Internet Trading Guidelines, 2005

1)   Short Title and Scope: - (1) These Guidelines are called the Internet Trading Guidelines, 2005.

(2) The scope of the Guidelines extends to all internet trading service providers.  The Guidelines shall not apply to proprietary trade networks or private trading networks operated between a Stock or Commodity Exchange and its members.

2)   Definitions: - (1) In these Guidelines, unless there is anything repugnant in the subject or context,

(a)      "Advanced Electronic Signature" has the same meaning as given in section 2(1)(e) of the Electronic Transactions Ordinance, 2002;

(b)      "broker" means any broker registered with the Commission under the Broker and Agents Registration Rules, 2001 or under the Commodity Exchange and Future Contracts Rules, 2004;

(c)             "Commission" has the same meaning as given in section 2(2)(g) of the Securities and Exchange Commission of Pakistan Act, 1997;

(d)      "Commodity Exchange" has the same meaning as given in section 2(1)(cc) of the Securities & Exchange Ordinance, 1969;

(e)      "Electronic Signature" has the same meaning as given in section 2(1)(n) of the Electronic Transactions Ordinance, 2002;

(f)      "Internet trading service provider" means any person offering trading service in securities through the internet under these Guidelines;

(g)      "person" has the same meaning as given in section 2(1)(j) of the Securities and Exchange Ordinance, 1969;

(h)      "Securities or Security" has the same meaning as given in section 2(1)(l) of the Securities and Exchange Ordinance, 1969; and

(i)      "Stock or Commodity Exchange" means:

(i)      any Stock Exchange defined under section 2(1)(m) of the Securities and Exchange Ordinance, 1969

(ii)     any Commodity Exchange defined under clause 2(1)(cc) of the Securities and Exchange Ordinance, 1969; and

(2) All other words and expressions used but not defined in these Guidelines shall have the same meanings as are assigned to them in the Companies Ordinance, 1984 (XLVII of 1984), the Securities and Exchange Ordinance, 1969 (XVII of 1969) and the Securities and Exchange Commission of Pakistan Act, 1997(XLII of 1997).

3) Commencement of Service: - (1) Prior to commencement of service every internet trading service provider shall submit details to the Commission of the service to be provided.

(2)   Prior to commencement of service every internet trading service provider shall demonstrate its ability to provide the service under these Guidelines.

(3)   Prior to commencement every internet trading service provider shall have the systems, controls and procedures of the internet trading service audited independently by an audit firm approved by the Commission.

(4)   All existing internet trading service providers shall comply with these Guidelines within six weeks of the date of issue of these Guidelines.

4) Service Requirements:- Every internet trading service provider shall ensure that satisfactory arrangements are in place to:

(1) ensure confidentiality of information in such a way that information is only accessible to an authorized person or system; and in particular that satisfactory measures are in place to prevent:

(a)   unwanted disclosure of inter alia  personal data, transactions, activity and presence on the internet;

(b)   misappropriation of IDs;

(c)   impersonation, leading to unauthorised (illegal) transactions;

(d)   unauthorised usage and inability to detect such malpractices in a timely fashion and/or identify the perpetrator;

(e)   attacks from third parties designed to interrupt the service or aimed at the service becoming an agent for an attack against another web site;

(f)    analysis of data by unauthorized third parties.

(2)  safeguard the integrity of the service including controls to prevent:

(a)   non-compliance with laws, rules, regulations and Guidelines issued by the Commission, leading to illegal transactions, fraud or malpractice;

(b)   presentation of incorrect data, whether unintentionally or malevolently;

(c)   false presentation, or the use of incomplete information for transactions;

(d)   manipulation of data;

(e)   viruses, leading to inter alia loss of data, unauthorized access to or manipulation of data, unavailability or threat of unavailability of systems;

(f)    cyber  extortion,  selling  or  provision  of data  stolen  from  (or illegally obtained from) service providers.

(3)  ensure the availability of the service in the event that:

(a)   the site is not reachable, and that there is no possibility to trade, or to get or give information; or

(b)   that parts of the site are not reachable either through a denial of service attack or lack of capacity; or

(c)   that the provider of the service is unable to give timely access to the site or parts of the site.

