Every great corporate fraud in India has a quiet prologue: someone inside the company knew, and either had nowhere safe to speak or was punished for speaking. Regulation 22 of the SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015 is the structural answer to that recurring tragedy. In two deceptively short sub-regulations it compels every listed entity to build a vigil mechanism through which directors and employees can report genuine concerns, and it surrounds that channel with two non-negotiable guarantees: adequate safeguards against victimisation, and direct access to the chairperson of the audit committee in appropriate or exceptional cases. For the judiciary and CLAT-PG aspirant, Regulation 22 is a compact but heavily tested provision that sits at the intersection of corporate governance, statutory company law and constitutional free-speech jurisprudence. This chapter unpacks the text, the legislative lineage in Section 177 of the Companies Act, 2013, the disclosure architecture, and the case law that gives the bare words their bite.
Why the vigil mechanism exists: the governance backstory
Regulation 22 cannot be understood in a doctrinal vacuum; it is a regulatory scar left by scandal. The collapse of Satyam Computer Services in January 2009, when its chairman Ramalinga Raju confessed in a letter to the Securities and Exchange Board of India and the stock exchanges that the company's books had been falsified to the tune of thousands of crores, exposed a brutal truth: the firm's board, its audit committee and its statutory auditors had all failed, and there was no protected internal channel through which an honest insider could have raised an alarm without being crushed. Indian corporate governance reform after Satyam was driven by the recognition that disclosure obligations and independent directors are necessary but insufficient unless the people closest to wrongdoing have a safe route to report it.
The vigil mechanism is therefore best read as an early-warning system. Where the rest of the SEBI LODR framework — discussed in our note on the principles governing disclosures — operates after information has crystallised into something disclosable, Regulation 22 operates upstream, at the moment a concern is first felt by someone inside the organisation. It converts private knowledge of misconduct into an institutional signal that the audit committee is bound to act upon. That is why the provision is mandatory for all listed entities and is not diluted to a comply-or-explain norm.
The bare text of Regulation 22
The operative core of Regulation 22 is short and should be committed to memory. Sub-regulation (1) provides that "the listed entity shall formulate a vigil mechanism for directors and employees to report genuine concerns." Sub-regulation (2) provides that "the vigil mechanism shall provide for adequate safeguards against victimization of director(s) or employee(s) or any other person who avail the mechanism and also provide for direct access to the chairperson of the audit committee in appropriate or exceptional cases."
Three textual features deserve attention. First, the verb is shall — formulation is a positive, mandatory duty, not a discretionary best practice. Second, the class of persons who may report is defined as "directors and employees," while the class protected against victimisation is broader, extending to "any other person who avail the mechanism." The asymmetry is deliberate: the protective umbrella is wider than the reporting class so that a complaint routed through, for example, a contractor or an ex-employee is not left exposed. Third, the phrase "genuine concerns" imports a good-faith threshold without requiring the complainant to prove the allegation; the mechanism must engage even where the concern ultimately proves unfounded, provided it is genuinely held.
Statutory lineage: Section 177(9) and (10) of the Companies Act, 2013
Regulation 22 does not float free of company law; it is the listing-regulation mirror of Section 177(9) and (10) of the Companies Act, 2013. Section 177(9) requires every listed company, and such other prescribed classes of companies, to establish a vigil mechanism for directors and employees to report genuine concerns in the manner prescribed. Section 177(10) is the safeguard limb, mandating that the vigil mechanism provide for adequate safeguards against victimisation of persons who use the mechanism and make provision for direct access to the chairperson of the audit committee in appropriate or exceptional cases. The textual overlap with Regulation 22 is near-verbatim and is intentional: SEBI and the Ministry of Corporate Affairs deliberately harmonised the listing and statutory regimes so that a listed company complies with one when it complies with the other.
The classes of companies required to establish a vigil mechanism are fixed by Rule 7 of the Companies (Meetings of Board and its Powers) Rules, 2014, which extends the obligation beyond listed companies to companies that accept deposits from the public and companies that have borrowed money from banks and public financial institutions in excess of fifty crore rupees. Where a company is required to constitute an audit committee, Rule 7 channels the operation of the vigil mechanism through that committee, dovetailing precisely with the role explained in our chapter on the audit committee. The result is a layered architecture: the Companies Act sets the baseline, the Rules define the perimeter, and Regulation 22 imposes the obligation on the listed-entity universe that SEBI directly polices.
