THE WATCHDOG THAT WATCHED TOO MUCH: DECODING SEBI’S TECHNOLOGY-DRIVEN AUDIT FRAMEWORK

RFMLR RGNUL




This post is authored by Yash Sharan and Akanksha Sharan, 2nd year BA LLB (Hons.) students at HNLU, Raipur.

 

1. INTRODUCTION

 

On 31 January 2025, the Securities and Exchange Board of India (“SEBI”) issued a Circular proffering a framework for Monitoring and Supervision of System Audit of Stock Brokers (“SBs”) through Technology-Based Measures. This comes as a move to strengthen the regulation of the stock market, especially in an era where stock market transactions are continuously being digitised. It comes after a Consultation Paper issued on December 3, 2024, to receive the public’s input. The Circular aims to improve accountability, transparency, and compliance in stock broker operations by employing technology in regulatory oversight. Thus, it becomes imperative to analyse this Circular and highlight SEBI’s reforms that seek to overhaul the regulation of stock market trading and align India with global standards.


Through this article, the authors delve into the intricacies of the Circular in three parts. Firstly, the article discusses the major terms and tenets of the Circular and the changes it aims to bring. Secondly, it underscores the shortcomings and hurdles of the Circular. Thirdly, it puts forth the authors’ suggestions to resolve these roadblocks. Lastly, the article concludes with a summary and a way forward.


2. THE WATCHDOG GOES DIGITAL: UNPACKING SEBI’S REFORMS IN THE CIRCULAR


Exercising its statutory powers under Section 11 of the SEBI Act, 1992, SEBI has introduced a comprehensive regulatory framework with a view to improving the monitoring and supervision of the system audits of stock brokers. System audits are mandated by SEBI to ensure cybersecurity and operational resilience for market players. These audits are conducted periodically and are used to identify risks and penalties for players who do not comply with the rules.


In this regard, the initiative is in line with SEBI’s broader aim to protect the interests of investors and maintain the integrity of the market, as well as with Regulation 26 of the SEBI (Stock Brokers and Sub Brokers) Regulations, 1992, which requires stock brokers to have robust risk management systems. SEBI extends its oversight of brokers to cover systemic risks generated by technology failure in trading infrastructure, indicating that it is increasingly looking at technological governance in capital markets.


Firstly, the Circular provides for a Web-Based Monitoring Platform for Audit Oversight, requiring stock exchanges to set up an online platform within six months to monitor and track the entire audit process of stock brokers. This measure helps ensure the complete execution of audits and minimises the risk of regulatory loopholes. SEBI’s approach is in line with global standards, such as those of the Financial Industry Regulatory Authority (“FINRA”) in the United States, which has introduced the Consolidated Audit Trail (“CAT”) to monitor broker-dealer activities and detect irregularities. FINRA’s CAT is observed to have enhanced transparency. SEBI is seen trying to bring in a similar framework to increase transparency, curb manipulation in the market and ensure real-time compliance monitoring. Additionally, this digital initiative is in line with Regulation 7 of the SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015, which mandates market intermediaries to make accurate financial disclosures.


Secondly, the Geo Location Tracking of Auditors is another important enhancement, which mandates auditors to authenticate their presence at the brokerage firms through geo-tracking and one-time password (“OTP”) based logins. Eliminating the risk of remote, potentially manipulated audits improves the reliability of the audit. However, this provision clashes with Section 43A of the Information Technology Act, 2000, which requires organisations to adopt reasonable security practices for the protection of sensitive data. Moreover, the Digital Personal Data Protection Act, 2023 also creates stricter requirements regarding location tracking. Back in 2017, the Supreme Court in K.S. Puttaswamy v. Union of India affirmed the right to privacy as a fundamental right, and SEBI must provide safeguards to stop such geo-tracking data from being abused and used without consent.


