India’s Proposed Power Market Coupling: Manipulation Vulnerabilities, Attack Surfaces & Structural Governance Gaps
1. India’s Power Exchange Landscape: The Starting Point
Before examining coupling, we must understand the market it is being applied to. India’s power exchange ecosystem is characterised by extreme concentration.
Three exchanges currently operate: India Energy Exchange (IEX), Power Exchange India Ltd (PXIL), and Hindustan Power Exchange (HPX). IEX commands approximately 99% of Day-Ahead Market (DAM) and Real-Time Market (RTM) volumes, with PXIL accounting for roughly 1% and HPX still building presence.
The deeper structural reality is that exchange-traded electricity represents a thin slice of India’s total power economy. DAM accounts for less than 4% of total electricity transactions, RTM less than 1–2%, and the entire short-term market segment (all types combined) approximately 13%. Bilateral contracts and long-term Power Purchase Agreements still dominate at around 87%.
WHY THIS MATTERS FOR COUPLING
Market coupling is a mechanism optimiser — it maximises efficiency within the market that already exists. It cannot create depth that isn’t there. When one exchange holds 99% of volume, the aggregated bid curve from coupling is nearly identical to IEX’s own curve. There is almost no price fragmentation to arbitrage away, and the mathematical welfare gain is constrained to near-zero. The Grid India Shadow Pilot (January 2025) confirmed this: DAM welfare gain = 0.059% of turnover; RTM = 0.042%.
2. What CERC is Proposing — The April 2026 Draft
The Draft PMR Second Amendment Regulations, 2026, notified on April 17, 2026, make four substantive changes:
Regulation 38: Grid India (Grid Controller of India Limited) is designated the sole, permanent MCO, replacing the round-robin model set out in the July 2025 order.
Regulation 39: Scope covers DAM and RTM, with commencement dates to be notified separately. Other segments may be added by further notification.
Regulations 39A & 39B: Uniform bid format across all exchanges; bids transmitted via secured, encrypted channels; price discovery on the principle of economic surplus maximisation; market splitting for congestion.
Regulation 39C: Grid India must formulate the Power Market Coupling Procedure (PMCP) within 6 months of notification, subject to Commission approval.
The PMCP is the true operational rulebook: it will specify the coupling algorithm, bid formats, encryption protocols, settlement procedures, congestion contingencies, and MCO charges. Yet the draft is silent on whether the PMCP itself will be published for public consultation before Commission approval — a critical procedural gap.
3. The Shadow Pilot: Do the Numbers Justify the Reform?
Grid India conducted a shadow pilot simulating market coupling in parallel with actual exchange-based price discovery, using real bid data from all three exchanges across two phases: a 4-month pilot and a 29-month analysis.
0.059% DAM welfare gain as % of turnover
0.042% RTM welfare gain as % of turnover
₹38 Cr DAM absolute gain (4-month pilot)
₹0.72 Cr RTM absolute gain (4-month pilot)
These numbers need to be contextualised against implementation costs. Grid India’s MCO infrastructure (IT platform, algorithm development, cybersecurity, staffing) is estimated to require ₹30–55 crore in one-time capital expenditure and ₹18–32 crore per year in operating expenditure. The shadow pilot’s annualised DAM welfare gain of approximately ₹114 crore per year provides a thin margin — and that margin is further eroded by the December 2025 CERC staff paper proposing a reduction in exchange transaction fees from 2 paise to 1.5 paise per unit, which could create a net cost increase for market participants that exceeds the welfare gain.
The 29-month dataset reportedly shows even smaller relative gains than the 4-month period. These two datasets have never been publicly reconciled by CERC — a transparency deficit that is difficult to justify for a structural reform of this magnitude.
4. Europe’s SDAC vs India’s Proposed Design — A Governance Gap Analysis
Europe’s Single Day-Ahead Coupling (SDAC) is the world’s most mature electricity market coupling framework. It couples 25+ countries across 10+ exchanges using EUPHEMIA, a publicly documented price discovery algorithm jointly governed by a consortium of power exchanges. A structured comparison across five dimensions reveals the scale of India’s governance gaps.
The central structural problem is that SDAC’s architecture is built on one principle: no single entity should simultaneously hold the information and the incentive to misuse it. EUPHEMIA is jointly owned by a consortium of power exchanges. Congestion inputs come from legally separate Transmission System Operators (TSOs). Ancillary procurement is handled by those same independent TSOs. No TSO has access to pre-clearing DAM bid data from exchanges.
India’s April 2026 draft violates this principle across all four critical functions, concentrating them inside Grid India.
5. The Seven Attack Vectors — A Structured Market Rigging Analysis
Market coupling does not create manipulation from scratch — it inherits the existing manipulation landscape of India’s power exchanges, amplifies several risks, and introduces one genuinely new risk. Each of the seven attack vectors mapped below corresponds to a real actor with real incentives in India’s proposed architecture.
Bid manipulation is the most accessible attack vector, requiring no insider access — only market power. With IEX holding ~99% of DAM volume, India’s coupled market has no meaningful dilution mechanism. A dominant generator submitting a sell bid just below the demand curve peak can shift the clearing price upward while remaining cleared. A collusive generator-Discom pair can coordinate bids to inflate the Market Clearing Price and settle the difference privately off-exchange.
A numerical example illustrates the stakes. In a representative DAM session with 950 MW of demand, honest bidding by Generator G3 (400 MW capacity) at ₹5.00/kWh yields revenue of ₹7,50,000 for that hour. By shading the bid to ₹5.45/kWh — still inside the demand curve — G3’s revenue rises to ₹8,17,500: a gain of ₹67,500 in a single hour. Scaled across multiple sessions and counterparties, the rent extraction becomes material.
The derivative market amplifies this further. IEX DAM futures settle on monthly Weighted Average Clearing Price (WACP), which dilutes a single-hour manipulation across 720 settlement hours. But mark-to-market (MTM) valuation responds to the spot price of the manipulated hour directly. A position of 10,000 lots (at 5,000 kWh per lot) on an MTM date yields ₹2.25 crore from a ₹0.45/kWh price movement — while the WACP impact remains at ₹31,250, below most audit thresholds.
REQUIRED SAFEGUARDS
Bid price caps and offer curve shape restrictions | Algorithmic cross-session bid pattern surveillance | Enhanced monitoring when one exchange exceeds 80% share | Cross-participant correlation analysis to detect coordinated bids
5.2 Vector 02 — Algorithm Insider Leak (Risk: CRITICAL)
The coupling algorithm is the black box at the heart of market coupling. An insider who knows its exact objective function, tie-breaking rules, market-splitting thresholds, and block bid processing logic can reverse-engineer the optimal bid shape for any supply scenario. Unlike a regulatory leak — which is a one-time event — algorithm insider knowledge is exploitable every single session throughout the algorithm’s operational life.
What the algorithm contains is commercially explosive: it reveals exactly how buyer and seller surplus is weighted; how near-degenerate cases (multiple near-equal prices) are resolved; what congestion level triggers a market split; and how complex bid types are processed at the margin. An insider can sell this strategy to large market participants before the algorithm is publicly certified, creating a sustained and structurally invisible rent.
India’s draft regulation does not mandate public documentation of the algorithm specification. EUPHEMIA, by contrast, is publicly documented: any researcher can verify clearing outcomes against the published specification. This transparency is the principal safeguard against algorithm insider exploitation.
REQUIRED SAFEGUARDS
Algorithm publicly documented before go-live (as EUPHEMIA is in Europe) | Independent audit by ring-fenced auditor with 2-year energy market cooling-off period | Cryptographically signed version control — any change triggers immediate re-audit | Monthly review of all access logs to algorithm code and parameters
5.3 Vector 03 — Pre-Clearing Data Leak (Risk: CRITICAL)
This is the only genuinely new risk created by market coupling — and the most structurally embedded. Today, no single entity receives the complete aggregated bid data from all three exchanges before market clearing. The MCO creates this information for the first time. As MCO, Grid India’s cell officers will receive every buy bid, every sell bid, every price-volume pair from all three exchanges, before the clearing price is computed — every single session.
The leak mechanisms are multiple. An MCO officer who observes that aggregate demand significantly exceeds supply can tip off a trading desk before the clearing price is announced. Grid India’s ancillary procurement team, aware of generator supply bids, can exploit knowledge of which generators are long when adjusting ancillary service procurement. A generator’s representative who cultivates a relationship with MCO cell staff can receive informal market intelligence that informs their RTM rebidding strategy.
The SEBI October 2025 interim order provides a real-world analogue: CERC officers allegedly leaked the impending market coupling regulatory order before public announcement, enabling ₹173 crore in alleged insider trades of IEX shares. The operational MCO creates this information asymmetry not once, but every session.
Critically, pre-clearing MCO bid data is not currently classified as Unpublished Price Sensitive Information (UPSI) under SEBI’s framework. UPSI is the most robust information control designation available under Indian securities law, and its absence from the MCO data architecture is a consequential gap.
REQUIRED SAFEGUARDS
Pre-clearing data formally classified as UPSI under SEBI framework | Real-time access logs reviewed monthly by independent audit committee | MCO cell staff prohibited from trading electricity securities — tenure plus 6 months post-employment | Technical Chinese wall between MCO function and ancillary services procurement — separate IT systems, separate credentials | SEBI-CERC formal MOU on information sharing protocols
5.4 Vector 04 — Timing / Latency Attack (Risk: MEDIUM)
The PMCP will define bid submission deadlines for each coupling session. Any provision allowing ‘technical exceptions’ or human override of those deadlines creates a front-running vector. If Exchange C can delay transmitting its bids by 3–5 minutes after Exchanges A and B have submitted, it effectively sees the preliminary aggregate curve before inserting its own bids — a structural equivalent of front-running.
The effective MCO computation window for DAM is estimated at 5–15 minutes; for RTM it is under 1–2 minutes. Hard, hardware-timestamped bid collection deadlines — with zero human override capability and automatic rejection of late bids — are a non-negotiable PMCP requirement. This is a design choice, not a policy preference.
5.5 Vector 05 — Congestion Gaming (Risk: HIGH)
This is India’s most country-specific manipulation risk, arising from a structural feature unique to the proposed architecture. When transmission corridors are congested, the coupling algorithm applies ‘market splitting’ — different price zones receive different clearing prices. The entity that declares congestion therefore directly influences price outcomes.
In Europe’s SDAC, Transmission System Operators (TSOs) provide grid capacity inputs. TSOs are legally separate from both the power exchanges and the EUPHEMIA MCO infrastructure. In India, Grid India’s NLDC declares inter-regional corridor congestion, and Grid India’s MCO uses that declaration as the algorithm input for market splitting. Both functions sit inside the same organisation, under the same management chain, with no external check before the input is used.
A generator in a surplus region benefits when a corridor is declared congested: their zone receives, illustratively, ₹8/kWh instead of ₹5/kWh. Without congestion, both zones clear at ₹5.50/kWh. The incentive for a generator to lobby NLDC for a congestion declaration — and for NLDC to accommodate that lobby without institutional separation from the MCO — is structural.
REQUIRED SAFEGUARDS
Grid capacity inputs independently verified — not solely NLDC’s discretion | Congestion declarations: documented, auditable methodology published in advance | Separate governance protocol between NLDC and MCO functions within Grid India | European FBMC (Flow-Based Market Coupling) governance studied as a structural model
5.6 Vector 06 — Algorithm Parameter Drift (Risk: HIGH)
Regulation 39D requires an algorithm audit before go-live and every two years thereafter. Between audit cycles, Grid India’s MCO technical team can adjust algorithm parameters. This creates what may be called the ‘slow poison’ attack: a subtle change to a tie-breaking rule creates a consistent 0.3–0.5% price bias in one direction — systematically favouring the sell-side or buy-side across all sessions.
No single session looks anomalous. The bias only emerges in statistical analysis across hundreds of sessions, potentially months after the manipulation commenced. The MCO technical team, or a market participant with whom they collude, quietly extracts rents until the next biennial audit cycle.
Coupling amplifies this risk relative to today’s structure: currently, each exchange runs its own algorithm; if IEX’s algorithm drifts, it affects only IEX volume. Under coupling, one MCO algorithm sets the price for 100% of coupled market volume. Drift in one algorithm affects the entire market.
REQUIRED SAFEGUARDS
Cryptographically signed version control — any parameter change triggers mandatory immediate re-audit | Algorithm publicly documented — independent researchers can benchmark outputs against specification | Automated daily comparison of actual vs model-predicted prices: drift beyond tolerance triggers investigation
5.7 Vector 07 — Regulatory Notification Leak (Risk: CRITICAL)
This is the only attack vector that has already been alleged in the real world. SEBI’s October 2025 interim order found that CERC Economics Division officers allegedly leaked the impending market coupling order before public announcement. This information was allegedly used to trade IEX shares for a profit of ₹173 crore. SEBI’s full investigation is ongoing.
The April 2026 draft recreates this risk by deferring the coupling commencement date to a separate future notification. That future notification will be price-sensitive information for IEX and other listed entities. Every future notification in the coupling rollout — segment additions, MCO charge revisions, PMCP amendments — will be a new price-sensitive event.
APTEL directed CERC on February 13, 2026 to keep the implicated officers away from the regulation-making exercise on market coupling until SEBI’s investigation concludes. The April 17, 2026 draft is completely silent on whether this direction has been complied with. Stakeholders have no way to verify compliance without a public statement from CERC. The absence of that statement is conspicuous.
REQUIRED SAFEGUARDS
Same recusal protocols for every future notification — not just the main regulation | Formal SEBI-CERC MOU: all regulatory decisions affecting listed entities trigger UPSI controls | Officers with notification access: mandatory security freeze on relevant holdings | CERC to publicly confirm compliance with APTEL’s recusal direction
6. The Structural Root Cause: Four Functions in One Organisation
The seven attack vectors share a single structural root cause. In Europe’s SDAC, four critical functions are distributed across independent regulated entities: pre-clearing bid data is managed through a firewalled shared platform; the algorithm is jointly owned by a consortium; congestion declarations come from legally separate TSOs; and ancillary procurement is handled by those same independent TSOs.
India’s April 2026 draft concentrates all four inside Grid India. The internal MCO cell is an administrative arrangement, not institutional separation. An internal policy document does not create the information barrier that structural independence provides.
Every attack vector identified has a known countermeasure. The question is whether the PMCP and the regulatory framework will implement them. The following six-category framework represents the minimum safeguard architecture that must be in place before the first coupling session goes live.
Algorithm Integrity
• Algorithm publicly documented before go-live — not a trade secret
• Cryptographically signed version control — any change triggers mandatory re-audit
• Independent auditors with a 2-year energy market cooling-off period
• Automated daily price monitoring: drift beyond tolerance triggers investigation
Data Access Controls
• Pre-clearing bid data formally classified as UPSI under SEBI framework
• Real-time access logging — independent monthly review
• MCO cell staff: prohibited from trading electricity securities — tenure plus 6 months post-employment
• SEBI-CERC formal MOU on information sharing protocols
Grid India Structural Separation
• Enforceable information barrier between MCO cell and NLDC / ancillary procurement
• Separate IT systems and credentials — not just a policy document
• Formal legal opinion from CERC on Section 27(2) Electricity Act compatibility
• Congestion capacity inputs independently verified — not solely NLDC’s discretion
Operational Procedure Controls
• Hard, hardware-timestamped bid deadlines — absolute, zero human override
• Congestion declarations: documented, auditable methodology published in advance
• Any PMCP deviation: mandatory immediate reporting to the Commission
• PMCP to be published for 30-day public comment before Commission approval
Regulatory Process Integrity
• Same recusal protocols for the commencement notification as for the main regulations
• Officers with access to notification timing: mandatory security freeze on holdings
• CERC to publicly confirm APTEL recusal compliance
• IEX share: monitor for unusual price movements ahead of all future coupling notifications
Market Surveillance
• Bid pattern surveillance: algorithmic cross-session anomaly detection
• Concentration monitoring: enhanced bid scrutiny if one exchange exceeds 80%
• Cross-participant correlation analysis to detect coordinated manipulation
• Annual independent market integrity audit covering all seven attack vectors
8. Five Immediate Regulatory Actions Required
The April 2026 draft is a genuine improvement over the July 2025 order — it abandoned the conflicted round-robin model, adopted staged implementation, mandated an algorithm audit, and opened a public comment window. These are meaningful corrections. But five gaps remain that the final regulations and the PMCP process must address.
1. Formal Legal Opinion on Section 27(2)
Section 27(2) of the Electricity Act 2003 prohibits NLDC from trading in electricity. The MCO role does not technically constitute trading, but Grid India’s simultaneous access to pre-clearing data and ancillary procurement functions directly engages the provision’s purpose. CERC should obtain and publish a formal legal opinion before the regulations are finalised.
2. Public Confirmation of APTEL Recusal Compliance
APTEL’s February 13, 2026 direction requires CERC to keep implicated officers away from coupling regulation-making until SEBI’s investigation concludes. The April 17 draft is silent. CERC should issue a public statement confirming compliance.
3. Full Shadow Pilot Dataset and Cost-Benefit Analysis
The comprehensive 29-month dataset and a transparent cost-benefit analysis comparing welfare gains against implementation costs must be published before the regulations are finalised. For a structural reform of this magnitude, stakeholders are entitled to the complete evidentiary basis.
4. PMCP as a Public Consultation Process
The PMCP draft must be published for a minimum 30-day public comment period before Commission approval. The PMCP defines the algorithm, settlement procedures, contingency protocols, and MCO charges — these are the substance of market coupling, not technical footnotes. Power exchanges, distribution companies, generators, and traders have a legitimate interest in commenting on them.
5. Market Deepening as a Precondition, Not an Afterthought
The reforms needed to deepen India’s exchange market — wider participation, genuine multi-exchange competition, revisiting bilateral contract volumes — must accompany coupling, not be assumed to follow from it. CERC should publish explicit market depth thresholds as pre-conditions for each new coupling segment.
9. Algorithm Integrity: Why Code Hashing Is Necessary But Not Sufficient
One safeguard increasingly discussed in market coupling architecture is cryptographic hashing of source code. Hashing greatly improves integrity assurance: if the deployed code’s hash differs from the audited version, unauthorised modification becomes immediately detectable. This is genuinely valuable and should be mandatory.
However, hash-based verification does not fully eliminate the possibility of parameter drift, behavioural drift, or economically distortive market outcomes. The core principle, which regulators must internalise, is this: identical source code does not guarantee identical market outcomes.
THE CRITICAL DISTINCTION
Hash-based code integrity verification addresses unauthorised code modification, but does not by itself guarantee invariance of market outcomes. Operational parameters, solver configurations, input-data conditioning, and runtime environments may all materially influence clearing results even while the certified source-code hash remains completely unchanged. Algorithm integrity is broader than source-code immutability.
9.1 Six Pathways Through Which Drift Occurs Without Code Change
In production-grade market infrastructure, market behaviour is influenced not only by the executable algorithm but by the broader computational ecosystem surrounding it. Drift can emerge through six distinct pathways even when the source-code hash is perfectly unchanged.
Pathway 1 — External Configuration Parameters
Most industrial systems separate executable code from runtime configuration. Critical market variables — congestion thresholds, solver timeout limits, bid truncation rules, reserve margins, penalty coefficients, transmission derating assumptions, fallback priorities, and optimisation tolerances — often reside in external configuration files, databases, APIs, environment variables, or operator-controlled dashboards. The application binary may remain completely unchanged while market outcomes shift materially because the runtime configuration environment has evolved. This is the most consequential and operationally common source of drift.
Pathway 2 — Input-Data Conditioning and Preprocessing
Even where the algorithm itself is unchanged, upstream treatment of data can materially influence outcomes. Bid normalisation logic, timestamp handling, duplicate filtering, treatment of erroneous bids, congestion-feed processing, transmission availability calculations, and validation filters can all alter effective market behaviour before the optimisation engine begins computation. In practical operations, preprocessing modifications are among the least visible sources of behavioural drift.
Pathway 3 — Optimisation Solver Behaviour
Most advanced market coupling systems rely on industrial optimisation engines such as CPLEX or Gurobi. The same mathematical formulation can generate different outcomes depending on convergence tolerances, branch-and-bound heuristics, floating-point precision handling, runtime cutoffs, or parallelisation settings. The source code may hash identically while solver configurations produce economically different clearing outcomes.
Pathway 4 — Dependency and Runtime-Environment Changes
Even where application code remains frozen, changes in compilers, optimisation libraries, numerical libraries, operating-system patches, or hardware-level floating-point implementations can influence computational behaviour. This phenomenon is well-recognised in financial exchanges and high-frequency trading systems where numerical determinism is critically important.
Pathway 5 — Operational Overrides and Emergency Controls
Many market systems include fallback dispatch logic, emergency flags, manual congestion interventions, operator override modes, or contingency controls. These mechanisms may not reside within the hashed executable environment and can therefore materially alter operational behaviour without changing the application hash itself.
Pathway 6 — Model Drift Without Technical Code Drift
Even absent manipulation, changing market conditions can alter the economic implications of previously neutral parameters. A congestion penalty calibrated for a low-renewable system with limited exchange participation may behave very differently under conditions of high renewable variability, concentrated liquidity, battery participation, or changing transmission patterns. The code remains unchanged while the economic behaviour of the market evolves materially over time.
9.2 A Practical Illustration: The Solver Runtime Example
The following scenario makes these abstract pathways concrete. Suppose the MCO software undergoes independent audit on 1 January. The auditor reviews the source code, validates the algorithmic logic, and generates a cryptographic hash:
CERTIFIED VERSION
Hash = ABC123
Maximum solver runtime: 30 seconds (configured in operator control panel — outside hashed code)
During periods of heavy market activity, an operator reduces the maximum solver runtime from 30 seconds to 15 seconds to accelerate clearing timelines. No source-code modification occurs. The cryptographic hash remains perfectly identical: ABC123 = ABC123.
Economically, however, market behaviour changes materially. A shorter runtime causes the optimisation engine to terminate before exploring the full feasible solution space. Some complex bid combinations are not fully optimised. Different block bids may clear. Congestion handling outcomes change. Market Clearing Price shifts. Certain exchanges or participants may systematically lose under congested conditions.
The June audit again validates the source code and confirms: Hash = ABC123. Technically, the conclusion is ‘certified algorithm unchanged.’ Yet between January and June, the operational behaviour of the market evolved materially because runtime configuration changed after hashing but before the next audit cycle.
THE LAYPERSON ANALOGY
A bank locker securely protects the recipe book. However, someone can change the oven temperature written on a sticky note beside the oven. The recipe itself remains unchanged. The cooking conditions change. The final cake changes. Similarly: the hashed source code remains unchanged, but runtime conditions evolve, and market outcomes drift.
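The January-to-June scenario above, as an added example that is not part of the original analysis or of any Grid India or CERC system: a certified manifest that digests the configuration, solver and runtime layers alongside the source code, so the 30-to-15-second change is reported even though the code hash still matches. The layer names, parameter names, sample values and the HMAC key (a stand-in for the auditor's signature) are all assumptions.

```python
import copy
import hashlib
import hmac
import json

# Constructed stand-ins; no value here comes from CERC, Grid India or the PMCP.
AUDIT_KEY = b"constructed-demo-key"  # stand-in for the auditor's signing key
CERTIFIED_ENV = {
    "code": "def clear(bids, cfg): ...",  # placeholder for the audited source
    "config": {"solver_max_runtime_s": 30, "congestion_threshold_mw": 500},
    "solver": {"mip_gap": 1e-4, "threads": 8, "version": "1.0"},
    "runtime": {"interpreter": "3.11", "numeric_lib": "1.26"},
}


def digest(obj) -> str:
    """SHA-256 over a canonical JSON encoding (sorted keys, fixed separators)."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def _mac(layers: dict) -> str:
    """Keyed tag over the full set of layer digests."""
    return hmac.new(AUDIT_KEY, digest(layers).encode(), hashlib.sha256).hexdigest()


def build_manifest(env: dict) -> dict:
    """Audit-time record: one digest per layer plus a MAC over all of them."""
    layers = {name: digest(value) for name, value in env.items()}
    return {"layers": layers, "tag": _mac(layers)}


def manifest_is_authentic(manifest: dict) -> bool:
    """Reject a manifest whose layer digests were edited after the audit."""
    return hmac.compare_digest(_mac(manifest["layers"]), manifest["tag"])


def code_hash_matches(certified_env: dict, live_env: dict) -> bool:
    """The source-code-only check used in the scenario."""
    return digest(certified_env["code"]) == digest(live_env["code"])


def drift_report(certified_env: dict, manifest: dict, live_env: dict) -> list:
    """Compare every layer of the live environment with the certified manifest.

    Returns human-readable findings; an empty list means nothing drifted.
    """
    if not manifest_is_authentic(manifest):
        return ["manifest: authentication tag invalid"]
    findings = []
    for layer in sorted(set(manifest["layers"]) | set(live_env)):
        live = live_env.get(layer)
        if manifest["layers"].get(layer) == digest(live):
            continue
        old = certified_env.get(layer)
        if isinstance(old, dict) and isinstance(live, dict):
            # Name the exact parameter so the change can be tied to an authorisation.
            for key in sorted(set(old) | set(live)):
                if old.get(key) != live.get(key):
                    findings.append(
                        f"{layer}.{key}: {old.get(key)!r} -> {live.get(key)!r}")
        else:
            findings.append(f"{layer}: content changed")
    return findings


def june_environment() -> dict:
    """The scenario's change: solver runtime halved, source code untouched."""
    env = copy.deepcopy(CERTIFIED_ENV)
    env["config"]["solver_max_runtime_s"] = 15
    return env


if __name__ == "__main__":
    manifest = build_manifest(CERTIFIED_ENV)
    live = june_environment()
    print("code hash unchanged:", code_hash_matches(CERTIFIED_ENV, live))
    for finding in drift_report(CERTIFIED_ENV, manifest, live):
        print("DRIFT", finding)
```
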
9.3 What Comprehensive Algorithm Governance Requires
Mature market infrastructures rely on a much wider governance framework than source-code hashing alone. The following components are required for genuine algorithm integrity:
• Configuration governance: all runtime parameters version-controlled with audit trails identical to source code
• Deterministic replay capability: any historical clearing session reproducible exactly from logged inputs
• Version-controlled datasets: input data and pre-processing logic archived alongside code snapshots
• Reproducible clearing environments: container or VM snapshots capturing the complete computational environment at each audit point
• Runtime parameter audit trails: every parameter change logged with timestamp, authorisation, and business justification
• Independent validation systems: shadow MCO run by an independent party replicating every live session
• Continuous shadow simulations: automated daily comparison of actual vs model-predicted clearing prices
• Automated anomaly detection: statistical drift beyond tolerance triggers regulatory investigation without waiting for next biennial audit
In electricity market design, governance of the computational ecosystem matters as much as governance of the algorithm itself. As market coupling increasingly centralises price discovery into a single computational architecture, preserving confidence in the integrity of that ecosystem becomes one of the defining regulatory challenges of India’s power sector reform.
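The daily actual-versus-shadow price comparison listed above, and the 'slow poison' bias described in Section 5.6, as an added example (not code from the original analysis or from any MCO): a two-sided CUSUM over the percentage gap between live and shadow clearing prices. The thresholds, the noise pattern and the ₹5.00/kWh shadow price are constructed assumptions; the 0.4% bias sits inside the 0.3–0.5% range the text gives.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed monitoring parameters, all in percent of the shadow price.
SESSION_TOLERANCE_PCT = 1.5  # per-session alert threshold
CUSUM_SLACK_PCT = 0.2        # k: half of the smallest bias worth detecting
CUSUM_LIMIT_PCT = 5.0        # h: accumulated excess that triggers investigation

# Constructed zero-mean noise (solver tolerance, rounding), in percent.
NOISE_CYCLE = [0.6, -0.4, 0.2, -0.7, 0.3, 0.0, -0.2, 0.2]

Session = Tuple[float, float]  # (live clearing price, shadow clearing price)


def make_sessions(n_clean: int, n_biased: int, bias_pct: float,
                  shadow_price: float = 5.00) -> List[Session]:
    """Constructed price pairs in Rs/kWh; the bias starts after n_clean sessions."""
    sessions = []
    for i in range(n_clean + n_biased):
        pct = NOISE_CYCLE[i % len(NOISE_CYCLE)]
        if i >= n_clean:
            pct += bias_pct
        sessions.append((shadow_price * (1 + pct / 100), shadow_price))
    return sessions


def residuals_pct(sessions: List[Session]) -> List[float]:
    """Gap between live and shadow price, as a percentage of the shadow price."""
    return [(live - shadow) / shadow * 100 for live, shadow in sessions]


def per_session_alerts(sessions: List[Session],
                       tol: float = SESSION_TOLERANCE_PCT) -> List[int]:
    """Sessions that look anomalous when each one is judged in isolation."""
    return [i for i, r in enumerate(residuals_pct(sessions)) if abs(r) > tol]


@dataclass
class Alarm:
    session: int      # index of the session at which the limit was crossed
    direction: str    # "above" = live price persistently above shadow price
    cusum_pct: float  # accumulated excess at the alarm


def cusum_first_alarm(sessions: List[Session], k: float = CUSUM_SLACK_PCT,
                      h: float = CUSUM_LIMIT_PCT) -> Optional[Alarm]:
    """Two-sided CUSUM: accumulate the part of each residual beyond the slack k.

    Zero-mean noise keeps both sums near zero; a persistent one-sided bias
    makes one of them climb until it crosses h.
    """
    up = down = 0.0
    for i, r in enumerate(residuals_pct(sessions)):
        up = max(0.0, up + r - k)
        down = max(0.0, down - r - k)
        if up > h:
            return Alarm(i, "above", up)
        if down > h:
            return Alarm(i, "below", down)
    return None


if __name__ == "__main__":
    drifted = make_sessions(n_clean=40, n_biased=160, bias_pct=0.4)
    print("per-session alerts:", per_session_alerts(drifted))
    print("CUSUM alarm:", cusum_first_alarm(drifted))
```

On the constructed series the per-session check never fires, while the CUSUM raises an alarm 25 sessions after the bias begins.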
10. Six Numerical Examples of Manipulation Risk
Abstract governance arguments become concrete when quantified. The following six examples translate each major manipulation vector into rupee terms, demonstrating that even apparently small distortions can generate material economic transfers at the scale of India’s electricity market.
Every attack vector identified in this analysis has a known countermeasure. The six numerical examples make the stakes concrete: ₹14 crore per year from a single mid-sized generator’s bid shading; ₹37.5 crore from strategic congestion declarations; ₹240 crore from a 0.4% parameter drift across the coupled market; ₹200 crore from a configuration file change that leaves the source-code hash completely untouched. These are not theoretical risks — they are computable, attributable, and preventable.
The deeper lesson from the algorithm integrity analysis is equally important: source-code hashing, while necessary, is not sufficient. Governance must extend to the entire computational ecosystem — runtime parameters, solver configurations, pre-processing logic, and dependency libraries. A biennial audit of only the executable hash leaves a 24-month window during which hundreds of crores in cumulative drift could occur undetected.
The question is not whether India should pursue market coupling — the concept is sound, and Europe’s SDAC proves that when pre-conditions are met, coupling delivers real and sustained welfare gains. The question is whether India will build the governance architecture that makes coupling trustworthy before it goes live.
The April 2026 draft’s 6-month PMCP window is the opportunity. Use it to implement the algorithmic, structural, and surveillance safeguards described here — not just to write the operational sequence of events. The PMCP is the last best vehicle for getting this right.
THE BOTTOM LINE
3 CRITICAL risks are structurally embedded or already alleged. | The internal MCO cell is not a sufficient safeguard — administrative separation within one organisation does not create institutional independence. | The PMCP is the key vehicle — but it must be published for public comment, including from security researchers and market integrity experts. | Sequencing is everything: build the market first — then coupling delivers real value.