The Tokyo Stock Exchange (hereinafter, the "TSE") has imposed disciplinary action (censure) against SBI Securities Co., Ltd. (hereinafter, the "Company") pursuant to Rule 34, Paragraph 1, Item 8 of the Trading Participant Regulations.
Additionally, the TSE has requested the submission of a business improvement report pursuant to the provisions of Rule 19 of the Trading Participant Regulations. The business improvement report shall include:
Outline of Violation
Situation deemed to have insufficient supervision of electronic information processing system for financial instruments business
The company professes that system risk management is conducted based on company rules. However, verification of system risk management systems and frameworks in the company during an inspection conducted by the Securities and Exchange Surveillance Commission with a reference date of August 24, 2009, revealed that 3 or more out of 4 cases of system glitches failed to be handled under system risk management. Therefore, the situation was deemed as essentially equivalent to one where no system risk management was in place. In addition, deficiencies were found in execution regarding cases which were included as risk management items by the company, and it was deemed that there were inadequacies in the internal rules, etc.
This issue arose due to company management, without a proper understanding of actual business operations, leaving system risk management to certain personnel and contracted third parties, as well as officers' and employees' lack of awareness of system risk being an issue to be addressed by the company as a whole.
1. Numerous system glitches failed to be handled under system risk management
The company performed risk management for 188 cases of system glitches based on the internal rule "System Operation Management Standard" (hereafter "management standard") during the period from April 2008 to the inspection reference date.
However, verification of system glitches in the company revealed at least 592 cases other than those handled above. Thus it was acknowledged that there were cases which failed to be handled under risk management. In addition, due to the fact that there was no record or report of these 592 cases as specified in the management standard, it was acknowledged that the related departments and management were not aware of the fact that system glitches had occurred.
Furthermore, it was acknowledged that 33 of the 592 system glitches disrupted customer transactions, causing customer login failure and interrupting order acceptance and placement.
2. Deficiency in security measures
Verification of the implementation status of risk management regarding the 188 system glitches mentioned above in 1. revealed that there were the following deficiencies in security measures in the quality maintenance, etc. of system development and operation.
3. Insufficient improvement measures based on recommendations in system audit, etc.
It was acknowledged that, for a long period of time, there were no improvements in response to recommendations in system audit outsourced to external audit institutions. In addition, as a result of insufficient improvements, glitches due to failure to handle under risk management and deficiencies in glitch management constantly occurred.
Furthermore, the company's audit department failed, in its auditing, to verify whether the business operations were conducted in accordance with the management standard. It was deemed that the company failed to ensure effectiveness of system audit.
4. Inadequacies in rules, etc. for system risk management
It was found that the company did not establish a basic policy for system risk management, and failed to specify the location and types of risk which should be managed. As such, there was deficiency in establishing appropriate rules, etc. regarding system risk management.
5. Occurrence of system glitches which significantly affect customer transactions
It was acknowledged that there have been system glitches that have a large adverse effect on customer transactions, causing problems such as customer login failure and interruption of order acceptance and placement. In addition, out of these system glitches, due to the occurrence of cases which were not handled under system risk management as well as the lack of sufficient understanding of the actual effect of such glitches on customers, it was deemed that there is a problem from the viewpoint of investor protection.
The above is acknowledged to be a 'situation deemed to be an insufficient management of the electronic information processing system relating to financial instruments business, etc.' as defined in Article 123, Paragraph 1, Item 14 of the Cabinet Office Ordinance on the Financial Instruments Business based upon Article 40, Item 2 of the Financial Instruments and Exchange Act.
SBI Securities is expected, as a major on-line securities company, to have adequate systems and frameworks in place for development and operation of durable systems and appropriate measures in response to system glitches. In light of the above events, efforts at improving operations are deemed necessary.