CBI probes NSE scam starring Chitra Ramkrishna. Here's what they found

Former National Stock Exchange (NSE) chief Chitra Ramkrishna's custody has been extended by 4 days as new findings emerged in the NSE co-location scam. The CBI probe has found that between 2009 and 2017, she had illegally ordered certain phone lines to be tapped and had also managed to avoid SEBI's mandatory system audit regulations.  

1. SOME BACKGROUND 

Chitra Ramkrishna was the MD of India's largest stock exchange ie the NSE from 2009 to 2013. She was a Director and CEO of NSE from 2013 to 2016 and found the national limelight when her ridiculous acts came out. She gave away crucial, time-sensitive NSE data to strangers and a Himalayan 'yogi', as she worshipped him. She also strategically appointed Anand Subramanian as the Chief Strategy Officer without any records, as if out of thin air. Anand was privately hired at an extravagant cost to NSE and wasn't even qualified for the job. Also, here's the twist: He is rumored to be the Himalayan yogi.

SEBI and CBI have launched their individual investigations, imposed penalties and fines and have even arrested Chitra and her support gang: Ravi Narain (another former MD), and Anand Subramanian.       

2. THE PHONE TAPPING & SYSTEM AUDIT FINDINGS 

The CBI probe in the complex NSE matters found two issues in two main matters:

1. The phone tapping that was ordered by Chitra Ramakrishna on some select employees.
2. The system audit issue   

1. The phone tapping: Chitra identified officers from 3 main departments ie. market watch, market surveillance, and risk management. These officers had access to critical online information and access to real-time online databases. Once shortlisted, she ordered their phones to be tapped. 

• Chitra ordered illegal tapping of 4 MTNL Primary Rate Interface (PRI) lines in NSE without seeking permission of any competent authority. Each of these PRI lines supports 30 telephone connections each, so 120 phone connections in total. This was done from March 2009 to February 2017.   
• After Chitra identified which connections to tap out of the 120 phone connections, the numbers were passed to the then Vice President of NSE, Ravi Varanasi.
• Ravi Varanasi then passed on these numbers to Mahesh Haldipur, who was the (Head) Premises at the time. (He was also the NSE spokesperson in 2015)

• A phone tapping company called iSec Services was hired by NSE to actually do the task. Mahesh Haldipur passed these numbers to the Head of iSec Services.
• An employee at iSec Securities was given the task of tapping the phone lines and submitting the resulting reports. The employee would submit these reports titled ''Monitoring report for call logs''. Once NSE received these reports, iSec was paid. 
• But did this not show up in the expenses of NSE? How was it shown in the books? Though NSE paid iSec to stoop on its employees, it window dressed this long-standing agreement under the pretense of ''Periodic study of cyber vulnerabilities'' and paid iSec Services about Rs 4.5 crore for this contract. 

(Btw, illegal phone tapping is a crime in India and the offender can suffer 3 years of imprisonment if convicted)   

2. The system audit: First, understand what is co-location. The NSE launched co-location facilities in 2009, which was basically a server rental facility to help traders and brokers. Brokers and brokerage firms could establish their IT servers on NSE's data centers and NSE would charge a fee for the same.

• Now as per SEBI rules and guidelines, brokers that use co-location facilities (like that provided by NSE) are ''high-risk'' and are mandatorily required to get their systems audited every 6 months. As per SEBI's rules, the same auditor can only perform 3 consecutive audits, meaning auditors have to change after every 1.5 years. 

• Now as per the CBI, two brokerage firms - SMC Global Securities Ltd and Shaastra Securities Trading Pvt Ltd have violated these audit guidelines. These 2 brokerage firms are the same firms that have been accused of having received preferential access to NSE's data and causing huge losses to NSE. And somehow iSec is involved here too. Here's how: 
• iSec audited the systems of Shaastra Securities Trading Ltd between April 2013 and March 2019, ie for 6 years! iSec also audited SMC Global's systems between October 2012 and September 2015. How? 
• Systems audit requires a certified professional to visit the cyber premises, test processes and submit final reports. But in the cases of SMC Global and Shaastra, the systems audit was carried out by an uncertified professional, who was an employee of iSec Services. Once the report was created, the report was printed on the letterhead of another unrelated small-time brokerage firm and signed by a System Auditor from this small-time brokerage firm. For a mere fee of Rs 5000. The actual system auditor of this small-time brokerage firm never visited the premises of these 2 brokerage firms. 
• Though NSE's books mentioned that a small brokerage firm was hired for system audits, in reality, the bills were raised and paid to iSec. Any guesses on what iSec's bill amount was? A massive 8 crore. 
• But how did this come to light? The system audit certificate was issued on a date before the iSec employees visited the premises for the actual system audit. Lol.