A Fair Market Is One the Regulator Can Replay
The market is a machine.
Not metaphorically. Literally.
Orders enter through broker systems. They pass through APIs, OMS layers, RMS checks, vendor gateways, leased lines, exchange gateways, matching engines, market-data feeds, drop-copy channels, and audit logs. Somewhere in that path, a retail investor clicks buy. Somewhere else, a strategy modifies an order in microseconds.
If the machine is fair, every participant gets the access they are supposed to get.
If the machine is unfair, the unfairness will not always look like a man in a room doing a shady deal. It may look like latency. Or logging. Or an API bypass. Or an audit certificate. Or a “temporary” technical glitch that nobody outside the system can really reconstruct.
That is the problem.
India does not need less exchange expertise. NSE and BSE understand their own systems better than almost anyone else. That expertise is useful.
But India needs less exchange-controlled evidence.
Exchange = operator + first sensor
SEBI = independent truth owner
That should be the model.
Right now, too much of Indian market supervision still feels like this:
broker system
-> auditor certificate
-> exchange workflow
-> SEBI oversight
The model we should move toward is:
broker system
-> tamper-evident event stream
-> SEBI-owned market replay layer
-> exchange alerts + SEBI enforcement
That difference matters.
The compliance ritual
A few years ago, I worked on trading-platform systems for an Indian broker. Part of the job was making systems compliant for exchange approval and audit.
There were third-party auditors. There were checklists. There were portal submissions. There were controls around order placement, risk checks, logs, APIs, disaster recovery, algorithmic trading, and system audits.
On paper, it looked serious.
From my engineering vantage point, it often felt less like adversarial verification and more like a compliance ritual.
That is an experience, not a legal finding. I am not saying my employer, the auditors, NSE, BSE, or SEBI did anything wrong. I am saying something narrower:
the incentive design is weak
The broker needs approval. The auditor is economically tied to the certification market. The exchange receives the audit report and controls important market-access workflows. SEBI sits above the system, but a lot of first-line evidence and operational judgment still flows through the exchange.
That should bother us.
Not because Indian markets are uniquely bad. But because this is the exact class of conflict serious market regulators around the world have had to manage: commercial market operators also performing regulatory functions.
How the chain works
The Indian supervision chain roughly looks like this:
SEBI
-> statutory regulator
-> frames regulations and circulars
-> oversees exchanges, brokers, clearing corporations, depositories
-> can inspect and enforce
NSE/BSE
-> operate trading venues
-> supervise trading members at the first line
-> collect system audit reports
-> approve or monitor broker trading facilities
-> monitor technology parameters
-> penalise, restrict, or escalate
Third-party auditors
-> audit broker systems
-> certify compliance against exchange/SEBI requirements
Brokers and vendors
-> build and run the actual trading technology
SEBI’s Market Regulation Department says it supervises Market Infrastructure Institutions such as stock exchanges, clearing corporations, and depositories.[1]
NSE’s own compliance page says trading members submit system audit reports through NSE ENIT. It also says algorithmic trading facilities have to be audited by exchange-empanelled system auditors.[2]
NSE also has empanelment surfaces for trading-technology vendors and algo providers.[3]
So yes, SEBI is the top regulator.
But exchanges remain deeply embedded in first-line supervision.
That is the part worth questioning.
The conflict is structural
An exchange is not just a referee.
It is a commercial institution.
It earns from market activity. It sells access, connectivity, data, colocation, and trading infrastructure. Its largest brokers and high-volume participants matter commercially. At the same time, the exchange is expected to supervise those participants.
That creates a structural conflict.
commercial exchange
earns from trading activity
supervises trading members
approves or monitors broker technology
receives audit reports
controls important technical evidence
This does not prove corruption.
A conflict of interest is not a scam.
But a market should not depend on institutional virtue. The design should survive bad incentives.
The question is not:
Are NSE and BSE good institutions?
The question is:
Should any commercial exchange be the primary judge of broker technology,
member compliance, and exchange-access fairness?
My answer is no.
The exchange should be a first sensor. It should not be the final source of truth.
SEBI is not asleep
This is the part where the easy rant fails.
SEBI is not blind to conflict risk. Its MII governance material talks about separation between regulatory and business functions, autonomy for regulatory departments, independent committees, and conflict handling.[4]
SEBI’s December 2025 MII governance circular goes further. It frames exchanges, clearing corporations, and depositories as public-interest infrastructure and strengthens governance around Executive Directors, Public Interest Directors, statutory committees, and reporting lines for key roles like CTO, CISO, Compliance Officer, and Chief Risk Officer.[5]
That matters.
SEBI is also treating broker technology as market infrastructure. Its January 2026 technical-glitch framework covers broker electronic trading systems, including hardware, software, networks, outsourced third-party systems, order placement, modification, cancellation, execution, confirmations, margins, collateral, funds views, and related functions.[6]
That also matters.
And then there is LAMA: the API-based Logging and Monitoring Mechanism. SEBI’s stock-broker master circular describes LAMA as a mechanism between stock exchanges and specified brokers’ trading systems, where exchanges monitor key parameters through an API gateway to assess system health.[7]
Good direction.
India is moving from:
paper compliance
-> technology monitoring
But it has not yet moved far enough:
technology monitoring
-> regulator-owned reconstruction
That is the missing jump.
Governance separation is not evidence separation
Better exchange committees reduce governance risk.
They do not change who controls the truth.
better exchange governance
-> reduces internal conflict
SEBI-owned replay layer
-> changes evidence power
If LAMA telemetry goes to exchanges, system audit reports go to exchanges, algo audit workflows run through exchange-empanelled auditors, vendor oversight depends on exchange empanelment, and first-line findings are filtered through exchange processes, then SEBI may supervise the system without owning the raw truth layer.
That is not enough for modern electronic markets.
Modern unfairness can be boringly technical:
- unfair access to exchange infrastructure
- latency asymmetry
- broker API abuse
- algo misclassification
- market-data asymmetry
- vendor-level manipulation
- risk-check bypass
- log tampering
- selective outage impact
- preferential connectivity
- hidden manual intervention
You do not investigate that with screenshots and certificates.
You investigate it with replay.
The co-location warning
India has already seen why this matters.
The NSE co-location matter is the obvious warning. In its April 2019 order, SEBI dealt with unfair access concerns in NSE’s co-location facility and ordered disgorgement of profits from co-location operations during the relevant period, among other directions.[8]
Moneylife and Sucheta Dalal were central public voices in bringing attention to the issue. Moneylife published whistleblower material in 2015 alleging manipulation concerns in NSE’s systems.[9]
Jayanth Varma also publicly argued for greater disclosure around the NSE probe, according to Business Standard.[10]
The point is not that every exchange process is compromised.
The point is not to re-litigate that case here.
The point is simpler:
When market fairness depends on technical access,
opaque infrastructure becomes a regulatory risk.
If the exchange controls both access and much of the evidence about access, public trust depends too heavily on the exchange’s own account of what happened.
That is bad architecture.
Other countries made different choices
Exchange-led supervision is not inevitable.
Other countries have solved the conflict differently.
| Model | Example | What it does | Lesson for India |
|---|---|---|---|
| Regulator-led surveillance | Australia | ASIC took real-time market supervision from ASX in 2010 | Reduce the conflict where an exchange supervises the market it profits from |
| Independent broker SRO | US / Canada | FINRA and CIRO supervise brokers or market participants under public-regulator oversight | Broker supervision need not sit fully inside exchanges |
| Public audit trail | United States | SEC Rule 613 created the Consolidated Audit Trail model | Regulator should reconstruct order lifecycle across venues |
| Exchange-group regulatory arm | Japan | JPX has a separate regulatory entity inside the exchange group | Better than pure business-line supervision, but still group-linked |
| Co-regulation with oversight | UK / EU | Exchanges remain frontline, public regulators supervise heavily | Works only if regulator has strong data access and enforcement power |
Australia is the cleanest model for the specific conflict I worry about. ASIC says it assumed responsibility for real-time supervision of trading on Australian domestic licensed markets from ASX on 1 August 2010.[11] ASIC now describes market supervision as part of its role over licensed markets and participants.[12]
The United States takes a different route. It still uses self-regulatory organizations, but broker-dealer supervision is heavily associated with FINRA, a government-authorized not-for-profit overseen by the SEC.[13] The SEC’s Division of Trading and Markets regulates major market participants, including broker-dealers, exchanges, and SROs.[14]
The US also created the Consolidated Audit Trail under SEC Rule 613 to track order lifecycle information across markets.[15]
Canada has CIRO, a national self-regulatory organization overseeing investment dealers, mutual fund dealers, and trading activity on Canadian marketplaces.[16]
The UK and EU retain exchange monitoring duties, but with explicit requirements around systems, conflicts, monitoring, and reporting to public authorities.[17][18]
Japan has a separated exchange-group regulatory entity, Japan Exchange Regulation.[19]
None of this is perfect.
Australia can still have exchange technology-governance failures. The US CAT has cost and privacy problems. Independent SROs can be captured. Internal exchange-group separation still leaves group-level conflict.
But the comparison proves the important thing:
India has design choices.
We are not stuck with an exchange-heavy evidence path because “that is how markets work.”
What experts actually say
The serious literature does not say self-regulation is always bad.
That would be too simple.
Self-regulation works because exchanges and market participants understand the machinery. They know the protocols, failure modes, trading patterns, and operational details. A distant regulator may not.
But self-regulation becomes dangerous when exchanges are commercial, competitive, demutualized, or dependent on the firms they supervise.
IOSCO has written about effective self-regulation and the conflicts created by exchange evolution.[20][21] The SEC has examined conflicts in the US SRO model, especially as exchanges became more commercial and competitive.[22] The World Bank has described different securities-market self-regulation models, including exchange SROs, independent SROs, and government regulator models.[23] CFA Institute has discussed the tension between self-regulatory expertise, investor protection, transparency, and public-regulator oversight.[24]
The practical takeaway is boring and important:
exchange expertise is useful
exchange-controlled truth is dangerous
What SEBI is doing right
SEBI is doing real work here.
It is right to treat exchanges as public-interest infrastructure.
It is right to strengthen MII governance.
It is right to regulate broker technical glitches.
It is right to move broker supervision toward telemetry through LAMA.
It is right to make brokers responsible for outsourced and vendor-linked technology.
These are not cosmetic changes.
The problem is that they are still mostly mitigations inside an exchange-dependent architecture.
They reduce conflict.
They do not eliminate the evidence problem.
What is still wrong
The mistake is not that SEBI ignored the problem.
The mistake is that India is still solving too much of it inside the exchange-led workflow.
LAMA is not enough
Under the current model, LAMA is a mechanism between exchanges and specified brokers. Exchanges monitor the key parameters.[7]
Useful? Yes.
Sufficient? No.
The stronger model is:
broker telemetry
-> SEBI-owned market integrity layer
-> exchange gets operational alerts
-> SEBI can independently replay events
Audit workflows are still too exchange-facing
NSE says system audit reports are uploaded through NSE ENIT, and algo facilities require exchange-empanelled system auditors.[2]
NSE’s 2025 technology-based system audit circular says exchanges are required to empanel system auditors, ensure auditor independence, impose cooling-off, de-empanel imprudent auditors, and refer issues to professional bodies or regulators.[25]
NSE’s 2026 system-audit circular adds audit-plan registration, geo-location capture for physical visits, and management comments before submission completion.[26]
These are improvements.
They also show the system is still trying to fix audit quality through exchange-run workflows.
I do not think that is enough.
Audit incentives are too soft
The broker wants approval. The auditor wants future work. The exchange wants compliant, functioning markets.
The pressure is toward closure.
The system needs stronger counter-pressure toward challenge.
Better design:
SEBI assigns auditor
broker pays central audit pool
auditor is paid by pool
auditor rotates
audit quality is scored
bad audits trigger liability
Vendor and algo oversight is still too indirect
SEBI’s retail algo framework makes brokers responsible for algo providers, and the exchange empanelment model gives exchanges an oversight role.[7]
That creates traceability.
But it still leaves a large fintech technology surface indirectly regulated.
OMS vendors, RMS vendors, API gateway providers, algo providers, market-data vendors, colocation infrastructure, and shared broker technology providers should face a more independent certification regime.
Public incident reporting is weak
When serious market-technology incidents happen, the public usually sees fragments:
- circulars
- outage notices
- broker explanations
- media reports
- enforcement orders much later
That is not how trust is built.
For serious incidents, SEBI should publish reports that answer:
- what happened
- when it happened
- who was affected
- whether orders were delayed, rejected, or misrouted
- whether any participant got unfair advantage
- what evidence was used
- what remediation was ordered
- whether penalties were imposed
The model India should build
India should create a SEBI-owned Market Integrity Layer.
Call it whatever you want:
SEBI Market Integrity Layer
National Market Integrity Authority
Market Replay System
The name does not matter.
The architecture matters.
Broker OMS/RMS/API/algo/vendor systems
-> signed event logs
-> common order lifecycle IDs
-> SEBI-owned consolidated audit trail
NSE/BSE
-> gateway timestamps
-> matching engine events
-> order ack/cancel/modify/trade events
-> market-data dissemination events
-> first-line alerts
Independent auditor pool
-> assigned by SEBI
-> paid through central pool
-> rotated
-> scored
-> liable for bad certification
SEBI / market integrity authority
-> replay engine
-> cross-market surveillance
-> broker technology supervision
-> vendor certification
-> public incident reporting
-> enforcement referral
The order lifecycle trail should cover:
- broker
- client or masked client identifier
- dealer, if any
- API key or session
- algo ID and version
- vendor system
- OMS event
- RMS decision
- exchange gateway receipt
- matching engine event
- market-data dissemination timestamp
- modify/cancel chain
- execution chain
- reject codes
- kill-switch events
- risk overrides
- drop-copy reconciliation
Plain logs are not enough.
Logs should be hash-chained, signed, and periodically checkpointed with SEBI.
plain logs
-> can be edited after the fact
signed hash-chained event streams
-> edits become detectable
This is not exotic.
This is table stakes if software defines market fairness.
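A minimal sketch of that idea, added here as an illustration and not taken from any SEBI, exchange, or broker system: each order-lifecycle event is hash-chained and signed, and a checkpoint (record count plus chain head) is held by the regulator. HMAC stands in for a real asymmetric signature, and the event field names and the key are constructed for the example.

```python
import copy, hashlib, hmac, json

GENESIS = "0" * 64  # prev-hash of the first record

def _digest(prev_hash, event):  # canonical JSON: same event, same hash
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def _sign(key, record_hash):  # assumption: HMAC replaces the broker's signature
    return hmac.new(key, record_hash.encode(), hashlib.sha256).hexdigest()

def append(log, event, key):
    prev = log[-1]["hash"] if log else GENESIS
    h = _digest(prev, event)
    log.append({"event": event, "prev": prev, "hash": h, "sig": _sign(key, h)})

def checkpoint(log):  # deposited with the regulator: (record count, chain head)
    return (len(log), log[-1]["hash"])

def verify(log, key, checkpoints=()):
    """Return a list of findings; an empty list means the stream is consistent."""
    findings, prev = [], GENESIS
    for i, rec in enumerate(log):
        if rec["prev"] != prev or rec["hash"] != _digest(prev, rec["event"]):
            findings.append(f"record {i}: hash chain broken")
        if not hmac.compare_digest(rec["sig"], _sign(key, rec["hash"])):
            findings.append(f"record {i}: bad signature")
        prev = rec["hash"]
    for count, head in checkpoints:
        if count > len(log) or log[count - 1]["hash"] != head:
            findings.append(f"checkpoint {count}: head does not match")
    return findings

def demo():
    key = b"constructed-demo-key"
    events = [  # constructed sample order lifecycle, not real data
        {"order": "ORD-1", "type": "OMS_NEW", "qty": 100, "ts_ns": 1},
        {"order": "ORD-1", "type": "RMS_DECISION", "result": "PASS", "ts_ns": 2},
        {"order": "ORD-1", "type": "GATEWAY_RECEIPT", "ts_ns": 3},
        {"order": "ORD-1", "type": "MODIFY", "qty": 500, "ts_ns": 4},
    ]
    log = []
    for e in events:
        append(log, e, key)
    cp = checkpoint(log)  # stored outside the log owner's control
    edited = copy.deepcopy(log)  # case 1: one field changed after the fact
    edited[3]["event"]["qty"] = 50
    rebuilt = []  # case 2: the key holder re-creates the whole chain
    for e in events:
        append(rebuilt, dict(e, qty=50) if e["type"] == "MODIFY" else e, key)
    return {
        "clean": verify(log, key, [cp]),
        "edited": verify(edited, key, [cp]),
        "rebuilt_no_checkpoint": verify(rebuilt, key),
        "rebuilt_with_checkpoint": verify(rebuilt, key, [cp]),
    }

if __name__ == "__main__":
    print(demo())
```

The second case is the reason for the checkpoint: a party holding the signing key can rebuild an internally valid chain, and only the head hash stored outside its control exposes the rewrite.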
Protect the engineers
The first person to see the problem is often not a lawyer or a regulator.
It is an engineer.
The person who knows the log chain is broken. The person who knows a manual override exists. The person who knows the DR drill was theatre. The person who knows a vendor system can bypass a control. The person who knows the latency story does not match the data.
India needs explicit whistleblower protection for market-infrastructure technology issues.
Protected reporters should include:
- broker engineers
- exchange engineers
- vendor engineers
- SREs
- cybersecurity teams
- audit staff
Protected issues should include:
- log tampering
- bypassed RMS checks
- unfair exchange access
- market-data asymmetry
- colocation/proximity unfairness
- hidden manual overrides
- audit manipulation
- vendor backdoors
- algo malfunction coverups
If the market is a machine, engineers are the people closest to the moving parts.
Do not leave them exposed.
The final stance
I do not want weaker Indian markets.
I want stronger ones.
India’s capital markets are too important to rely on certificates, portal uploads, and after-the-fact explanations.
A modern market needs independent reconstruction.
The fair market of the future is not the market with the thickest audit checklist.
It is the market where the regulator can replay what happened.
India should keep exchange expertise. Exchanges understand their systems and must remain first-line operators.
But the exchange should not be the final source of truth.
The reform India needs is:
from exchange-led compliance
to SEBI-owned market reconstruction
Until that happens, Indian markets may be efficient, liquid, and technologically impressive.
But they will remain more trust-based than they should be.
Footnotes
- NSE, System Audit Compliances.
- NSE, Empanelled Vendors of the Exchange; NSE, Empanelled Algo Providers.
- SEBI, MII governance note.
- SEBI, Master Circular for Stock Brokers, Jun 17 2025.
- Moneylife, Blowing the whistle on manipulation in NSE, Jun 19 2015.
- Business Standard, SEBI should disclose documents related to NSE probe: expert, Jan 05 2017.
- ASIC, Market supervision.
- FINRA, About FINRA.
- CIRO, About CIRO.
- FCA Handbook, Recognised Investment Exchanges: systems and conflicts.
- ESMA, MiFID II Article 54: monitoring compliance with rules.
- Japan Exchange Group, Japan Exchange Regulation.
- IOSCO, Model for Effective Self-Regulation.
- SEC, Concept Release Concerning Self-Regulation, Release No. 34-50700.
- World Bank, Self-Regulation in Securities Markets.
- CFA Institute, Self-Regulation in Today’s Securities Markets.
- NSE, Technology-based system audit circular INSP66456, Feb 03 2025.