India- SEBI And WhatsApp Leaks: Every Link In The Chain Matters.
Legal News & Analysis - Asia Pacific - India - Regulatory & Compliance.
24 June 2020
“The most valuable commodity I know of is information.”
– Gordon Gekko, Wall Street
Over the past few weeks, the Securities and Exchange Board of India (SEBI) has passed three orders (SEBI Orders) in the infamous ‘WhatsApp leak’ saga that has been in the news since November 2017. Holding the impugned perpetrators guilty of violating insider trading regulations, the regulator has taken significant steps in pushing the boundaries of the concepts of insider, UPSI and insider trading.
The ‘Market Chatter’ group – A brief history
WhatsApp groups are ubiquitous – just look at your phone. That WhatsApp groups (and other encrypted devices, applications and features) have been, and continue to be, used for illegal activities is a foregone conclusion, and securities regulators across the world have recognised market manipulation due to leakage of sensitive information as a real threat. During November 2017, SEBI took note of articles in mainstream media alleging circulation of unpublished price sensitive information (UPSI) on various private WhatsApp groups, including a ‘Market Chatter’ group, about certain companies ahead of their official announcements on stock exchanges.
Acting promptly, the regulator brought market operators, brokerage firms, auditors, analysts, investment advisors and company executives under the scanner. Interim orders were passed against several major companies whose UPSI was purportedly leaked, with the regulator seeking to take a tough stand on companies that failed to fix individual responsibility for any leaks. SEBI directed such companies to conduct internal investigations to identify those guilty of the leak, take steps to check any recurrence, and to provide necessary details to SEBI. Unfortunately for the regulator, these companies came back with clean chits on any internal leaks, and SEBI has been unable to trace the original source.
Notwithstanding, SEBI continued with its enquiry process, conducting a search and seizure operations involving 26 entities featuring in the ‘Market Chatter’ WhatsApp group, and seizing approximately 190 devices and records. After examining the WhatsApp chats extracted from the seized devices, the regulator found around 12 companies whose earnings data and other financial information got leaked on WhatsApp, out of which the leaks in relation to Ambuja Cements Limited, Bajaj Auto Limited and Bata Limited became the subject matter of the SEBI Orders.
The SEBI Orders – what is UPSI, who is an Insider and most importantly, the concept of ‘Heard on the Street’ (HOS)
The SEBI Orders have reanalysed the fundamental questions of ‘who is an insider’ and ‘what is UPSI’ with the peculiar set of facts in consideration. In answering these two questions, the regulator has laid specific emphasis on the following considerations:
The leaked information (revenue, PAT, date/ time of announcement of results), was exactly the same as the subsequent announcements, and the inability to trace the proof/ source of the leak within the subject companies is irrelevant in the determination of whether such information was UPSI;
There was no evidence suggesting that the information was based on market research which in turn was based on generally available information, and that such market research was accessible on a non-discriminatory basis to the public; and
Even though the accused were financially literate personnel who were associated with the securities market, they allowed themselves to be ‘an instrument in the chain of communication’ of sensitive information and did not raise an alarm when the information circulated by them matched the announced results accurately, regardless of the source.
Based on the above, and settled legal positions, the SEBI Orders have held that the accused in question were ‘insiders’ and the information in question was ‘UPSI’. For the regulator, it is the possession of information (and not source), and the nature of information (and not the manner in which the information reached the accused, or whether such information was used to trade) that mattered.
However, what also stands out in the orders is the regulator’s analysis of HOS v UPSI.
One of the primary contention of the accused in these cases was that the information in question was HOS – unsubstantiated gossip that is forwarded as speculation or rumours, which is common practice amongst analysts of brokerage houses, based on factors including financial modelling, management guidance, global factors and meetings with the management. The accused further contended that HOS is prevalent globally, and used by the entire trading and active investor community to plan trades.
Analysing the concept of HOS in the instant case, the SEBI Orders have noted that as opposed to HOS: (i) the information here was not generally available in the public domain, but was being circulated in a closed group; and (ii) the information was not shown to be arising from any market research or publicly available data. The regulator has further held that the accused, who are reasonably expected to be well acquainted with the working of the securities market and nature of sensitive information, cannot claim ignorance regarding the nature and materiality of information received and forwarded by them, and should have become suspicious regarding the source of such information once it closely matched subsequently announced results.
Technological and other challenges
While the SEBI Orders have found the accused to be guilty and have imposed a penalty, the issue is far from over. In the SEBI Orders, as well as in past press briefings, the regulator has expressed its inability to conduct an exhaustive inquiry in light of the end-to-end encryption based applications such as WhatsApp, where the source of a message or the entire chain of communication cannot be established. The issue is not limited to SEBI, or India either – in the past the U.S. Securities and Exchange Commission (SEC), as well as the Federal Bureau of Investigation (FBI) have expressed concerns over the usage of encrypted apps by Wall Street traders to hide illicit communication from internal compliance programs and regulators to disguise financial crimes.
