Explained: The co-location scam, its alleged link to former Mumbai police chief Sanjay Pandey

One of the angles being investigated is how an audit company incorporated in 2001 and linked to Sanjay Pandey did not red-flag that the NSE servers were compromised. This had allegedly allowed one of the trading companies to get unfair access to the system, leading to windfall profits. The IT firm had conducted security audits at the NSE from 2010 to 2015.

What is co-location?

Co-location is a data centre facility where third parties can lease space for servers and other computer hardware. They provide infrastructure like power supply, bandwidth and cooling for setting up servers and storage of data. Customers usually rent out space by rack, cabinet, cage or room.

The NSE introduced co-location facilities in 2009 and offered traders/brokers to place their servers within NSE’s data centre for a fee. By being in close proximity to the stock exchange servers, traders/brokers would have faster access to the price feed and the execution of trades, due to the low latency connectivity.

What is the NSE co-location case?

In January 2015, a whistleblower wrote a complaint to the Securities and Exchange Board of India (SEBI), alleging that some brokers who leased space at the NSE co-location facility, were able to log into the NSE systems with better hardware specifications while engaging in algorithmic trading. This allowed them unfair access from the period of 2012-2014, as the hardware specifications gave them a split second advantage in accessing the price feed.

A miniscule difference in time can lead to huge gains for a trader. At that time NSE used to disseminate information through unicast, which is a single, direct request sent from one host to another, with only those hosts interacting over the route.

Following the complaints by the whistleblower, SEBI formed an expert committee under the guidance of its Technical Advisory Committee (TAC) to examine the allegations against NSE. It found that stock brokers at NSE’s co-location facility were given preferential access, as they could log onto multiple dissemination servers through the multiple IP’s assigned to them.

The committee also found that NSE followed a static mapping process for allocating members’ IPs to dissemination servers due to which a few brokers were able to log on to the fastest dissemination servers. At least 15 brokers were identified by SEBI for having preferential access.

Why is Sanjay Pandey being investigated?

Established in 2001, iSec Services Pvt Ltd was one the IT companies that conducted security audits at NSE from 2010 to 2015, when the co-location scam supposedly took place. The CBI has been investigating the company because it believed that the security audit firm should have been able to detect breaches in the NSE system when the scam occurred.

Sources close to iSec told The Indian Express on July 3, that the company was merely responsible for conducting audits of the devices used by the brokers who were using the co-location facility provided by the NSE, to check if they had proper Internet connection, firewall facility, among other technical aspects. A source had said, “iSec did not have any access to the NSE servers, so there was no way they could detect that the system had been compromised and a co-location scam was underway.”

When the firm, iSec Services Pvt Ltd, was incorporated in March 2001, Pandey was not in police service as he had resigned, but the same had not been accepted by the government.

He quit the firm’s directorship in May 2006, after which his mother Santosh and son Armaan became directors in the company.

Pandey’s stint as Mumbai police chief

On February 19, Sanjay Pandey, was appointed Mumbai Police Commissioner by the former Maha Vikas Aghadi government, four months before his retirement.

During his tenure, cases were registered against BJP leaders like Kirit Somaiya, Mohit Kamboj, Narayan Rane and Independent MLA Ravi Rana – who was vocal against the Shiv Sena. As a result, BJP politicians had accused Pandey of targeting its leaders at the behest of the MVA government, which he denied.

Mohit Kamboj, a BJP leader against whom an FIR was registered in connection with a case of bank fraud, had suggested that Pandey could face action after his retirement on June 30. Soon after recording his statement with police last month, Kamboj had said: “While the 1st (June 1) belongs to the person who registered this case against me, the 30th (June 30) will belong to us.”

Newsletter | Click to get the day’s best explainers in your inbox

Key arrests in co-location case

Earlier in February, the CBI had arrested Chitra Ramkrishna, former CEO and MD of National Stock Exchange (NSE) in connection with the case. The following month, Anand Subramanian, the former COO of NSE was also arrested for his alleged involvement.

On February 11, Ramkrishna was fined Rs 3 crore by the SEBI for the illegal appointment of Subramanian. It also indicted Ramkrishna for allegedly sharing confidential information with a “Himalayan yogi”.