The safeguard against victimisation
The heart of Regulation 22(2) is the protection against victimisation, because a reporting channel without protection is worse than useless — it is a trap that identifies dissenters and exposes them to retaliation. The regulation does not enumerate what counts as victimisation, leaving the listed entity to operationalise the safeguard through its whistle-blower policy. In practice, protection extends to shielding the complainant from dismissal, demotion, suspension, transfer, denial of promotion, harassment and any other detriment causally connected to having raised the concern. A well-drafted policy will reverse the evidentiary burden in disputed cases, requiring the company to demonstrate that any adverse action taken against a complainant was for reasons unconnected with the disclosure.
Confidentiality is the practical engine of this safeguard. The Supreme Court underscored the importance of protecting those who expose institutional malfunction in Indirect Tax Practitioners' Association v. R.K. Jain, (2010) 8 SCC 281, where it described the respondent as a whistle-blower who had tried to highlight the malfunctioning of an important institution and held that there was no reason to silence such a person; the Court further held that truth should ordinarily be allowed as a defence in such matters. While that case arose in the contempt-of-court context rather than under corporate law, its protective philosophy — that good-faith exposure of wrongdoing in the public interest deserves shelter rather than sanction — is the jurisprudential bedrock on which the victimisation safeguard rests.
Direct access to the chairperson of the audit committee
The second mandatory feature of Regulation 22(2) is direct access to the chairperson of the audit committee in "appropriate or exceptional cases." This is a structural circuit-breaker. The ordinary reporting route runs through a designated officer — often a compliance officer, ethics officer or a vigil committee — but that route fails precisely when the wrongdoing implicates senior management or the very officers who staff the ordinary channel. The direct-access provision ensures that a complaint about the chief executive, the chief financial officer or the management as a whole can bypass the compromised intermediaries and land with an independent organ of the board.
The choice of the audit committee chairperson is not accidental. Under the SEBI LODR scheme the audit committee is dominated by independent directors and is chaired by an independent director, as detailed in our note on board of directors composition. Routing exceptional complaints to that office aligns the vigil mechanism with the most independent locus of authority within the company. The qualifier "appropriate or exceptional" prevents the direct-access channel from being abused as a routine bypass; it is reserved for cases where the ordinary route is unsafe, ineffective or itself implicated, preserving the integrity of both tiers.
What counts as a 'genuine concern'
The reporting trigger in Regulation 22(1) is a "genuine concern," a phrase that controls who may invoke the mechanism and what they may invoke it for. The standard is one of good faith, not certainty: the complainant must hold an honest belief that the conduct reported amounts to a violation, but is not required to have proof or even to be correct. This distinguishes a protected disclosure from a malicious or frivolous complaint. Most whistle-blower policies expressly carve out complaints made in bad faith, for personal grievance redressal unconnected to wrongdoing, or as a tactical response to legitimate disciplinary action, and permit the company to take action against demonstrably mala fide complainants.
The good-faith touchstone derives strong support from Manoj H. Mishra v. Union of India, a 2013 decision of the Supreme Court arising from the dismissal of an employee of the Kakrapar Atomic Power Project who had communicated safety concerns to the press. The Court drew a careful line: a person is accepted as a whistle-blower where the primary motive of the disclosure is the furtherance of the public good and the exposure of genuine wrongdoing, rather than self-publicity, personal vendetta or ulterior motive. The decision is doubly useful in examinations because it both protects genuine disclosure and cautions that the whistle-blower label cannot be claimed by every aggrieved employee — the motive and the public-interest character of the disclosure are decisive.
Disclosure: website and Board's Report obligations
A vigil mechanism that exists on paper but is unknown to those it is meant to serve is no mechanism at all. The SEBI LODR framework therefore couples Regulation 22 with mandatory disclosure. The details of establishment of the vigil mechanism must be disclosed on the listed entity's website, an obligation that flows through Regulation 46, which prescribes the mandatory contents of a listed entity's website and expressly includes details of the establishment of the vigil mechanism or whistle-blower policy. This transparency duty sits within the broader catalogue of website and continuous-disclosure obligations discussed in our chapter on the common obligations of listed entities.
In parallel, the statutory regime under the Companies Act, 2013 requires that details of the establishment of the vigil mechanism be disclosed in the Board's Report. The twin disclosure — on the website and in the Board's Report — serves two audiences: it informs employees and stakeholders that a protected channel exists and how to use it, and it gives the market and the regulator a verifiable record of compliance. Failure to disclose is itself a contravention, independent of any failure in the underlying mechanism, and can attract action under the enforcement provisions of the LODR Regulations and the Act.
