What action should Sebi take in NSE algo trading case
For months, the National Stock Exchange of India Ltd (NSE) had dismissed allegations that one of its trading members had unfair access to its market data and trading systems. It even slapped a defamation case against Moneylife magazine, when it wrote on these allegations citing a whistleblower’s letter.
But now, the Securities and Exchange Board of India’s (Sebi’s) technical advisory committee has found evidence that NSE violated norms of fair access and allowed some brokers to benefit. Worse, it has said the exchange didn’t provide adequate details to the team investigating the allegations. In Sebi’s book, NSE’s actions would suggest a cover-up. See http://bit.ly/1WlT5z4 for Mint’s report on the committee’s observations.
The charges are serious and the committee has recommended that Sebi initiate immediate action for lapses on the part of NSE. It hasn’t spelt out what action Sebi should take. Among the penalties or strictures that Sebi imposes on NSE, one important aspect will be to appoint an independent technology consultant at the exchange’s expense, but one that reports directly to the regulator.
For perspective, the committee said that OPG Securities, a trading member, gained by exploiting loopholes in the exchange’s architecture for dissemination of market data, and that these gains were whittled away when the exchange introduced a new way to disseminating data. It also said that the exchange violated its own policy by allowing a non-ISP (Internet service provider) to lay fibre in its premises for trading members. In doing so, the committee affirmed each of the two broad allegations made by the whistleblower.
It’s quite likely that NSE will dismiss the committee’s findings. But it must be noted that Sebi’s technical advisory committee enlisted the services of a professor of computer science from the Indian Institute of Technology, Bombay, and the team appears to have done an exhaustive study of the exchange’s data. However strong NSE’s arguments might be, it’s unlikely the regulator will go against its own findings. From the exchange’s perspective, if it has nothing to hide, it should welcome a proposal to appoint an independent consultant.
Another possibility is that NSE was and continues to be genuinely deluded about the robustness of its trading systems. The committee noted that when Sebi requested NSE to investigate the matter, the exchange claimed that its architecture could not be and had not been misused. This raises questions about competence, although neither market participants nor officials at the regulator think this is the issue at hand.
The third possibility, of course, is that NSE knew but chose to cover up. This is the worst case scenario, since public trust is the most essential commodity in the running of an exchange. A cover-up, it is said, is worse than the crime itself. If a handful of employees connived with trading members and provided them unfair access, it makes sense to make this public. It’s far worse when the matter becomes public as a result of a Sebi investigation.
But irrespective of whether there was a cover-up, or whether NSE was naive about the vulnerabilities in its trading architecture, it makes immense sense for Sebi to appoint an independent technology consultant for NSE, to study vulnerabilities in the exchange’s system and suggest changes to the regulator.
After all, if a domestic trading firm can exploit vulnerabilities in NSE’s trading system, what stops a sophisticated hacker from bringing India’s entire stock market to its knees. If this thought seems too far-fetched, look no further than the recent theft in Bangladesh’s central bank by hackers. News reports suggest FireEye Inc.’s Mandiant forensics division has been brought in to investigate the cyber theft.
Regulators such as the US Securities and Exchange Commission (SEC) have used domain consultants as part of its action against misconduct. For instance, when Bank of America settled with the SEC for alleged inadequate disclosures, it agreed to a $150 million fine, besides agreeing to hire independent consultants to audit its disclosure practices. Sebi, too, can consider firms such as FireEye’s Mandiant or Kroll Inc., a corporate investigations and risk consulting firm, for the independent audit.
The technical advisory committee has recommended that the aspect of collusion between NSE officials and the errant trading member should be investigated. The independent consultant should also investigate whether the loopholes in NSE’s systems became apparent internally, and whether there were attempts at a cover-up when the exchange received complaints. After all, the alleged collusion involved officials in the exchange’s data centre; whereas a cover-up would typically involve top officials—a far more serious matter.
Of course, the audit could also include checks on the robustness of the trading architecture, both from the perspective of fair and equal access to all, and cyber security.
The exercise will make sense only if the consultant reports directly to Sebi, and when the exchange has to compulsorily implement each of the consultant’s recommendations. Sebi could be tempted to summarily announce some additional checks and balances in the algorithmic trading space. But this won’t solve the problem at hand. It needs to dig deeper; the help of an expert is imperative.