 

(4)   ensure that satisfactory alternative arrangements and contingency plans are in place to ensure that business can continue in the event of a large- scale disruption (Disaster Recovery Planning/Business Continuity Planning);

(5)   ensure that the identity of the person or system accessing the service is properly verified by the use of PINs, passwords, electronic signatures or such other approved mechanism  so as to exclude unauthorized access;

(6)   ensure that satisfactory arrangements are in place so that a broker can at all times uniquely identify each and every order during the different stages of processing;

(7)   ensure that orders placed through its systems are fairly allocated in accordance with the rules of the relevant Stock or Commodity Exchange;

(8)  ensure that there is an effective audit trail to address risks arising from:

(a)   the opening, modification or closing of a client account;

(b)   any transaction with significant financial consequences;

(c)   any authorisation granted to a customer to exceed a limit;

(d)   any granting, modification or revocation of systems access rights or privileges.

5)   Service Agreement/Arrangement: - Every internet trading service provider shall:

(a) have an agreement with clients to whom it offers an internet trading service that contains appropriate and prominent risk disclosures highlighting the risks associated with internet transactions;

(b) have appropriate arrangements in place to assess a client's suitability to undertake securities transactions via the internet;

(c) have appropriate arrangements in place to approve a client's account for day trading;

(d) have adequate risk management systems for controlling exposure to internet clients and in particular for monitoring margin trading;

(e) have an adequate number of suitably qualified staff to control and monitor transactions and render clients services in accordance with the rules and Guidelines;

(f) either have suitably qualified staff to operate and maintain the systems used for internet trading services or have an irrevocable agreement with a suitably qualified third party service provider for the operation and maintenance of those systems;

(g) be responsible for settlement of each and every trade executed through the internet trading service.

6)   Requirements by the Exchanges: - A Stock or Commodity Exchange may specify its own requirements, in addition to these Guidelines, for allowing an internet trading service provider to continue its business.

7)   Client Identity:- Every internet trading service provider shall submit to the Commission the details as to how it will satisfy itself as to the true identity of a person opening an account and what measures it intends to take to ensure that the account will be maintained and operated by the person opening the account.

8) Security of Data: - (1) To reduce the risk of third party interception of information sent between a client's computer and the system of an internet trading service provider, every internet trading service provider is required to use some form of encryption.

(a)               The encryption shall apply not only to orders being entered but to any communication with clients that contains confidential information.

(b)               Every internet trading service provider is also required to use a firewall to prevent intrusions by unauthorized persons (e.g., a cracker or hacker, who may obtain unauthorized access to a computer system by bypassing passwords or otherwise breaching computer security).

(c)               Every internet trading service provider shall ensure that its system shall be configurable to allow auto-logoff in case of inactivity of the trading terminal and the trading website.

(d)               Every internet trading service provider shall demonstrate that they have in place a written security policy based on or containing these Guidelines as part of their security policy.

 

9)   Operational Capacity: - Every internet trading service provider shall ensure that its operational capacity is re-evaluated at regular intervals and every internet trading service provider shall give the Commission details of the procedures for undertaking such an evaluation, the time at which such an evaluation will be undertaken, and a copy of the results of such evaluation.

10)  Systems Modification: - Every internet trading service provider is required to submit to the Commission, in advance, with  information relating to any significant changes to its systems or any changes to the functionality of its systems identifying the areas and the reasons for the change.

11) Periodic Audit: - (1) Every internet trading service provider shall ensure that its systems, controls and procedures are audited independently by an audit firm approved by the Commission once every financial year.

(2) Every internet trading service provider shall submit report of the auditor to the Commission within four months of the date of the close of its financial year.

12) Customer Information:- (1) Every internet trading service provider shall ensure that its system shall provide the following information in plain English or Urdu language and in an easily accessible form:

(a)               a basic explanation of securities trading; including definitions of common terms used on the trading screen;

(b)               a general statement and information regarding the manner in which orders are accepted, processed, settled and cleared via the internet;


 

 

(c)               disclosure about the risks of securities trading, including the risk of systems outages and failures and any alternative means of placing orders;

(d)               disclosure about the risks involved in trading securities in a margin account;

(e)               procedures to cancel pending orders during a system failure;

(f)                a glossary explaining key investment terms and concepts such as:

(i) the differences between the various types of orders that may be placed (e.g., a market order, a limit order);

(ii) notice that a market order may be executed at a price higher or lower than the quote displayed on the website at the time of order entry;

(iii) an explanation of how the customer's orders are executed;

(iv) any situations in which customers may not receive an execution;

(v) any restrictions on the types of orders that customers can place; and

(vi)      how market volatility can affect customers' orders.

(g)       the rules and Guidelines affecting inter alia client broker relationship, arbitration rules, investor protection rules.

(h) a hyperlink to the website/page on the website of the relevant Stock or Commodity Exchange displaying rules/Guidelines/circulars; and

(i) a "Terms of Use" policy document which includes proper and fair disclaimers.