Thirdly, in order to improve the uniformity and credibility of audit processes, SEBI has formulated a Standardised Audit Reporting Mechanism. Auditors must now use a uniform reporting template that is accessible on the web-based monitoring platform. This provision is in line with Section 12A of the SEBI Act, 1992, which prohibits fraudulent and unfair trade practices, and Clause 49 of the SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015, which calls for standardized disclosures to reduce differences in reporting. This change followed high-profile regulatory failures, one of them being the Karvy Stock Broking case, in which client securities worth ₹2,000 crore were not recognised by auditors because of inconsistent auditing standards. Previous auditing methods used multiple inconsistent documentation systems and non-uniform risk assessment procedures that were incapable of detecting off-balance-sheet irregularities. Financial reporting through the new template stops financial fraud because it provides a uniform system of documentation, separates pledged assets from unpledged assets, and requires standardized verification methods that block improper liability hiding.


Along with that, the Auditor Empanelment and Rotation Rules (Regulation) have brought in a significant reform, allowing an auditor a tenure of three consecutive years with any one brokerage firm, followed by a cooling-off period of two years. This ensures that auditor-broker associations do not last long enough for auditor bias or compromised audits to occur. The case of Sahara India Real Estate Corp Ltd. v. SEBI vividly highlighted the risks associated with a lack of independent audit of affairs, which came to be epitomised by inferences for which a company for active investing could be legitimately held to account. The new policy of SEBI is in line with Section 139 of the Companies Act, 2013, which prescribes auditor rotation to avoid conflicts of interest. In addition, it is also important for SEBI to be the independent, periodically rotated auditor of the entity as was upheld by the Supreme Court’s ruling in Price Waterhouse v. SEBI.


The new framework represents a paradigm shift in SEBI’s regulatory approach, from periodic audits to continuous, technology-driven supervision. Embedding compliance in a digital ecosystem helps to mitigate cyber vulnerabilities and ensures the protection of investors, setting a standard for the combined use of law, technology and financial governance in the Indian capital markets.


3. THE COMPLIANCE CONUNDRUM: UNPACKING THE HIDDEN RISKS OF SEBI’S CIRCULAR AND PLAUSIBLE SOLUTIONS


While the Circular is a watershed reform and has profound implications for the Indian financial landscape, concerns persist over potential risks that could challenge its effectiveness. The Circular, while enhancing transparency, poses risks which this section elucidates.


Firstly, the Circular is primarily based on the assumption that a standardised web portal controlled by exchanges will increase compliance and streamline audits. On the contrary, this approach might introduce a regulatory paradox where stock exchanges, being profit-driven entities, capture the entire mechanism. The problem lies in the absence of any independent oversight mechanism by SEBI over these stock exchanges, which are responsible for both audit supervision and market surveillance, resulting in the dilution of transparency. A relevant instance here is the National Stock Exchange Co-Location Scandal, where unfair access to the exchange's servers resulted in undue trading advantages. Thus, to resolve this roadblock, SEBI must establish an audit verification mechanism that independently verifies the integrity of audit reports. While SEBI has previously introduced measures such as the SCORES platform for investor grievance redressal and forensic audits for listed companies, its oversight of stock exchange audits remains limited. In contrast, global markets like the U.S. have implemented independent audit regulators such as the Public Company Accounting Oversight Board (PCAOB) to mitigate conflicts of interest. Adopting a similar framework, SEBI’s audit verification mechanism must be publicly verifiable, ensuring that audit reports are time-stamped before being uploaded to SEBI’s system. This structure would prevent stock exchanges from inadvertently (or deliberately) altering audit findings, ensuring that critical system vulnerabilities are disclosed without risk of institutional bias.


