The Tokyo Stock Exchange (hereinafter, the "TSE") has imposed disciplinary action (censure) against SBI Securities Co., Ltd. (hereinafter, the "Company") pursuant to Rule 34, Paragraph 1, Item 8 of the Trading Participant Regulations.
Additionally, the TSE has requested the submission of a business improvement report pursuant to the provisions of Rule 19 of the Trading Participant Regulations. The business improvement report shall include:
(1) Investigation of the reasons why inappropriate system risk management supervision systems and frameworks were tolerated and became normalized, and clarification of where responsibility lies, together with a review of the management supervision systems and frameworks
(2) Construction of an effective system risk management system and framework through verification of past cases of glitches including those where processing was not executed according to management standards related to glitches, and classification of foreseen cases and countermeasures, etc.
(3) Reminding officers and employees of the importance of system management, and taking steps such as reviewing internal rules and business procedures and conducting training, etc., in order to ensure proper business operation
(4) Responding appropriately to past recommendations in external system audits. In addition, improving the system so that the internal audit division functions properly and external system audits are properly executed, in order to appropriately verify the effectiveness of system risk management as a whole, including measures taken based on such past recommendations.
Outline of Violation
Situation deemed to have insufficient supervision of electronic information processing system for financial instruments business
The company professes that system risk management is conducted based on company rules. However, verification of the company's system risk management systems and frameworks during an inspection conducted by the Securities and Exchange Surveillance Commission, with a reference date of August 24, 2009, revealed that 3 or more out of every 4 cases of system glitches had not been handled under system risk management. The situation was therefore deemed essentially equivalent to one in which no system risk management was in place. In addition, deficiencies were found in the execution of risk management for cases which the company had included as risk management items, and the internal rules, etc. were deemed inadequate.
This issue arose because company management, without a proper understanding of actual business operations, left system risk management to certain personnel and contracted third parties, and because officers and employees lacked awareness that system risk is an issue to be addressed by the company as a whole.
1. Numerous system glitches failed to be handled under system risk management
The company performed risk management for 188 cases of system glitches based on the internal rule "System Operation Management Standard" (hereafter "management standard") during the period from April 2008 to the inspection reference date.
However, verification of system glitches at the company revealed at least 592 cases other than those handled above, and it was thus acknowledged that there were cases which were not handled under risk management. In addition, because these 592 cases were neither recorded nor reported as specified in the management standard, it was acknowledged that the related departments and management were not aware that these system glitches had occurred.
Furthermore, it was acknowledged that 33 of the 592 system glitches disrupted customer transactions, causing customer login failure and interrupting order acceptance and placement.
2. Deficiency in security measures
Verification of the implementation status of risk management for the 188 system glitches mentioned in 1. above revealed the following deficiencies in security measures for maintaining the quality, etc. of system development and operation.
(1) The forms for reporting and recording system glitches are deficient: the identification of the cause of each system glitch, and the implementation status, etc. of measures taken in response to the results of analysis, are unclear. In addition, glitches are not regularly consolidated and analyzed, and measures to prevent recurrence are not taken.
(2) As a result of the failure to manage glitches continuously (until each is finally resolved) and to close out unresolved glitches, there are unresolved glitches which have remained open under risk management for a long period of time. Furthermore, because measures to prevent recurrence were insufficient, system glitches displaying similar phenomena continue to occur.
3. Insufficient improvement measures based on recommendations in system audit, etc.
It was acknowledged that, for a long period of time, no improvements were made in response to recommendations from system audits outsourced to external audit institutions. In addition, as a result of these insufficient improvements, glitches not handled under risk management and deficiencies in glitch management occurred constantly.
Furthermore, in its audits the company's audit department failed to verify whether business operations were being conducted in accordance with the management standard. It was deemed that the company failed to ensure the effectiveness of system audits.
4. Inadequacies in rules, etc. for system risk management
It was found that the company had not established a basic policy for system risk management and had not specified the location and types of risk which should be managed. As such, there was a deficiency in establishing appropriate rules, etc. regarding system risk management.
5. Occurrence of system glitches which significantly affect customer transactions
It was acknowledged that there have been system glitches with a large adverse effect on customer transactions, causing problems such as customer login failure and interruption of order acceptance and placement. In addition, because some of these system glitches were not handled under system risk management, and because the company did not sufficiently understand the actual effect of such glitches on customers, it was deemed that there is a problem from the viewpoint of investor protection.
The above is acknowledged to be a 'situation deemed to be an insufficient management of the electronic information processing system relating to financial instruments business, etc.' as defined in Article 123, Paragraph 1, Item 14 of the Cabinet Office Ordinance on the Financial Instruments Business based upon Article 40, Item 2 of the Financial Instruments and Exchange Act.
SBI Securities is expected, as a major on-line securities company, to have adequate systems and frameworks in place for development and operation of durable systems and appropriate measures in response to system glitches. In light of the above events, efforts at improving operations are deemed necessary.