Employees and third-party vendors of market intermediaries and even market infrastructure institutions (MIIs) seem to be earning well from a thriving, illegal business of selling investors’ personal and trading data.
They are said to be selling it to database sellers, who then sell it to illegal investment advisories and portfolio management services (PMSes), tipsters, unregistered algo sellers, stock-market training schools and so on.
This arrangement makes it possible for anyone to buy, for as low as Rs 3, details like name, trading capital, trading segment, phone number and email IDs of another. For Rs 20, anyone can even get similar details of high net-worth individuals (HNIs) or ultra-high net-worth individuals (UHNIs).
Market insiders, and Moneycontrol’s conversations with these database sellers, revealed how easy it was to source any kind of data, sliced and diced to the buyer’s requirements.
More worryingly, it is possible for illegal, unregistered businesses–who offer investment advice, tips and PMS–to target less sophisticated investors in the market.
Moneycontrol’s investigations also revealed how impossible it was for the end-user/investor to protect themselves from this breach of privacy and hold anyone accountable for it.
Robbed of privacy
Varun (name changed) pursued a complaint against a listed broker through the SCORES platform, after he kept getting calls from people selling trading software and from those selling tips within days of registering with the broker.
SCORES is the acronym for Sebi Complaints Redress System.
He said that he did his very first transaction with the broker on August 16, and from August 18 onwards, he started getting calls from various businesses. The callers said that he had signed up for it when he bought the services of the broker but he clearly remembered not having chosen such an option.
“There was a strong correlation between my F&O transactions and the frequency of the calls. If I did an F&O transaction, they would call within a week. If I didn’t, they rarely did… nearly zero percent probability that they would,” he told Moneycontrol. He added that the businesses sell not only F&O recommendations but also recommendations for the cash and forex segments.
He was shocked to discover the details they had about him. They knew the segments he traded in, the exact indices and his full name as per the Know Your Customer (KYC) documents.
The callers even seem to be tracking his trading behaviour, even if he switches brokerages.
In fact, when he stopped trading in the F&O segment through the listed brokerage a few months ago and started trading in the cash segment through a leading online brokerage, the calls were related to cash-segment recommendations.
Leaks across the system
A senior executive at a brokerage told Moneycontrol that brokerages do not sell such data but “brokerages could leak, just as exchanges could leak”. Moneycontrol wrote to the two leading exchanges for their comments and this article will be updated if and when they respond.
“There are various entities–such as brokerages, KYC Registration Authorities (KRAs), depositories and exchanges–involved in reaching these financial services to investors. The data could leak through employees or vendors of any of these entities, even vendors of exchanges,” he said.
He said that these leakages have started happening with more frequency recently, with the regulator asking intermediaries and MIIs to inform investors of every change in their account.
“Many brokerages and even the exchanges don’t have the capacity to send such a volume of messages. Therefore, they take the services of third-party vendors. Very often, these vendors sell the data forward,” he said.
Five years ago, Zerodha’s Chief Technology Officer, Kailash Nadh, had posted about the data leakage on a Reddit thread. He said that, after working with regulators, exchanges and telcos and an elaborate investigation, they found leaks to be originating from the telcos and SMS gateways.
At the telcos, the leaks were happening specifically from departments that handle their corporate landline connections from which they call their customers. On the SMS gateways, he wrote that they harvest and leak numbers, and therefore they changed their gateway multiple times.
Employees as sellers
Insiders said that employees of market intermediaries sell data, too. This became further evident from a conversation this reporter had with a database seller.
Moneycontrol spoke to him as an interested buyer and cited a previous experience of buying such a database and finding various numbers inactive. Moneycontrol had indeed bought a database–which had names, contact details and annual trading capital of investors–of lower value to see what kind of details can be got most easily.
This particular vendor assured Moneycontrol that they were sourcing high-quality data–contact and trading details of HNIs and UHNIs for Rs 20 a piece–from the “very top” of a listed brokerage.
When we pressed for details, he gave the name of the brokerage and names of its branch head and team leaders who actually do the selling.
Legal experts told Moneycontrol that market intermediaries and MIIs are required to ensure that their associates and employees also maintain client confidentiality.
Who is responsible?
Smrithi Nair, Partner at Juris Corp, a law firm, said: “Market intermediaries are required to maintain confidentiality of client data and have to take client consent before sharing it. While it is not explicitly stated, these regulations imply that the intermediaries have to ensure that their employees too abide by that. Their employees are like their principal agents and therefore the brokers can be held liable for their employees’ actions.”
Manendra Singh, Partner at ELP Law, pointed to SEBI’s Guidelines for MIIs regarding Cyber security and Cyber resilience as an example.
He said that these guidelines require MIIs to maintain offline, encrypted backups of data and to regularly test these backups at least on a quarterly basis to ensure confidentiality, integrity and availability. “This will clearly require its employees and vendors as well to adhere to these statutory obligations,” he said.
Singh said that outsourcing guidelines given to intermediaries and clearing corporations require the service provider/outsourcing agency to protect the exchange’s proprietary, member-related and potentially market-sensitive information and software from unauthorised usage.
Nair and Singh said that these requirements can be built into the contracts these entities sign with their employees/vendors.
Nair, who advises exchanges and clearing corporations, said, “Brokers and other intermediaries have to ensure that these confidentiality clauses are included in their service agreements.”
Impossible to get redress
It isn’t easy for investors to get redress.
Varun filed a complaint with the broker but they said that they never sell customer information. They asked him to email the details of his complaint but sent him email IDs that were meant only to send mails (such as [email protected]) and not to receive them.
When he kept receiving such marketing messages, he filed his complaint on SCORES.
He said that the exchange responded 24 days after he registered his complaint, though the exchange was required to do so only after seven days. A month later, the brokerage contacted him and denied any hand in selling his information.
Their solution to his problem was “to ignore” the calls and messages.
Though he continued to take the complaint forward through the SCORES platform, the process ended with the exchange official and the brokerage asking for “solid proof” linking the sale to the brokerage.
“The exchange official said that she has received many complaints saying that the broker has sold the details but she can’t do anything about these complaints without necessary proof,” Varun told Moneycontrol. Finally, the exchange official and the brokerage official asked Varun to approach the cyber cell.
The SCORES platform registered his complaint as resolved but he continues to get these calls.
ELP Law’s Singh said that, for remedies against MIIs, the regulator can definitely question such breaches.