Sanjay Pandey, the ex-Mumbai Police Commissioner, was arrested and is currently in the custody of the Enforcement Directorate (ED) because his firm, iSec Services, committed three wrongful acts. iSec tapped NSE's phone lines illegally, failed to raise red flags in its system audits, and broke SEBI guidelines, which caused losses to the NSE.
Some context: After the CBI registered a case against the NSE trio, i.e., Chitra Ramkrishna, Ravi Narain (both ex-CEOs and MDs), and Sanjay Pandey, for illegally tapping phones at NSE, the ED, too, filed a money laundering case against them. After getting custody of Chitra Ramkrishna, the ED now has Sanjay Pandey in its custody for 9 days.
Why? Sanjay Pandey's company iSec Services was hired for a long time to conduct system audits of brokerage firms. During the co-location scam, some brokerage firms made ridiculous profits when NSE servers were compromised. A good system audit should have raised red flags, but Pandey's system audits never did.
Now, who is Sanjay Pandey? Pandey is a 1986 batch Indian Police Service (IPS) officer and is known for his role in bringing Mumbai's 1992-93 riots under control as Mumbai's Deputy Commissioner of Police. He resigned from his post in 2001 and withdrew the resignation in 2002. But, weirdly, his resignation was accepted in 2003, and he moved the court against this acceptance.
After his resignation from the IPS, he established an IT firm called iSec Services Pvt Ltd to conduct security audits.
In 2005, he returned to service to avail of the VRS benefit that is available at the end of 20 years of service. But, since he neither got VRS nor got posted anywhere, he moved the court again, only to return to service in 2011.
In February 2022, he was appointed as the Mumbai Police Commissioner by the Maha Vikas Aghadi government. On June 30, 2022, Pandey retired from service.
His role in the NSE scam: The CBI probe found that two brokerage firms (Shaastra Securities and SMC Global Securities) made large profits because they had preferential access to NSE's data through NSE's co-location facilities. Both firms had hired Pandey's firm iSec Services to audit their systems, but iSec did a shoddy job.
iSec Services is also being accused by the CBI of breaking SEBI's system audit guidelines and illegally tapping NSE's phone lines.
So, when the NSE launched co-location facilities in 2009, it basically provided a server rental facility that allowed traders and stock brokers to place their servers within NSE's data center for a fee. The brokers who use this co-location facility are termed "high risk" since they get to use better hardware and can access market data faster than other brokers, which gives them a split-second advantage. A split-second advantage can be worth crores to brokers. So, as per the SEBI guidelines, these brokers are required to get their computer systems audited every 6 months.
Also, since auditors are the ones who can find loopholes in the IT systems, SEBI guidelines say that high-risk brokers can only have one auditor for three successive audits, i.e., for 1.5 years. This is done because an auditor and a client can also be accomplices in fraud, and frequent rotation of auditors helps authorities like SEBI catch frauds.
How did iSec do this: iSec broke SEBI's guidelines by auditing the systems of Shaastra Securities for over 6 years and SMC Global's systems for 3 years. SEBI only permits 1.5 years of continuous audit.
iSec apparently got the systems audited by its own employee, who was an uncertified professional, which again breaks SEBI guidelines. If that was not enough, iSec window-dressed the records, hired a small brokerage firm on paper, paid them Rs 5,000, and got a clean chit report signed by this small firm.
As per the CBI, iSec was the company responsible for tapping phone lines to snoop on NSE's employees, in a scheme masterminded by Chitra Ramkrishna. NSE's books showed that NSE entered into a Rs 4.5 crore contract with iSec for "periodic study of cyber vulnerabilities". But the CBI probe found that instead of providing this service, iSec tapped NSE's 4 primary telephone lines and snooped on specific employees, who were shortlisted by Chitra Ramkrishna.