The ‘demat scam’ is off the front pages and media attention is focussed on the spiralling Sensex. The Securities and Exchange Board of India (Sebi) has smartly handed over responsibility for chasing the ‘fraud’ and ‘impersonation’ involved in opening tens of thousand demat accounts to the Central Bureau of Investigation (CBI). Simultaneously, Sebi has started a more detailed probe into systemic issues that prevented the detection of the multiple account fraud, as well as gaps in information processing, auditing, inspection and scrutiny that were detected and exploited by a cabal of disparate individuals.
The dematerialisation and automation of trading and capital market processes has played a big role in the rapid growth of India’s capital market over the past decade. But mandatory dematerialisation (as against immobilisation of shares, as was preferred by the US) comes with enormous responsibility, since these automated systems now hold all the evidence of people’s investments. The primary responsibility of running a secure depository system and water-tight audit trails and inspections to ensure data safety vests primarily with Sebi. After all the depositories are merely regulated entities.
The good news, if one can call it that, from the demat scam is that it served as a loud and timely warning to check depository systems and processes before more serious damage occurred. Although Roopalben Panchal and Purshottam Budhwani’s demat accounts captured the public imagination, the main damage was a loss of reputation for the players involved. The financial loss is notional and spread across thousands of potential investors.
What needs to be fixed to eliminate systemic risks? A market insider writes to me saying, “In order to perform the type of data quality assessment required to verify and remediate NSDL master data, Sebi must develop an objective method of utilising tools and techniques to assess NSDL/ CDSL enterprise systems holistically and aggregate the results into a meaningful summary.” This complicated piece of jargon means that there are well established, international security systems that lay down an automated drill to validate the source of data coming into the depository, including the date and code. These can be presented through flow diagrams to detect systemic holes.
The drill includes a check for structural integrity of the system, compliance with legal and business rules and testing to check the integrity of information that is transmitted to depository participants (DPs) and other depositories. Several of these checks are already in place, but our source says that “there are severe problems in data transfer and validation between various systems,” because “systemic checks of various data fields were not proper.” This led to the IPO scam and it will require the re-working of certain key software in order to allow it to weed out multiple accounts, both at the creation level and again at the allotment level.
• The demat scam was a loud and timely warning on what needs fixing
• There are established systems to validate the source of depository data
• The system has to also be reconfigured to allow multiple fraud checks
Apart from correcting systemic issues, Sebi needs to put in place a “joint interface for live and simultaneous surveillance of both depositories” by the regulator. This can probably be addressed by the comprehensive Integrated Market Surveillance System (IMSS) that has been ordered by Sebi. This Australian system allows the monitoring of market activities across various stock exchanges and market segments (including both equities and derivatives). Under the memorandum of understanding signed in May last year, it was to have been in place this month. The System envisages integration of data available from stock exchanges (cash and derivatives segments), Clearing Corporation and depositories into a single Integrated Market Surveillance System. The IMSS is expected to generate alerts that will help SebiI to identify and detect serious violations such as market manipulations, insider trading and other types of frauds that undermine market integrity. Informed sources say that the physical infrastructure of depositories may also have to be upgraded in order to allow larger data processing involved in cross-systems analysis as the number of entities increase, and the databases structured to become more understandable to regulators.
Finally, there is the finance ministry plan to fix the multiple account issue in the near future, by making it mandatory to quote Permanent Account Numbers (PAN) for all investments. There are several issues with this. Sources say that PAN is an important, but non-mandatory, field in depository systems today, with no cross-verification with the income tax, UTISL or TIN database. Once the PAN number is made mandatory, the depository system has to be re-configured to incorporate PAN as a mandatory field and to allow multiple points of validation for quick detection of fraud.
The bigger problem is the sanctity of PAN numbers themselves. The income tax department has now admitted to at least a million duplicate/fake PAN numbers. My sources believe the number is much larger. The finance ministry’s solution of preventing demat fraud by making PAN numbers mandatory would become meaningless unless this problem is thoroughly corrected by incorporating ‘dedupe’ software or similar tools.
Also, instead of internal investigations by the IT department into the issue of duplicate or fake PAN cards, the government needs to order a security and systems audit through competent people in the National Informatics Centre or security experts from outside. Once the PAN card issuance is fully secure and fraud-free, security experts must be asked to certify its integration into the depository system in order to make the PAN number meaningful. The PAN can and must then evolve as the unique identification number for all business, banking and investment transactions.