Firms to approach forensic experts for curbing instances of insider trading

Recent regulatory action has prompted a host of top listed firms to approach forensic auditors to curb instances of insider trading within their organisations. 

The misuse of unpublished price sensitive information, or UPSI, came into the limelight after financial results of companies circulated through WhatsApp messages caught the attention of market regulator Securities and Exchange Board of India late last year. The regulator has gone to the extent of vetting social media to ascertain wrongdoing, and may soon come out with guidelines to help companies better tackle the menace. 

“The number of companies approaching us to track and mitigate insider trading has tripled in the past one year,” said Arpinder Singh, partner & head- India & emerging markets, Fraud Investigation & Dispute Services, EY.

These could be companies embroiled in alleged insider trading issues as well as those looking to improve governance standards. Corporates with a global presence or significant private equity investment, and firms gearing up for listing are also queuing up.

India has not had a strong compliance mechanism around insider trading, historically. This is in stark contrast to developed countries such as the US where federal courts have gone to the extent of upholding use of wiretap evidence in recent insider trading prosecutions. Employee-related cases, in particular, have not drawn adequate attention. Until now. 

Uppermost on the agenda is preventing the leakage of financial results. This is used by employees to trade from own account, through kith and kin or through brokers. Brokers, in turn, could trade through their own account or pass on the information to other clients. 

Companies are evaluating mechanisms such as IP-based controls and data encryption to prevent such leaks. Identifying teams privy to insider information and monitoring them by obtaining periodic non-disclosure undertaking, reviewing their assets and trading accounts is another control mechanism.

Concerned employees could be asked to back up their mobile and desktop data to ensure a visible audit trail.  Disabling USB devices, controlling the printing of sensitive documents, and monitoring information exchange over non-company emails are other measures.

“Forming an internal online repository will help establish an audit trail and minimise information leak. Dummy entries for key financial figures can be used after the financial results are initially prepared, and reversed just prior to the formal announcement of the results,” said Nikhil Bedi, head of Deloitte’s forensic practice in India.

Insider information is not restricted to financial results alone. It can relate to information related to impending business transactions such mergers and acquisitions or organizational changes such as the restructuring of senior management or resignation of key personnel. 

The news of a major impending financial restructuring of a company, for instance, was leaked shortly after a confidential board meeting. The leaked information was used by minority shareholders to ask for changes to the restructuring by putting pressure on the stock price and making public announcements, among other things. This destabilised the restructuring process at the company.  

Forensic investigations are now being initiated weeks or even months after the insider information is misused. In such cases, a sudden improvement in an employee’s lifestyle may be an indication of benefit from illegal trades, said experts. However, unless a trail of money can be identified, it may be challenging to prove that someone accessed Insider information and traded on it.

“Forensic auditors cannot ensure that insider information is not leaked as we are brought in after an event has occurred,” says Reshmi Khurana, managing director and head of South Asia, Kroll. “Our role is to investigate weaknesses in people, IT systems and processes at a company that can lead to a leak in insider information. But deterrence can be best achieved by prosecuting and punishing insider trading.”

As per Sebi, a penalty of Rs 1-250 million, or three times the amount of profits made out of insider trading, whichever is higher, can be levied for insider trading. It is also punishable with a prison term of up to 10 years.

Five red flags

• In addition to external attacks towards attempts of data thefts, companies are exposed to: 
   
• Eavesdropping: Team member overhearing conversations and privy to UPSI information, especially in an open office setting with unrestricted access. 
• Espionage: A mole in the team is placed by competition. Inadequate background checks of outsourced staff or company staff make this a possibility
• Extended teams: Outsourced vendors, IT services providers, etc. They may have access to inside information but not covered through PIT as defined by the companies 
• Emails: Emails to junior staff, raising possibility of information leakage 
• Ever connected: Use of online applications which are encrypted and cannot be monitored by companies
• Source: KPMG Assocham Report, March 2018