Chương II Thông tư 134/2017/TT-BTC: Hoạt động giao dịch chứng khoán trực tuyến

Chapter II

ONLINE SECURITIES TRANSACTIONS

Section 1. REQUIREMENTS FOR SERVICES, TECHNICAL INFRASTRUCTURE, SECURITY AND DATA STORAGE

Article 5. Service requirements

1. SE and VSD shall:

a) make and promulgate regulations on connection of online securities transaction system, procedures for breakdown handling, system backup and management of risks during online securities transactions in accordance with the Law on E-Transactions, Law on Cyberinformation Security, guiding documents and regulations of this Circular;

b) provide online securities transaction services in a public, equal, transparent, safe and effective manner for members using the same service.

2. Securities company providing online securities transaction services shall:

a) directly provide online securities transaction services for investors;

b) design a website with the domain name registered through Internet to provide online securities transaction services. Programs and applications used for online securities transaction shall be published or integrated on such website;

c) issue procedures for carrying out online securities services, including: procedures for daily operation, supervision and management; procedures for registration and cancellation of online securities transaction; procedures for handling breakdowns; procedures for data and system backup; procedures for control of risks during provision of online securities transaction services for investors and other procedures in accordance with the Law on E-Transactions, Law on Cyberinformation Security, guiding documents and regulations of this Circular. Responsibilities of entities adopting the procedures shall be specified.

d) provide personnel that have degrees or certificates of software administration, information system and security administration in order to manage and supervise operations of online securities transaction system to ensure continuity;

dd) put the provision and use of online securities transaction services by investors in a contract or clause of the contract for opening a securities transaction account, specifying methods of carrying out online securities transactions, risks incurred during online securities transactions, which are specified in Clause 1, Article 15 of this Circular, responsibilities of each party for compensation for risks and other responsibilities related to online securities transactions;

e) record information on investor’s transaction request in online securities transaction system. Such information shall be stored so that it may be retrieved by time, session, transaction results and investor’s account balance arising before and after the transaction;

g) report results of execution of transaction order to the investor after the order is matched in online securities transaction system.

3. Asset management companies and fund certificate distributors that provide online securities transaction services shall comply with the requirements specified in Points a, b, c, dd, e and g, Clause 2 of this Article.

Article 6. Requirements for technical infrastructure of online securities transaction system

1. Regarding a securities company providing online securities transaction services:

a) Online securities transaction system shall be physically separated from other business systems of the company to ensure cyberinformation security, reduce risks and avoid conflicts between systems;

b) Online securities transaction system shall be equipped with a dedicated server. Personal computer shall not be used as a server and it is not allowed to share other units or companies’ servers. There must be standby information technology equipment exclusively used for online securities transaction system;

c) The area where online securities transaction system is located shall comply with security, environment and safety requirements. To be specific, in the separate area, there must be access control magnetic locks or equivalent devices, video recording system, dedicated fire alarm and fighting system, air conditioning system, temperature and humidity monitoring system, uninterruptible power supply, dedicated backup generators, lightning protection system;

d) The company may rent space for online securities transaction system in data centers. These data centers shall comply with regulations on data center operations. The online securities transaction system located in a data center shall have solutions for preventing unauthorized access and exploitation of data;

dd) Online securities transaction system shall integrate solutions where digital certificates or digital signatures of certification authorities are used and other authentication solutions (if any) as prescribed in Points a and c, Clause 1, Article 8 of this Circular;

e) When carrying out transactions over the telephone, there must be a telephone system that has call recording, management and search functions. There must be alternative transaction method. All calls for order placement by investors shall be recorded and stored in a manner that ensures information and data security;

g) Technical or management measures shall be adopted in order to set limits on securities purchase and sale by investors involved in online securities transaction services. These limits shall be disclosed to investors through online securities transaction page and procedures for approving adjustments to such limits must be available.

2. Asset management companies and fund certificate distributors that provide online securities transaction services shall comply with the requirements specified in Points a, b and e, Clauses 1 and 3 of this Article.

3. SE, VSD and online securities transaction service providers shall formulate an alternative plan used for online securities transaction system and adopt an alternative transaction method in case online securities transaction system has breakdowns.

