If yes, reasons for the same.”

B. Responsibility for maintenance of SDD

The responsibility of ensuring that the SDD is maintained for the sharing of any UPSI is upon the board of directors of such an entity in terms of reg. 3 (5) of the PIT Regulations. Further, in terms of reg. 9A of the PIT Regulations, the managing director and the chief executive officer or such other analogous person is responsible for putting in place adequate and effective systems of internal controls to ensure various requirements specified in the regulations are complied with. The Audit Committee is responsible to verify the adequacy and operating effectiveness of the internal controls at least annually.

In view of the same, it appears that the board of directors may provide any person the access to their SDD for making entries upon sharing of any UPSI. The UPSI is likely to be originating from/ available with the Designated Persons (DPs) in the listed entity, especially the various Heads of the Departments (HODs), and therefore, it is likely that the DPs/ HODs are given access to the SDD for making entries upon sharing of UPSI. However, all the DPs/ HODs within a listed entity cannot be expected to be aware of the intricate legal requirements with respect to maintaining the SDD.

Having said that, Reg. 2 (1) (c) of the PIT Regulations requires the Compliance Officer to be “responsible for compliance of policies, procedures, maintenance of records, monitoring adherence to the rules for the preservation of unpublished price sensitive information, monitoring of trades and the implementation of the codes specified in these regulations”. Further, the quarterly compliance report on SDD to be submitted to the stock exchanges also requires the Compliance Officer to certify and affirm the compliance status with the SDD maintenance in the listed entity.

Therefore, while SDD would be accessible to various persons, the ultimate responsibility of maintaining the sanctity of SDD lies with the Compliance Officer. Therefore, in order to avoid omissions (for which the Compliance Officer may be held responsible without any negligence on his part), a robust internal control system is required to be designed such that the DPs/ HODs ultimately report to the Compliance Officer at the time of sharing of any “UPSI”, so that the Compliance Officer can ensure that the SDD has been maintained properly. Here, we would like to reiterate that what is being shared with the Compliance Officer by the reporting DP/ HOD is the nature of such UPSI, and not the UPSI itself. Therefore, it cannot be contended that the Compliance Officer becomes privy to all such UPSI, unless proved to the contrary.

The internal control systems may be designed in such a manner that –

  1. The giver of information (DP/ HOD), as the case may be, ensures that the Compliance Officer is informed at the time of sharing of any UPSI;
  2. The entry in SDD may be done either by the DP/ HOD, under notification to the Compliance Officer, or by the Compliance Officer;
  3. The Compliance Officer can verify on a periodic basis the entries made in the SDD and seek necessary confirmations;
  4. The mechanism of entering and control over SDD to be captured in the Code of Conduct or any internal control manual framed under the PIT Regulations;
  5. Any irregularities to be brought to the notice of the audit committee for immediate action against the person responsible for such violation.

C. Applicability of entry in SDD on sharing among DPs

The view given in the FAQ no. 10 of SEBI’s Comprehensive FAQs on Insider Trading[1] indicates that irrespective of the fact that information is shared within or outside the Company, requisite records shall be updated in the SDD as and when the information gets transmitted. This requires re-consideration by SEBI.

Reg. 9 (4) provides for the responsibility of the Board to identify the DPs in consultation with the compliance officer, on the basis of their role and function and the access that such role or function would provide to UPSI. Accordingly, it is evident that once a person is identified as a DP, it is presumed that he/she has access to UPSI basis the role or seniority. Therefore, there is no separate requirement of sharing of UPSI with such a person. There only exists a concept of closing the trading window to prohibit trading by the DPs while in possession of UPSI.

This is also evident from the discussion in Para 2.3 of the T K Vishwanathan Committee report on Fair Market Conduct which provides as under:

Once UPSI is shared for legitimate purposes, the company loses control over further use of that information by those who come into its possession. If such information is misused for insider trading, it becomes difficult to establish a connection between the company and the recipient of information. It would thus be prudent to have a physical and/or digital trail of information flows of such legitimately shared information. It would also be prudent to intimate the persons receiving the UPSI of their obligation towards preventing mis-use of such information for insider trading, by way of an advance notice.

Losing control over further use is possible only when information is shared with someone external, who is not governed by the Code of Conduct. This can be substantiated from the provisions of reg. 9A (2) (a) and (d) that mandate having internal controls for i) identification of employees who have access to UPSI as DPs and ii) maintenance of list of employees and other persons with whom UPSI is shared. In the latter case, confidentiality agreements are required to be signed or notice is required to be served. Reg. 9A (2) (c) provides for having internal controls for adequate restrictions on communication and procurement of UPSI. These restrictions are typically covered in the Code of Conduct that is applicable to the DPs. However, the requirement to make an entry in SDD each time the UPSI is communicated among DPs seems counterintuitive. For example, making entries for the sharing of agenda with Board members, the sharing of UPSI amongst KMPs or SMPs (which is governed by the Code of Conduct by way of Chinese wall procedures), the sharing of UPSI for performance of duties, etc. will only increase the quantum of entries in the SDD without serving any fruitful purpose. The scope of sharing of UPSI that needs to be entered in SDD is required to be reconsidered by SEBI in view of the intent behind the amendments made in 2018.