The shift to new technologies is not unexpected. Before encrypted apps and social media, encrypted text messages and burner phones have been used by perpetrators with great resourcefulness to undertake insider trading. With app developers launching new features – encryption, self-destructive messages, timed secret chats – at a breakneck speed, and with the rapid expansion of online social networks, these challenges are bound to increase both in number and complexity in the times to come. Here, it does not help that under law, SEBI currently lacks key surveillance tools such as phone tapping, which makes it increasingly difficult for the regulator to close investigative loops.
Is there a solution?
Technological advances and complexities will remain inevitable hurdles for the regulator. However, given that the disclosure of UPSI violates the rule of parity of information and perpetuates information asymmetry, the need of the hour will be to take the challenges head-on. On its part, the regulator has been proactive and pragmatic. Over the past two years, there have already been instances where insider trading violations over social media and matrimonial websites have been indicted. In terms of future initiatives, given the ineffectiveness of structured data analysis, SEBI has recently been on the lookout to acquire technology for unstructured data analysis in order to curb market manipulation. The regulator has also planned a data lake project to augment analytical capabilities.
The amendments introduced pursuant to the SEBI (Prohibition of Insider Trading)(Amendment) Regulations, 2018 were a major step towards curbing leakage of UPSI. These were aimed at strengthening internal controls, maintenance of database of persons involved in generating or having access to UPSI, instituting internal processes for inquiry into leakages of UPSI and protection of whistle blowers. Taking a cue from international regulators (e.g. the SEC and the UK’s Financial Conduct Authority), SEBI may also consider undertaking its own version of ‘exam sweeps’ on listed companies and intermediaries to attack the issue at the source, and issue guidance and warnings to companies specifically in relation to usage of electronic messaging apps. On its part, for example, the SEC has witnessed an uptick in enforcement actions in relation to insider trading after the implementation of the Consolidated Audit Trail system as well as increased reliance on whistleblower tips.
However, while the regulator can provide a framework, ensure monitoring and take actions against non-compliances, the implementation of these measures remains the primary responsibility of companies. Internationally, in the past few years, some investment banks and other financial services firms have barred their employees from using encrypted messaging services altogether. Many institutions have forbidden the use of personal mobile devices for work purposes .
From a housekeeping and hygiene perspective, companies may also relook at information sharing frameworks with shareholders, especially private equity investors who are closely involved in protecting their economic interests in portfolio companies. Often, such information sharing (especially in the case of companies which are not listed or to be listed) is both through formal (e.g. email correspondence) and informal (e.g. WhatsApp groups) means, sometimes without even any proverbial ‘Chinese walls’ in place, and the information being provided can be quite extensive in nature. Internal reporting structures within companies may also at times expose unsuspecting middlemen and junior employees to information which could potentially be UPSI.
Hence, while the regulator is doing all that it can, in the background of the SEBI Orders, it may be a good time for all stakeholders to take a step back and relook at the bigger picture. This will allow them to ensure that the robustness of internal controls is not just empty rhetoric, but something which can complement the regulator’s efforts to safeguard the interest of investors and the integrity of the securities market. It is implied in the SEBI Orders – all constituents are expected to play their part in this fight.
For further information, please contact:
Rohan Banerjee, Partner, Cyril Amarchand Mangaldas
 https://www.sebi.gov.in/enforcement/orders/apr-2020/adjudication-order-in-respect-of-neeraj-kumar-agarwal-and-shruti-vishal-vora-in-the-matter-of-circulation-of-upsi-through-whatsapp-messages-in-the-scrip-of-ambuja-cements-ltd-_46613.html, https://www.sebi.gov.in/enforcement/orders/apr-2020/adjudication-order-in-respect-of-neeraj-kumar-agarwal-and-shruti-vishal-vora-in-the-matter-of-circulation-of-upsi-through-whatsapp-messages-in-the-scrip-of-bajaj-auto-limited_46611.html and https://www.sebi.gov.in/enforcement/orders/jun-2020/adjudication-order-in-respect-of-ms-shruti-vora-in-the-matter-of-circulation-of-upsi-through-whatsapp-messages-with-respect-to-bata-limited_46777.html
 To contrast the treatment accorded to the recipient of UPSI, as well as the standard applied to gauge “general availability” of information, see orders passed by SEBI in the matter of Manappuram Finance. See https://www.businesstoday.in/opinion/columns/whatsapp-leaks-case-sebi-investigation-may-yield-little-result-insider-trading/story/403510.html
 In its report dated August 8, 2018, the SEBI Committee on Fair Market Conduct recommended that SEBI may seek direct power to intercept calls but ensure proper checks and balances for the use of power. The committee further recommended that the power to intercept conversation may be equivalent to powers given to other regulatory agencies, such as the Central Board of Direct Taxes, to deal with economic offences