It is just over a decade since the setting up of the automated National Stock Exchange (NSE) led to a paradigm shift in the Indian capital market; and eight years since we opted for dematerialisation of shares. Together, they ensured the switch to paper-less trading and propelled a dramatic increase in trading volumes and growth. The conversion of the Bombay Stock Exchange (BSE) into a modern, national bourse completed the change in profile of India’s capital market.
Ten years later, the strongest message emanating from the Securities and Exchange Board of India’s (Sebi) sweeping 252-page report on the ‘demat scam’ is the need to take stock again. Our frontline capital market intermediaries have done a commendable job in leading the reform process and transforming our markets, but Sebi’s investigation points to the need for another round of action and a re-examination of systems, processes, accountability, statutory provisions and dependence on IT vendors.
We need to look beyond the cornering of allotment in 23 Initial Public Offerings (IPOs) through tens of thousand fictitious demat accounts. Although these details occupy over 210 pages of the Sebi report, the more frightening systemic issues are raised by a special investigation of the National Securities Depository Ltd (NSDL).
Probably, for the first time, Sebi has ordered an independent audit of NSDL that was conducted by iSec Services Pvt Ltd, a firm that combines expertise in IT Security and systems audit with investigation skills of the police. The findings reveal that quick-fix solution like reintroducing Unique Identification Numbers (UIN)—with or without biometrics—will not address the grave systemic deficiencies exposed by the audit.
At first reading, Sebi’s order accusing depositories of ‘‘contributory negligence’’ and ‘‘grave management lapses’’ seems rather harsh, but the detailed elaboration of issues is positively alarming. The report exposes in detail the absence of ‘‘adequate controls, systems and procedures for monitoring and evaluating’’ compliance with statutory requirements and to supervise Depository Participants (DPs) appropriately.
Data security lapses highlighted by the audit need discussion at the highest level since the Finance Ministry is pushing all Indians into e-filing of tax returns and they too are to be handled largely by NSDL. iSec has pointed to specific flaws in the data integrity and logical security of the demat system, exposing the fact that perfect audit trails touted by the depository, are killed by deliberation corruption of data.
NSDL officials have packed the database with dummy dates (0001-01-01) for the period prior to 16/4/1999. Account activation dates were added into the depository system only after July 2, 2005, and all dates prior to that are stuffed with numbers such as 9999-12-31. The birth dates of minor nominees have been filed as 0001-01-01. There are also other fields where ‘junk data’ has been entered into the database.
Then there is the issue of lax internal procedures. iSec points out that there are no byelaws for internal monitoring and review of processes. And the ‘‘callous attitude’’ towards statutory compliances led to the creation of multiple demat accounts.
‘Errors’ in opening demat accounts were noted as far back as 2003 and continued to crop up repeatedly, yet DPs were let off with penalties of Rs 500 to Rs 1000. In contrast, NSDL levied a hefty fine going up to Rs 3.5 lakh for not employing certified employees. The priorities were clearly wrong. This, combined with a cursory and cheery culture of inspections, set the stage for serious mischief. Given the state of affairs we are lucky that the damage and financial losses were not considerably worse.
Sebi says that NSDL’s DP inspections last for just a day and are called ‘‘visits’’, which are followed by a ‘‘sign off’’ report. This breezy informality does not mention bye laws under which the ‘‘visit’’ is carried out and make the process of initiating penal action difficult. Inspections are also riddled with errors and hence unreliable. NSDL officials often permitted DP (Depository Participant) registration without even a physical inspection. Further, “In NSDL there are no byelaws for internal controls or standard procedures for auditing, reviewing and monitoring” DPs. Many of the problems flow from here.
The Karvy group of intermediaries, which has come in for a special drubbing in the IPO scam investigation, is a prime example of lax oversight by the depository. The special audit reveals that Karvy employed ‘agents’ to open depository accounts when there was no sanction for such agents. These were entrusted the job of opening new accounts and often bypassed the tedium of verifying addresses and identities. NSDL’s six monthly inspection never detected their existence and allowed tens of thousand accounts to be opened.
These findings are so serious that they need to be addressed at a policy level. India has adopted a separate depositories’ legislation that is obviously aimed at providing a measure of independence to depositories. While share depositories are the only market intermediary to have their own statute, NSDL has always claimed that supervision of DPs is entirely the responsibility of Sebi and it has no self-regulatory function either. At the same time, NSDL apparently considers itself free and independent enough to enter other businesses without permission from the market regulator and now it seems, without adequate internal preparedness.
This is a recipe for continuing chaos not only in connection with the capital market but also the Income Tax data that has now been entrusted to NSDL. The confusion in role, responsibility and accountability is a serious policy matter that cannot be hammered out through appeals to the Securities Appellate Tribunal, nor can it be decided by NSDL’s promoters. It is an issue that must be urgently debated by the Standing Committee of Parliament leading to swift and appropriate statutory changes.