D. Applicability of maintenance of SDD on “listed securities”

PIT Regulations apply to entities that are listed or are proposed to be listed. Further, it is clear from the definition of UPSI under reg. 2 (1) (n) that the prerequisites for identification of UPSI are:

  1. that the information has to directly or indirectly relate to the company or its securities;
  2. the information should not be generally available; and
  3. the information should be likely to materially affect the price of the securities.

The term ‘securities’ has been defined under the Securities Contracts (Regulation) Act, 1956 and the PIT Regulations have adopted the same definition with the units of mutual fund being an exception. Commercial Papers (‘CPs’) are a type of debt-instrument which may be listed and traded on the stock exchanges; however, the same do not fall within the meaning of “securities” as CPs are in the nature of promissory notes with a tenure of 7 days to 1 year. Therefore, in our view, a company which has listed only CPs cannot be regarded as a listed or proposed to be listed entity, and the requirement of maintaining SDD does not arise as PIT Regulations will not be applicable to such company. We have come across a view to the contrary in the market, and therefore, clarification is needed.

E. Entry of information pertaining to subsidiaries

There are varying views on whether sharing of the information pertaining to any unlisted subsidiary of a listed entity is also required to be included under the SDD. Here again, we would like to stress on the primary fact that the information, if in the nature of UPSI for the listed entity or securities of a listed company, will require entry into SDD upon sharing of the same. If the information shared pertaining to the subsidiary (listed or unlisted, material or non-material) of a listed company, has the potential to materially influence the price of securities of the listed company, sharing of the same needs to be entered into the SDD, irrespective of whether the subsidiary is listed or unlisted and material or non-material.

F. Maintenance of SDD by intermediaries/ fiduciaries

The obligations under the PIT Regulations are two-fold, i.e., they are applicable both to the listed entities and to their fiduciaries who might be having access to the UPSI pertaining to the listed entities (in the capacity of being connected persons). Regulation 3(5) requires the board of directors or head(s) of the organisation of every person required to handle UPSI to ensure that entries in SDD are made upon sharing of any UPSI. We understand that SDD covers the outward flow of UPSI from one person to another, and the person sharing the UPSI is responsible for maintaining the SDD, and not the recipient of such UPSI. However, if the recipient of the UPSI shares such information with a third party for legitimate purposes, the requirement of maintaining SDD by such first mentioned recipient will be applicable.

For example, a listed company engages the services of a practising professional firm to conduct the due diligence of a company it proposes to acquire. The information about the proposed acquisition, being in the nature of UPSI, is shared and an entry for the same is made in the SDD of the listed company. The practising firm, in the course of due diligence, is neither likely to nor permitted to share such UPSI made available to it. A non-disclosure agreement (NDA) will also have been entered into between the parties in relation to the same. However, in case the practising professional firm shares such information with any third party for any legitimate purpose (for example, a subject specialist for assistance in the due diligence conduct), the same is required to be entered into an SDD maintained by the firm, unless not entered into the SDD maintained by the listed company.

The view given in the FAQ no. 6 of SEBI’s Comprehensive FAQs on Insider Trading[2] indicates that the fiduciary or intermediary receiving the UPSI will make a counter copy of SDD inserting the same details as entered by the listed entity. The purpose of maintaining these duplicate entries is not clear and needs to be revisited by SEBI.

G. Sharing of all information need not be entered into the SDD

A company is required to share various information with various parties including regulators. The SDD is a database containing a complete trail of sharing of UPSI by one person to another. However, sharing of all information need not be entered into SDD. Only such information which is in the nature of UPSI needs to be recorded in the SDD. The distinction lies on the following factors –

  1. There must be information;
  2. Such information must be unpublished;
  3. Such unpublished information must have an impact on the price of the securities; and
  4. The impact on the price of securities must be material.

Where information, though unpublished, does not bear the aforesaid essential characteristics, the same is not said to be UPSI and the requirement of making entries in the SDD does not arise. Unless the distinction is clearly made, the SDD will be loaded with unnecessary voluminous information, which may result in making the entire exercise infructuous, and unable to serve the purpose for which the same is required to be maintained.

