For most of the life of insider-trading law, the hardest fact to prove was the simplest one: who knew what, and when. The Securities and Exchange Board of India (SEBI) could establish that a person traded, and that the trade was profitable and well-timed, but the bridge between the trade and the unpublished price sensitive information (UPSI) was usually circumstantial. The Structured Digital Database (SDD), introduced into the SEBI (Prohibition of Insider Trading) Regulations, 2015 through the 2018 amendment and progressively tightened since, was SEBI's answer. It converts the movement of UPSI inside an organisation into a contemporaneous, time-stamped, tamper-proof record that the company itself must keep - and produce on demand. This chapter examines Regulation 3(5) and 3(6) as amended, the scope of who must maintain the database, the design requirements SEBI has insisted upon, and the way the SDD has reshaped both compliance and enforcement.

Why the SDD was born: the evidentiary problem

The 1992 Regulations, and even the original 2015 framework, treated record-keeping of UPSI flows as a matter of best practice rather than law. The result was that when SEBI investigated suspicious trading, it had to reconstruct the chain of communication after the fact - from call data records, e-mails, WhatsApp logs, and the proximity of relationships between the trader and a person who plausibly held the information. As discussed in our chapter on the evolution from the 1992 Regulations, the recurring weakness was evidentiary: SEBI could show that an insider possessed UPSI and traded, but proving the precise moment and route of communication to a tippee was difficult, and a great deal of enforcement energy went into building inferential chains that defence counsel could then attack as speculative.

The Indian jurisprudence had long accepted that insider trading is, by its nature, a clandestine activity established largely on a preponderance of probabilities rather than proof beyond reasonable doubt. The Supreme Court in SEBI v. Kishore R. Ajmera (2016) 6 SCC 368 confirmed that in securities-law adjudication the regulator may draw logical inferences from proved circumstances, because direct evidence of a meeting of minds is rarely available. That standard helped SEBI, but it also produced uncertainty: where the inference rested on call records and relationships alone, the Securities Appellate Tribunal frequently set orders aside for want of a tangible link to the UPSI itself.

The High Level Committee chaired by Justice N.K. Sodhi, whose report led to the 2015 Regulations, had already flagged the need for better internal documentation. But it was the SEBI (Prohibition of Insider Trading) (Amendment) Regulations, 2018, notified on 31 December 2018 and brought into force from 1 April 2019, that created a hard legal obligation. The idea was simple but powerful: if every legitimate sharing of UPSI must be logged in a database that cannot be edited without leaving a trace, then any leak that does not appear in the log is itself evidence of a breach, and any entry that does appear narrows the universe of suspects to a known, dated list. The regulator was, in effect, mandating the manufacture of the very evidence it had previously struggled to reconstruct - and placing the cost and duty of that manufacture on the regulated entity.

Regulation 3(5): the maintenance obligation

Regulation 3(5), as it now stands, provides that the board of directors or head(s) of the organisation of every person required to handle UPSI shall ensure that a structured digital database is maintained containing the nature of the UPSI and the names of persons who have shared the information, as well as the names of persons with whom the information is shared under Regulation 3, together with their Permanent Account Number or other identifier where the PAN is unavailable. The provision then prescribes the technical character of the database: it must be maintained with adequate internal controls and checks such as time stamping and audit trails to ensure non-tampering of the database.

Three obligations are packed into that sentence. First, the database must capture both ends of every UPSI transfer - the sharer and the recipient - and the nature of the information, which links directly to the definition of UPSI under Regulation 2(1)(n). Second, the obligation is fixed personally on the board or the head of the organisation, so it cannot be delegated away as a purely clerical task. Third, the controls are not optional features but elements of legal compliance: an SDD without time-stamping and an audit trail is, in SEBI's view, no SDD at all.

Regulation 3(6): retention and preservation

Regulation 3(6) governs how long the database must survive. It requires that the structured digital database be preserved for a period of not less than eight years after completion of the relevant transactions. Critically, it adds that in the event of receipt of any information from SEBI regarding an investigation or enforcement proceeding, the relevant information in the SDD shall be preserved until the completion of such proceedings. The eight-year period is a floor, not a ceiling: the phrase "not less than" permits longer retention and forbids shorter.

The eight-year floor is deliberate. It comfortably exceeds the periods that ordinarily govern when SEBI may credibly initiate action on stale conduct, and it ensures that the trail outlives the memory of the individuals involved and the tenure of the officers who created it. Because UPSI events and the trades they may have tainted can surface years after the fact - a delayed complaint, a whistle-blower, a pattern detected only on later analysis - a shorter retention period would have let the most useful evidence evaporate before suspicion crystallised.

The second limb - the freeze on deletion once SEBI signals an investigation - is functionally an anti-spoliation rule. A company that purges its SDD after learning of a probe converts what might have been a mere record-keeping lapse into something far closer to obstruction, and exposes itself to adverse inference: the destruction of evidence the law required it to preserve is itself telling. Read with Regulation 3(5)'s non-tampering requirement, Regulation 3(6) makes the database a near-permanent, self-authenticating witness that the company is legally bound to keep alive and intact for the regulator's benefit.

Expanding scope: from listed companies to every handler of UPSI

The most consequential amendment to the SDD regime was not to its mechanics but to its reach. As originally introduced with effect from 1 April 2019, the duty rested on the board of directors of the listed company. The SEBI (Prohibition of Insider Trading) (Amendment) Regulations, 2020, effective 17 July 2020, replaced that narrow formulation with "every person required to handle unpublished price sensitive information", and shifted the duty onto the board of directors or head(s) of the organisation. The 2020 amendment is what transformed the SDD from a listed-company housekeeping rule into a market-wide obligation.

This was a structural change. The merchant bankers, law firms, auditors, valuers, registrars, and other intermediaries and fiduciaries who routinely receive UPSI during a transaction were now independently obliged to maintain their own SDDs - not merely to be logged in the company's database. SEBI's own FAQs and the advisories issued by professional bodies such as the Institute of Company Secretaries of India - including its SDD advisory for fiduciaries of February 2024 - have repeatedly underscored that fiduciaries and intermediaries cannot treat the SDD as someone else's problem. The practical consequence is that a single deal generates multiple overlapping databases held by different parties, and a discrepancy between them - the company's log showing a disclosure to an adviser that the adviser's own log omits, or vice versa - becomes a red flag in itself, because the two records should mirror each other at the point of transfer.

The widened scope also disciplines the chain of onward sharing. When a merchant banker passes UPSI down to its own deal team, or a law firm circulates a draft to associates, each onward leg is a sharing event that the fiduciary's SDD must capture. This dovetails with the rules on communication or procurement of UPSI under Regulation 3(1) and 3(2), which permit sharing only in furtherance of legitimate purposes and in the performance of duties or discharge of legal obligations; the SDD is precisely where that legitimacy must be documented, contemporaneously, by every link in the chain. A sharing that cannot be tied in the database to a legitimate purpose is a sharing that the regulation did not authorise.

Design requirements: internal, tamper-proof, time-stamped

Beyond the bare text, SEBI and the exchanges have layered on operational expectations through FAQs and circulars. Four features recur. First, the SDD must be maintained internally and, in SEBI's stated position, cannot be outsourced in a way that removes control from the entity - the board and compliance officer remain responsible for the security of the data and logs. SEBI's FAQs, revised in March 2023, stepped back from earlier prescriptions about where servers must physically sit, but the responsibility for data security and integrity continues to rest squarely on the board and the compliance officer, so reliance on a third-party software vendor does not dilute the entity's own accountability. Second, every entry must carry a time-stamp recording when a person first received access to particular UPSI, so that the chronology of access is fixed at the moment of access rather than reconstructed later. Third, the database must be genuinely tamper-proof: corrections cannot overwrite earlier entries but must be made through a fresh, separately logged entry, so that the history of changes is itself preserved and any attempt at revision is visible. Fourth, the right to make entries must be restricted to authorised personnel, so that the audit trail cannot be quietly populated or altered by unaccountable hands.

These features are not cosmetic. A spreadsheet that can be silently edited, or a log that overwrites rather than appends, fails the non-tampering test in Regulation 3(5) even if it nominally records the right data; the regulation requires both the right content and the right controls, and the absence of either is a breach. The exchanges have reinforced this through circulars - notably the NSE and BSE communications of October 2022 - requiring listed entities to confirm SDD compliance, with non-compliant companies liable to be flagged on the exchange's systems. For entities to which Regulation 24A of the SEBI (LODR) Regulations applies, compliance with the SDD requirement is confirmed through the Annual Secretarial Compliance Report; other entities furnish an SDD compliance certificate from a practising company secretary within the prescribed period after the close of the financial year. The effect is that SDD compliance is now externally audited and reported, not merely self-asserted, which closes off the defence that a deficiency went unnoticed.
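The contrast between a log that appends and one that overwrites can be made concrete. The sketch below is an added example, not code from SEBI, the exchanges or any SDD product: it assumes a SHA-256 hash chain as the tamper-evidence mechanism (the regulation prescribes the outcome, not this technique), and the field names, the `AUTHORISED` user id and the PAN-shaped identifiers are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64
AUTHORISED = {"compliance.officer"}  # assumed user ids with entry rights


def entry_digest(body):
    """SHA-256 over a canonical JSON encoding of an entry body."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class SDDLog:
    """Append-only log; every entry commits to the hash of its predecessor."""

    def __init__(self):
        self._entries = []

    def append(self, actor, nature, sharer, recipient, recipient_id,
               corrects=None, now=None):
        if actor not in AUTHORISED:
            raise PermissionError(f"{actor} has no entry rights")
        if corrects is not None and not 0 <= corrects < len(self._entries):
            raise ValueError("a correction must reference an existing entry")
        body = {
            "seq": len(self._entries),
            "logged_at": (now or datetime.now(timezone.utc)).isoformat(),
            "logged_by": actor,
            "nature_of_upsi": nature,
            "shared_by": sharer,
            "shared_with": recipient,
            "recipient_id": recipient_id,  # PAN or other identifier
            "corrects": corrects,          # seq of the entry this one supersedes
            "prev_hash": self._entries[-1]["hash"] if self._entries else GENESIS,
        }
        self._entries.append(dict(body, hash=entry_digest(body)))
        return self._entries[-1]["hash"]  # head hash, to be anchored elsewhere

    def export(self):
        """Independent copy of the log, as an extract would be."""
        return json.loads(json.dumps(self._entries))


def verify(entries, anchored_head=None):
    """Return None if the chain is intact, else a description of the break."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "hash"}
        if e["seq"] != i or e["prev_hash"] != prev or entry_digest(body) != e["hash"]:
            return f"entry {i} altered or out of sequence"
        prev = e["hash"]
    if anchored_head is not None and prev != anchored_head:
        return "head hash differs from the anchored value"
    return None


def current_view(entries):
    """Entries not superseded by a later correction; history stays in the log."""
    superseded = {e["corrects"] for e in entries if e["corrects"] is not None}
    return [e for e in entries if e["seq"] not in superseded]


def demo():
    """Constructed sample data: one sharing event, then a logged correction."""
    log, t0 = SDDLog(), datetime(2025, 1, 6, 10, 0, tzinfo=timezone.utc)
    log.append("compliance.officer", "Draft quarterly results",
               "CFO", "Audit partner", "AAAAA0000A", now=t0)
    head = log.append("compliance.officer", "Draft quarterly results", "CFO",
                      "Audit partner", "AAAAA0000B", corrects=0,
                      now=t0 + timedelta(minutes=30))
    return log, head
```

A chain held entirely by whoever writes the log can be recomputed end to end after an edit, which is why `verify` accepts an `anchored_head`: the latest hash has to be recorded somewhere the log's writers cannot alter for the check to mean anything.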

The 2025 amendments: deadlines and an enlarged UPSI universe

The most recent recalibration came through the SEBI (Prohibition of Insider Trading) (Amendment) Regulations, 2025, notified on 11 March 2025 and brought into effect in June 2025. Two features matter for the SDD. First, the amendment addressed a long-standing gap: there had been no express deadline for capturing UPSI that originates outside the entity, such as information conveyed by a regulator, a rating agency, a counterparty, or a court. The amended framework requires that UPSI received from outside the listed entity be recorded in the structured digital database within two calendar days of receipt, closing the window in which externally-sourced information could circulate undocumented. The choice of calendar days rather than working days is significant: a weekend or a holiday does not extend the deadline, which signals SEBI's intent that the recording of inbound UPSI be treated as near-immediate.

Second, and more far-reaching, the 2025 amendment substantially expanded the enumerated list of events deemed to constitute UPSI under Regulation 2(1)(n) - bringing in items such as the outcome of rating actions, fundraising and restructuring decisions, the initiation or outcome of certain regulatory, statutory and legal actions and forensic audits, changes in key managerial personnel, and other material developments that earlier sat at the margins of the definition. The amendment moved the regulation closer to an enumerated, deeming approach, reducing the room for argument that a given event was not price-sensitive.

Because every item of UPSI must be logged, enlarging the definition automatically enlarges the SDD's workload. Compliance officers must now make far more frequent judgments about whether an operational or routine event has crossed into UPSI territory and therefore demands an SDD entry, a closure of the trading window, and the associated controls. The practical risk is twofold: under-recording exposes the entity to a Regulation 3(5) breach, while over-recording floods the database and the trading-window machinery with entries for events of marginal sensitivity. The 2025 amendment thus shifts a substantial judgment burden onto compliance officers, who must now calibrate the database to a longer and more granular list of triggering events than the regime had ever contemplated.

The SDD and the burden of proof

The deepest effect of the SDD is on the architecture of proof in insider-trading cases. Regulation 4(1) prohibits trading by an insider when in possession of UPSI, but it carries a proviso allowing the insider to demonstrate innocence - for example, that the trade was executed pursuant to a trading plan, that the transaction was an off-market inter-se transfer between promoters who were both in possession of the same UPSI, or that the trade was otherwise not motivated by the UPSI. The presumption of motivated trading once possession is shown was confirmed by the Supreme Court in Balram Garg v. SEBI (2022) 9 SCC 425, where the Court emphasised that the foundational fact of communication or possession of UPSI must still be established by SEBI, and cannot rest on assumption alone. The SDD interacts with this two-stage structure in two directions.

For SEBI, the database is a contemporaneous record that can confirm an insider's access to UPSI at a precise moment, removing the need to infer access from relationships alone - the very inferential exercise that Kishore Ajmera permitted but that the Tribunal often found unpersuasive on thin facts. Where the SDD records that a designated person received a specific item of UPSI on a specified date, the foundational fact that Balram Garg insists upon is documented rather than inferred. For the noticee, conversely, a clean, complete SDD can be exculpatory: if a person's name does not appear against a particular item of UPSI, the company's own records support the claim that the person was not in possession. The corollary is that a missing, incomplete, or back-dated SDD hurts both the company and the individuals, because it deprives everyone of the very evidence that might have explained the trade, and it invites SEBI to fall back on the adverse inferences that a properly maintained database would have foreclosed. SEBI has, in several investigations - including high-profile matters concerning Infosys, Zee Entertainment Enterprises and Lux Industries - sought extracts of the SDD as a standard investigative step, treating the database as a primary source rather than a supporting document.

Enforcement and the limits of after-the-fact reconstruction

The enforcement landscape illustrates why SEBI moved to a mandatory database. In the matter of insider trading in the scrip of Deep Industries Limited, SEBI's order in April 2018 turned substantially on reconstructing communication patterns and the proximity between connected persons, because there was no contemporaneous internal log to consult - the SDD obligation post-dated the conduct. The case is a useful counterfactual: had a compliant SDD existed, the question of who had access to the UPSI and when would have been answered by the company's own time-stamped records rather than by the inferential exercise that decisions like Kishore Ajmera sanctioned and that Balram Garg later subjected to a demanding evidentiary test.

Since the regime took effect, SEBI's adjudication orders increasingly treat the SDD as a checkpoint in their own right. Failure to maintain the database, or maintaining it without the prescribed controls of time-stamping, audit trail and non-tampering, attracts monetary penalty - SEBI has proceeded under the penalty provisions of the SEBI Act, 1992 for such record-keeping failures, independently of whether any trading violation is also established. Adjudicating officers have, in a series of orders against listed companies and intermediaries, imposed penalties purely for SDD deficiencies: maintaining the database in an editable spreadsheet, failing to capture the names of those sharing UPSI, or being unable to demonstrate that the log was tamper-proof.

The message of these orders is consistent: the obligation to maintain the SDD is freestanding. A company that never traded improperly, and against which no leak is alleged, can still be penalised purely for keeping a deficient or non-tamper-proof database, because the obligation in Regulation 3(5) is to maintain the controls themselves, not merely to avoid leaks. This separation of the maintenance duty from the trading prohibition is the regime's quiet innovation: it lets SEBI sanction the absence of a reliable record before, and independently of, any need to prove what the record would have shown.

Common compliance failures

The recurring deficiencies that surface in SEBI examinations and exchange reviews fall into predictable categories. The first is the editable database - an SDD kept in an ordinary spreadsheet or document that can be altered without leaving an audit trail, which fails the non-tampering requirement on its face. The second is incomplete capture: logging the recipients of UPSI but not the persons sharing it, or omitting the nature of the information, both of which Regulation 3(5) expressly requires.

A third failure is treating the SDD as a listed-company-only obligation and ignoring the post-2020 duty on intermediaries and fiduciaries to maintain their own databases. A fourth is delay - failing to make entries contemporaneously, which defeats the purpose of time-stamping and, after the 2025 amendment, breaches the two-calendar-day rule for externally received UPSI. A fifth is premature deletion: purging entries before the eight-year period in Regulation 3(6) expires, or after an investigation has been intimated, which converts a lapse into a far more serious preservation failure. Each of these maps onto a discrete requirement in the regulation, and SEBI's practice has been to treat them as independently actionable.

Interaction with the disclosure regime

The SDD does not operate in isolation. It sits alongside the initial and continual disclosure obligations under Chapter III of the Regulations, the trading-window mechanism, and the code of conduct that every listed company and intermediary must frame. Where the disclosure regime makes the holdings and trades of designated persons visible to the market and the company, the SDD makes the internal flow of information visible to the regulator.

Together they form a closed loop. The code of conduct identifies designated persons and pre-clearance requirements; the trading window closes when UPSI exists; the SDD records who held that UPSI; and the disclosures reveal who traded. A discrepancy anywhere in the loop - a trade during a closed window by a person whose name appears in the SDD against the relevant UPSI - is precisely the pattern SEBI is now equipped to detect quickly. The SDD is thus less a standalone obligation than the connective tissue that lets the rest of the framework function as an evidentiary system rather than a set of paper rules. For the broader architecture, see the SEBI Insider Trading Regulations hub.

Practical takeaways for aspirants

For the examination, three propositions are worth committing to memory. First, the SDD is the creature of Regulation 3(5) and 3(6); the maintenance and control obligations live in 3(5), and the eight-year retention and preservation-on-investigation rules live in 3(6). Second, the scope of the duty was widened in 2020 from listed companies to every person required to handle UPSI, sweeping in intermediaries and fiduciaries, and the duty falls personally on the board or head of the organisation. Third, the 2025 amendment added a two-calendar-day deadline for recording externally received UPSI and expanded the enumerated UPSI events, increasing the volume of mandatory entries.

The conceptual point that examiners reward is the shift in evidentiary logic: the SDD inverts the old problem of proving the route of a leak by requiring the regulated entity to maintain the proof itself, contemporaneously and tamper-proof, on pain of independent penalty. An answer that connects the database to the burden-of-proof structure under Regulation 4 - showing how the SDD can both incriminate and exculpate - demonstrates the deeper understanding that distinguishes a strong script.

Frequently asked questions

What exactly must a Structured Digital Database contain under Regulation 3(5)?

It must contain the nature of the UPSI, the names of the persons who shared the information, and the names of the persons with whom it was shared under Regulation 3, together with their PAN or other identifier. It must be maintained with adequate internal controls such as time-stamping and audit trails to ensure non-tampering.

How long must the SDD be preserved?

Regulation 3(6) requires preservation for not less than eight years after completion of the relevant transactions. If SEBI intimates an investigation or enforcement proceeding, the relevant information must be preserved until that proceeding is complete, even beyond eight years.

Who is obliged to maintain an SDD - only listed companies?

No. As originally introduced in 2019 the duty rested on the board of the listed company, but the 2020 amendment (effective 17 July 2020) extended it to every person required to handle UPSI - including intermediaries and fiduciaries such as merchant bankers, auditors, law firms and registrars - each of whom must maintain its own database. The duty rests on the board of directors or head(s) of the organisation.

What did the 2025 amendment change for the SDD?

The SEBI (PIT) (Amendment) Regulations, 2025, notified on 11 March 2025, required UPSI received from outside the listed entity to be recorded in the SDD within two calendar days of receipt, and substantially expanded the enumerated list of UPSI events under Regulation 2(1)(n), increasing the volume of entries the database must capture.

Can the SDD be maintained on an ordinary spreadsheet?

Not safely. An editable spreadsheet that can be altered without leaving an audit trail fails the non-tampering requirement in Regulation 3(5). The database must be tamper-proof so that corrections are made through fresh, separately logged entries rather than by overwriting, and entry rights must be restricted to authorised personnel. SEBI's position is that the database must be maintained internally and cannot be outsourced in a way that removes the entity's control.

Is failing to maintain an SDD a separate offence from insider trading?

Yes. The obligation in Regulation 3(5) is freestanding. SEBI can and does penalise a deficient or non-tamper-proof SDD under the penalty provisions of the SEBI Act, 1992 even where no trading violation is established, because the duty is to maintain the controls themselves, not merely to avoid leaks. In investigations into matters such as Infosys, Zee Entertainment Enterprises and Lux Industries, SEBI has routinely sought SDD extracts as a primary investigative step.