Interaction with the audit committee's mandate
Regulation 22 is not a standalone island; it feeds directly into the functional mandate of the audit committee. Among the matters that the audit committee is required to review under the SEBI LODR scheme is the functioning of the whistle-blower mechanism. This converts the vigil mechanism from a passive complaint box into a supervised governance instrument: the committee must periodically satisfy itself that the mechanism is operational, that complaints are being received and disposed of, and that no complainant has been victimised. Where the committee finds the mechanism dormant or the disposal record suspiciously empty, that is itself a red flag warranting inquiry.
The oversight role also dovetails with the audit committee's duty to review the company's financial statements and internal financial controls. A whistle-blower complaint alleging accounting manipulation or fraud is exactly the kind of information that should inform the committee's scrutiny of the accounts. The structural design — independent-director-led committee, direct access for exceptional complaints, and a standing review duty — is engineered so that the people best placed to detect fraud have both a channel to report it and an independent body obliged to act on it. The mechanics of the committee's composition and powers are treated fully in our dedicated note on the audit committee.
Relationship with the Whistle Blowers Protection Act, 2014
Aspirants often conflate the corporate vigil mechanism with the Whistle Blowers Protection Act, 2014, and the distinction is examinable. The 2014 Act is a public-sector instrument: it creates a mechanism for receiving complaints relating to disclosure of allegations of corruption or wilful misuse of power against public servants, and routes them through competent authorities. It does not govern private listed companies, and at the operative level its implementation has remained contested. Regulation 22, by contrast, is a private-law corporate-governance obligation enforced by SEBI through the listing regime, and operationalised through the company's own internal architecture.
The two regimes share a common philosophical core — protection of good-faith disclosers against retaliation and the channelling of disclosure to an independent authority — but they operate in distinct domains and through distinct enforcement machinery. For a listed company, the binding source of the vigil-mechanism obligation is Regulation 22 read with Section 177 of the Companies Act, not the 2014 Act. The constitutional underpinning common to both, however, is the recognition that exposing wrongdoing in the public interest is a protected exercise, a thread that runs from Indirect Tax Practitioners' Association v. R.K. Jain through the public-interest reasoning that informs whistle-blower jurisprudence generally.
Applicability and the high value debt listed entity expansion
Regulation 22 applies to every entity that has listed its specified securities — equity shares and convertible securities — on a recognised stock exchange, and forms part of the corporate-governance cluster of Regulations 17 to 27. The applicability map of the LODR Regulations is itself a tested topic, addressed in our note on the introduction, scope and definitions. The corporate-governance provisions historically applied to equity-listed entities, with relaxations for entities below specified paid-up capital and net-worth thresholds.
A significant expansion has been the extension of the corporate-governance regime, including the vigil mechanism, to High Value Debt Listed Entities — entities that have listed only non-convertible debt securities of a specified outstanding value. SEBI extended the timeline for compliance by such entities with Regulations 16 to 27 through successive amendments, recognising that large debt issuers wield economic significance comparable to equity issuers and should be subject to comparable governance discipline. The direction of travel is clear: the protective logic of the vigil mechanism is being extended across the listed universe rather than confined to equity issuers, and aspirants should track the applicability thresholds carefully because they shift with each amendment cycle.
Designing a compliant mechanism: the policy in practice
Compliance with Regulation 22 is achieved through a board-approved whistle-blower policy, and the markers of a defensible policy are now well settled in practice. The policy should define the scope of reportable conduct — typically fraud, accounting irregularities, violations of law, corruption, conflicts of interest, abuse of authority and breach of the company's code of conduct. It should specify multiple reporting channels, including a designated officer, a dedicated email address or hotline, and the protected direct-access route to the audit committee chairperson for exceptional cases. It should fix timelines for acknowledgement, investigation and disposal, and create a record-keeping discipline so that the audit committee's review under its mandate is meaningful.
Critically, the policy must operationalise the two statutory guarantees. Confidentiality of the complainant's identity should be the default, with disclosure permitted only where legally compelled. Anti-retaliation provisions should expressly prohibit detriment to complainants and create a redress route for any complainant who alleges victimisation. The policy should also address malicious complaints to prevent abuse, consistent with the motive-based reasoning in Manoj H. Mishra v. Union of India. A policy that ticks the formal boxes but lacks confidentiality protection, a credible independent route, or any anti-retaliation teeth is vulnerable to being characterised as a non-compliant sham, and the consequences of that are explored next.
