
Common Insider Trading Compliance Mistakes Companies Still Make

10 June 2026


Most insider trading compliance failures are not caused by bad intent; they are caused by operational lacunae, the gaps between what your policy says and what your systems actually do.

Listed companies in India often have robust policies, declarations, and annual training programs. However, when SEBI conducts an investigation, the regulator does not look at the policy manual; it looks at operational evidence. It seeks to understand: who had access to what, when, and whether your systems can prove it.

Here are the critical compliance gaps that continue to expose listed entities to risk and how to address them.

1. Defining UPSI: The Business Context Gap

Before you can control Unpublished Price Sensitive Information (UPSI), you must define it within the context of your specific business operations. A common mistake is using a generic, "copy-paste" definition of UPSI in internal policies.

In practice, different departments interpret materiality differently. Finance may prioritize quarterly results, while Business Development might view a potential partnership as highly sensitive long before it is finalized. If the definition is too vague or not aligned with the company’s specific business lifecycle, employees will inevitably misclassify or fail to classify sensitive information. This ambiguity is where compliance gaps begin.

2. The Code of Conduct: From Drafting to Adherence

Many companies treat the Code of Conduct as a static document, created once and forgotten. SEBI mandates that this code be effectively implemented. The shortfall often lies in the "adherence" phase, where the policy fails to bridge the gap between regulatory requirements and employee behavior.

Common shortcomings include:

  • Drafting that lacks operational clarity, leaving employees guessing how to comply.

  • Failure to update the code to reflect changes in SEBI regulations or the company's internal structure.

  • Lack of verifiable evidence that the Code of Conduct was actually understood and acknowledged by all stakeholders, not just signed off on as a formality.

3. Trading Window Closures: Manual vs. Automated Risks

Trading window compliance is a high-risk area. Organizations generally rely on one of two approaches: manual issuance by the Compliance Officer (CO) or automated issuance through compliance software.

The manual approach, issuing email circulars, is fraught with operational risk:

  • The "Human Delay" Factor: Windows often close after the UPSI has already begun circulating, creating immediate exposure.

  • Coverage Gaps: Temporary insiders and third-party participants are frequently missed, resulting in inconsistent application.

  • Communication Failures: Employees often misunderstand exemption conditions, leading to unauthorized trading.

The shift toward automated Trading Window Closure (TWC) Notice issuance is becoming essential. Automation ensures that the trading window is locked the moment UPSI is triggered, removing the potential for human error and ensuring real-time enforcement.

4. Training Designated Persons (DPs)

Compliance training is often treated as a checkbox exercise. However, a significant lacuna exists where Designated Persons (DPs) are not adequately trained on the mechanics of compliance. If a DP does not understand how to identify UPSI or, more importantly, how to record it in the compliance system, the system will surely fail.

Effective training must move beyond theory. It should cover:

  • Hands-on identification of UPSI as it arises in daily work.

  • Technical mastery of the company’s compliance software or database.

  • The gravity of their responsibility in maintaining an accurate SDD.

Train your DPs to use the SDD. Conduct regular refresher training sessions for DPs at least once a year. Make SDD entry a habit.

5. The SDD Entry Dilemma: CS Workload vs. DP Accountability

When managing the Structured Digital Database (SDD), companies can follow one of two models:

  • Option 1: Individual DPs (from Directors downward) personally enter UPSI into the SDD.

  • Option 2: DPs share information with the Company Secretary (CS) or CS team, who then perform the data entry.

While Option 2 appears convenient, it creates a significant operational bottleneck. It increases the workload of the CS team without reducing the accountability of the DP. Furthermore, it creates a "reporting lag": the information is sensitive before the CS team receives it, which leaves a dangerous window of time in which the information is floating in emails or chats, unrecorded in the SDD. Inappropriate trading may take place during that window, and the DP will be responsible for it.

6. Managing Connected Persons (CPs) and External Entities

Identifying and maintaining records of all Connected Persons (CPs) remains a major challenge. Many companies struggle to keep an updated register of the 3 key types of CPs:

  • Immediate Relatives (IRs) and their trading activities.