(2) Every internet trading service provider shall ensure that its ticker/quote/order book displayed will display the time stamp as well as the source of such information against the given information.

13) Duplicate orders: - Every internet trading service provider is required to ensure that its system has mechanisms to prevent executions of unintended duplicate orders.


 

 

14)      Independent assessment: - The Commission may employ technical experts to undertake an independent assessment of the operational capacity and security of a system.

15)  Order/Trade Confirmation: - (1) Every internet trading service provider shall ensure the trade confirmations and contract notes are sent to the client. Subject to the rules and regulations of the Stock or Commodity Exchange, these may be sent by email on condition that the broker:

 

(a)               notifies the Stock or Commodity Exchange concerned of the intention to use of electronic trade confirmations and/or contract notes one month in advance; and

(b)               obtains prior written consent from the clients concerned.

(2) Every internet trading service provider shall ensure that any trade confirmations and/or contract notes sent by email shall be digitally signed by Electronic Signature or Advanced Electronic Signature.

16) Outsourcing: - (1) Every internet trading service provider considering entering into outsourcing arrangements with a third party supplier of internet trading services shall ensure that they cannot contract out of their core functions and regulatory obligations.

(2) Every internet trading service provider when negotiating an outsourcing arrangement may, inter alia, consider the following:

(a)               notification and reporting requirements;

(b)               intellectual property and information ownership rights, confidentiality agreements and Chinese Walls;

(c)               the need for, and adequacy of, any guarantees or indemnities;

(d)               compliance with the internet trading service provider's own policies, for example on information security;

(e)               arrangements to ensure business continuity and the extent to which facilities that provide the outsourcing are or are not  available  to   provide  business  continuity   for  third parties;

(f)                approval process for changes to outsourcing arrangements; and

(g)               agreed conditions for terminating outsourcing arrangements.


 

 

(3)  Every internet trading service provider entering into outsourcing arrangements with a supplier of internet trading services shall enter into a service level agreement that includes:

(h)       qualitative and quantitative performance targets;

(i)        evaluation of performance, for example by third parties, internal audits, self certification; and

(j)         remedial action and escalation processes for dealing with inadequate performance.

(4)  Every internet trading service provider that enters into an outsourcing arrangement with a supplier of internet trading services shall have appropriate contingency arrangements in place in the event that the supplier of the service is unable to continue to provide a service.

17) Monthly reporting: - Every internet trading service provider shall provide monthly reports to the Commission on the reliability of the service. These reports must show:

(a)       number of users of the system as at the end of the month:

(i)        for Stock or Commodity Exchanges this is number of brokers;

(ii)       for brokers this is the number of clients.

(b)               daily   average   number   of   transactions   (of   all   types) processed by the system during the month and the highest number of transactions processed by the system on a single day during the month;

(c)               percentage of the scheduled time for availability for which the service was not available; and

(d)               reason for non-availability.

 

18)  Dispute Resolution: -      In case of any dispute arising between Broker and Broker, and Broker and Client, the matter will be resolved in accordance with the existing procedures of arbitration and dispute resolution of the Stock or Commodity Exchange.

19)  Cooperation with Commission: - (1) To assist the Commission in investigating instances of suspected market abuses such as insider trading and market manipulation, internet trading service providers shall provide full and prompt responses to all requests for information by the Commission.


 

 

(2) Every internet trading service provider shall ensure that information displayed on its website is kept in an accessible form for a minimum of twelve months.

Guidance Notes

 

Clause

Guidance Note

1

Scope

The scope of the Guidelines extends to trading through the Internet. The Guidelines do not apply to proprietary trading networks or private trading networks operated between an exchange and its members. However, the Guidelines do apply if that trading service is Internet based and extends beyond the member to clients of the member. If in doubt, exchanges and/or their members should consult with the Commission.

3(1)

Prior to commencement of service every internet trading service provider shall submit details to the Commission of the service to be provided.

Internet trading service providers are required to provide details of the service to be offered and must demonstrate compliance with the Guidelines. The Commission will not prescribe what systems should be implemented for internet trading as this would tend to stifle innovation. Instead, the Commission will satisfy itself that the systems to be used have adequate controls and procedures in place to ensure confidentiality of information, integrity and availability of the service; together with contingency plans in the event of a loss of service.

Internet trading service providers should state details and/or examples of how the internet trading service provider is ensuring confidentiality of information; how the internet trading service provider is safeguarding the integrity of the service; what plans the internet trading service provider has for enabling clients to continue to trade in the event of a temporary loss of service; what plans the internet trading service provider has for coping with a disaster scenario such as loss of premises hosting the service etc.