Consequences of non-compliance and enforcement
Non-compliance with Regulation 22 attracts the enforcement machinery of the LODR Regulations. Stock exchanges, acting under SEBI's standard operating procedure for non-compliance, can impose monetary fines on a listed entity that fails to establish or disclose a vigil mechanism, and persistent default can escalate to freezing of promoter shareholding and, in extremity, suspension of trading. Beyond exchange-level penalties, SEBI retains its powers under the SEBI Act, 1992 to pass directions and impose penalties for contravention of the regulations, and a defective vigil mechanism that enables fraud to flourish can feed into far more serious enforcement under the fraud and insider-trading regimes.
The deeper point for the governance lawyer is that the failure of a vigil mechanism is rarely punished in isolation; it surfaces as the silent cause behind a larger collapse. The post-Satyam reforms that produced Regulation 22 reflect precisely this lesson — that the absence of a safe internal channel is not a technical lapse but a structural enabler of catastrophe. The provision's worth is therefore measured not by the number of complaints it processes but by the deterrence it creates and the disasters it prevents. For a fuller map of how this provision sits among the equity-listing obligations, see our note on the specific listing obligations for equity, and the consolidated SEBI LODR notes hub.
Exam focus and key takeaways
For judiciary and CLAT-PG examinations, Regulation 22 rewards precision. Remember the two mandatory ingredients of sub-regulation (2): adequate safeguards against victimisation, and direct access to the chairperson of the audit committee in appropriate or exceptional cases — both are frequent one-mark traps where the wrong officer (such as the chairman of the board or the company secretary) is substituted. Remember the statutory mirror in Section 177(9) and (10) of the Companies Act, 2013 and the perimeter set by Rule 7 of the Companies (Meetings of Board and its Powers) Rules, 2014.
On the case law, anchor the protective philosophy to Indirect Tax Practitioners' Association v. R.K. Jain, (2010) 8 SCC 281, for the proposition that a whistle-blower exposing institutional malfunction should not be silenced and that truth is ordinarily a defence, and to Manoj H. Mishra v. Union of India for the motive test — that the primary purpose of the disclosure must be the public good rather than self-interest or vendetta. Finally, do not confuse Regulation 22 with the Whistle Blowers Protection Act, 2014: the former is a SEBI-enforced corporate-governance obligation on listed entities, the latter a public-sector anti-corruption statute. Master these distinctions and the disclosure obligations under Regulation 46 and the Board's Report, and the topic is comfortably scoring.
Frequently asked questions
What exactly does Regulation 22 of the SEBI LODR Regulations, 2015 require?
It requires every listed entity to formulate a vigil mechanism for directors and employees to report genuine concerns. The mechanism must provide adequate safeguards against victimisation of any person who uses it and must provide direct access to the chairperson of the audit committee in appropriate or exceptional cases.
Who can report under the vigil mechanism, and who is protected?
Reporting is available to directors and employees of the listed entity. The protection against victimisation is deliberately wider, extending to directors, employees "or any other person who avail the mechanism," so that anyone who routes a genuine concern through the channel is shielded from retaliation.
Why must complaints have direct access to the audit committee chairperson?
Because the ordinary reporting route fails when the wrongdoing implicates senior management or the very officers who run that route. Direct access to the chairperson of the audit committee, who is an independent director, gives an exceptional complaint an independent, uncompromised destination within the board.
How does Regulation 22 relate to Section 177 of the Companies Act, 2013?
Regulation 22 mirrors Section 177(9) and (10) almost verbatim. Section 177(9) mandates the vigil mechanism and Section 177(10) mandates the victimisation safeguard and direct audit-committee access. Rule 7 of the Companies (Meetings of Board and its Powers) Rules, 2014 fixes the classes of companies bound by the obligation.
What case law underpins whistle-blower protection in India?
In Indirect Tax Practitioners' Association v. R.K. Jain, (2010) 8 SCC 281, the Supreme Court held a whistle-blower exposing institutional malfunction should not be silenced and that truth is ordinarily a defence. In Manoj H. Mishra v. Union of India (2013), the Court held the primary motive of a genuine whistle-blower must be the public good rather than publicity or vendetta.
Where must a listed entity disclose its vigil mechanism?
The details of establishment of the vigil mechanism must be disclosed on the listed entity's website under Regulation 46 of the LODR Regulations, and details of its establishment must also be disclosed in the Board's Report under the Companies Act, 2013. Both disclosures are mandatory and independently enforceable.