  • Material Financial Relationships (MFRs) that could trigger compliance scrutiny.

  • Other Entities (OEs), including Statutory Auditors, Secretarial Auditors, Consultants, and Legal Counsel.

Failure to capture data on these stakeholders effectively means you lose visibility over who has access to your sensitive data. If an external auditor trades while holding your UPSI, and your records cannot pinpoint when they received that information, the regulatory liability falls squarely on the listed entity. Moreover, it is in the Listed Entity’s interest to ensure that its Fiduciaries, such as Statutory and Secretarial Auditors, Legal Advisors and Consultants, maintain their own SDDs, as is mandatorily required under the regulations.

7. What SEBI Actually Expects: The Regulatory Reality

SEBI's enforcement trend is clear: they are increasingly moving away from examining whether policies exist to examining whether they are implemented and are working.

In investigations, regulators look for "Process Integrity." They will scrutinize:

  • Traceability: Can you prove, with immutable timestamps, who accessed UPSI and when?

  • Consistency: Is the compliance process applied uniformly across the entire organization, or only in select departments?

  • Audit Readiness: Can your records be independently verified?

Regulatory actions, such as show-cause notices and penalties, are becoming more frequent where companies fail to demonstrate the active maintenance of the SDD. The penalty is not just for a leak; it is often for the inability to prove that a system existed to prevent or monitor the leak.

8. Why Compliance Needs to Be System-Driven

Governance complexity has outpaced what fragmented tools can manage. To bridge these lacunae, listed companies need a dedicated, system-driven approach. 

A well-designed insider trading management system should provide: 

  1. Structured UPSI classification with workflows that force identification at the point of creation.

  2. Real-time trading window controls that eliminate manual delays.

  3. Automated SDD management that captures access, shares, and changes with immutable logs.

  4. Complete visibility into information shared with external parties and fiduciaries.

The objective is operational governance visibility. You need to know, at any point in time, exactly where your UPSI is, who has it, and whether your controls are functioning. The best way to ensure this is to ensure your DPs are trained in using the SDD and have made SDD entry a habit.

9. Strengthen Your Compliance Posture with Axar Digital

Axar Digital builds governance-focused solutions designed around the operational realities of modern organizations. We bridge the gap between complex regulations and daily business execution.

  • InsiderLens LCo: A structured and annually audited insider trading compliance platform for listed companies. Supports UPSI tracking, SDD management, insider identification, trading window controls, pre-clearance compliance and audit-ready compliance processes.

  • InsiderLens IFCo: Designed for intermediaries and fiduciaries. Supports insider access tracking, controlled information sharing, audit trails, and traceable compliance documentation.

Stop managing compliance as a reactive checkbox and start managing it as a strategic process. Contact Axar Digital or book a demo today to see how we can harden your compliance framework.

10. FAQs

Q: Why do companies with existing policies still face SEBI penalties?

A: Policies are static; SEBI prioritizes real-time operational evidence. Companies fail when their internal workflows have not become calmly ingrained habits. They are reactive rather than proactive.

Q: What is the most common SDD management error?

A: Treating the SDD as a "checkbox" task rather than a live database. Excluding external advisors and consultants from real-time logs is a frequent trigger for regulatory scrutiny.

Q: Should the CS team or Designated Persons (DPs) manage SDD entries?

A: Centralizing entry on the CS team creates bottlenecks. Empowering DPs to record their own access via structured systems ensures data accuracy, timeliness, and clear accountability.

Q: How can we prevent leaks involving external partners?

A: Implement comprehensive "Connected Person" tracking. You must maintain updated registers and onboard all auditors and consultants into your compliance system to monitor their UPSI access. Also, insist on working with Fiduciaries like Auditors who maintain their own SDDs, as the regulator requires.

Q: How does Axar Digital ensure audit readiness?

A: Our InsiderLens solutions automate UPSI tracking, SDD management, and trading window controls, providing an immutable, timestamped audit trail. Contact us for a demo.

Devdutta Modak
