Sebi asks stock exchanges to strengthen system audits

LiveMint, 26-04-2017, Anirudh Laskar

Suspected irregularities in algorithmic trading at India’s largest bourse have prompted the markets regulator to order enhanced system audits at stock exchanges nationwide, two people aware of the development said.

The Securities and Exchange Board of India (Sebi) move aims to prevent misuse of algorithmic trading and ensure that no broker gets unfair access to trading systems.

“Sebi wants to ensure that incidents like the one that happened at NSE are not repeated in future. Sebi has asked exchanges to increase the scope of audits and submit the reports to Sebi with their observations and recommended changes in the exchange’s technology, co-location facilities, broker network, broker profiles, trading pattern, volume/concentration analysis and so on,” said the first person.

Sebi also asked them to proactively adopt systems for additional safeguards to protect the market integrity and ensure that all investors are treated equitably, the first of the two persons said.

An email sent to Sebi on Tuesday remained unanswered.

A forensic audit report by Deloitte, cited in NSE’s public offer documents in December, found that the bourse was lax in documenting matters related to its data dissemination systems during 2012-14. Deloitte said NSE didn’t have a specific policy and operating procedure for permitting entities that are not internet service providers to lay cables at its co-location facility then.

Abhijit Chakraborty, chief operating officer, strategy and development at Metropolitan Stock Exchange of India Ltd (MSEI), the country’s youngest stock exchange, said continuous evolution is necessary for any healthy ecosystem, and that MSEI will work together with Sebi for any changes required. MSEI lays emphasis on IT governance with fair, transparent and equitable service offerings to all members, Chakraborty said.

“We have been doing internal and external audits and MSEI has been periodically and proactively updating Sebi with all the relevant documents and evidences and we can safely say that no major anomaly has been raised in any of our submission including any obligation or objection for unfair access,” Chakraborty added.

BSE Ltd, Asia’s oldest bourse, declined to comment.

Following certain allegations by whistleblowers in 2015, Sebi’s technical advisory committee had found that Delhi-based OPG Securities was able to log in consistently to NSE’s servers with better hardware specifications. Later, in December 2016, NSE, in its offer documents for a proposed public offering, cited the Deloitte report which said NSE’s algorithmic trading platform and co-location facility were prone to manipulation and allowed unfair access for some brokers. Algorithmic trading means using electronic systems to execute thousands of orders on the stock exchange in less than a second.

The agency also observed that the particular stock broker’s continuous access to the fall back or secondary server during the period from 10 December 2012 to 30 May 2014 may not have been possible without the knowledge of certain employees identified in the report, who did not take any action despite consistent connections to the fall back servers against protocol, it said.

Deloitte named 10 NSE employees (most of whom have left) who it said may have given preferential treatment to some brokers.

Recently, accounting firm EY was appointed by NSE to conduct an additional audit in the matter.

According to the second person cited above, Sebi may review existing system audit norms after exchanges submit their reports with the proposed enhanced scope of inspection, in the backdrop of the NSE incident.

Existing Sebi norms specify that the scope of the audit may be extended by the regulator, considering the changes which have taken place. In 2013, Sebi had reviewed the system audit norms for stock brokers, stating that technological advancements and various market events necessitated such a move.

System audits typically include an audit of general controls for data centre facilities in terms of application access, maintenance access, physical access, environmental controls and so on. The auditor is required to mention in its findings any instances of violations and the corrective actions taken. Systems and processes with regard to software change controls, data communication, network controls, fallback mechanism, security controls, access rights/privileges, performance audit in terms of transaction volume, business continuity plans and IT systems are all currently included in the scope of system audits as per Sebi norms.