Article 7. Information security and data storage by online securities transaction service providers

1. Website and electronic mail system of online securities transaction service providers shall be certified by digital certificates.

2. Online securities transaction system shall be set up to prevent unauthorized access to internal business system through online transaction. System privileges shall be granted to specialized divisions that may present a potential conflict of interest according to internal control procedures.

3. Before being put into operation, application software shall be checked, vulnerability scanned and reported in writing. The environment where online securities transaction software system operates shall be separated from test environment and software development environment. Cyberinformation security risk to online securities transaction system shall be assessed once a year.

4. The online securities transaction system shall have technical solutions for ensuring cyberinformation and data security.

5. Electronic documents, orders and data, and recorded calls for order placement by clients, including cancellation orders shall be retained for at least ten (10) years in their original form.

6. Information about online transaction service users, transaction orders and information exchanged in the system must be coded on lines and at application level, and secured in accordance with regulations of law except for request from a competent authority.

Article 8. Authentication

1. Authentication solutions applied to online securities transaction shall be adopted in a manner that ensures minimum safety equivalent to the multi-factor authentication solution, including:

a) Two-factor authentication solution,

b) Digital certificate solution;

c) Other authentication solutions permitted by law and in accordance with regulations of the competent authority.

2. When placing an order over the telephone, the investor shall use the order placement telephone number and provide transaction account number and information certified as prescribed in Point a, Clause 1 of this Article. The transaction shall only be carried out if information provided by the investor matches information registered and stored in the online securities transaction system.

3. The investor may select the authentication method offered by online securities transaction service provider when applying for online securities transaction services and may reapply for authentication method.

Article 9. Electronic orders

1. An electronic order includes at least order number, order type, number of the account whose holder places an order, transaction method, securities code or name, number and price of transactions, transaction time and date, order placement device, media access control address of the order placement device or other identification information ensuring uniqueness of the order placement device.

2. The cancellation order shall include order number, volume of cancelled order and confirmation of cancellation order.

3. An electronic order shall be signed with a digital signature or logically attached and combined with the investor's certified information according to Article 8 of this Circular before being sent to the system.

4. The electronic order used for fund certificate transaction shall include all information according to regulations on fund certificate transaction and comply with Clause 3 of this Article.

Section 2. APPLICATION AND REVOCATION OF WRITTEN APPROVAL FOR PROVISION OF ONLINE SECURITIES TRANSACTION SERVICES

Article 10. Applicants for provision of online securities transaction services

The applicant for provision of online securities transaction services is a securities company affiliated to SE, has been connected to SE’s transaction system and shall not:

1. be under dissolution or bankruptcy process, have its operation or transaction suspended to terminate membership status at SE.

2. have its brokerage operation terminated or be following the procedures for terminating brokerage operation.

3. be under control or special control.

4. Other cases where its operation is terminated in accordance with regulations of law.

Article 11. Applications for provision of online securities transaction services

An application for provision of online securities transaction services includes:

1. The application form in Appendix 01 hereof.

2. List of name and profiles of experts in management of online securities transaction system made using Appendix 02 hereof.

3. A report on design of online securities transaction system made using Appendix 03 hereof.

4. Certified true copies of SE’s written approval and record on inspection of online securities transaction system of transaction members.

Article 12. Procedures for approving provision of online securities transaction services

The securities company shall make an application as prescribed in Article 11 of this Circular and submit it to SSC through SSC’s online public service system or in person or through public postal services.

1. Within five (05) working days since receipt of the application prescribed in Article 11 of this Circular, in case of revision to the application, SSC shall submit a written request for revision or provide explanation for invalid application in writing.

2. Within ten (10) working days since receipt of the written request sent by SSC, the securities company shall complete and submit the application to SSC. After expiry of such time limit, if the securities company fails to complete the application upon request, SSC may refuse to grant approval.

3. Within twenty (20) working days since receipt of a satisfactory application, SSC shall consider granting approval for provision of online securities transaction services to the securities company. In case of refusal, SSC shall provide explanation in writing.

Article 13. Revocation of decision on approval and suspension of online securities transaction services

1. In the cases where a securities company has its operation suspended or brokerage operation terminated or its entire operation shut down, it shall suspend online transaction services until such situations are handled.

