Guide to Compliance Certificate for Structured Digital Database under PIT Regulations

– Vinod Kothari | corplaw@vinodkothari.com

The requirement of maintaining a structured digital database (SDD) arises from Reg 3 (5) of the PIT Regulations, 2015. The PIT Regulations themselves do not talk about any compliance certificate as to maintenance of the SDD. However, the requirement of such a certificate emanates from the mails sent by national stock exchanges dated 4th August, 2022.

The requirement of the certificate was made effective from Q1 of 2022-23; however, no format of the certificate had been provided so far. Vide the BSE’s notices no. 20221028-15 and 20221028-16 dated 28th October, 2022, issued for equity and debt listed entities respectively, the stock exchange has provided the format of the certificate. The said letter also states that the compliance certificate may be given either by the compliance officer of the company, or by a practising company secretary.

In this write-up, we have tried to provide basic guidance on the compliance certificate. While the article is primarily focused on certification by a practising professional, the approach may, with appropriate modifications, apply to certification by the compliance officer too.

Why certification by a professional?

As per BSE’s notice, the Compliance Certificate may be given either by the compliance officer or by a practising company secretary. A question arises as to whether, and for what reasons, we would normally expect the certificate to be given by the former or by the latter.

The Compliance Certificate relates not only to the structural requirement of SDD, but also to the capturing of UPSI shared internally or externally. The compliance officer, being a part of the entire process and having intrinsic familiarity with internal sharing of information, will be in a better position to give the certificate.

However, listed entities may approach a practising professional to give a certificate to ensure independent checking of the SDD mechanism. The Compliance Officer is usually the one who is assigned the responsibility of preparation and maintenance of the SDD itself. Therefore, a certificate by the compliance officer does not do justice to the maker-checker distinction. Maintenance of SDD serves as an important part of the internal control mechanism on insider trading, and therefore, the Board/Audit Committee may, for their own comfort, have the certificate from a practising professional.

Who may give compliance certificate?

Is the compliance certificate to be given by the secretarial auditor, or by any practising company secretary? Since the BSE Letter talks about a certificate by a PCS, such certifying PCS need not be the secretarial auditor.

In fact, it is possible that in a certain quarter, the certificate is given by the compliance officer, and for the next quarter, the certificate is given by a professional. It is also possible that the certificate is given by different professionals in different quarters.

The secretarial auditor, as a part of the secretarial audit process, has to check for compliances with SEBI regulations, of which the PIT Regulations is an important piece. The secretarial auditor has to get into the maintenance of SDD as well. Therefore, companies may choose to avoid a new professional getting into the task of ensuring SDD compliances, by getting a compliance certificate from the secretarial auditor itself. 

Approach to certification

Assume a professional is giving the Compliance Certificate on maintenance of SDD. What should be the approach, documentation and format of the certificate, if the same is separately attachable?

It is important to note that the Certificate is not a certificate of general adherence to Reg 3 (5) of the PIT Regulations, though it is possible to argue that the first point (see below) actually indicates adherence to the requirements of the Regulations on SDD. However, the way the points are worded, it seems that the certification is on specific items. While the compliance officer will be in a more advantageous position, the level of work or basis of certification is the same in both cases. However, for the PCS giving the certificate, obviously, there is a process of data gathering before giving the assurance.

There are 6 items in the certificate, and 2 items in the following paragraphs. We discuss the potential approach to each of these:

1. The Company has a Structured Digital Database in place

This point may be read as a mere confirmation of the existence of SDD, or may be read in a wider context of adherence to regulations pertaining to SDD. Properly speaking, the intent couldn’t have been a simple affirmation. If it were mere confirmation of existence of the SDD, it is not conceivable that the answer to the question will be in the negative, and therefore, the confirmation itself becomes meaningless. Thus, while this point is not a generic confirmation of all the requirements with respect to SDD, it surely refers to such maintenance of SDD as meets the requirements thereof.

2. Control exists as to who can access the SDD 

The certifying professional is expected to give confirmation of the existence of controls on access. The access can be controlled mostly through an SOP or board/AC instruction. Controls are both a matter of assertion and implementation – that is to say, there has to be a formal existence of control by way of an internal mandate, and that control must be observed too. The certifying professional should get a copy of the internal control mandate, and should see whether the access is controlled through technology.

3. All the UPSI disseminated in the previous quarter have been captured in the Database:

This is by far the most important, and a relatively daunting, part of the certification process. The assurance here includes the following most important things:

  1. What all UPSI “germinated” during the preceding quarter?
  2. Were such UPSI shared, internally or externally?
  3. If yes, whether such sharing of UPSI has been captured in the database?
  4. Whether such capturing in the database is done within the timeframe permitted by the internal control mechanism.

