Is there scope for arbitrage between internet-based trading and regular stock market transactions due to inadequate regulation? Market experts think so. That is because the regulator applies traditional supervision systems and strict location rules even for terminals and V-Sats installed by branch offices and broker franchisees, but has far fewer rules and restrictions for Net-based trading. Net-based trading is now a significant 10% of market turnover, but follows the same rules and system requirements that applied when volumes were not significant enough to warrant closer scrutiny. On May 10, the National Stock Exchange (NSE) asked brokers to get a systems audit done for their internet trading applications. This was after various complaints, including some sent on by this newspaper, revealed transactions were occasionally being done at rates other than those punched by investors. These pertained to internet-based trades and though the system errors were rare, it was a troublesome development.
The complainants initially met with disbelief. But after a long battle, both brokerage firms and the NSE admitted there could be systemic issues involved. Finally, all genuine complainants were compensated and a six-monthly systemic audit of all brokers was ordered. A second warning was sounded when the Ujjain police arrested employees of a franchisee of a large brokerage firm, for duping investors of Rs 24 lakh by misusing their log-in names and passwords. These employees, including the franchisee’s son, had exploited the fact that most investors do not protect themselves by changing the initial password and identity issued to them. The probe exposed the vulnerability of internet-based traders to fraud and the need for better systems.
The systems audit ordered by NSE will provide the first set of data on the quality of systems and protection at the broker end. The circular says: “The audit shall be conducted for the purpose of identifying the system inadequacies/deficiencies, if any, based on compliance requirements and the implications of such inadequacies.”
Accordingly, a leading brokerage firm with nationwide operations roped in an eminently qualified IT consultant to conduct its systems audit. He paints a worrying picture of the situation and how brokers are complying with the NSE circular. For instance, the circular expects brokers to have an elaborate operating system. It also expects network management and controls, adequacy of application security commensurate with operation size, adequacy of input, processing and output controls, user management and password policy, disaster management and back-up systems and procedures, change management and version controls, security features such as access control network firewalls, virus protection and, finally, documentation of system processes.
• Net-based trading firms seem to have very inadequate investor protection
• The systems audit ordered by NSE may turn out to be only a formal exercise
• Sebi needs to examine if market rules are geared for growth of Net trading
The first systems audit, to be certified by a qualified IT professional, was to be done by the end of July. But our source in the IT certification business says even the said large broker with a nationwide branch network has grossly inadequate systems for investor protection. He says: “The server room is almost a ‘mantrap,’ with no room to see or do anything. There are no policies for password and user management,” making the system ripe for exploitation. There was no provision for disaster recovery or the business continuity plan that NSE seemed to expect.
When he questioned the management, he was told the systems were probably on par with those of all other brokerage outfits that offered Net-based trading. The firm also advised him not to ask too many questions, or turn overly meticulous about certifying the requirements specified in the NSE circular. All that was expected, he was told, was perfunctory audit that could be wrapped up in a couple of days, to allow the firm to comply with the NSE diktat by the July deadline. The consultant refused to oblige and walked out of the assignment. He says most firms will simply cook the systems audit, getting themselves quick certificates. After all, why would IT consultants lose a business opportunity?
Unlike the annual accounts audited by chartered accountants, systems audits will not be in the public domain. There is no industry structure where a lack of due diligence would affect the consultant’s reputation. The NSE says it will study all audit reports received until July 31, and the overall quality of broker systems and infrastructure claimed. If it finds the audit or systems are not up to the mark, it may either randomly pick some cases for detailed inquiry or decide to inspect all broker systems for Net trading.
The NSE, as the largest stock exchange, has indeed made a commendable beginning in assessing the adequacy of systems for internet-based trading after the issue was brought to its notice. But it appears to me that the Securities and Exchange Board of India (Sebi) must really take charge here. And examine the larger issue of whether stock market rules and procedures are geared for the growth of internet-based trading. With each passing day, individual investors are getting access to faster and better broadband networks and internet connectivity. This will only increase the volume of Net-based trading, especially from investors who travel frequently and are difficult to pin in terms of geographical location.
Sebi needs to dovetail rules applicable to these investors with the rather exacting demands it makes from regular traders on registering their geographical location. In fact, the regulator ought to be thinking ahead and preparing for a time when savvy investors with large portfolios would want to even bypass brokers and get direct access to trading screens, so long as they can provide adequate margins and a direct debit to bank and depository accounts.