External Auditor’s damning report on MCX
The Securities and Exchange Board of India (SEBI), as well as the Audit Committee of Multi Commodity Exchange of India Ltd. (MCX), asked auditors T R Chadha & Co LLP (TRC), to examine and report. A clinical look into the Audit report of TRC reveals startling observations:
- The three deliverables promised in the agreement were not given by the signatory Indira Gandhi Institute of Development Research (IGIDR), on whose behalf Susan Thomas signed.
- The Data that was shared by MCX to IGIDR for accomplishing the above did not need to be to the extent it was done (i. e. on a daily basis) when historical daily data would have sufficed.
Readers can make their own conclusions based on the facts presented below:
What were the deliverables?
The papers were to have dealt with the impact of Commodities Transaction Tax (CTT) on the Commodity Markets in India. The deliverables were as follows:
- Analytical Research Paper on the impact of CTT on growth and development of CTT
- Policy Round Table to discuss the relevant topics in the context of Indian Commodity Market
- Policy Paper the economic impact of Gold Futures on the gold market and its ecosystem in India
It is easily seen that for delivering the above three, one does not require any numerical data from MCX and the data that is available in the public domain is sufficient.
What was delivered?
No specific deliverables with concrete timelines were documented in the agreement dated August 29, 2016! The research topic was kept open and generic as to “studying issues of relevance to the commodities market”.
What was the purpose?
As per the media reports that appeared in Economic Times and The Hindu Business Line, MCX had provided tick-by-tick and real-time data to Susan through a dedicated pipeline. There are allegations that this was done mainly so that no audit trail will be available in the future.
The timeline of this data access is shown in Figure 1.
The report goes on to mention that the forensic auditor admitted that they were not provided the email backup from the MCX server for the persons mentioned in the whistleblower letter i. e. Paranjape, Shunmugam and the secretary to the MD & CEO.
As per the forensic report, there were numerous media reports naming misuse of data shared by the National Stock Exchange (NSE) with IGIDR but Mr. Paranjape and the Research Head of MCX Mr. V Shunmugam, both have denied having been aware of the media reports.
The agreement signed with IGIDR was not subjected to any vetting by the legal team as per the forensic audit report.
Chirag Anand was not an employee of IGIDR
Furthermore, as per the forensic report, Mr. Chirag Anand, who was the main coordinator from Dr. Susan Thomas was not an employee of IGIDR but has worked with the National Institute of Public Finance and Policy (NIPFP) with whom Dr. Ajay Shah is associated. The report also reveals that all the correspondence with Dr. Susan Thomas and her team were on their personal emails and the team members were not on the rolls of IGIDR. The report also reveals that there is a possibility of communication/ receipt of data and the uses of data by these individuals in their personal capacity. Because personal emails were used, the audit trail may be thrown off and IP tracing of the same may become difficult.
The forensic auditor has also revealed that data that was shared by MCX with IGIDR/ Researcher, on the face of it seems unnecessary to share on a daily basis and historical daily data on a periodic basis would have sufficed for the needs of the researcher. Moreover, no speciﬁc deliverables with concrete timelines have been documented and the research topic was kept open and generic. The report also reveals that none of the four purposes mentioned as uses by the researcher/ IGIDR, shared by MCX on a daily basis has been used, which indicates the possibility of use of the data for some other purposes.
And the penny drops!
The report goes on to state that certain data shared with IGIDR/ Researcher seems to have had price sensitive information/ live data and it seems that the researcher wants to gain access to data which would otherwise be not available to other traders. It was also found from the IIS logs of the FTP server that the data used to be retrieved by IGIDR around 9 AM, i. e. shortly before the opening of commodity markets and since data was shared prior to market hours and hence contains some of the live sensitive data, it might have resulted in being used for purposes not intended in the agreement.
The auditor has also revealed that the logs were not kept according to the company policy of keeping them for a period of three years. The details of data shared with IGIDR therefore not available for the entire period – it seems as though the server kept just the data of the last 7 to 10 days and overwrote the older data! This makes it difficult to verify if the data was masked before sending it to IGIDR!
Mr. Rahi Racharla has admitted that he was not aware of the masking policy. Similarly, Chandresh Bhatt, another officer named in the report has also said that he could not recollect if there is a data masking policy. The report also reveals that additional fields that were not required to be provided have been provided and there is an admission that no masking process was applied to these fields.
TRC report also reveals that only data relating to period from 31st Jul 2017 to 7th Dec 2017 was available on the FTP server (about 4 months out of the 12 months for which the agreement was signed) – and therefore could not find the exact nature of the data shared and cannot comment on the implications of the same.
NSE players being roped in?
In the initial mail dated Jun 9th, 2016, Dr. Thomas mentioned that her sister Sunita Thomas runs a software company which does work for a few security firms in algorithmic trading in BSE and NSE and that it would be useful for the MD & CEO to meet her and her partner (Krishna Dagli) and look for areas of co-operation.
Sunita Thomas, whose husband Suprabhat Lala was the chief of regulations and head of trading division at NSE during the period 2010-2013. Their role in NSE co-location scam is detailed in the PGurus post titled, “Who benefited from the HFT scam?”
These are the facts distilled from a 20 plus page report of TRC. You the reader can make your own judgment on whether this was similar to what happened in NSE or not…
A copy of the TRC audit report is shown below:
 Forensic auditors indicate IGIDR used data shared by MCX to develop an ‘algo-trading strategy’ – Apr 24, 2019, The Hindu Business Line
 Anatomy of a crime P4 – Who benefited from the HFT scam? Oct 4, 2017, PGurus.com