Insider Trading Compliance: Why SEBI Is Scrutinizing Structured Digital Database Failures
Srinivas Thatikonda
Mr. Srinivas Thatikonda, based in Bengaluru, is a qualified Company Secretary, Insolvency Professional (IP), Registered Valuer in Securities & Financial Assets (RV-SFA), Advocate, and Independent Director. With over 25 years of experience, he specializes in corporate governance, legal compliance, insolvency, valuation, and secretarial advisory services across listed, unlisted, and private companies. His expertise spans Corporate Insolvency Resolution Processes (CIRP), liquidation matters under the Insolvency and Bankruptcy Code, 2016, equity funding advisory, investor relations, and regulatory compliance for start-ups and SMEs.
After more than 17 years in leading corporate organizations, he founded Srinivas Thatikonda & Associates, a practicing company secretaries firm that advises SMEs and start-ups across sectors including manufacturing, mobility, technology, construction, and edtech. He is committed to delivering practical, business-focused, and compliance-driven solutions aligned with evolving regulatory and corporate governance frameworks.
For years, many companies treated insider-trading controls as a checklist exercise: circulate a policy, close the trading window, collect pre-clearances, and assume the job was done. That approach is no longer safe. SEBI’s current regulatory approach, reflected in the PIT Regulations, FAQs, and exchange circulars, emphasizes demonstrable compliance through records, controls, accountability, and auditability. The Structured Digital Database, or SDD, sits at the centre of that expectation.
The reason this matters now is simple. SEBI is no longer looking only at whether a person traded after receiving UPSI. It is also looking at whether the organisation had a reliable system to record how UPSI moved, who accessed it, and whether the internal control environment was strong enough to prevent misuse. That shift is reflected in recent enforcement and compliance actions in which SEBI has examined deficiencies relating to SDD maintenance, compliance oversight, and code-of-conduct implementation, as well as in a later settlement reported by Reuters involving SDD allegations.
What the Structured Digital Database is really for
The SDD is intended to function as a demonstrable control and audit mechanism rather than a mere documentary formality. SEBI’s FAQs say it must contain the nature of the UPSI, the names of the persons who shared it, and the names of the persons with whom it was shared, along with PAN or another authorised unique identifier where applicable. The same FAQs clarify that the requirement applies not only to listed companies, but also to intermediaries and fiduciaries that handle UPSI of listed companies in the course of business.
That is why the SDD functions as a trail of responsibility. If a piece of information moved from the CFO’s office to lawyers, bankers, consultants, promoters, or another internal team, the database is supposed to show the path. In an insider-trading investigation, that trail matters as much as the eventual trade itself.
Where companies usually go wrong
Most SDD failures do not begin with a deliberate attempt to break the law. They begin with process shortcuts. A business discussion happens in a meeting, a deal note gets circulated on email, a banker asks for numbers, or an external advisor receives draft financials. By the time the compliance team is informed, the trail is already incomplete.
SEBI’s FAQs make clear that the SDD has to be maintained internally, with adequate internal controls, and that it is not supposed to be outsourced in a way that gives the vendor access to the records. The FAQs also say the Board is solely accountable for SDD maintained on cloud or through any other method, and the Board and compliance officer must ensure confidentiality, integrity, and security of the data and logs.
That is an important point for founders and CFOs who rely heavily on software vendors. A tool may be useful, but if the system is designed in a way that third parties can see or manipulate the underlying SDD records, the control may fail the regulatory test. The regulation is about ownership, access, and auditability, not convenience.
Another common weakness is incomplete data capture. If the database merely says “fundraising discussion” without recording who shared the UPSI and with whom it was shared, the trail is weak. SEBI’s own FAQs require the nature of the UPSI and the identities of both sides of the transmission.
Why this is not only a listed-company problem
Many founders still think insider-trading controls matter only after an IPO. That is not entirely true. Once a company becomes listed, or once it starts working with listed-entity information through bankers, lawyers, auditors, or other fiduciaries, the SDD question becomes real very quickly. SEBI’s FAQs specifically extend the SDD requirement to intermediaries and fiduciaries handling listed-company UPSI in the course of business.
There is also a broader point about who counts as an insider. SEBI’s FAQs say that even a person who is not a designated person can still be an insider if they are in possession of or have access to UPSI. In practical terms, this means that a founder, investor, advisor, consultant, or senior executive cannot rely on job title alone. Access to UPSI brings obligations with it.
For a mid-sized company, that can be a painful surprise. The business may believe it has “good people” and “clean intentions,” but SEBI’s framework is designed around control failure, not just bad intent. That is why the compliance architecture matters even in businesses that have never had a headline-grabbing trading issue.
What SEBI appears to be flagging more aggressively
The recent enforcement pattern shows a clear theme: SEBI is not waiting for a perfect insider-trading scandal before acting. It is willing to question whether the company maintained the basic infrastructure required to monitor UPSI. In the April 2025 order, the regulator recorded that the noticee had failed to maintain SDD, had not designated a compliance officer, and had not adopted the code of conduct under the PIT framework. The order also notes that the SDD requirement has been in place since July 2020.
That matters because it changes the risk conversation. Companies often think of insider-trading compliance as event-driven: a suspicious trade, a tip-off, a market rumour. SEBI’s current posture suggests the failure to build and maintain the system itself can be enough to attract scrutiny.
The BofA Securities India settlement reported by Reuters reinforces the same point. The issue was not just trading behaviour in isolation; it also included the allegation that the firm did not maintain the required SDD. That is a reminder that SEBI is increasingly reading insider-trading compliance through the lens of records and controls, not only through the lens of trades.
What founders, CFOs, and boards should do differently
The first step is to stop treating SDD as a compliance afterthought. It should be embedded into the deal and disclosure workflow. If UPSI is shared in a board meeting, a diligence call, a transaction discussion, or a consultation with external advisors, the SDD entry should happen as part of the same control sequence, not weeks later when someone “gets time.” SEBI’s FAQs are clear that the record has to be updated when information is transmitted, and the database must preserve records for eight years.
The second step is to map your real information flow. In many companies, UPSI does not move in a straight line. It moves through finance, legal, business heads, promoters, advisors, and sometimes group entities. If the map is not clear, the database will never be complete. That is especially true in fundraising, restructuring, acquisition, debt placement, and strategic partnership situations.
The third step is to strengthen maker-checker discipline. One person should not be left to both decide what is UPSI and maintain the only record of it. The compliance officer should operate within a documented maker-checker and escalation framework rather than relying solely on system access controls. The Board also needs visibility, because SEBI’s FAQs make clear that accountability does not disappear when technology is involved.
The fourth step is to treat vendor software carefully. A tool can help, but the control objective is internal ownership with restricted access. If the architecture permits unrestricted third-party visibility or alteration rights over SDD records, the control framework may not satisfy SEBI’s expectations regarding confidentiality, integrity, and auditability.
The practical lesson
The real lesson from SEBI’s recent posture is not that every company will face an insider-trading case. It is that companies can no longer assume that policy language is enough. A well-drafted code of conduct without a disciplined SDD is weak. A trading window without record integrity is weak. A compliance officer without process ownership is weak.
For founders and CFOs, this is ultimately a governance issue. For listed companies, it is a regulatory issue. For intermediaries and fiduciaries, it is a professional risk issue. In all three cases, the common denominator is the same: if UPSI moves, it must be captured, controlled, and explainable. That is the standard SEBI is now expecting.