3(3)

Prior to commencement every internet trading service provider shall have the systems, controls and procedures of the internet trading service audited independently by an audit firm approved by the Commission.

The audit of internet trading service provider's systems, controls and procedures must be conducted by a firm drawn from a panel selected by the Commission.

4(2)

(a) presentation of incorrect data, whether unintentionally or malevolently; (b) false presentation, or the use of incomplete information for transactions;

Concern has been expressed that delayed data might be interpreted as inaccurate or false data. The Commission will not take this view where data has been delayed due to exceptional circumstances. However, the Commission will expect internet trading service providers to be responsible for timeliness of distribution of data from its central systems and the Commission will in particular want internet trading service providers to demonstrate that all clients accessing the systems are treated fairly and equally depending upon their method of access.

4(2)

(e) viruses, leading to inter alia loss of data, unauthorized access to or manipulation of data, unavailability or threat of unavailability of systems;

The Commission will expect internet trading service providers to have effective anti-virus software in place and that this will be updated in accordance with the manufacturers' recommendations.

4(3)

ensure the availability of the service in the event that:

(a) the site is not reachable, and that there is no possibility to trade, or to get or give information; or

(b) that parts of the site are not reachable either through a denial of service attack or lack of capacity; or

(c) that the provider of the service is unable to give timely access to the site or parts of the site.

The Commission will wish to see from the internet trading service provider what arrangements are in place for the temporary interruption in the service either because the site cannot be reached or that parts of the site cannot be reached or that there is a degradation in timeliness of access to the site or parts of the site.

This could be a dedicated telephone help desk or other means of accepting orders from clients.

What is not acceptable is that the internet trading service provider does not have alternative arrangements in place.

The Commission will want to be satisfied that alternative arrangements are in place and that these have been notified to clients in advance.

5(a) and 5(b)

have an agreement with clients to whom it offers an internet trading service that contains appropriate and prominent risk disclosures highlighting the risks associated with internet transactions;

have appropriate arrangements in place to assess a client's suitability to undertake securities transactions via the internet;

Brokers will be expected to have separate client agreement letters for those clients to whom it offers an internet trading service.

With online trading comes the increased popularity of day trading which can pose unique investor protection concerns. Individuals engaging in day trading activities often trade their accounts aggressively. However, the ability to engage effectively in day trading requires not only sufficient capital but also a sophisticated understanding of securities markets and trading techniques. Such investors should be made aware that the risk of loss of capital can be very high.

5(e)

have an adequate number of suitably qualified staff to control and monitor transactions and render clients services in accordance with the rules and Guidelines;

The number and qualifications of the staff will vary according to the service being offered but clearly there must be staff employed or contracted on a permanent basis who have the business and technical skills to be able to operate the service on behalf of the internet trading service provider. This would include staff who will provide emergency cover and assistance in the event of a temporary interruption in the normal service.

8(1)

(a) The encryption should apply not only to orders being entered but to any communication with clients that contains confidential information.

Encryption should be such that it is designed to prevent unauthorised interception of the information by a third party during transmission using an encryption and electronic signature system that ensures the authenticity, integrity and confidentiality of the information sent.

9

Every internet trading service provider shall ensure that its operational capacity is re-evaluated at regular intervals and every internet trading service provider shall give the Commission details of the procedures for undertaking such an evaluation, the time at which such an evaluation will be undertaken, and a copy of the results of such evaluation.

The frequency of evaluation of operational capacity will depend upon a number of factors including the growth rate of the service being provided by the internet trading service provider. If growth is rising faster than all expectations, operational capacity must be re-evaluated more frequently to ensure that the service can meet future growth. At minimum however, operational capacity should be reviewed on at least an annual basis.

10

Every internet trading service provider is required to submit to the Commission, in advance, with information relating to any significant changes to its systems or any changes to the functionality of its systems identifying the areas and the reasons for the change.

Rectification of software defects or minor modifications to systems and software need not be notified but any major upgrades to systems and changes to the functionality of a system should be notified to the Commission in advance.

13

Every internet trading service provider is required to ensure that its system has mechanisms to prevent executions of unintended duplicate orders.

Duplicate orders can happen when reports of fills or order cancellations are significantly delayed (by hours or even days) so that a customer may assume that his/her initial order was not executed. Duplicate orders have resulted in customers placing unintended short sales or buying beyond their available funds. Mechanisms to eliminate duplicate orders may include (but are not limited to): i) the provision of trading status screens that provide information as to whether an order has been filled or is still pending; ii) a "lock" on the securities, funds, or buying