On December 31, 2018, the Securities and Exchange Board of India (the “SEBI”) introduced several changes to the SEBI (Prohibition of Insider Trading Regulations), 2015 (the “Regulations”), which became effective on April 1, 2019. They were introduced pursuant to the report of the Committee on Fair Market Conduct which advocated for tighter norms to prevent insider trading. This update discusses the impact of the amendments to the Regulations.
Aspects of the Regulations targeted by the SEBI
The SEBI amended the Regulations to address the following key issues:
- While certain employees and other connected persons were required to make disclosures under the Regulations, the SEBI was not always able to establish the link between the insiders having access to unpublished price sensitive information (“UPSI”) and the persons trading by using such UPSI. As a result, many insider trading incidents slipped through the SEBI’s radar.
- While the Regulations permitted listed companies to communicate UPSI in furtherance of “legitimate purposes,” the exact meaning of this phrase was unclear. As a result, listed companies were not able to clearly identify the advisors with whom such information could be shared.
- Although the Regulations are fairly recent, the dynamic nature of the securities market and drafting ambiguities had created uncertainty among market participants with respect to certain provisions.
Changes to curb Insider Trading
- In order to track the flow of UPSI more effectively and to prevent insider trading transactions, the amended Regulations require “designated persons” (who must be determined by the board of directors or other analogous body (the “BOD”) of every listed company, fiduciary and intermediary (a “Market Entity”) on the basis of each person’s role, function and the access to UPSI that such role and function would provide and must include employees, employees of material subsidiaries of listed companies, promoters, senior level officers and support staff) to disclose the following information: (i) names of their educational institutions; (ii) names of their past employers; (iii) names, Permanent Account Numbers (issued by Indian tax authorities) or any other “identifier” authorized by law (“Legal Identifiers”), and phone numbers of their immediate relatives; and (iv) names, Legal Identifiers and phone numbers of persons with whom they share a material financial relationship (if a person receives a payment equivalent to at least 25% of the payer’s annual income during the immediately preceding twelve (12) months.)
By introducing the concept of “designated persons,” the SEBI has extended the disclosure obligations way beyond the erstwhile category of “employees and connected persons.” While the SEBI’s goal of tracking the flow of information is admirable, it does not account for several practical difficulties. For instance, Market Entities will need to constantly update their databases to keep the information relevant, notwithstanding the fact that tracking such changes may be a challenge in itself given the wide characterization.
By demanding such broad and indiscriminate disclosures, the SEBI has increased the compliance burden on all Market Entities, while the measure itself may prove to be of little benefit.
- Each listed, or proposed to be listed, company is required to maintain a digital database containing the names and Legal Identifiers of all persons or entities who receive the company’s UPSI.
Every listed or to be listed company has to maintain a digital database, and every person or entity who receives such a company’s UPSI has to give his/her personal details to the company regardless of the remoteness of his/her relationship with the company. In our view, the SEBI appears to be overreaching in its data collection diktats, which are in sharp contrast to practices in countries like the US, where the law focuses on post-incident enforcement more than pre-incident data gathering.
Further, in case of non-residents, global data privacy laws may also impact the SEBI’s data collection initiative. For instance, under the EU’s General Data Protection Regulation, persons residing in the EU will have to expressly consent to the disclosure of their personal information with Indian companies and the relevant Indian authorities. It is unclear whether the amended Regulations will prevail over EU regulations if consent is not forthcoming.
- All Market Entities are required to formulate a revised model code of conduct as specified under Schedule B and Schedule C of the Regulations.
- The Chief Executive Officer, Managing Director or any other analogous person of the Market Entity is required to institute an effective system of internal controls, which ensures that: (i) employees with access to UPSI are identified as designated persons; (ii) the UPSI’s confidentiality is maintained as required by the Regulations; (iii) adequate restrictions are placed on communication of UPSI; (iv) a list of persons with access to UPSI is created; and (v) a periodic review is conducted to evaluate the internal controls.
Additionally, audit committees must review the adequacy of the Market Entity’s internal controls and their compliance with the Regulations at least once every financial year. In addition, every company is required to formulate whistleblower policies and policies to conduct inquiries into leaks of UPSI.
In delegating the responsibility of ensuring compliance with the Regulations to the Market Entities, the SEBI has succeeded in creating a chain of accountability. However, it remains to be seen whether the Market Entities will adequately enforce the requirements of the Regulations.
Information sharing for “legitimate purposes”
The SEBI has allowed the BOD of the Market Entities to define their own policy to determine “legitimate purposes.” Additionally, the SEBI has provided an indicative list of persons with whom the UPSI can be shared which includes partners, collaborators, lenders, customers, suppliers, merchant bankers, legal advisors, auditors and insolvency professionals, as long as the sharing of UPSI is not carried out to evade or circumvent the prohibitions of the Regulations. Apart from sharing information for legitimate purposes, listed companies can only share UPSI if the BOD believes such sharing of UPSI is in the best interests of the company and the information shared is made publicly available within two (2) days.
Recognizing that all information relating to material events may not necessarily be price sensitive, the SEBI has removed such information from the scope of UPSI. Further, if a person trades in the securities of a company while in possession of UPSI of that company, the amended Regulations create a presumption of guilt on such person. Lastly, the amended Regulations have permitted block deals between persons in possession of UPSI as long as both parties have made a conscious and informed trade decision.
In allowing the BOD to determine the scope of “designated persons” and “legitimate purposes”, in our view, the SEBI has recognized that determining the appropriate recipients of UPSI is necessarily a subjective decision best left to the BOD. In fact both, the Report of the Committee on Corporate Governance in October 2017 and the Report of the Committee on Fair Market Conduct in August 2018, had advocated for the delegation of such power to the BOD. In pairing this power with the duty to act in the best interests of the listed company, the SEBI has attempted to create a transparent but flexible framework for the disclosure of UPSI. Given this, in our view, the SEBI has brought considerable clarity to the Regulations and eased the doing of business in India.