Guidelines for Business Continuity Plan (BCP) and Disaster Recovery (DR) of Qualified RTAs (QRTAs)
- Qualified RTAs (i.e. RTAs having more than 2 Crore folios) are systemically important institutions as they, inter-alia, provide infrastructure necessary for the smooth and uninterrupted functioning of the securities market. As part of the operational risk management, these QRTAs need to have high level of resiliency to provide essential facilities and perform systemically critical functions uninterruptedly in the securities market.
- In view of the above, based on consultation with Technical Advisory Committee (TAC) of SEBI, it has been decided to issue guidelines for strengthening overall resiliency, the procedures at / governance of QRTAs for handling disruption, augmentation of systems and practices to achieve better Recovery Time Objective (“RTO”) and Recovery Point Objective (“RPO”), and to improve overall preparedness by conducting periodic announced / unannounced drills. Hence, QRTAs are required to comply with the following framework for BCP and DR:
- Organizational Resilience and Documentation
3.1. QRTAs shall have in place Business Continuity Plan (BCP) and Disaster Recovery Site (DRS) so as to ensure continuity of operations, maintain data and transaction integrity.
3.2. The manpower deployed at DRS/Near Site (NS) shall have the same expertise as available at PDC in terms of knowledge/awareness of various technological and procedural systems and processes relating to all operations such that DRS/NS can function at short notice, independently. QRTAs shall have sufficient number of trained staff at their DRS so as to have the capability of running live operations from DRS without involving staff of the PDC.
3.3. All QRTAs shall constitute an Incident and Response team (IRT)/Crisis Management Team (CMT), which shall be chaired by the Managing Director (MD) of the QRTA or by the Chief Technology Officer (CTO), in case of non-availability of MD. IRT/CMT shall be responsible for the actual declaration of disaster, invoking the BCP and shifting of operations from PDC to DRS whenever required. Details of roles, responsibilities and actions to be performed by employees, IRT/CMT and support/outsourced staff in the event of any Disaster shall be defined and documented by the QRTA as part of BCP-DR Policy Document.
3.4. The Technology Committee of the QRTAs shall review the implementation of BCP-DR policy approved by the board of the QRTA on a quarterly basis.