The market regulator has proposed linking trading accounts with SIM cards and making biometric authentication mandatory to enhance security in online trading and protect investors from unauthorized transactions.
The Securities and Exchange Board of India (Sebi) acknowledged that with the rapid evolution of technology and the increasing use of web-based and mobile platforms for trading, incidents of hacking, identity theft, and fraud have become more frequent. The regulator flagged a rise in cases of unauthorized access to accounts, SIM card spoofing to divert one-time passwords (OTPs), and other security breaches.
The regulator set up a working group to address these issues and came out with a consultation paper seeking a multi-faceted framework to improve the security of trading accounts through advanced authentication measures.
Proposed security framework
One key proposal is to introduce a SIM-binding mechanism, similar to the one used in Unified Payments Interface (UPI) transactions, which will link a mobile number, device, and the unique client code (UCC) for secure access.
A mobile device will be linked to the UCC of the investor. To log into the trading account, the system will require that the mobile device is registered and hard-bound with the SIM. This will act as the primary security layer for accessing accounts, according to Sebi.
The proposed framework mandates biometric authentication (including fingerprint or facial recognition) for logging into the trading application. This step will ensure that only authorized users can access the accounts.
Sebi also proposed that investors will be able to access their accounts from multiple devices, but the login will require proximity-based authentication, with an active session on only one device at a time. A QR code-based, time-sensitive authentication will be used for verifying access from other devices, like desktops or laptops.
Investors will have more control over their accounts, with options to temporarily lock their accounts, monitor active sessions, and control trade parameters like volume, price band, and more.
The framework will also allow family members to operate multiple UCCs under a single mobile device, with the necessary authorization in place.
The proposed security measures aim to provide a more secure and user-friendly experience for investors. By linking the trading account to a registered mobile device, investors can rest assured that only authorized users will be able to execute trades.
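One way the device binding, time-limited QR login and single-active-session rule described above could fit together on the server side, as an added sketch that is not taken from Sebi's consultation paper or any broker's code. The `LoginBroker` class, the per-device HMAC key and the 30-second QR lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

QR_TTL_SECONDS = 30  # assumed validity window; the article gives no figure


class LoginBroker:  # toy server-side state; a hypothetical design
    def __init__(self):
        self.bindings = {}    # ucc -> (device_id, sim_id, device_key)
        self.challenges = {}  # QR nonce -> (ucc, expires_at)
        self.active = {}      # ucc -> the single live session token

    def bind(self, ucc, device_id, sim_id):
        key = secrets.token_bytes(32)  # per-device key held by the bound phone
        self.bindings[ucc] = (device_id, sim_id, key)
        return key

    def new_qr(self, ucc, now=None):
        """Desktop asks for a login QR; its payload is a one-time nonce."""
        if ucc not in self.bindings:
            raise ValueError("UCC has no bound device")
        now = time.time() if now is None else now
        nonce = secrets.token_urlsafe(16)
        self.challenges[nonce] = (ucc, now + QR_TTL_SECONDS)
        return nonce

    def approve(self, nonce, device_id, sim_id, tag, now=None):
        """Bound phone scanned the QR and sends an HMAC over the nonce."""
        now = time.time() if now is None else now
        ucc, expires_at = self.challenges.pop(nonce, (None, 0))  # single use
        if ucc is None or now > expires_at:
            return None
        bound_device, bound_sim, key = self.bindings[ucc]
        same_phone = (device_id, sim_id) == (bound_device, bound_sim)
        if not (same_phone and hmac.compare_digest(tag, phone_sign(key, nonce))):
            return None
        token = secrets.token_urlsafe(24)
        self.active[ucc] = token  # overwriting ends any earlier session
        return token

    def is_active(self, ucc, token):
        return hmac.compare_digest(self.active.get(ucc, ""), token)


def phone_sign(key, nonce):
    """What the phone computes after a biometric unlock (not modelled here)."""
    return hmac.new(key, nonce.encode(), hashlib.sha256).digest()
```

A scanned QR code is rejected if it is replayed, has expired, or is approved from a phone whose device or SIM identifier differs from the binding, and each successful approval displaces the previous session for that UCC.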
Phased implementation
The new security framework will be implemented in phases, beginning with the top 10 qualified stockbrokers (QSBs). Investors will initially be able to opt into the secure authentication system on a voluntary basis. In the future, however, it will be made mandatory for accessing trading accounts.
The market regulator has invited public comments on the proposals by 11 March.