2. A securities company shall have its decision on approval for provision of online securities transaction services revoked in the following cases:

a) The company has applied for termination of securities brokerage operation and granted approval by SSC;

b) The company has its securities brokerage terminated;

c) The company has its membership status at SE terminated;

d) The company is merged, fully divided or consolidated;

dd) The company is dissolved, goes bankrupt or has its establishment and operation licenses revoked;

e) The company fails to maintain satisfaction of or satisfy regulations specified in Clause 2 Article 5, Clauses 1 and 3 Article 6, Article 7, Clause 1 Article 8 and Clause 3 Article 9 of this Circular;

g) The application for provision of online securities transaction services contains untrue information;

h) Other cases where any management authority makes a request or the company voluntarily submits an application for termination of online securities transaction services.

3. The securities company whose decision on approval for provision of online securities transaction services is revoked as prescribed in Points b, c, e and g, Clause 2 of this Article may reapply for provision of online securities transaction services.

4. The securities company whose decision on approval for provision of online securities transaction services is revoked as prescribed in Clause 2 of this Article shall maintain the duration of storage of data of online securities transaction system to fulfill obligations in accordance with regulations of law.

5. The procedures for revoking the decision on approval for provision of online securities transaction services shall be completed under the guidance of SSC.

Section 3. REPORTING AND PUBLISHING INFORMATION RELATING TO ONLINE SECURITIES TRANSACTION

Article 14. Reporting online securities transaction

1. The securities company granted approval for provision of online securities transaction services shall submit the following reports to SSC:

a) Annual report on online securities transaction system made using Appendix 04 hereof. It shall be submitted within thirty (30) days from the end of the year;

b) Report enclosed with relevant documents about upgrade or changes to online securities transaction system: changes to core system or transaction methods, changes of information technology personnel, changes to place where the system is installed, made using Appendix 08 hereof. The report shall be submitted within seven (07) working days after the securities company upgrades or changes the system.

2. SE shall submit the following reports to SSC:

a) Annual report on online securities transaction system made using Appendix 05 hereof. It shall be submitted within thirty (30) days from the end of the year;

b) Report on changes to regulations on technology standards applied to transaction members of SE. The report shall be submitted within seven (07) working days after changes are made.

3. VSD shall submit an annual report on online securities transaction, which is made using Appendix 06 hereof within thirty (30) days from the end of the year to SSC.4. Within twenty-four (24) hours since the occurrence of serious breakdowns in online securities transaction system, SE, VSD and securities company shall submit a report made using Appendix 07 hereof.

5. Asset management companies and fund certificate distributors shall send SSC the documents mentioned in Clause 3, Article 11 of this Circular at least five (05) working days before the day on which online securities transaction services are provided for investors, submit an annual report on online securities transaction, made using Appendix 04 hereof within thirty (30) days from the end of the year.

6. The report shall be submitted electronically through an electronic information exchange system under the guidance of SSC.

Article 15. Publishing information relating to online securities transaction

1. Regulations on online securities transaction services and risks that may be incurred during investor’s online securities transaction shall be published on securities company's, asset management company’s and fund certificate distributor’s official website and application software serving provision of online securities transaction services for investors. Risks that may be incurred include:

a) Upon transmission over the Internet, transaction order may be suspended, delayed or data errors may occur;

b) The identification of organizations or investors may be incorrect or security errors may occur;

c) Price and other securities information may be incorrect or contain errors;

d) Risks that may be incurred during adoption of methods of authenticating order placement by investors.

dd) Other risks that a competent authority, securities company, asset management company or fund certificate distributor finds that they are necessary for disclosure.

2. SE shall publish its regulations on electronic transaction on securities market and documents on electronic transaction on its website.

3. VSD shall publish the list of products and online securities transaction services that are allowed to be provided, its regulations on electronic transaction on securities market and documents on electronic transaction on its website.

4. SSC shall publish the list of securities companies licensed to provide online securities transaction services, procedures, regulations on applications for provision of online securities transaction services and the list of securities companies whose decision on approval for provision of online securities transaction services is revoked on its website.