H. Other concerns with the format of Compliance Certificate

We have a few comments/ suggestions in the existing format of the Certificate prescribed by the Stock Exchanges. Below we present the extant format of the Certificate with our suggestions and comments –

COMPLIANCE CERTIFICATE FOR THE QUARTER ENDED JUNE 2022

(Pursuant to Securities and Exchange Board of India (Prohibition of Insider Trading) Regulations, 2015)

I,___________, Compliance Officer, have examined the following compliance requirement of _____________ and certify that the Company has maintained a Structured Digital Database (SDD) pursuant to provisions of Regulation 3(5) and 3(6) of Securities and Exchange Board of India (Prohibition of Insider Trading) Regulations, 2015 (PIT Regulations):

Sr. No | Compliance Requirement | Yes / No | Observation/ Remark

1. Whether the Company has a Structured Digital Database in place?

2. Whether control exists as to who can access the SDD for read/ write alongwith the names and PAN of such person?

Suggested change – Whether control exists as to who can access the SDD for read/ write? Kindly specify the names and PAN of such person?

Our comments – We understand that the names and PAN of the person making the entry is not required to be entered each time the entry is made. It seems that the name and PAN of such a person responsible for making the entry is required to be mentioned in the Certificate itself. Clarity may be provided on the same.

3. Whether all the UPSI had been captured in the Database. If not details of events that had not been captured and the reason for the same?

Suggested change – Whether there is any omission with respect to sharing of any UPSI, for which an entry should have been made in SDD, and has not been so made? If yes, reasons for the same.

Our comments – Kindly refer to Para A above.

4. Whether the recipients were upfront informed that the information which they will be receiving shortly is UPSI and the entry has been captured in the Database prior to forwarding the UPSI data. If not details of events that have not been captured and the reason for the same?

Suggested change – Whether the recipients were upfront informed that the information which they will be receiving shortly is UPSI? Whether the entry has been captured in the Database as and when the UPSI data has been forwarded? If not details of events that have not been captured and the reason for the same?

Our comments – We understand that PIT Regulations require simultaneous entries in SDD and not prior entry. This is also evident from SEBI’s FAQ no. 10 which provides that irrespective of the fact that information is shared within or outside the Company, requisite records shall be updated in structured digital database as and when the information gets transmitted.

5. Whether the nature of UPSI have been captured alongwith date and time?

Our comments – This is similar to Point 3 above. Should be merged into one.

6. Whether the name of persons who have shared the information has been captured along with PAN or any other identifier?

7. Whether the name of persons with whom information is shared has been captured along with PAN or any other identifier?

8. Whether the database has been maintained internally?

9. Whether the audit trail is maintained?

10. Whether time stamping is maintained?

11. Whether the database is non-tamperable?

12. Any other measures to ensure non-tamperability of the Database?

Note: The information of the audit should cover the period when such information was inserted in the SDD up to the date of disclosure.

The number of days for which non-compliance was observed:

Our comments – The compliance certificate requires confirmation with respect to making entries of sharing of UPSI in the SDD, maintenance of audit trail and time stamping, safeguards against tampering of SDD etc. While the format requires reporting of the number of days for which non-compliance occurred, it is not clear as to “which” non-compliance it pertains to. In our view, the same should relate to the delay made in the entry in the SDD for sharing of UPSI; however, clarity is needed on the same.

Further I also confirm that the Company was required to capture ______ number of events during the quarter ended and has captured ____ number of the said required events.

Note: The attached certificate should cover events which have been disclosed by the listed entity to the stock exchange so that the secretarial auditor will not be exposed to UPSI.

Our comments – The note is not clear. If the intent is to mandate confirmation only with respect to such UPSI that are generally available at the time of furnishing the certificate, then the certificate will not reflect a true picture for all UPSI shared during that quarter. Further, as explained above, the SDD will not capture the UPSI but the nature of UPSI. Therefore, the certifying professional, if any, will not be privy to UPSI merely upon verifying entries in the SDD.

[1] https://www.sebi.gov.in/enforcement/clarifications-on-insider-trading/apr-2021/comprehensive-faqs-on-sebi-pit-regulations-2015_49999.html

[2] https://www.sebi.gov.in/enforcement/clarifications-on-insider-trading/apr-2021/comprehensive-faqs-on-sebi-pit-regulations-2015_49999.html

6 replies
  1. Anita says:

    Whether a person having access to UPSI by logging into a software of the company, should that person's name be entered in SDD for having access to UPSI, even if he/she is not sharing the UPSI?
  2. Mohit Das says:

    *One line item. So let's say for UFR, Unaudited Financial Results for such a period. Rather than bluntly storing all drafts, conversations, queries of auditors, hidden adjustment conversations all in one particular database. Need to be clear with Reg 3(5). Only Nature
  3. Mohit Das says:

    Wondering, if such an all-discussions database gets into the hands of tax officials, it can create a nightmare for the CFO. All draft financials at one location and in a software, all adjustments can be seen. Why capture even supporting, when the regulation just says Nature of UPSI? Exchange is asking to do more than what is required, rather than understanding reg 3 (5). It should be just nature of UPSI, that’s all.
  4. Mohit Das says:

    Correct sir, Nature of UPSI has to be captured and not all discussions. Whether somebody will have a meeting or make the entry of every discussion. Nature of UPSI should be one line item and not a script of dialogues.