Secondly, the Circular incorporates a provision for the appointment of auditors and their mandatory rotation triennially. This provision carries with it a jurisdictional dilemma in cross-border algorithmic trading systems. A plethora of high-frequency trading firms operating in India leverage proprietary trading software developed overseas, with core system audits performed by foreign IT security firms. The provision does not recognise these technical complexities, as a trading system’s vulnerabilities may reside in offshore data centers or cloud-based processing hubs. The Circular fails to answer the imperative question of whether international audits of trading algorithms comply with SEBI’s framework or whether firms are going to hit roadblocks, primarily owing to licensing and nationality constraints.


To resolve this issue, SEBI can create a mechanism where trading firms that use algorithms developed overseas can appoint pre-approved global cybersecurity auditors. They should not be constrained to SEBI’s list of empanelled auditors. SEBI would be required to form an interoperable audit certification mechanism in collaboration with foreign financial regulators. If SEBI recognises foreign firms as eligible system auditors, it will also be making sure that algorithms developed in financial hubs such as New York, Hong Kong and Singapore are jurisdictionally compliant without disrupting global trading operations.


Thirdly, a pertinent issue is the conflict between SEBI’s geo-tagging mechanism and the independence of auditors. The Circular makes it mandatory that auditors verify their physical presence at brokers’ premises through geo-tracking and OTP-based authentication. Unlike financial audits, system audits need extensive off-site forensic testing, source code reviews, and vulnerability assessments, tasks that may not necessitate physical presence at a broker’s premises. Since SEBI has mandated geo-tagging, this may divert auditors' focus from recognising systemic risks, which require off-site analysis. Instances of geo-tagging creating inefficiencies have been observed in other regulatory frameworks, such as tax audits, where rigid location-based verification has sometimes hindered comprehensive assessments. In contrast, jurisdictions like the U.S. and the EU have adopted hybrid audit models that incorporate a remote approach, allowing for remote verification of audit processes while maintaining physical inspections where necessary, thereby ensuring both oversight and effectiveness in identifying systemic vulnerabilities.


To address this conflict, SEBI can proffer a hybrid model of ensuring compliance checks from deep forensic assessments. System auditors need to be permitted to carry out off-site risk evaluations while maintaining a blockchain ledger of their audit activities. This ledger, accessible only to SEBI and accredited exchanges, would ensure that auditors are transparently reporting their findings without the need for restrictive location-based authentication. SEBI has never integrated blockchain technology into its compliance audits till now. In addition, blockchain auditing has challenges, including data privacy concerns and the regulatory adaptability of existing frameworks, requiring legal clarity and technological infrastructure upgrades. Additionally, there are other concerns, such as the lack of technological infrastructure to comply with advanced system audits and the increased cybersecurity risks arising from centralised audit data storage and geo-tracking of auditors. The framework’s efficient enforcement and oversight may also be hampered by the need to ensure adherence to web portal deployment deadlines and possible auditor shortages brought on by strict eligibility and rotation requirements.


4. CONCLUDING REMARKS


SEBI’s system audit framework establishes important advancements for modern regulatory oversight but needs effective measures to tackle existing structural issues in order to succeed. The benefits of digital compliance monitoring and real-time monitoring in this framework may be hindered by the exchange-controlled oversight model, together with strict geo-tracking requirements and limited methods of international audit sharing. Stock exchanges gain excessive power to control audits when they lack independent verification procedures, because this creates potential conflicts of interest. The framework creates challenges because it does not establish auditing standards for algorithmic trading across international borders, which weakens its ability to work with global trading standards.


SEBI needs to adopt certain mechanisms as well as global cybersecurity accreditation systems to become an international financial governance leader and establish India as a leader in financial governance. These measures will convert the current static regulatory tool into an automated proactive protection system for financial and technological security. The structure will achieve superior robustness and increase investor trust in Indian capital markets by implementing decentralized regulatory models and self-verified processes.

RAJIV GANDHI NATIONAL UNIVERSITY OF LAW, SIDHUWAL - BHADSON ROAD, PATIALA, PUNJAB - 147006

ISSN(O): 2347-3827

© Rajiv Gandhi National University of Law Punjab, 2024
