Nearly seven years after the National Stock Exchange (NSE) co-location (COLO) scam came to light, market regulator SEBI now wants the MD, CEO and chief technology officer (CTO) of exchanges to certify that the COLO trading grid and its linkage provide fair, equitable, transparent and non-discriminatory treatment to all market participants. COLO trading came under heavy criticism on the grounds that it provides an unfair advantage to those who can afford to lease space at the server farm inside an exchange's premises.
Multiple investigations into the NSE COLO scam had revealed that the systems were prone to manipulation and had inherent flaws. Investigations revealed that in 2010, when COLO trading was launched by NSE, it lacked essential safeguards, and SEBI failed to give either a certificate of approval or disapproval. Also, when the scam came to light, NSE was asked to appoint forensic auditors to conduct a probe.
However, SEBI has now come out with a comprehensive framework for the audit of technology systems of exchanges and other essential market infrastructure institutions (MIIs) such as depositories and clearing corporations. The framework attempts to put the onus for any failure or mishap in technology or systems on the senior management of exchanges: the MD, CEO and CTO.
Investigations that followed the NSE COLO scam have struggled to put the blame on the management or the board of the exchange, with all of them claiming ignorance or passing the responsibility on to others. NSE's former MD and CEO, Chitra Ramkrishna, was arrested by the CBI in February in relation to a complaint it had filed in 2018 into the COLO scam. CBI will soon file a chargesheet against her. The SEBI framework now envisages responsibility on the MD, CEO and CTO. Before the current SEBI circular, the norms regarding the appointment of an auditor for the technology systems were not well defined, said experts.
There is a view that SEBI too should shoulder the responsibility if things go wrong at MIIs, since the regulator plays an active role in the appointment of senior management personnel.
SEBI's new framework says that audits have to be conducted according to the terms of reference (TOR) and guidelines issued by SEBI, and the governing board of MIIs will appoint the auditors. SEBI has also prescribed Auditor Selection Norms and TOR. SEBI has prescribed that an auditor can perform a maximum of three successive audits, and a re-appointment can happen only after a cooling-off period of two years. During the cooling-off period, the incoming auditor cannot be one related to the earlier auditor or a firm having common partners.
Audits should be done every year. For those MIIs whose systems have been identified as protected systems by the National Critical Information Infrastructure Protection Centre (NCIIPC), the audit should be conducted every six months. When reporting or closing an issue, auditors should provide evidence, which should be specified in the audit report.
SEBI has also asked exchanges to frame a policy for data protection and access sharing. A major lapse at NSE was that key data was shared with unauthorised persons who misused it for trading software purposes.
On the observations and suggestions made by the auditor, specific corrective action as deemed fit should be taken by the MIIs, and the management has to provide its comments on the audit observations. The audit report, along with the comments of management, has to be placed before the board of MIIs. The follow-on audit has to be completed within one month of the corrective actions taken by the MII. After the follow-on audit, the MII shall submit a report to SEBI within 1 month from the date of completion of the follow-on audit.
SEBI has suggested several such norms regarding the appointment and selection of auditors and the policies that have to be considered during the audit.