Before getting into details of the above, it is important to understand the meaning of the term “disseminated”. Dissemination to whom? Dissemination to the exchanges or public, or dissemination internally or externally, before the information becomes public? UPSI clearly refers to unpublished information. Once information is published, it ceases to be UPSI. Dissemination, therefore, cannot be referring to public dissemination. There is no question of capturing public dissemination as a part of the SDD. SDD needs to capture internal or external sharing of information before it is published.

There is yet another reason why the word “dissemination” cannot mean public dissemination. An UPSI may die down, and may not result in a public disclosure. It cannot be argued that such information, shared but not eventually going to the public as the information itself has died down, does not require to be captured in the SDD.

We have earlier discussed when an UPSI is said to have been “germinated”. For a certifying professional, to come to a finding whether there were UPSI germinating in a quarter or not will be difficult, particularly if the UPSI in question did not result in an eventual public dissemination. However, most UPSI that gets germinated will either result in a “fruition”, or will die down. If there is a fruition, it may be possible to backtrack the germination, even though the fruition may take substantial time. However, for such UPSI which died down and did not result in any dissemination, the role of the certifying professional extends to assessing the potential sources from which UPSI may commonly result (for instance, litigation, acquisition or restructuring, senior management changes, major contracts, major expansion proposals, etc), and getting confirmation for the existence of such UPSI items.

When it comes to sharing of UPSI, most sharing will happen through emails. Depending on the UPSI in question, the likely persons within the organisation or outside may be identified.

Once the above two items have been tracked, tracking the third and fourth sub-items is consequential.

4. The system has captured nature of UPSI along with date and time:

It is important to note that what is to be entered in the SDD is the “nature of UPSI” and not the UPSI itself. “Nature” does not have to be specific so as to become a pointer to the actual information. For instance, “financials” are shared with the auditor. “Tax issues” may be shared with the tax consultant. “Expansion plans” may be shared with advisers, etc.

The date and time referred to seem to be the date and time of sharing the information, and not that of the UPSI itself.

5. The database has been maintained internally and an audit trail is maintained

What is the meaning of “internal” maintenance? The meaning, in our view, is that the maintenance of the SDD is neither outsourced, nor is it accessible to any person other than the one(s) authorised by the board/AC. Cloud maintenance, provided the access is controlled, does not mean the database is not maintained internally.

An audit trail should have been maintained. The certifying professional will get to know about the audit trail if at all there are any edits in the information.

6. The database is non-tamperable and has the capability to maintain the records for 8 years.

This is a factual matter. As regards the capability to maintain records for 8 years, it seems that the system should have adequate free storage space.

No storage system is good unless there is a backup and recovery mechanism also. Hence, while certifying the above point, the certifying professional should also ensure that there is an automated or manual backup process. Generally, backups should be at least on an n+1 basis.

7. Number of material events required to be captured, and those captured:

The idea of this confirmation is that all such UPSI, which arose during the quarter and were shared internally or externally, has been captured in the SDD.

8. Lapses and remedial action

SDD, like PIT controls in general, is a process of evolution. Entities learn to make their control effective as breaches, exceptions or deviations are noted. It is neither the intent nor is it practical to expect that there will be no lapses in SDD maintenance. Sometimes, information may be shared without the compliance officer coming to know. Sometimes, information may not have been tagged as being UPSI, whereas it is price sensitive. Hence, merely because exceptions have been noted does not mean there is a case of non-compliance. In fact, course correction is important, and companies should not hesitate to put on record improvisation made by them.

Correlation between sharing of UPSI, entering into the SDD, and trading window closure?

Logically, if there is an internal sharing of UPSI, and the recipient is a DP, the action should also result in trading window closure for such DP with whom the information has been shared.

Format of certificate

If a practising professional is giving the certificate, can he add or attach a report, giving the basis of his certification? It is notable that the compliance certificate is a certificate, and not a “report”. Reports typically are addressed to a particular body and provide liberty to the reporting professional to report in affirmative or negative manner, or write reservations, disclaimers, opinion withheld, etc. The certificate under discussion is a “certificate”, which is mostly succinct and in a pre-specified format.

However, in our view, it is possible to attach a note or basis statement, giving the basis of certification, giving reservations, if any, etc. In the language of the Certificate itself, as specified by the stock exchange, one may say, “in terms of our Note of even date”, and then annex the Note.

The language of the Note may say that the Certificate has been given on the basis of documents, registers, records of emails, access to the SDD and other information provided by the Company including information disseminated on the stock exchanges, and based on such checking of facts, information or developments relating to the Company as were available on perusal of records and financial statements. The certifying professional may also add that the professional did not seek access to any UPSI, and that no such UPSI was shared with the certifying professional.
