1. INTRODUCTION
In today's era when data is known as the new oil,1 the Securities Exchange Board of India (“SEBI”) has taken a significant step to transform and update the process of sharing financial market data with the proposed draft “Policy for Sharing Data for the Purpose of Research / Analysis” (“New Draft Policy”).2 The New Draft Policy seeks to not only address the limitations of SEBI's older Data Sharing Policy, 2018 (“2018 Policy”),3 but also attempts to come closer to the Digital Personal Data Protection Act (DPDPA), 2023, in terms of compliance.4
The journey towards the New Draft Policy began with SEBI's 2018 Policy, which sought to bring some semblance of structure to data sharing by SEBI in Indian financial markets with research/educational organisations and regulated entities for conducting research/ analytics, and academic studies. Under the 2018 Policy, only historical data (two years or older) is permitted to be shared and that too in an anonymised manner, to protect individual privacy as well as market-sensitive information. The data seekers are required to fill up a detailed data seeking request form with respect to any information desired along with the associated purposes and sign a comprehensive undertaking of confidentiality to ensure non-disclosure of information provided. Where the data of other authorities is concerned, it is incumbent upon SEBI to reach out to such other authorities and seek their approval and data prior to sharing any information with the data seeker. Once the purpose for which the data is sought is completed, the data seekers are mandatorily required to expunge the data and confirm the same to SEBI.
The 2018 Policy certainly introduced some key concepts like data anonymisation, non-disclosure, and adherence to sharing historical data. However, over the course of the development of financial markets and the increase in demand for new information, shortcomings were observed. The centralised approach - with SEBI being the primary data provider under the policy, created bottlenecks. The whole process was quite tedious and cumbersome, and the Market Infrastructure Institutions (“MIIs”) like stock exchanges, depositories and clearing corporations had limited autonomy in sharing their own data. Further, with rapid development in the field of data analysis, the need for real-time information remained rather insufficiently addressed.
2. KEY HIGHLIGHTS
With the objective of addressing these challenges, SEBI's Market Data Advisory Committee (MDAC) recommended a shift in the policy, which has now culminated into SEBI's consultation paper seeking public comments on the draft circular for “Policy for Sharing Data for the Purpose of Research / Analysis”. It is proposed under this consultation paper that SEBI should only disclose information which is under its direct ownership. The outcome would be in the form of the New Draft Policy, that will allow MIIs to set up their individual guidelines for data sharing, while observing compliance to the overarching principles as set up by SEBI. This approach will not only help in alleviating the burden on SEBI, but also accelerate data availability for researchers and analysts.
One of the key features proposed by the New Draft Policy is the ‘two-basket' approach to categorising the data, into shareable and non-shareable data. The first basket includes data which is publicly shareable, such as aggregate market statistics and anonymised data. For instance, this basket encompasses daily market information like Bhav Copy, trading statistics, and indices snapshots that are readily available on the websites of MIIs. It will also include transparent operational metrics like category-wise turnover data, the percentage of proprietary and client trades, and enforcement actions against members. Additionally, this basket can contain historical data sets that are too voluminous for regular website display, but still remain shareable – such as multi-year data on margins and volatility, historical trading data across all segments, and spot and futures prices beyond thirty days.
The second basket contains non-public and sensitive information where protections/restrictions need to be strictly and explicitly called out. This will include confidential data like PAN-wise trade information, unique client code details, individual Know Your Customer (“KYC”) records, and specific holding details of entities or individuals. Other sensitive information in this basket may comprise clearing member-specific delivery information, payment default records, client-wise position data and confidential details about depository participants and registrar and transfer agents. Such data requires stringent protection due to its potential impact on individual privacy and market integrity, and cannot be publicly shared.
This clear delineation will address one of the main challenges in data sharing: determining what data can be shared and what cannot be shared. MIIs are mandatorily required to share for approval, within sixty days from the issuance of the New Draft Policy, their data lists for shareable and non-sharable data with SEBI and also make the sample files available on their websites, thus, promoting transparency and ease of access. Another feature of the New Draft Policy is that while it maintains a provision for sharing of data, free of cost (up to 2 GB), the New Draft Policy will allow MIIs to charge a cost for high-volume (beyond 2 GB) and/or processed data requests (structured or value-added information). It is important to highlight that the New Draft Policy is specifically applicable only in the context of data sharing for research purposes, and it explicitly excludes from its scope any data to be shared for commercial purposes.
The alignment of the New Draft Policy with the data protection laws of the country is noteworthy. As per the New Draft Policy, MIIs will be required to have their own data sharing policy in place with a focus on guidelines for data collection, processing, storage, dissemination and sharing. Further, with an emphasis on the principles of data minimization, purpose limitation, and robust security measures, SEBI has ensured that the data sharing practices in the financial sector are in harmony with the broader data governance framework in the country. While promoting access to data is a key focus of the New Draft Policy, equal weightage is given to the requirement of responsible data handling and safeguarding of sensitive information. The balanced approach clearly resonates with the dual objectives of DPDPA i.e., protection of personal data and the promotion of digital economy. This alignment is especially important in an age where data security and privacy have become global concerns.5
3. IMPACT ON STAKEHOLDERS
For researchers and analysts, the New Draft Policy creates exciting opportunities. The potential access to more granular market data would encourage more insightful, analytical and innovative research. For regulators, this could play a role in enhancing the efficiency of the market by improving policy decisions. However, greater responsibility will come in with greater access. The increased access would require researchers to be vigilant about data protection and be compliant with stringent ethical considerations in their use of market data.
The impact of the New Draft Policy on MIIs cannot be overstated. The stock exchanges, depositories, and clearing corporations would now be more proactive in the data sharing ecosystem. One potential outcome of this could be the establishment of specialised data products and machine learning, leading to the generation of more revenue. However, this equally loads these institutions with sufficient expectations to develop appropriate data governance frameworks and practice conformity to the SEBI guidelines, and the data protection laws. To resolve this problem, SEBI should offer comprehensive guidelines and possibly a step-by-step action plan to help MIIs to build the required frameworks and technologies for adherence to the policy framework.
Another industry which can be greatly affected are Credit Rating Agencies (“CRAs”). Access to broader data sources could improve their capacity to evaluate market risks and performances of the companies. This would imply that more accurate and timely ratings could be provided, benefiting the investors as well as the market as a whole. Nonetheless, CRAs will have to proceed with caution as far as incorporation of data into their methods of evaluation is concerned, to make sure that they comply with the requirements of confidentiality and evolving data protection legislation.
Looking from the retail investors perspective, while the benefits in the short run may appear to be limited, they could be substantial in the long run. Improved market research and analysis has the potential to provide improved investment products, more transparent markets and, possibly, better returns. In addition, as market analysis becomes more refined, retail investors could get more insights into the market, which has traditionally been the domain of institutional investors.
4. CHALLENGES
The road to successful implementation of the New Draft Policy faces several challenges which demand careful consideration. The technical infrastructure alone needed to support this policy, specifically for smaller MIIs, could be substantial. The adoption of severe standards in this regard may be premature for the MIIs and thus, a phased approach will be appropriate to allow these institutions to build the necessary infrastructure requirements and observe adherence to the required protocols. This becomes even more important given the rapid evolution of technology in today's digital age, which necessitates regular reviews and updates of policy.
There is also the ever-present problem of data elimination: how to make sure that even when data has been anonymised, it is truly beyond recognition, because data can always be re-identified using newer methods of data analysis. While the New Draft Policy introduces broad guiding principles for data sharing, it deviates from the comprehensive, prescription-based model of the 2018 Policy and its effectiveness will ultimately depend upon its execution in the real world. To this extent, MIIs have been given complete discretion for developing their own data-sharing frameworks. This flexibility raises important questions about standardisation and oversight. It would be prudent for SEBI to establish base-level compliance standards that all MIIs must follow, and to clearly delineate its supervisory role in the data-sharing ecosystem.
This ties in directly with a more deep-rooted challenge which lies in the prevalent institutional culture surrounding compliance. Take, for instance, the financial services sector – where, despite the existence of explicit restrictions on information sharing, employees of regulated entities, are often found circumventing these restrictions through verbal communications while still avoiding written records. This points to a concerning gap between policy intention and the actual practice. To help bridge this divide, there is a need for organisations to move beyond viewing compliance as a mere checkbox exercise and invest towards comprehensive sensitisation programs. Regular training sessions similar to compliance programs in place for Anti-Money Laundering (AML) and KYC protocols can help employees in understanding why data protection matters, rather than seeing it more like a bureaucratic hindrance. Given that the proof of the pudding is in the compliance budget - meaningful change in data protection and privacy can only come through robust compliance mechanisms.
One of the key strengths of the 2018 Policy, which should also be followed in the policy framework that each of the MIIs may end up adopting should the New Draft Policy become effective, is an emphasis on ethical practices to be followed by researchers and analysts while handling market data. The 2018 Policy empowers SEBI with investigative authority to monitor the adherence of those seeking data to strict confidentiality norms and also verify that data usage in reality aligns with the purpose it was actually approved for. For example, if a researcher receives market data for studying trading patterns but is then found using it for commercial purposes, SEBI can initiate appropriate legal action against them. These safeguards are crucial given the unique position of MIIs. Unlike SEBI, which is a statutory body, MIIs are not. They operate with profit motives and may have an incentive to monetise data inappropriately. The introduction of audit rights can serve as an important checkpoint, ensuring that the protective framework is robust and also effectively prevents any potential data misuse scenarios, such as the unauthorized reselling of market data or any sharing of confidential information related to trading.
5. CONCLUSION
SEBI's New Draft Policy for data sharing will be a major step towards the development of India's approach to financial market data. The legislative intent is clear: to enhance the amount of data available for analysis while proactively ensuring compliance with the DPDPA, even before it has come into effect. The focus is to promote data democratization, data privacy and data accountability, all at once. As this policy moves from the stage of proposal to implementation, with effective compliance mechanisms in place, it will have a significant role to play in shaping the Indian financial market as well as data governance practices.
The New Draft Policy may end up setting a benchmark for other sectors and regulators. Public comments and suggestions on the New Draft Policy have been received and we can expect a roll out in the coming weeks.6
Footnotes
1. Times of India, Data is the new oil, learn to mine it for a resilient career, available here.
2. SEBI, Draft circular for “Policy for Sharing Data for the Purpose of Research / Analysis”, dated October 8, 2024, SEBI/HO/DEPA/SRG/CIR/2024/XX, available here.
3. SEBI, Guidelines For Seeking Data, dated October 17, 2019, Version 2, available here.
4. The Digital Personal Data Protection Act, 2023, available here.
5. As evidenced by the ever-increasing data breaches. Please see here and here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.